02-12-2006 05:47 PM - edited 03-10-2019 02:28 PM
Hi,
I am trying to set up an authentication method whereby users can SSH to my Cisco kit in conjunction with RADIUS - This works fine.
But I also have it set up so that if they don't have a RADIUS/Windows account they can use normal telnet and authenticate against the local database.
The problem is I cannot get the normal telnet to authenticate against the local database - it always gives me "Authorization failed".
Now I've debugged the AAA stuff and I've noticed that normal telnet still wants to authenticate against RADIUS even though I've configured it not to do this.
There's obviously something wrong with my config, which is pasted below.
aaa new-model
! "default" login list: RADIUS first; the enable password is used only
! if no RADIUS server responds, not if RADIUS rejects the login
aaa authentication login default group radius enable
! named lists; a named list only takes effect on lines that select it
! with "login authentication <name>"
aaa authentication login console none
aaa authentication login thirdparty local-case enable
! exec authorization: every line that has no "authorization exec <name>"
! of its own uses this default, RADIUS-based list
aaa authorization exec default group radius none
aaa authorization exec console none
aaa session-id common
!
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server retransmit 1
radius-server key xxx
radius-server vsa send accounting
radius-server vsa send authentication
!
ip ssh source-interface lo1
ip ssh logging events
ip ssh version 2
!
ip radius source-interface lo1
!
! vty 0-4: SSH only, default login list (RADIUS)
line vty 0 4
exec-timeout 60 0
transport input ssh
transport output telnet ssh
!
! vty 5-9: telnet only, local login via the thirdparty list, but still
! the default (RADIUS) exec authorization list, as none is set here
line vty 5 9
login authentication thirdparty
transport input telnet
02-13-2006 11:54 AM
Alex
I wonder if there is a clue to the problem in the details of how you describe it. You describe the result as:
It always gives me Authorization failed
I suspect that your issue is about authorization rather than about authentication. I wonder if you change this line:
aaa authorization exec default group radius none
into this:
aaa authorization exec default group radius if-authenticated
if the results would be different.
Give it a try and let us know if it helps.
HTH
Rick
02-14-2006 03:23 PM
Sorry, the scope has changed now.
What I now need is a way for SSH authentication to first look at the local DB and, if it does not find an account, then query RADIUS.
Is there a way to do this?
PS. My manager didn't like the Telnet solution due to it being slightly pointless.
03-03-2006 10:34 AM
Alex,
I'm in slightly the same boat you are. I need to change all my VTY lines to SSH and disable telnet. However, I need lines 0-3 to use an RSA server for AAA authentication, and the local database for line VTY 4. Do you know of a command that will let the user ssh to a particular line instead of the other?
If you were OK with telnet, you could set your VTY 0 2 lines for Telnet and local database authentication, and VTY 3 4 for SSH and RADIUS authentication, but if you're looking for SSH for both - we are both looking for the same answer.
03-05-2006 04:08 PM
Hi,
I found my solution and I am using SSH for both local and RADIUS.
This is my config.
aaa new-model
! "default" login list: local database first, RADIUS second;
! RADIUS is tried when the username is not in the local database
aaa authentication login default local group radius
aaa authentication login console none
aaa authorization exec default local group radius if-authenticated
aaa authorization exec console none
!
! all vty lines use the default lists, so no per-line login or
! authorization statements are needed
line vty 0 4
exec-timeout 60 0
transport input ssh
transport output none
This config will first look at the local DB and if not found then RADIUS.
I didn't need to assign VTYs with this config.
03-06-2006 05:08 AM
Alex,
I agree that this configuration will work, but from a security perspective it is less than desired. For example, I'm adding a local username to the database named "administrator". Now, for tracking purposes, I would rather have the 10 people that log into the device use their RADIUS authentication so I can track who did what. Since everyone will know the local "administrator" account name and password as a backup just in case RADIUS fails, there is nothing to prevent the user from using the "administrator" password instead of the RADIUS username and password with this configuration.
Just a thought, but I'm sure my environment is a bit different.
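Editor's added example, not the configuration from any post in this thread: the fallback from the 03-05 post turned the other way round, RADIUS first with the local database consulted only when the RADIUS servers do not answer. That addresses the tracking concern in the 03-06 post, at the cost of the 03-05 requirement that local-only users can log in while RADIUS is up. The server address, shared key, source interface and local username are placeholders. The IOS behaviour assumed is that the "local" method in a list is reached only when every listed RADIUS server times out, and that a RADIUS reject ends the login attempt without trying the next method.

```cisco
! Added example, not part of the thread's configuration.
! Placeholders: x.x.x.x (RADIUS server), MYKEY (shared secret),
! lo1 (source interface), admin-fallback (local account).
aaa new-model
!
! RADIUS first. The "local" method is reached only when every RADIUS server
! has timed out; a RADIUS reject ends the login. While RADIUS is up, nobody
! can choose the shared local password instead of their own account.
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
!
! The order used earlier in the thread, for contrast: local first means
! anyone holding the local password never touches RADIUS, so the session
! cannot be attributed to a person.
!   aaa authentication login default local group radius
!
! Session accounting: a start/stop record per exec session carrying the
! RADIUS username, so the RADIUS server log shows who was on the box and when.
aaa accounting exec default start-stop group radius
!
! Fallback account, meant to be used only while RADIUS is down.
username admin-fallback privilege 15 secret PLACEHOLDER
!
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server key MYKEY
radius-server timeout 3
radius-server retransmit 1
! Mark a server that has stopped answering as dead for 10 minutes, so the
! fallback to "local" happens quickly instead of after a full retry cycle
! on every login.
radius-server deadtime 10
ip radius source-interface lo1
!
ip ssh version 2
ip ssh logging events
!
! All vty lines use the default lists; no per-line login or authorization
! statements are needed.
line vty 0 4
 exec-timeout 60 0
 transport input ssh
 transport output none
```

To confirm which method actually answered a login, "debug aaa authentication" shows the list being walked method by method, and "debug radius" shows the request and the Access-Accept or Access-Reject; the local account should only appear in the first debug when the RADIUS exchange in the second has timed out.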