Since I've configured SSH on my VPN router, IOS won't let me add the "login" command on line console 0. I know it's an AAA issue, but I'm not that familiar with AAA. How can I restore the login feature on line console with aaa new-model enabled?
Current configuration : 5741 bytes
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
boot system flash c870-advipservicesk9-mz.124-4.T8.bin
logging buffered 8196 debugging
enable password 1234
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
no ip domain lookup
ip domain name mydomain.com
username cisco password 0 cisco
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
The partial config that you posted shows aaa new-model but has no aaa commands that you configured. I am a little puzzled why you have entered aaa new-model but no other aaa commands. Perhaps you can clarify what is intended in the config?
The issue is that when you enable aaa new-model, aaa establishes its own default method for authenticating login. And, as you discovered, it then prevents you from configuring "login" on the console or vty. The default authentication in aaa is local. Since you do have a local user ID configured, you should be able to log in to the router using that user ID.
The solution suggested by Leo will work if you have a radius server. But I do not see anything in your original post indicating that you intend to use radius. If you are looking to just have the router authenticate the console using the console line password (which was the default before aaa new-model) then you could try something like this in your config:
aaa authentication login Console line
line console 0
login authentication Console
Note that the authentication named method is case sensitive.
This can be a problem indeed.
Do you actually have a radius server? Otherwise, the command is not really useful.
This is what I used a while ago. It lets you log in via console with local authentication when radius is unavailable:
username admin privilege 15 password xxx
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting suppress null-username
aaa accounting update newinfo
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
radius-server host 10.12.1.2 auth-port 1645 acct-port 1646
radius-server key xxx
To log in locally by default, you need something like:
aaa authentication login default local
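Added example, not part of any post in this thread: a small Python check to run over a saved config before applying the method lists discussed above. It flags a line that references a method list under a different case than it was defined with, a list using the `line` method on a line with no password, and a list using `local` with no username. The `audit` function name and the sample config are constructed for illustration.

```python
import re

# Constructed sample (not the poster's router): the list is defined as
# "Console" but the console line references "console".
SAMPLE = """\
aaa new-model
aaa authentication login Console line
username cisco password 0 cisco
line con 0
 login authentication console
line vty 0 4
 password s3cret
 login authentication Console
"""

def audit(config):
    """Return (line, finding) tuples for login method lists on each line."""
    lists, lines, users, current = {}, {}, False, None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            lists[m.group(1)] = m.group(2).split()  # names kept case-sensitive
        elif text.startswith("username "):
            users = True
        elif re.match(r"line (con|console|aux|vty)\b", text):
            # A line with no explicit list uses the list named "default".
            current = lines.setdefault(text, {"list": "default", "pw": False})
        elif current is not None and text.startswith("login authentication "):
            current["list"] = text.split()[2]
        elif current is not None and text.startswith("password "):
            current["pw"] = True
    findings = []
    for name, info in lines.items():
        methods = lists.get(info["list"])
        if methods is None:
            if info["list"] != "default":
                near = [n for n in lists if n.lower() == info["list"].lower()]
                hint = f" (defined as {near[0]!r})" if near else ""
                findings.append((name, f"undefined list {info['list']!r}{hint}"))
            continue
        if "line" in methods and not info["pw"]:
            findings.append((name, "method 'line' but no line password set"))
        if "local" in methods and not users:
            findings.append((name, "method 'local' but no username defined"))
    return findings

if __name__ == "__main__":
    for line, finding in audit(SAMPLE):
        print(f"{line}: {finding}")
```

The check works on flattened configs as well as indented ones, since it attributes `login authentication` and `password` to the most recent `line` header.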