AAA login problems using ssh

Sw33tpea1
Level 1

I'm having difficulty logging in to a Catalyst4948 Switch via putty with RADIUS authentication. The VTY and console lines are set for transport in ssh. I can login via the console port and authenticate with the RADIUS server. I get an authentication failed when using putty through the VTY ports

5 Replies

smahbub
Level 6

Check for any VTY passwords set in the switch. As you get an authentication failed message, the issue might be with the keys used for authentication. If the keys mismatch then authentication fails. Also check the VTY line setup with SSH.

Keith

The console port is for hardwired connections and as far as I know does not support SSH connection. At least on the switches I checked you can specify an output transport protocol but not an inbound transport (I do not have a 4948 to test on however). So I am not sure the fact that the console authenticates really tells us that SSH is ok.

Is it possible that the switch is configured for SSHv1 and that your putty is configured for SSHv2? There were quite a few versions of IOS that supported SSHv1 but not SSHv2.

It would help if you would post the configuration (at least the authentication parts, the SSH config, and the console and vty config).

It might help us figure out what the problem is if you would run debug ip ssh, make an effort to connect to the vty, and post the debug output.

Shumon

If it were a key mismatch how would the console be authenticating?

HTH

Rick

Here's my configuration. When I go through the console port I authenticate to the RADIUS server. However, when I try using SSH through the VTY ports I get an authorization failed message.

aaa new-model
aaa group server radius tssi-infb.tssiapps.sed
server 10.100.10.45 auth-port 1645 acct-port 1646
aaa authentication login default group radius group tssi-infb.tssiapps.sed local enable
aaa authentication login aaa-fallback group radius group radius group tssi-infb.tssiapps.sed local
aaa authorization exec default group radius group tssi-infb.tssiapps.sed none
ip ssh version 2
radius-server host 10.100.10.45 auth-port 1645 acct-port 1646
radius-server key XXXXXX
line con 0
password xxxxxx
login authentication aaa-fallback
line vty 0 4
login authentication aaa-fallback
transport input ssh

Keith

The additional information is quite helpful. In particular your explanation of the error is different here. In the original post you indicated that it was an authentication error. But in this post you indicate that it is an authorization error - which is quite different.

One additional question will really help us get to an understanding of this issue. When you are successful in logging in on the console (and when you attempt to SSH to the VTY) are you really authenticating with the Radius server or are you doing local authentication? (Assuming that you may have set up the same user ID as a local name as what is configured in Radius, I would suggest giving the local name a different password than the Radius password; this way it will be clear what is doing the authenticating.)

I have seen the same error with a configuration that was very similar when the server was not authenticating. It would do local authentication and then would fail on the authorization.

Note that in this situation the console will succeed and the vty will fail because by default Cisco does not do authorization on the console and does do authorization on the vty.

In my case I fixed the issue by changing the authorization slightly. I would suggest that instead of this:

aaa authorization exec default group radius group tssi-infb.tssiapps.sed none

that you configure this:

aaa authorization exec default group radius group tssi-infb.tssiapps.sed if-authenticated

HTH

Rick

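The console-versus-vty asymmetry Rick describes follows from two documented IOS rules: a later method in an AAA method list is tried only when the previous method returns an error (server unreachable), never when it returns a failure (server reached and said no), and exec authorization is not applied to the console unless `aaa authorization console` is configured, while it is applied to vty lines. The following Python model is an added example written for this thread, not configuration or code from Cisco or from anyone in the discussion. The `RadiusServer`, `Session`, `login` and `thread_scenario` names, the user `keith`, the passwords and the server's replies are all constructed for illustration; it reproduces the thread's method lists (`group radius local` for login, `group radius` plus a fallback for exec) so you can see which server reply produces "authentication failed" and which produces "authorization failed" on each line type.

```python
"""Added example (not from the thread): a small model of how Cisco IOS walks an
AAA method list, showing why the console can log in while a vty session fails.

Rules modelled (from Cisco's AAA documentation, simplified):
  * A method returns PASS, FAIL or ERROR. PASS permits, FAIL denies and stops
    the list, ERROR (server unreachable) falls through to the next method.
  * Exec authorization is skipped on the console unless
    'aaa authorization console' is configured; vty lines always run it.
  * 'none' permits unconditionally; 'if-authenticated' permits only when the
    session was authenticated. All names, users and replies are constructed.
"""
from dataclasses import dataclass

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class RadiusServer:
    reachable: bool
    users: dict        # username -> password the server accepts (constructed)
    exec_users: set    # usernames the server authorizes for an exec shell

    def authenticate(self, user, password):
        if not self.reachable:
            return ERROR   # timeout: IOS moves on to the next method
        return PASS if self.users.get(user) == password else FAIL

    def authorize_exec(self, user):
        if not self.reachable:
            return ERROR
        return PASS if user in self.exec_users else FAIL


@dataclass
class Session:
    line: str          # "con" or "vty"
    user: str
    password: str
    authenticated: bool = False


# --- individual AAA methods; each returns PASS / FAIL / ERROR ----------------
def group_radius_login(server):
    return lambda s: server.authenticate(s.user, s.password)


def group_radius_exec(server):
    return lambda s: server.authorize_exec(s.user)


def local(local_users):
    return lambda s: PASS if local_users.get(s.user) == s.password else FAIL


def none(s):
    return PASS        # unconditional permit (the thread's original fallback)


def if_authenticated(s):
    return PASS if s.authenticated else FAIL


def run_method_list(methods, session):
    """PASS permits, FAIL denies and stops, ERROR falls through; an exhausted
    list denies. This is the rule that makes a reject different from a timeout."""
    for method in methods:
        result = method(session)
        if result == PASS:
            return True
        if result == FAIL:
            return False
    return False


def login(session, login_list, exec_list, authorize_console=False):
    """Return the outcome a user would see on the given line."""
    session.authenticated = run_method_list(login_list, session)
    if not session.authenticated:
        return "authentication failed"
    if session.line == "con" and not authorize_console:
        return "exec granted"          # console skips exec authorization
    if run_method_list(exec_list, session):
        return "exec granted"
    return "authorization failed"


def thread_scenario(server, exec_fallback, password):
    """The thread's lists: login 'group radius local', exec 'group radius <fallback>'.
    The local password deliberately differs from the RADIUS one, as Rick suggests,
    so the outcome tells you which method actually authenticated the user."""
    local_users = {"keith": "local-pw"}
    login_list = [group_radius_login(server), local(local_users)]
    exec_list = [group_radius_exec(server), exec_fallback]
    return {line: login(Session(line, "keith", password), login_list, exec_list)
            for line in ("con", "vty")}


if __name__ == "__main__":
    up = RadiusServer(True, {"keith": "radius-pw"}, set())   # authenticates, denies exec
    down = RadiusServer(False, {}, set())                     # unreachable
    print("server up, denies exec, none   :", thread_scenario(up, none, "radius-pw"))
    print("server down, none              :", thread_scenario(down, none, "local-pw"))
    print("server down, if-authenticated  :", thread_scenario(down, if_authenticated, "local-pw"))
```

Running it shows the two failure modes a debug would distinguish: a reachable server that accepts the login but rejects exec authorization yields "exec granted" on the console and "authorization failed" on the vty whatever the fallback method is, because FAIL ends the list; an unreachable server lets both lines fall through to local authentication and the vty through to the fallback. Which of these matches a real switch is exactly what `debug aaa authorization` and the RADIUS server log tell you, which is why Rick asks for them.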

Rick,

Thanks again for the response. To answer your question, I do have a different username and password set up for the local than what is on the Radius. When looking at the Radius log it shows where the authorization is granted. I ran debug as well and can see the authorization messages for the console and see the fail messages for the vty.

I will try the command you suggested and see if that fixes the problem.

Keith
