disable the telnet and enable password

Answered Question
Mar 3rd, 2009

Or remove them. Good morning. My goal is to have one or two internal logins on each Cisco device and then allow RADIUS authentication for telnet or SSH.


Is there a simple way to do this on a Cisco Device?


Thanks


Dwane

Ivan Martinon (Cisco Employee) Tue, 03/03/2009 - 07:44

Hi Dwane, what you mean is that you want the first 2 connections via telnet or SSH to be authenticated via the LOCAL database and the subsequent connections to be authenticated via a RADIUS server? I think this can be done only on devices that use the line vty connections.


Since the line VTY numbers go from 0 to 15, you can configure each line separately using, for example, something like this:


aaa authentication login LINE1_2 local

aaa authentication login LINE3_16 group radius


line vty 0

login authentication LINE1_2


line vty 1

login authentication LINE1_2


line vty 2 15

login authentication LINE3_16


The way this works is that when you initially telnet/SSH to your router, you will be connected to line vty 0 using LOCAL authentication; the same applies to line 1. Once you have used both line 0 and line 1 and you try to connect again, that session will be placed on line vty 2, which is authenticating via RADIUS.


Note that RADIUS authentication will only apply or kick in if the previous lines are in use.


HTH

Ivan

dpatkins Tue, 03/03/2009 - 08:34

No, what I would like to do is only be able to authenticate via RADIUS authentication and, if RADIUS authentication fails, I would like to be able to use a local username.

I see what you are saying, but I think what I need to do is create


aaa authentication login LINE1 radius local


line vty 0

login authentication LINE1



line vty 1

login authentication LINE1


line vty 2 15

login authentication LINE1


This will work, right?

Correct Answer
Ivan Martinon (Cisco Employee) Tue, 03/03/2009 - 08:38

Oh, I see what you mean: use local authentication when RADIUS fails! You almost got it right.


aaa authentication login LINE1 group radius local


line vty 0 4   (or line vty 0 15)

login authentication LINE1

dpatkins Tue, 03/03/2009 - 08:40

Ivan,


Thank you. Now one last quick question, when I create a username and give them a privilege of 15, that should give them enable-mode capabilities, correct?


Dwane

Ivan Martinon (Cisco Employee) Tue, 03/03/2009 - 08:47

You need to configure authorization as well to make this happen:


aaa authorization exec LINE1 group radius local



line vty 0 15

authorization exec LINE1
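The pieces from the thread assembled into one configuration, as an added example (this is not configuration posted by either participant). The RADIUS server address, shared secret, local username and passwords are placeholders; the method list name LINE1 is the one used above.

```cisco
! Added example, not from the thread: RADIUS first, local database as fallback,
! for both login authentication and exec authorization on the VTY lines.
aaa new-model
!
! RADIUS server definition (classic radius-server host syntax).
! Address and shared secret are placeholders.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
!
! Local fallback account at privilege 15; used only when RADIUS does not answer.
! Username and password are placeholders.
username admin privilege 15 secret REPLACE-WITH-LOCAL-PASSWORD
!
! Still consulted by users who land at privilege 1 and type "enable".
enable secret REPLACE-WITH-ENABLE-SECRET
!
! Named method lists: try the RADIUS server group, then the local database.
aaa authentication login LINE1 group radius local
aaa authorization exec LINE1 group radius local
!
! Apply both lists to every VTY line and accept SSH only (no telnet).
line vty 0 15
 login authentication LINE1
 authorization exec LINE1
 transport input ssh
```

Two points worth knowing before relying on this: the `local` method is only consulted when the RADIUS servers do not respond (all of them time out); a RADIUS reject ends the login attempt and does not fall through to the local database. And the `aaa authorization exec ... local` list is what makes the privilege 15 on the `username` command take effect, so a locally authenticated user is placed directly in privileged EXEC mode, as asked in the last question above.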
