I'm having difficulty logging in to a Catalyst 4948 Switch via putty with RADIUS authentication. The VTY and console lines are set for transport in ssh. I can log in via the console port and authenticate with the RADIUS server. I get an authentication failed when using putty through the VTY ports.
Check for any VTY passwords set in the switch. As you get an authentication failed message, the issue might be with the keys used for authentication. If the keys mismatch then authentication fails. Also check for VTY line setup with SSH.
The console port is for hardwired connections and as far as I know does not support SSH connection. At least on the switches I checked you can specify an output transport protocol but not an inbound transport (I do not have a 4948 to test on however). So I am not sure the fact that the console authenticates really tells us that SSH is ok.
Is it possible that the switch is configured for SSHv1 and that your putty is configured for SSHv2? There were quite a few versions of IOS that supported SSHv1 but not SSHv2.
It would help if you would post the configuration (at least the authentication parts, the SSH config, and the console and vty config).
It might help us figure out what the problem is if you would run debug ip ssh, make an effort to connect to the vty, and post the debug output.
If it were a key mismatch how would the console be authenticating?
The additional information is quite helpful. In particular your explanation of the error is different here. In the original post you indicated that it was an authentication error. But in this post you indicate that it is an authorization error - which is quite different.
One additional question will really help us get to an understanding of this issue. When you are successful in logging in on the console (and when you attempt to SSH to the VTY) are you really authenticating with the Radius server or are you doing local authentication? (Assuming that you may have set up the same user ID as a local name as what is configured in Radius, I would suggest giving the local name a different password than the Radius password. This way it will be clear what is doing the authenticating.)
I have seen the same error with a configuration that was very similar when the server was not authenticating. It would do local authentication and then would fail on the authorization.
Note that in this situation the console will succeed and the vty will fail because by default Cisco does not do authorization on the console and does do authorization on the vty.
In my case I fixed the issue by changing the authorization slightly. I would suggest that instead of this:
aaa authorization exec default group radius group tssi-infb.tssiapps.sed none
that you configure this:
aaa authorization exec default group radius group tssi-infb.tssiapps.sed if-authenticated
Thanks again for the response. To answer your question, I do have a different username and password set up for the local than what is on the Radius. When looking at the Radius log it shows where the authorization is granted. I ran debug as well and can see the authorization messages for the console and see the fail messages for the vty.
I will try the command you suggested and see if that fixes the problem.
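As an added example (not part of the original thread), a small Python check that pulls from a saved running-config the settings the replies ask about: the exec authorization method list, whether the console is subject to exec authorization, the configured SSH version, and the vty transport input. The sample config is constructed and the helper names are hypothetical.

```python
# Constructed sample config, not from the thread; only the
# "aaa authorization exec" line is copied from the posts above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius group tssi-infb.tssiapps.sed none
ip ssh version 1
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def parse_methods(tokens):
    """Keep 'group <name>' pairs together so the list reads in fallback order."""
    methods, i = [], 0
    while i < len(tokens):
        step = 2 if tokens[i] == "group" and i + 1 < len(tokens) else 1
        methods.append(" ".join(tokens[i:i + step]))
        i += step
    return methods

def collect_facts(config):
    """Pull out the settings the thread asks about (hypothetical helper)."""
    facts = {"exec_authz": None, "console_authz": False,
             "ssh_version": None, "vty_transport": {}}
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a new top-level command
            section = line if line.startswith("line vty") else None
            if section:
                facts["vty_transport"][section] = None
        if line.startswith("aaa authorization exec default "):
            facts["exec_authz"] = parse_methods(line.split()[4:])
        elif line == "aaa authorization console":
            facts["console_authz"] = True
        elif line.startswith("ip ssh version "):
            facts["ssh_version"] = line.split()[3]
        elif section and line.startswith("transport input "):
            facts["vty_transport"][section] = line.split()[2:]
    return facts

def findings(facts):
    """Turn the collected facts into the points worth checking first."""
    out = []
    if facts["exec_authz"] and not facts["console_authz"]:
        out.append("exec authorization applies to vty but not console")
    if facts["ssh_version"] != "2":
        out.append("SSH not pinned to version 2")
    out += [f"{name}: transport input is not ssh-only"
            for name, protos in facts["vty_transport"].items() if protos != ["ssh"]]
    return out
```

Running `findings(collect_facts(text))` on the output of `show running-config` lists which of these conditions hold before any debug is enabled.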