Cisco Support Community
Community Member

disable the telnet and enable password

Or remove them. Good morning. My goal is to have one or two internal logins on each Cisco device and then allow RADIUS authentication for telnet or SSH.

Is there a simple way to do this on a Cisco Device?

Thanks

Dwane

1 ACCEPTED SOLUTION

Re: disable the telnet and enable password

Oh I see what you mean, use local authentication when RADIUS fails! You almost got it right.

aaa authentication login LINE1 group radius local
line vty 0 4 "or"
line vty 0 15
 login authentication LINE1

5 REPLIES

Re: disable the telnet and enable password

Hi Dwane, what you mean is that you want the first 2 connections via telnet or SSH to be authenticated via the LOCAL database and the subsequent connections to be authenticated via a RADIUS server? I think this can be done only on devices that use the line vty connections.

Since the line VTY numbers go from 0 to 15, you can configure each line separately using, for example, something like this:

aaa authentication login LINE1_2 local
aaa authentication login LINE3_16 group radius
line vty 0
 login authentication LINE1_2
line vty 1
 login authentication LINE1_2
line vty 2 15
 login authentication LINE3_16

The way this works is that when you initially telnet/SSH to your router, it will be connected to line vty 0 using the LOCAL authentication; the same applies to line 1. Once you have used both line 0 and line 1 and you try to use line 2, those will be placed under line vty 2, which is authenticating via RADIUS.

Note RADIUS authentication will only apply or kick in if the previous lines are used.

HTH

Ivan

Community Member

Re: disable the telnet and enable password

No, what I would like to do is only be able to authenticate via Radius Authentication and if Radius authentication fails, I would like to be able to use a local username.

I see what you are saying, but I think what I need to do is create

aaa authentication login LINE1 radius local
line vty 0
 login authentication LINE1
line vty 1
 login authentication LINE1
line vty 2 15
 login authentication LINE1

This will work, right?

Re: disable the telnet and enable password

Oh I see what you mean, use local authentication when RADIUS fails! You almost got it right.

aaa authentication login LINE1 group radius local
line vty 0 4 "or"
line vty 0 15
 login authentication LINE1

Community Member

Re: disable the telnet and enable password

Ivan,

Thank you. Now one last quick question, when I create a username and give them a privilege of 15, that should give them enable-mode capabilities, correct?

Dwane

Re: disable the telnet and enable password

You need to configure authorization as well to make this happen:

aaa authorization exec LINE1 group radius local
line vty 0 15
 authorization exec LINE1
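An added example, not part of the thread: a small Python check over a saved running-config that resolves each VTY line to the login and exec method lists discussed above and reports lines where no list is applied, the list is undefined, or the list has no `local` method. The sample config, the list name `LINE9` and the function names `parse` and `audit` are assumptions made for illustration.

```python
import re

SAMPLE = """\
aaa authentication login LINE1 group radius local
aaa authentication login LINE3_16 group radius
aaa authorization exec LINE1 group radius local
line vty 0 1
 login authentication LINE1
 authorization exec LINE1
line vty 2 4
 login authentication LINE3_16
line vty 5 15
 login authentication LINE9
"""  # constructed sample config; list LINE9 is deliberately left undefined
LIST = re.compile(r"aaa (authentication) login (\S+) (.+)|aaa (authorization) exec (\S+) (.+)")
APPLY = re.compile(r"login (authentication) (\S+)|(authorization) exec (\S+)")

def parse(config):
    """Return (method_lists, vty_settings) parsed from IOS-style config text."""
    lists, vty, section = {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            section = []  # a top-level command closes the current line section
        if m := LIST.fullmatch(line):
            kind, name, methods = filter(None, m.groups())
            lists[kind, name] = methods.split()
        elif m := re.fullmatch(r"line vty (\d+)(?: (\d+))?", line):
            section = [vty.setdefault(n, {}) for n in range(int(m[1]), int(m[2] or m[1]) + 1)]
        elif section and (m := APPLY.fullmatch(line)):
            kind, name = filter(None, m.groups())
            for settings in section:
                settings[kind] = name
    return lists, vty

def audit(config):
    """Return (vty, kind, issue) for each VTY whose list is missing, undefined or lacks 'local'."""
    lists, vty = parse(config)
    findings = []
    for n in sorted(vty):
        for kind in ("authentication", "authorization"):
            name = vty[n].get(kind)
            if name is None:
                findings.append((n, kind, "no-list-applied"))  # default list, if any, is used
            elif (kind, name) not in lists:
                findings.append((n, kind, "undefined-list"))
            elif "local" not in lists[kind, name]:
                findings.append((n, kind, "no-local-fallback"))
    return findings
```

Calling `audit(SAMPLE)` returns one tuple per problem, so an empty list means every configured VTY has both a login list and an exec authorization list that include `local`.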
