9800 admin cli authentication

Wes Schochet
Level 3

Hi All-

I am working on my first 9800 implementation and set up a 9800-C in the lab. I am having issues using RADIUS to log in to the controller.

I can log in via the web GUI using RADIUS credentials. I am using ISE as the RADIUS server. I see good RADIUS transactions, and the av-pair (shell:priv-lvl=15) is returned from ISE when I log in via the web GUI.

When I try to log in via CLI, no request is sent to the RADIUS server. The aaa / RADIUS debug shows:

AAA/AUTHEN/LOGIN (000044CE): Pick method list ' Permanent Local'
and there is no transaction in the RADIUS log.


Current config is:

c9800-test-1.stp#show run aaa
!
aaa authentication login authentication_login local group ise_radius_grp
aaa authentication dot1x authentication_dot1x group ise_radius_grp
aaa authorization exec authentication_login local group ise_radius_grp
username admin privilege 15 secret 9 $x$012345abcde#
!
aaa server radius dynamic-author
client 10.28.16.77 server-key 7 012345abcde
client 10.18.16.77 server-key 7 012345abcde
!
radius server isepsn1
address ipv4 10.1.2.3 auth-port 1645 acct-port 1646
key 7 012345abcde
!
radius server isepsn2
address ipv4 10.1.2.4 auth-port 1645 acct-port 1646
key 7 012345abcde
!
radius-server load-balance method least-outstanding
!
aaa group server radius ise_radius_grp
server name isepsn1
server name isepsn2
!
aaa local authentication authentication_login authorization authentication_login
aaa new-model
aaa session-id common


Also, on the console, I am always automatically logged in.

What did I miss? Thanks in advance.


Wes

2 Replies

Rafael E
Cisco Employee

What about the VTY lines?


paolo-9800(config)#line vty 0 15
paolo-9800(config-line)#login authentication radAutheMethod
paolo-9800(config-line)#authorization exec radAuthzMethod

You can check this document.  

Saludos,
Rafael - TAC

JPavonM
VIP

Your aaa methods do not match those defined under the vty lines (you are missing the definition of radAutheMethod/radAuthzMethod):

!

aaa authentication login authentication_login local group ise_radius_grp
aaa authentication dot1x authentication_dot1x group ise_radius_grp
aaa authorization exec authentication_login local group ise_radius_grp
!
line vty 0 15
login authentication radAutheMethod
authorization exec radAuthzMethod 

HTH
-Jesus
*** Please Rate Helpful Responses ***
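
The mismatch discussed in this thread can be checked mechanically. The following is an added example, not code from any poster here and not a Cisco tool: it reads a running-config and reports every line block whose login or exec method list is not defined by an aaa command. The sample config is constructed from the aaa lines in the question and the vty lines quoted in the replies; the function name is hypothetical.

```python
import re

# Constructed sample: aaa lists from the question, vty lines from the replies.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login authentication_login local group ise_radius_grp
aaa authentication dot1x authentication_dot1x group ise_radius_grp
aaa authorization exec authentication_login local group ise_radius_grp
!
line con 0
!
line vty 0 15
 login authentication radAutheMethod
 authorization exec radAuthzMethod
!
"""

DEFINE = re.compile(r"^aaa (authentication login|authorization exec) (\S+)")
REFER = re.compile(r"^\s*(login authentication|authorization exec) (\S+)")
KIND = {"authentication login": "login authentication",
        "authorization exec": "authorization exec"}

def audit_method_lists(config: str) -> list[str]:
    """Return findings for line blocks that use an undefined AAA method list."""
    defined = {"login authentication": set(), "authorization exec": set()}
    lines = {}      # e.g. "line vty 0 15" -> {kind: referenced list name}
    current = None  # line block currently being read, if any
    for raw in config.splitlines():
        text = raw.rstrip()
        if m := DEFINE.match(text):
            defined[KIND[m.group(1)]].add(m.group(2))
            current = None
        elif text.startswith("line "):
            current = text
            lines[current] = {}
        elif current and (m := REFER.match(text)):
            lines[current][m.group(1)] = m.group(2)
        elif text == "!":
            current = None
    findings = []
    for name, refs in lines.items():
        for kind in defined:
            used = refs.get(kind, "default")  # no explicit list means the "default" list
            if used not in defined[kind]:
                findings.append(f"{name}: {kind} uses '{used}', which is not defined")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_method_lists(SAMPLE_CONFIG)))
```

On the sample, both the console and the vty block are reported, since neither points at the `authentication_login` list that sends requests to `ise_radius_grp`.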