oppofwar
asked on
aaa authentication console problem
I have configured AAA on Cisco switches & routers, and the AAA server is open source FreeRADIUS. When I try to SSH to the switch, I am able to log in to the device using RADIUS authentication. It's working fine, but when I try to access the switch using the console it asks for the username & password and I am able to log in to user mode. After that it asks for the enable password, but I am not able to log in using the local password or the RADIUS password.
Below is the configuration of the switch for AAA authentication:
username cisco secret 5 $1$tiM.$fk18bg8A/hfumyfe6j 9lS2
aaa new-model
aaa group server radius radiuss
 server x.x.x.x auth-port 1812 acct-port 1813
aaa authentication login default group radiuss local
aaa authentication login CONSOLE local
aaa authentication enable default group radius
aaa authorization exec default group radius if-authenticated
aaa session-id common
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key 7 01030F145726575B701A1758
line con 0
 exec-timeout 5 0
 password 7 0822455D0A16
 login authentication CONSOLE
aaa authentication login CONSOLE local enable
The privilege level 15 suggestion above will put you into enable mode as soon as you log in. The 2nd suggestion will allow you to use the enable password for login if the local password fails. Neither sounds like what you're asking for.
It sounds like what you want is to be able to use the line password on the console. To do this, change
aaa authentication login CONSOLE local
to
aaa authentication login CONSOLE line
If you want to be able to use RADIUS, but use the line password if RADIUS isn't available, then change it to this:
aaa authentication login CONSOLE group radiuss line
line con 0
 privilege level 15
This will let the authentication go straight to the # prompt.
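An added example, not part of the original thread or any poster's solution: a small Python check that resolves which login method list each line uses and flags an `aaa authentication enable` list with no local password method, as in the question's configuration. It assumes `show running-config` style indentation; the sample config is constructed from the question with secrets omitted, and the function names are hypothetical.

```python
# Constructed sample: the AAA lines from the question, secrets omitted.
SAMPLE = """\
aaa new-model
aaa group server radius radiuss
 server x.x.x.x auth-port 1812 acct-port 1813
aaa authentication login default group radiuss local
aaa authentication login CONSOLE local
aaa authentication enable default group radius
line con 0
 exec-timeout 5 0
 login authentication CONSOLE
line vty 0 4
"""

def parse_methods(tokens):
    """Collapse 'group NAME' into one method entry, keep the others as-is."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append("group " + tokens[i + 1]); i += 2
        else:
            out.append(tokens[i]); i += 1
    return out

def audit(config):
    """Return per-line login methods, enable methods, and findings."""
    login, enable, lines, current = {}, [], {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if raw[0].isspace():  # sub-command of the current block
            if current and words[:2] == ["login", "authentication"] and len(words) > 2:
                lines[current] = words[2]
            continue
        current = None
        if words[:3] == ["aaa", "authentication", "login"] and len(words) > 4:
            login[words[3]] = parse_methods(words[4:])
        elif words[:4] == ["aaa", "authentication", "enable", "default"]:
            enable = parse_methods(words[4:])
        elif words[0] == "line":
            current = " ".join(words[1:])
            lines[current] = "default"  # used when no list is named
    findings = []
    # Methods are tried in order; the next one is used only if the previous
    # one returns an error (e.g. server unreachable), not on a reject.
    if enable and not any(m in ("enable", "line") for m in enable):
        findings.append("enable list %s has no local password method" % enable)
    resolved = {name: login.get(lst, []) for name, lst in lines.items()}
    return {"login": resolved, "enable": enable, "findings": findings}
```
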