cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
236
Views
0
Helpful
2
Replies
Highlighted
Beginner

9800 admin cli authentication

Hi All-

I am working on my first 9800 implementation and set up a 9800-C in the lab.  I am having issues using radius to log in to the controller. 

 

I can log in via WEB GUI using radius credentials,  I am using ISE as the radius server.  I see good radius transactions and the av-pair (shell:priv-lvl=15) is returned from ISE when I log in via web GUI.

 

When I try to log in via CLI, no request is sent to the radius server.  aaa / RADIUS debug shows:

 

AAA/AUTHEN/LOGIN (000044CE): Pick method list ' Permanent Local'
and there is no transaction in the RADIUS log. 

 

Current config is:

c9800-test-1.stp#show run aaa
!
aaa authentication login authentication_login local group ise_radius_grp
aaa authentication dot1x authentication_dot1x group ise_radius_grp
aaa authorization exec authentication_login local group ise_radius_grp
username admin privilege 15 secret 9 $x$012345abcde#
!
aaa server radius dynamic-author
client 10.28.16.77 server-key 7 012345abcde
client 10.18.16.77 server-key 7 012345abcde
!
radius server isepsn1
address ipv4 10.1.2.3 auth-port 1645 acct-port 1646
key 7 012345abcde
!
radius server isepsn2
address ipv4 10.1.2.4 auth-port 1645 acct-port 1646
key 7 012345abcde
!
radius-server load-balance method least-outstanding
!
aaa group server radius ise_radius_grp
server name isepsn1
server name isepsn2
!
aaa local authentication authentication_login authorization authentication_login
aaa new-model
aaa session-id common


Also, on the console, I am always automatically logged in.  

What did I miss?  Thanks in advance.

 

Wes

2 REPLIES 2
Highlighted
Cisco Employee

what about the VTY lines? 

 

paolo-9800(config)#line vty 0 15
paolo-9800(config-line)#login authentication radAutheMethod
paolo-9800(config-line)#authorization exec radAuthzMethod

You can check this document.  

Saludos,
Rafael - TAC
Highlighted
Beginner

Your aaa methods do not match that defined under vty lines (you are missing deffinition of radAutheMethod/radAuthzMethod:

!

aaa authentication login authentication_login local group ise_radius_grp
aaa authentication dot1x authentication_dot1x group ise_radius_grp
aaa authorization exec authentication_login local group ise_radius_grp
!
line vty 0 15
login authentication radAutheMethod
authorization exec radAuthzMethod 

HTH
-Jesus
*** Please Rate Helpful Responses ***