Cisco Support Community
Community Member

vty access

Experts,

I have a weird problem in accessing my virtual terminals.

The router has been configured to authenticate via RADIUS. All was going well for more than 1 year until last week.

I can authenticate via RADIUS from the console but not from vty 0-4. No changes have been made to the configuration.

Any suggestions?

Thanks,

k0rg

7 REPLIES

Re: vty access

Hi Joseph,

Can you please post your AAA configuration and line vty configuration.

Thanks in Advance.

Regards,

Guru Prasad R

Hall of Fame Super Gold

Re: vty access

k0rg

I agree that seeing the config would be the best place to start. If we do not identify the problem from that it would be helpful if you would run debug aaa authentication and debug radius authentication, attempt to access via vty, and post the debug output.

HTH

Rick

Community Member

Re: vty access

Hi,

Here is my aaa configuration. I can log in from the console and authenticate my session via RADIUS. It's only the virtual lines that I have to deal with.

aaa authentication login SECURE group radius local
aaa authentication login console-access none
aaa authentication enable default group radius enable
aaa accounting exec default start-stop group radius
aaa accounting commands 15 default stop-only group radius
aaa accounting system default start-stop group radius

line con 0
 exec-timeout 5 0
 stopbits 1
line vty 0 15
 session-timeout 10
 access-class myAdmin in
 exec-timeout 5 0
 timeout login response 180
 password 7 xxxxxxxxxxxx
 login authentication SECURE
 transport input ssh

Thanks,

K0rG

Re: vty access

Hi, [Pls Rate all Informative POST]

Under the line vty configuration:

"access-class myAdmin in" is being matched. Ensure the source segment from where you are trying to access is not denied.

Also, can you make your line vty configuration simpler, as below, in order to check:

line vty 0 4
 exec-timeout 3 0
 password 7 xxxxxxxxxxxxx
 login authentication vty

Below is a sample TACACS+ configuration for your reference. You can modify the same for RADIUS authentication:

aaa new-model
aaa authentication login vty group tacacs+ local
aaa authentication login conuser group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization network default group radius
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group radius
aaa session-id common

Pls Rate all Informative POST

Best Regards,

Guru Prasad R

Hall of Fame Super Gold

Re: vty access

K0rG

There are some aspects of the config that you posted that puzzle me:

- there is an aaa authentication method list for console-access, but this is not referenced on the console config that you included.

- without any authentication commands configured under line con 0, it should be using aaa authentication login default. But there is no default method list configured.

- are you sure that your login to the console is authenticated by RADIUS? Is it possible that the console is authenticated locally, or is not authenticated at all?

Anything that you can tell us that would clarify these would be helpful.

Can you tell if attempts to authenticate on the vty are getting to the RADIUS server? Are there entries in the logs that would verify what response the RADIUS server generated for these attempts?

HTH

Rick

Community Member

Re: vty access

Hi Rick,

My apologies, but the console line is authenticated through 'console-access' in the aaa configuration.

Thanks,

K0rg

Hall of Fame Super Gold

Re: vty access

K0rg

If the console authentication is through "console-access" which says:

aaa authentication login console-access none

then its authentication is "none" and it does not go to the RADIUS server for authentication.

The vty lines do go to RADIUS for authentication. So that brings me back to my question about whether there is anything in the logs on the RADIUS server that indicates whether the RADIUS server is seeing any authentication requests from the vty.

I would also suggest that it might help us get to understanding the problem if you would run

debug aaa authentication
debug radius authentication

then attempt to log in through the vty and post the debug output.

HTH

Rick
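To make the mismatch Rick points out checkable rather than eyeballed, here is an added example (not from the thread, not Cisco code) that parses an IOS-style running-config and flags the three conditions discussed above: a line that falls back to an undefined default login list, a line whose list is "none", and a list that is defined but applied to no line. The sample config is constructed from the posted one; the method-list and ACL names are the poster's, everything else is illustrative.

```python
import re
# Constructed sample modelled on the thread's posted config (names from the post, rest illustrative).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login SECURE group radius local
aaa authentication login console-access none
aaa authentication enable default group radius enable
line con 0
 exec-timeout 5 0
line vty 0 15
 access-class myAdmin in
 login authentication SECURE
"""

def parse_ios(config):
    """Return ({list name: methods}, {line: {sub-command: args}}) from an IOS config."""
    methods, sections, current = {}, {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            # "login authentication SECURE" -> key "login", args "authentication SECURE"
            key, _, args = raw.strip().partition(" ")
            sections[current][key] = args
        elif raw.startswith("line "):
            current = raw[5:].strip()
            sections[current] = {}
        else:
            current = None
            m = re.match(r"aaa authentication login (\S+) (.+)", raw)
            if m:
                methods[m.group(1)] = m.group(2).split()
    return methods, sections

def audit(config):
    """Flag the AAA mismatches discussed in the thread as a list of strings."""
    methods, sections = parse_ios(config)
    findings, referenced = [], set()
    for name, cfg in sections.items():
        login = cfg.get("login", "").split()
        # With aaa new-model, a line without 'login authentication X' uses the default list.
        used = login[1] if len(login) == 2 and login[0] == "authentication" else "default"
        referenced.add(used)
        if used not in methods:
            findings.append(f"line {name}: method list '{used}' is not defined")
        elif methods[used] == ["none"]:
            findings.append(f"line {name}: method list '{used}' is 'none', so no authentication happens")
    for name in methods:
        if name != "default" and name not in referenced:
            findings.append(f"method list '{name}' is defined but applied to no line")
    return findings
```

Run against the sample, it reports the console falling back to a nonexistent default list and console-access being unused; once "login authentication console-access" is added under line con 0, it instead reports that the console has no authentication at all, which is the state the poster later confirmed.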
