It is my understanding that if RADIUS does not authenticate the user then RADIUS cannot authorize the user, since authentication and authorization are done together in RADIUS. Since your aaa CONSOLE_LOGIN authenticates locally and not with RADIUS, I believe that this is your problem. Perhaps you could try configuring it like this and see if it works better:
aaa authentication login CONSOLE_LOGIN group radius enable
This is odd and I wish that I had a better explanation. In reading your original post I thought that it should work for a couple of reasons, but since you indicate that it was not working I was trying to suggest something that would work. If my workaround does not accomplish what you need then we need to go back to try something else.
In general IOS devices do not do authorization on the console connection. So I am surprised that you are getting an authorization error on the console. So I would ask that you check and verify that there are no commands in the config that specify authorization on the console. Perhaps you could post the output of show run | include author
And in general I would expect that specifying if-authenticated in the command
aaa authorization exec default group radius if-authenticated
would allow it to work. I remember working with a router (quite a while back) where if-authenticated did not work as it should. A code upgrade fixed the problem for me then. And so I might suggest that you try a different version of code on the switch where you are having the problem.
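The check suggested in the replies above (look for console authorization, then compare the console's login method list with the exec authorization method list) can be scripted against a saved running-config. This is an added example, not code from the thread: the sample config is constructed, the finding names are made up for illustration, and `aaa authorization console` is the IOS global command that enables authorization on the console line.

```python
import re

# Constructed sample running-config (not taken from the original thread).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login CONSOLE_LOGIN local
aaa authorization console
aaa authorization exec default group radius if-authenticated
line con 0
 login authentication CONSOLE_LOGIN
line vty 0 4
 transport input ssh
"""

def method_lists(config, kind):
    """Map list name -> methods for 'aaa <kind> <name> <methods...>' lines."""
    lists = {}
    for m in re.finditer(rf"^aaa {kind} (\S+) (.+)$", config, re.M):
        lists[m.group(1)] = m.group(2).split()
    return lists

def console_settings(config):
    """Return the method-list names applied under 'line con 0'."""
    settings, in_con = {}, False
    for line in config.splitlines():
        if not line.startswith(" "):
            in_con = line.strip() == "line con 0"
        elif in_con:
            m = re.match(r"\s+(login authentication|authorization exec) (\S+)", line)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings

def audit_console(config):
    """Flag console authorization and a RADIUS authz / non-RADIUS authn mismatch."""
    findings = []
    authn = method_lists(config, "authentication login")
    authz = method_lists(config, "authorization exec")
    con = console_settings(config)
    authn_methods = authn.get(con.get("login authentication", "default"), [])
    authz_methods = authz.get(con.get("authorization exec", "default"), [])
    console_authz = re.search(r"^aaa authorization console\s*$", config, re.M) is not None
    if console_authz:
        findings.append("console-authorization-enabled")
    if console_authz and "radius" in authz_methods and "radius" not in authn_methods:
        findings.append("radius-authz-without-radius-authn")
    return findings
```

Running `audit_console()` on the output of `show run` flags the combination described in the first reply; whether `if-authenticated` masks it depends on the software version, as the second reply notes.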