06-28-2008 08:41 AM
Experts,
I have a weird problem in accessing my virtual terminals.
The router has been configured to authenticate via RADIUS. All was going well for more than 1 year until last week.
I can authenticate via RADIUS from console but not from vty 0-4. No changes have been made in the configuration.
Any suggestions?
Thanks,
k0rg
06-29-2008 05:19 AM
Hi Joseph,
Can you please post your AAA Configuration and Line VTY Configuration.
Thanks in Advance.
Regards,
Guru Prasad R
06-30-2008 06:31 PM
k0rg
I agree that seeing the config would be the best place to start. If we do not identify the problem from that it would be helpful if you would run debug aaa authentication and debug radius authentication, attempt to access via vty, and post the debug output.
HTH
Rick
07-06-2008 07:45 PM
Hi,
Here is my aaa line. I can log in from the console and authenticate my session via RADIUS. It's only the virtual lines that I have to deal with.
aaa authentication login SECURE group radius local
aaa authentication login console-access none
aaa authentication enable default group radius enable
aaa accounting exec default start-stop group radius
aaa accounting commands 15 default stop-only group radius
aaa accounting system default start-stop group radius
line con 0
exec-timeout 5 0
stopbits 1
line vty 0 15
session-timeout 10
access-class myAdmin in
exec-timeout 5 0
timeout login response 180
password 7 xxxxxxxxxxxx
login authentication SECURE
transport input ssh
Thanks,
K0rG
07-06-2008 08:58 PM
Hi, [Pls Rate all Informative POST]
Under line VTY configuration:
"access-class myAdmin in" is being matched. Ensure the source segment from where you are trying to access is not denied.
Also, can you make your line VTY configuration simpler, as below, in order to check:
line vty 0 4
exec-timeout 3 0
password 7 xxxxxxxxxxxxx
login authentication vty
Below is a sample TACACS+ configuration for your reference. You can modify the same as per RADIUS authentication:
aaa new-model
aaa authentication login vty group tacacs+ local
aaa authentication login conuser group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization network default group radius
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group radius
aaa session-id common
Pls Rate all Informative POST
Best Regards,
Guru Prasad R
07-07-2008 08:40 AM
K0rG
There are some aspects of the config that you posted that puzzle me:
- there is an aaa authentication method list for console-access, but this is not referenced on the console config that you included.
- without any authentication commands configured under line con 0 then it should be using aaa authentication login default. But there is no default method configured.
- are you sure that your login to the console is authenticated by radius? Is it possible that the console is authenticated locally - or is not authenticated?
Anything that you can tell us that would clarify these would be helpful.
Can you tell if attempts to authenticate on vty are getting to the Radius server? Are there entries in the logs that would verify what response the Radius server generated for these attempts?
HTH
Rick
07-07-2008 09:22 PM
Hi Rick,
My apologies but the console line is authenticated through 'console-access' in the aaa line.
Thanks,
K0rg
07-08-2008 04:43 AM
K0rg
If the console authentication is through "console-access" which says:
aaa authentication login console-access none
then its authentication is "none" and it does not go to the Radius server for authentication.
The vty do go to Radius for authentication. So that brings me back to my question about whether there is anything in the logs on the Radius server that indicates whether the Radius server is seeing any authentication requests from the vty.
I would also suggest that it might help us get to understanding the problem if you would run
debug aaa authentication
debug radius authentication
then attempt to log in through vty and then post the debug output.
HTH
Rick
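The method-list resolution discussed in the replies above, as an added example (not part of the original thread and not Cisco tooling): a small Python audit that maps each line stanza to its login method list and flags lists that start with or fall back to `none`. The sample config is constructed from lines posted in the thread; the `login authentication console-access` line under `line con 0` is an assumption based on K0rg's later reply.

```python
import re

# Constructed sample built from the stanzas posted in this thread.
# Assumption: console-access is attached to line con 0, per the later reply.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login SECURE group radius local
aaa authentication login console-access none
line con 0
 login authentication console-access
 exec-timeout 5 0
line vty 0 15
 access-class myAdmin in
 login authentication SECURE
 transport input ssh
"""

def audit_login_methods(config):
    """Return {line stanza: (method list name, methods, finding)}."""
    lists, applied, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        aaa = re.match(r"aaa authentication login (\S+) (.+)", text)
        use = re.match(r"login authentication (\S+)", text)
        if aaa:
            lists[aaa.group(1)] = aaa.group(2).split()
            current = None
        elif re.match(r"line (con|aux|vty|tty)\b", text):
            current = text
            applied[current] = "default"  # used when no list is attached
        elif current and use:
            applied[current] = use.group(1)
    report = {}
    for line, name in applied.items():
        methods = lists.get(name)
        if methods is None:
            finding = "method list not defined"
        elif methods[0] == "none":
            finding = "no authentication performed"
        elif "none" in methods:
            finding = "falls back to no authentication"
        elif "radius" in methods or "tacacs+" in methods:
            finding = "uses AAA server"
        else:
            finding = "local methods only"
        report[line] = (name, methods, finding)
    return report

if __name__ == "__main__":
    for line, result in audit_login_methods(SAMPLE_CONFIG).items():
        print(line, "->", result)
```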