Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Configuring AAA groups using Local DB and RADIUS.

Hi,

I am trying to set up an authentication method whereby users can SSH to my Cisco kit in conjunction with RADIUS - This works fine.

But i also have it set up that if they dont have a RADIUS/Windows account they can use normal telnet and authenticate against the local database.

The problem is i cannot get the the normal telnet to authenticate against the local database - It always gives me Authorization failed.

Now i've debugged the AAA stuff and i've noticed that normal telnet still wants to authenticate against RADIUS even though i've configured it not to do this.

Theres something obviously wrong with my config which is pasted below.

aaa new-model

aaa authentication login default group radius enable

aaa authentication login console none

aaa authentication login thirdparty local-case enable

aaa authorization exec default group radius none

aaa authorization exec console none

aaa session-id common

!

radius-server host x.x.x.x auth-port 1645 acct-port 1646

radius-server host x.x.x.x auth-port 1645 acct-port 1646

radius-server retransmit 1

radius-server key xxx

radius-server vsa send accounting

radius-server vsa send authentication

!

ip ssh source-interface lo1

ip ssh logging events

ip ssh version 2

!

ip radius source-interface lo1

!

line vty 0 4

exec-timeout 60 0

transport input ssh

transport output telnet ssh

!

line vty 5 9

login authentication thirdparty

transport input telnet

5 REPLIES
Hall of Fame Super Silver

Re: Configuring AAA groups using Local DB and RADIUS.

Alex

I wonder if there is a clue to the problem in the details of how you describe it. You describe the result as:

It always gives me Authorization failed

I suspect that your issue is about authorization rather than about authentication. I wonder if you change this line:

aaa authorization exec default group radius none

into this:

aaa authorization exec default group radius if-authenticated

if the results would be different.

Give it a try and let us know if it helps.

HTH

Rick

New Member

Re: Configuring AAA groups using Local DB and RADIUS.

Sorry.. the scope has changed now.

What i now need is a way for SSH authentication to first look at the local DB and if it does not find an account then it will query RADIUS.

Is there a way to do this?

PS. My manager didnt like the Telnet solution due to it being slightly pointless.

New Member

Re: Configuring AAA groups using Local DB and RADIUS.

Alex,

I'm in slightly the same boat you are. I need to change all my VTY lines to SSH and disable telnet. However, I need lines 0-3 to use an RSA server for AAA authentication, and the local database for line VTY 4. Do you know of a command that will let the user ssh to a particular line instead of the other?

If you were OK with telnet, you could set your VTY 0 2 lines for Telnet and local database authentication, and VTY 3 4 for SSH and RADIUS authentication, but if your looking for SSH for both - we are both looking for the same answer.

New Member

Re: Configuring AAA groups using Local DB and RADIUS.

Hi,

I found my solution and i am using SSH for both local and radius.

This is my config.

aaa new-model

aaa authentication login default local group radius

aaa authentication login console none

aaa authorization exec default local group radius if-authenticated

aaa authorization exec console none

!

line vty 0 4

exec-timeout 60 0

transport input ssh

transport output none

This config will first look at the local DB and if not found then RADIUS.

I didnt need to assign VTYs with this config.

New Member

Re: Configuring AAA groups using Local DB and RADIUS.

Alex,

I agree that this configuration will work, but from a security prespective it is less than desired. For example, I'm adding a local username to the database named "administrator". Now, for tracking purposes, I would rather have the 10 people that log into the device use their RADIUS authentication so I can track who did what. Since everyone will know the local "administrator" account name and password as a backup just in case RADIUS fails, there is nothing to prevent the user from using the "administrator" password instead of the RADIUS username and password with this configuration.

Just a thought, but I'm sure my environment is a bit different.

268
Views
0
Helpful
5
Replies