Community Member

authenticate telnet access locally

Hi,

I'm trying to authenticate telnet access to my core switch, a 4503, but to no avail. I've tried the same config on a 3560 switch and, amazingly, it worked fine.

I know it's a straightforward config, but it bugged me.

1- create username/password

2- under line vty --> login local

any suggestions !!!

3 REPLIES
Hall of Fame Super Silver

Re: authenticate telnet access locally

Hello Abu,

the config is fine but only if your device is not already using aaa new-model

you can verify with

sh run | inc aaa

if you find a line like

aaa new-model

you need to declare a list of authentication methods:

conf t

aaa authentication login default local

aaa authentication enable default enable

or

aaa authentication login Locale local

line vty 0 4

login authentication Locale

Or you do:

no aaa new-model

and use the classic pre-AAA config

Hope to help

Giuseppe

Community Member

Re: authenticate telnet access locally

Hi Giuseppe,

Thanks for your input.

I've tried both ways,

1- with ** aaa new-model ** approach

I got the error msg ** % Authentication failed. **

2- with ** login local ** approach

I got the error msg ** % Login invalid **

any comments !!

Hall of Fame Super Silver

Re: authenticate telnet access locally

Hello Abu,

1) % Authentication failed.

Make sure the device is not asking a TACACS+ or RADIUS server first.

The aaa authentication login command provides an ORDERED list of methods: the first method is used, and only if it is unavailable is the second used:

example:

aaa authentication login default tacacs local

The local method is used only if the TACACS server is not configured or is unreachable. During AAA tests I had to use tricks to verify the fallback to local mode when the server cannot answer.

Use multiple vty sessions to test; this is really handy.

Also it can be useful to know the supervisor model and IOS version you are running

For example on our 4506s we have:

aaa new-model

aaa authentication login ACS group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa accounting update newinfo

aaa accounting exec ACS start-stop group tacacs+

aaa accounting commands 1 ACS start-stop group tacacs+

aaa accounting commands 15 ACS start-stop group tacacs+

!

aaa session-id common

line vty 0 3

access-class 24 in

exec-timeout 15 0

accounting commands 1 ACS

accounting commands 15 ACS

accounting exec ACS

login authentication ACS

Hope to help

Giuseppe
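
Added example, not part of the thread: a small Python check that reads a saved running-config and reports, for each vty block, which login method list applies and whether local is the first method or only a fallback, which is the distinction the replies above turn on. The sample config, the function names and the simplified resolution rule (per-line list if present, otherwise the default list once aaa new-model is on) are assumptions made for this illustration.

```python
import re

# Constructed sample running-config; list names and the secret are made up.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login Locale local
username admin secret 0 EXAMPLE-ONLY
line vty 0 3
 login authentication Locale
line vty 4
"""

def split_methods(text):
    """Turn 'group tacacs+ local' into ['group tacacs+', 'local'], keeping order."""
    tokens, methods = text.split(), []
    while tokens:
        tok = tokens.pop(0)
        methods.append(f"{tok} {tokens.pop(0)}" if tok == "group" and tokens else tok)
    return methods

def vty_login_audit(config):
    """Map each 'line vty' block to (source, ordered methods, role of 'local')."""
    aaa = re.search(r"^aaa new-model\s*$", config, re.M) is not None
    lists = {m.group(1): split_methods(m.group(2))
             for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M)}
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):      # a new top-level command ends the block
            current = line.strip() if line.startswith("line vty") else None
            if current:
                blocks[current] = []
        elif current:
            blocks[current].append(line.strip())
    report = {}
    for name, body in blocks.items():
        if aaa:                           # per-line list, else the default list
            ref = next((b.split()[-1] for b in body
                        if b.startswith("login authentication ")), "default")
            source, methods = f"aaa list {ref}", lists.get(ref, [])
        else:                             # classic pre-AAA 'login local'
            source, methods = "line config", (["local"] if "login local" in body else [])
        if not methods:
            role = "no login method found in config"
        elif "local" not in methods:
            role = "local not used"
        else:
            role = "local first" if methods[0] == "local" else "local only as fallback"
        report[name] = (source, methods, role)
    return report
```

Calling `vty_login_audit()` on the text of a `show running-config` capture returns one entry per vty block; a result of "local only as fallback" means local usernames are tried only when the earlier methods cannot answer.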
