
AAA new-model - line vty 0 4 - privilege level 15 error

QadirAmin54118
Level 1

I am running into an issue with the auth on VTY with AAA enabled. Is it because of privilege level 15 on line vty 0 4?

 

!
enable secret 5 $12345678ABCD
enable password cisco
!

aaa new-model
aaa authentication login default group radius
aaa authentication login CONSOLE enable
aaa authentication enable default enable
aaa authorization exec default group radius
aaa authorization exec console none
!

!

!
line vty 0 4
exec-timeout 480 0
privilege level 15
password cisco
transport input telnet ssh
!


line vty 5 15
exec-timeout 480 0
password Cisco123
line vty 16
exec-timeout 480 0
!
exception core-file
!

##### Removing the AAA allows for the local auth to work.

aaa new-model
no aaa authentication login default group radius
no aaa authentication login CONSOLE enable
no aaa authentication enable default enable
no aaa authorization exec default group radius
no aaa authorization exec console none
!

 

Please provide some suggestions.

 

Thank you

6 Replies

Simon Ko
Level 1

Provided that your radius is sending back the following attribute:

cisco-avpair = "shell:priv-lvl=15"

First, I would remove console from being authenticated.

Second, remove enable password.

 

enable secret 5 $12345678ABCD
!

aaa new-model

aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
!

!

!
line vty 0 4
exec-timeout 480 0
transport input telnet ssh
!

 

To perform this "First, I would remove console from being authenticated."

Is this the valid command to remove the console auth via AAA?

no aaa authorization exec console none

Deepak Kumar
VIP Alumni

Hi,

Where is Radius server configuration with the group "radius"?

Share the full details.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi Deepak

 

The statements below prevented the telnet sessions from authenticating:

 

!
aaa new-model
aaa authentication login default group radius
aaa authentication login CONSOLE enable
aaa authentication enable default enable
aaa authorization exec default group radius
aaa authorization exec CONSOLE none
!
aaa session-id common

 

#### Current config is

aaa new-model
!
!
aaa authorization exec CONSOLE none
!
!
!
aaa session-id common
!

Hi,
Where is the Username and password stored? Is it stored on the router itself or any other third party server as radius?
Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi Deepak,


The password is currently on the local router. I am trying to use the Microsoft RADIUS server to authenticate with AAA, along with the other routers / switches, so that user accounts and passwords are in sync.
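
The points raised in the replies above (a fallback method after `group radius`, a defined RADIUS server, and the leftover `enable password`) can be checked mechanically before a config is pushed. The script below is an added example, not part of the original thread; `audit_aaa`, `split_methods` and the sample text are hypothetical names and constructed input.

```python
import re

# Constructed sample modelled on the first post's AAA lines; secrets are placeholders.
SAMPLE = """\
enable secret 5 <hash-placeholder>
enable password <placeholder>
aaa new-model
aaa authentication login default group radius
aaa authentication login CONSOLE enable
aaa authentication enable default enable
aaa authorization exec default group radius
aaa authorization exec console none
"""

AAA_LIST = re.compile(
    r"aaa (authentication login|authentication enable|authorization exec) (\S+) (.+)")

def split_methods(text):
    """Turn 'group radius local' into ['group radius', 'local']."""
    tokens, methods = text.split(), []
    while tokens:
        tok = tokens.pop(0)
        methods.append(f"{tok} {tokens.pop(0)}" if tok == "group" and tokens else tok)
    return methods

def audit_aaa(config):
    """Return a list of findings for an IOS-style configuration given as text."""
    lines = [l.strip() for l in config.splitlines() if l.strip() not in ("", "!")]
    if "aaa new-model" not in lines:
        return []
    findings, uses_radius = [], False
    for m in filter(None, map(AAA_LIST.fullmatch, lines)):
        kind, name, methods = m.group(1), m.group(2), split_methods(m.group(3))
        uses_radius |= "group radius" in methods
        # A list ending in a server group has nothing to fall back to if the server errors out.
        if methods[-1].startswith("group "):
            findings.append(f"{kind} {name}: no fallback after '{methods[-1]}'")
    if uses_radius and not any(re.match(r"radius[- ]server\s", l) for l in lines):
        findings.append("'group radius' is used but no RADIUS server is defined")
    if any(l.startswith("enable password") for l in lines) and \
       any(l.startswith("enable secret") for l in lines):
        findings.append("'enable password' is configured alongside 'enable secret'")
    return findings

if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE):
        print(finding)
```
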
