vty access

joseph.derrick
Level 1

Experts,

I have a weird problem in accessing my virtual terminals.

The router has been configured to authenticate via RADIUS. All was going well for more than 1 year until last week.

I can authenticate via RADIUS from console but not from vty 0-4. No changes have been made in the configuration.

Any suggestions?

Thanks,

k0rg

7 Replies

guruprasadr
Level 7

Hi Joseph,

Can you please post your AAA configuration and line VTY configuration?

Thanks in Advance.

Regards,

Guru Prasad R

k0rg

I agree that seeing the config would be the best place to start. If we do not identify the problem from that it would be helpful if you would run debug aaa authentication and debug radius authentication, attempt to access via vty, and post the debug output.

HTH

Rick

Hi,

Here is my aaa line. I can log in from the console and authenticate my session via RADIUS. It's only the virtual lines that I have to deal with.

aaa authentication login SECURE group radius local
aaa authentication login console-access none
aaa authentication enable default group radius enable
aaa accounting exec default start-stop group radius
aaa accounting commands 15 default stop-only group radius
aaa accounting system default start-stop group radius

line con 0
 exec-timeout 5 0
 stopbits 1
line vty 0 15
 session-timeout 10
 access-class myAdmin in
 exec-timeout 5 0
 timeout login response 180
 password 7 xxxxxxxxxxxx
 login authentication SECURE
 transport input ssh

Thanks,

K0rG

Hi, [Pls Rate all Informative POST]

Under line VTY configuration:

"access-class myAdmin in" is being matched. Ensure the source segment from where you are trying to access is not denied.

Also, can you make your line VTY configuration simpler, as below, in order to check:

line vty 0 4
 exec-timeout 3 0
 password 7 xxxxxxxxxxxxx
 login authentication vty

Below is a sample TACACS+ configuration for your reference. You can modify it for RADIUS authentication:

aaa new-model
aaa authentication login vty group tacacs+ local
aaa authentication login conuser group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization network default group radius
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group radius
aaa session-id common

Pls Rate all Informative POST

Best Regards,

Guru Prasad R

K0rG

There are some aspects of the config that you posted that puzzle me:

- there is an aaa authentication method list for console-access, but this is not referenced on the console config that you included.

- without any authentication commands configured under line con 0 then it should be using aaa authentication login default. But there is no default method configured.

- are you sure that your login to the console is authenticated by radius? Is it possible that the console is authenticated locally - or is not authenticated?

Anything that you can tell us that would clarify these would be helpful.

Can you tell if attempts to authenticate on vty are getting to the Radius server? Are there entries in the logs that would verify what response the Radius server generated for these attempts?

HTH

Rick

Hi Rick,

My apologies but the console line is authenticated through 'console-access' in the aaa line.

Thanks,

K0rg

K0rg

If the console authentication is through "console-access" which says:

aaa authentication login console-access none

then its authentication is "none" and it does not go to the Radius server for authentication.

The vty do go to Radius for authentication. So that brings me back to my question about whether there is anything in the logs on the Radius server that indicates whether the Radius server is seeing any authentication requests from the vty.

I would also suggest that it might help us get to understanding the problem if you would run

debug aaa authentication

debug radius authentication

then attempt to log in through vty and then post the debug output.

HTH

Rick
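
The method-list reasoning in this thread (a line uses the list named by its login authentication command, or default when none is applied, and a list whose first method is none never contacts RADIUS) can be checked mechanically. The following Python audit is an added example, not code from any poster; the function name audit_login_methods, the sample config and its line aux 0 block are assumptions made for illustration.

```python
import re

# Constructed sample built from the statements quoted in the thread, with the
# console list applied as the poster described and a hypothetical "line aux 0".
SAMPLE_CONFIG = """\
aaa authentication login SECURE group radius local
aaa authentication login console-access none
line con 0
 login authentication console-access
line aux 0
 exec-timeout 5 0
line vty 0 15
 access-class myAdmin in
 login authentication SECURE
"""

def audit_login_methods(config):
    """Map each line block to (effective list name, its methods, findings)."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        defined = re.match(r"aaa authentication login (\S+) (.+)", text)
        applied = re.match(r"login authentication (\S+)", text)
        if defined:
            lists[defined.group(1)] = defined.group(2).split()
        elif re.match(r"line \S+ \d+", raw):      # top-level "line con 0" etc.
            current = text
            lines[current] = None                 # None: no explicit list yet
        elif current and raw.startswith(" "):     # sub-command of that line
            if applied:
                lines[current] = applied.group(1)
        else:
            current = None
    report = {}
    for name, explicit in lines.items():
        effective = explicit or "default"         # IOS uses 'default' if unset
        methods, findings = lists.get(effective), []
        if explicit is None:
            findings.append("no 'login authentication' here; uses 'default'")
        if methods is None:
            findings.append(f"method list '{effective}' is not defined")
        elif methods[0] == "none":
            findings.append("first method is 'none'; RADIUS is never consulted")
        report[name] = (effective, methods, findings)
    return report

if __name__ == "__main__":
    for line, result in audit_login_methods(SAMPLE_CONFIG).items():
        print(line, result)
```

A console that "logs in fine" while the vty lines fail is the expected result when the console list is none: only the vty lines exercise the RADIUS path, so the RADIUS server logs and the debug output are where the failure will show.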