AAA login problems using ssh

Apr 28th, 2008

I'm having difficulty logging in to a Catalyst 4948 switch via PuTTY with RADIUS authentication. The VTY and console lines are set for transport in ssh. I can log in via the console port and authenticate with the RADIUS server. I get an authentication failed message when using PuTTY through the VTY ports.

smahbub Mon, 05/05/2008 - 05:55

Check for any VTY passwords set in the switch. As you get an authentication failed message, the issue might be with the keys used for authentication. If the keys mismatch then authentication fails. Also check the VTY line setup with SSH.

Richard Burts Mon, 05/05/2008 - 08:54
The console port is for hardwired connections and as far as I know does not support SSH connection. At least on the switches I checked you can specify an output transport protocol but not an inbound transport (I do not have a 4948 to test on however). So I am not sure the fact that the console authenticates really tells us that SSH is ok.

Is it possible that the switch is configured for SSHv1 and that your putty is configured for SSHv2? There were quite a few versions of IOS that supported SSHv1 but not SSHv2.

It would help if you would post the configuration (at least the authentication parts, the SSH config, and the console and vty config).

It might help us figure out what the problem is if you would run debug ip ssh, make an effort to connect to the vty, and post the debug output.


If it were a key mismatch how would the console be authenticating?
Sw33tpea1 Fri, 05/16/2008 - 07:11

Here's my configuration. When I go through the console port I authenticate to the RADIUS server. However, when I try using SSH through the VTY ports I get an authorization failed message.

aaa new-model
aaa group server radius tssi-infb.tssiapps.sed
 server auth-port 1645 acct-port 1646
aaa authentication login default group radius group tssi-infb.tssiapps.sed local enable
aaa authentication login aaa-fallback group radius group radius group tssi-infb.tssiapps.sed local
aaa authorization exec default group radius group tssi-infb.tssiapps.sed none
ip ssh version 2
radius-server host auth-port 1645 acct-port 1646
radius-server key XXXXXX
line con 0
 password xxxxxx
 login authentication aaa-fallback
line vty 0 4
 login authentication aaa-fallback
 transport input ssh

Richard Burts Fri, 05/16/2008 - 11:58
The additional information is quite helpful. In particular your explanation of the error is different here. In the original post you indicated that it was an authentication error. But in this post you indicate that it is an authorization error - which is quite different.

One additional question will really help us get to an understanding of this issue. When you are successful in logging in on the console (and when you attempt to SSH to the VTY) are you really authenticating with the Radius server or are you doing local authentication? (Assuming that you may have set up the same user ID as a local name as what is configured in Radius, I would suggest giving the local name a different password than the Radius password. This way it will be clear what is doing the authenticating.)

I have seen the same error with a configuration that was very similar when the server was not authenticating. It would do local authentication and then would fail on the authorization.

Note that in this situation the console will succeed and the vty will fail because by default Cisco does not do authorization on the console and does do authorization on the vty.

In my case I fixed the issue by changing the authorization slightly. I would suggest that instead of this:

aaa authorization exec default group radius group tssi-infb.tssiapps.sed none

that you configure this:

aaa authorization exec default group radius group tssi-infb.tssiapps.sed if-authenticated

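To make the two points in the reply above concrete (a method list only falls through to the next method when the previous one errors, and the console is not subject to exec authorization by default), here is an added example that is not code from the thread or from Cisco. It is a small Python model of how IOS walks an AAA method list, fed the exact `aaa authentication login aaa-fallback ...` and `aaa authorization exec default ...` lines posted above. Everything about the servers is an assumption supplied per scenario: whether RADIUS answers PASS (Access-Accept), FAIL (Access-Reject) or ERROR (no usable reply, which is also what a shared-secret mismatch looks like, since a reply whose Response Authenticator does not verify is silently discarded and the request times out). The local user `admin`/`local-pw` is constructed, and the `local` method is simplified to a plain password match.

```python
"""Toy model of how Cisco IOS walks an AAA method list.

Added example, not code from the thread.  Two documented rules are encoded:
the next method is consulted only when the previous one returns ERROR, never
when it returns FAIL; and exec authorization is skipped on the console unless
'aaa authorization console' is configured.  Server answers are scenario inputs.
"""
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    PASS = "PASS"    # method granted the request: stop, success
    FAIL = "FAIL"    # method denied the request: stop, failure (no fallback)
    ERROR = "ERROR"  # method could not answer (timeout, no server): try next


def parse_methods(config_line: str) -> list[str]:
    """'aaa authorization exec default group radius group G none'
    -> ['group radius', 'group G', 'none'] (also for 'aaa authentication login')."""
    tokens = config_line.split()
    if tokens[:2] not in (["aaa", "authentication"], ["aaa", "authorization"]):
        raise ValueError(f"not a method-list line: {config_line!r}")
    rest, methods = tokens[4:], []           # skip 'aaa <type> <service> <list>'
    while rest:
        if rest[0] == "group":               # 'group <server-group>' is one method
            methods.append(f"group {rest[1]}")
            rest = rest[2:]
        else:
            methods.append(rest.pop(0))
    return methods


def run_list(methods, evaluate):
    """Stop on PASS or FAIL; continue only on ERROR.  Returns (result, trace)."""
    trace = []
    for method in methods:
        result = evaluate(method)
        trace.append((method, result.value))
        if result is not Result.ERROR:
            return result, trace
    return Result.ERROR, trace               # every method errored: a failure


@dataclass
class Session:
    username: str
    password: str
    line: str                                # "console" or "vty"
    authenticated: bool = False


@dataclass
class Device:
    radius_authen: Result                    # scenario input: servers' login answer
    radius_author: Result                    # scenario input: servers' exec answer
    local_users: dict                        # 'username X password Y' entries
    authorization_console: bool = False      # 'aaa authorization console' is off

    def _authen(self, method, s):
        if method.startswith("group "):      # a bad shared secret shows up as ERROR:
            return self.radius_authen        # replies with a bad authenticator are dropped
        if method == "local":                # simplified to a plain password match
            return Result.PASS if self.local_users.get(s.username) == s.password else Result.FAIL
        raise ValueError(f"authentication method not modelled: {method!r}")

    def _author(self, method, s):
        if method.startswith("group "):
            return self.radius_author
        if method == "none":                 # no authorization performed: always grants
            return Result.PASS
        if method == "if-authenticated":     # grants any authenticated session
            return Result.PASS if s.authenticated else Result.FAIL
        raise ValueError(f"authorization method not modelled: {method!r}")

    def login(self, s, login_list, exec_list):
        result, trace = run_list(login_list, lambda m: self._authen(m, s))
        if result is not Result.PASS:
            return "authentication failed", trace
        s.authenticated = True
        if s.line == "console" and not self.authorization_console:
            return "exec granted (console not subject to exec authorization)", trace
        result, more = run_list(exec_list, lambda m: self._author(m, s))
        return ("exec granted" if result is Result.PASS else "authorization failed"), trace + more


# The thread's own method lists, as posted (server IPs were not in the post).
LOGIN_LIST = parse_methods("aaa authentication login aaa-fallback group radius group radius group tssi-infb.tssiapps.sed local")
EXEC_NONE = parse_methods("aaa authorization exec default group radius group tssi-infb.tssiapps.sed none")
EXEC_IF_AUTH = parse_methods("aaa authorization exec default group radius group tssi-infb.tssiapps.sed if-authenticated")


def outcome(radius_authen, radius_author, line, exec_list):
    """Constructed scenario: local user 'admin'/'local-pw'; RADIUS answers as given."""
    device = Device(radius_authen, radius_author, local_users={"admin": "local-pw"})
    return device.login(Session("admin", "local-pw", line), LOGIN_LIST, exec_list)[0]


if __name__ == "__main__":
    E, F, P = Result.ERROR, Result.FAIL, Result.PASS
    print("servers silent, console       :", outcome(E, E, "console", EXEC_NONE))
    print("servers silent, vty, ...none  :", outcome(E, E, "vty", EXEC_NONE))
    print("server rejects login, vty     :", outcome(F, F, "vty", EXEC_NONE))
    print("login ok, exec denied, vty    :", outcome(P, F, "vty", EXEC_NONE))
    print("login ok, exec denied, console:", outcome(P, F, "console", EXEC_NONE))
```

The scenarios show the behaviour the reply describes: when the servers never answer, the `local` method is reached and the trailing `none` or `if-authenticated` rescues the vty session; when a server answers with a denial, the list stops there and nothing placed after it is consulted, so a vty session fails authorization while the same user on the console still gets an exec because no exec authorization is applied to the console line. `login` also returns the per-method trace, which is the thing to compare against `debug aaa authentication` and `debug aaa authorization` output on the real switch.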

Sw33tpea1 Mon, 05/19/2008 - 04:16
Thanks again for the response. To answer your question, I do have a different username and password set up for the local than what is on the Radius. When looking at the Radius log it shows where the authorization is granted. I ran debug as well and can see the authorization messages for the console and see the fail messages for the vty.

I will try the command you suggested and see if that fixes the problem.