disable the telnet and enable password

dpatkins
Level 1

Or remove them. Good morning. My goal is to have one or two internal logins on each Cisco device and then allow Radius authentication for telnet or SSH.

Is there a simple way to do this on a Cisco Device?

Thanks

Dwane


Ivan Martinon
Level 7

Hi Dwane, what you mean is that you want the first 2 connections via telnet or SSH to be authenticated via the LOCAL database and the subsequent connections to be authenticated via a RADIUS server? I think this can be done only on devices that use the line vty connections.

Since the line VTY numbers go from 0 to 15, you can configure each line separately, using for example something like this:

aaa authentication login LINE1_2 local

aaa authentication login LINE3_16 group radius

line vty 0

login authentication LINE1_2

line vty 1

login authentication LINE1_2

line vty 2 15

login authentication LINE3_16

The way this works is that when you initially telnet/SSH to your router, it will be connected to the line vty 0 line using the LOCAL authentication; the same applies to line 1. Once you have used both line 0 and line 1 and you try to use line 2, those will be placed under line vty 2, which is authenticating via RADIUS.

Note radius authentication will only apply or kick in if the previous lines are used.

HTH

Ivan

No, what I would like to do is only be able to authenticate via Radius Authentication and if Radius authentication fails, I would like to be able to use a local username.

I see what you are saying, but I think what I need to do is create

aaa authentication login LINE1 radius local

line vty 0

login authentication LINE1

line vty 1

login authentication LINE1

line vty 2 15

login authentication LINE1

This will work, right?

Oh I see what you mean, use local authentication when radius fails! You almost got it right.

aaa authentication login LINE1 group radius local

line vty 0 4

or

line vty 0 15

login authentication LINE1

Ivan,

Thank you. Now one last quick question, when I create a username and give them a privilege of 15, that should give them enable-mode capabilities, correct?

Dwane

You need to configure authorization as well to make this happen:

aaa authorization exec LINE1 group radius local

line vty 0 15

authorization exec LINE1
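
A way to check a saved configuration for the setup discussed in this thread (an added example, not part of the original posts): the script below reads an IOS-style config and reports vty lines whose login or exec-authorization list is undefined or has no local method, and lines that still permit telnet. The sample config is constructed; LINE1 is the list name from the thread, while RADONLY and the function name audit_vty are hypothetical.

```python
import re

# Constructed sample config (not from the thread). LINE1 is the thread's list;
# RADONLY and the "line vty 5 15" block are hypothetical, added to show findings.
SAMPLE = """\
aaa new-model
aaa authentication login LINE1 group radius local
aaa authentication login RADONLY group radius
aaa authorization exec LINE1 group radius local
line vty 0 4
 login authentication LINE1
 authorization exec LINE1
 transport input ssh
line vty 5 15
 login authentication RADONLY
 transport input telnet ssh
"""

AAA_RE = re.compile(r"aaa (authentication login|authorization exec) (\S+) (.+)")
VTY_RE = re.compile(r"line vty (\d+(?: \d+)?)\s*$")
SET_RE = re.compile(r" +(login authentication|authorization exec|transport input) (.+)")
KINDS = {"authentication login": "login authentication",
         "authorization exec": "authorization exec"}

def audit_vty(config):
    """Return (vty_range, finding) tuples for an IOS-style config string."""
    lists, vtys, current = {}, {}, None
    for raw in config.splitlines():
        if m := AAA_RE.match(raw):
            lists[(m.group(1), m.group(2))] = m.group(3).split()
        elif m := VTY_RE.match(raw):
            current = vtys.setdefault(m.group(1), {})
        elif not raw.startswith(" "):
            current = None                       # left the "line vty" block
        elif current is not None and (m := SET_RE.match(raw)):
            current[m.group(1)] = m.group(2).split()
    findings = []
    for vty, cfg in vtys.items():
        for kind, line_key in KINDS.items():
            # A line with no explicit list uses the one named "default".
            name = cfg.get(line_key, ["default"])[0]
            methods = lists.get((kind, name))
            if methods is None:
                findings.append((vty, f"{kind} list '{name}' is not defined"))
            elif "local" not in methods:
                findings.append((vty, f"{kind} list '{name}' has no local fallback"))
        if {"telnet", "all"} & set(cfg.get("transport input", [])):
            findings.append((vty, "telnet is permitted"))
    return findings

print(*audit_vty(SAMPLE), sep="\n")
```

IOS moves to the next method in a list only when the previous one returns an error (for example, no RADIUS server answers), not when RADIUS rejects the credentials, so the local username is a fallback rather than a second way in.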