Cisco Support Community

Unexpected AAA Behavior in Lab Setup

I have attached the config for my lab router in its entirety.  The lab is air-gapped so I'm not scrubbing anything from its config.  I configured some example server groups, and the servers are dummy servers to force a failed connection so that my understanding of the processing of an aaa authentication list is validated.  My final login option is local, and I have a user with privilege level 15 specified.  However, when I configured the telnet lines to use my list configured as 'RADIUS', I got an error stating that the list didn't exist.  But when you look at the config, it is there on the vty lines.  Also, when I log in via telnet, I am not in privileged mode and I have to enter it manually.  Below is the output on the router as I configured my aaa new-model:

3825_Lab(config)#aaa group server radius RADIUS_PRIMARY
3825_Lab(config-sg-radius)#server 192.168.200.2
3825_Lab(config-sg-radius)#exit
3825_Lab(config)#aaa group server radius RADIUS_BACKUP
3825_Lab(config-sg-radius)#server 192.168.200.3
3825_Lab(config-sg-radius)#exit
3825_Lab(config)#aaa group server tacacs+ TACACS_PRIMARY
3825_Lab(config-sg-tacacs+)#server 192.168.200.4
3825_Lab(config-sg-tacacs+)#exit
3825_Lab(config)#aaa group server tacacs+ TACACS_BACKUP
3825_Lab(config-sg-tacacs+)#server 192.168.200.5
3825_Lab(config-sg-tacacs+)#exit
3825_Lab(config)#aaa authentication login RADIUS group RADIUS_PRIMARY group RADIUS_BACKUP local
3825_Lab(config)#aaa authentication login TACACS group TACACS_PRIMARY group TACACS_BACKUP local
3825_Lab(config)#lin vty 0 4
3825_Lab(config-line)#login authentication RADIUS
AAA: Warning authentication list "RADIUS" is not defined for LOGIN.  <-----------------  Huh?  Didn't I just create that list 4 lines previous?

From the 'show run' it is applied to the interface:


line vty 0 4
logging synchronous
login authentication RADIUS

Since my server groups are dummy groups, it should fail the radius lookup due to no server response and fall back to 'local' authentication.  So why when I telnet in do I get dropped into 'user exec' mode rather than 'privileged exec' mode?  My username statement is:

username admin privilege 15 password 0 admin

Any suggestions?

Regards,
Scott

1 REPLY

Re: Unexpected AAA Behavior in Lab Setup

You may need to adjust something with the authorization settings. aaa authorization exec RADIUS group RADIUS_PRIMARY group RADIUS_BACKUP local maybe?

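Following the reply's pointer to exec authorization, a saved configuration can be checked for line blocks that reference an undefined method list or have no exec authorization list at all. This is an added example, not part of the thread and not Cisco tooling; `audit_aaa`, the sample configuration and the `CONSOLE` list name are constructed for illustration.

```python
import re

# Constructed sample modelled on the lab config in the post; the console
# list name CONSOLE is hypothetical and deliberately left undefined.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login RADIUS group RADIUS_PRIMARY group RADIUS_BACKUP local
aaa authentication login TACACS group TACACS_PRIMARY group TACACS_BACKUP local
username admin privilege 15 password 0 admin
line con 0
 login authentication CONSOLE
line vty 0 4
 logging synchronous
 login authentication RADIUS
"""

DEFINE = re.compile(r"aaa (authentication login|authorization exec) (\S+)")
APPLY = re.compile(r"(login authentication|authorization exec) (\S+)")

def audit_aaa(config):
    """Return findings for line blocks whose AAA method lists are missing."""
    defined = {"login": set(), "exec": set()}
    blocks = {}      # "line vty 0 4" -> {"login": name, "exec": name}
    current = None
    for raw in config.splitlines():
        text = raw.strip()
        if raw.startswith("line "):
            current = blocks.setdefault(text, {})
        elif raw[:1].isspace() and current is not None:
            m = APPLY.match(text)          # sub-command inside a line block
            if m:
                kind = "login" if m.group(1).startswith("login") else "exec"
                current[kind] = m.group(2)
        else:
            current = None                 # back at global config level
            m = DEFINE.match(text)
            if m:
                defined[m.group(1).split()[1]].add(m.group(2))
    findings = []
    for name, used in blocks.items():
        for kind in ("login", "exec"):
            ref = used.get(kind)
            if ref is not None and ref not in defined[kind]:
                findings.append(f"{name}: {kind} list '{ref}' is not defined")
        if "exec" not in used and "default" not in defined["exec"]:
            findings.append(f"{name}: no exec authorization list applies")
    return findings
```

The parser relies on the one-space indentation that `show running-config` gives sub-commands, so a config pasted with indentation stripped needs it restored first.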