12-11-2011 04:40 PM - edited 03-04-2019 02:35 PM
Can anyone give me an example of an AAA configuration for local database and active directory? I've configured it for active directory to supply for my VPN clients (which still don't work by the way) and now I can't SSH into my router with either a AD or local account. All I can do right now is hook up a console cable. Any help is appreciated. Thanks!
12-11-2011 06:04 PM
You need to configure your AD server for RADIUS, this article explains how:
http://www.tech-recipes.com/rx/1478/how-to-setup-ias-to-use-radius-to-authenticate-cisco-device/
Then, you can apply the AAA commands in the routers such as:
aaa new-model
aaa authentication login default group radius local
aaa authorization network default group radius local
aaa accounting exec default start-stop group radius
username xxxx priv 15 password xxx
radius-server host x.x.x.x key xxxxx
12-12-2011 11:31 AM
OK, that got me most of the way done. However, it only works with console-based login. If I try to log in via SSH, I'm only able to get to User Exec mode. When I try to enter privilege mode, I get "error in authentication". That is only when I use a domain account. If I try to use a local account on the router, it acts like I don't have the right password or something.
12-12-2011 01:53 PM
Robert
From your description of the symptoms I am guessing that you have AAA authentication working the same for the VPN authentication and for SSH login authentication and that Radius/AD are authenticating you for user mode but not for enable mode.
My suggestion would be to specify a named method (other than default) for either VPN or for vty and to use Radius/AD for VPN and to use local for vty.
HTH
Rick
12-12-2011 02:44 PM
So, I can't use AAA for both VPN users and vty?
12-12-2011 05:04 PM
OK, here is what I have right now. I know it looks pretty simple, but I am just starting to learn this stuff. Can you give me an example of separating the two? I'd like to use the same source (Active Directory, local as backup) to authenticate VPN users and SSH users, if possible.
aaa new-model
!
!
aaa group server radius RadiusServers
server 192.168.1.252 auth-port 1812 acct-port 1813
!
aaa authentication login default group RadiusServers local
aaa authorization network default group RadiusServers local
aaa accounting exec default start-stop group RadiusServers
aaa session-id common
12-12-2011 09:12 PM
Robert
When I was actively teaching Cisco classes I would sometimes make a point about the difference between what you CAN do and what you SHOULD do. I think that reminder is appropriate here.
You ask: "So, I can't use AAA for both VPN users and vty?"
and I respond yes you CAN but perhaps not that you SHOULD.
The config that you post is pretty clear that you are using Radius to configure authentication for both VPN and for vty. And according to your post that is creating a problem. So I suggest that perhaps you SHOULD specify different AAA authentication for VPN and for vty.
You have stated pretty clearly that: "I'd like to use the same source (Active Directory, local as backup) to authenticate VPN users and SSH users, if possible."
That should be possible and if you want to do this then you need to do some troubleshooting about why Radius is not authenticating you for privilege mode.
I am guessing that your original setup was using local authentication for SSH access. And I suggest that the easy solution is to continue using local authentication for vty and to use Radius for VPN.
HTH
Rick
12-12-2011 09:19 PM
Rick,
That would seem the logical, easy choice. However, the "login local" option is no longer available under vty. Is this normal once any AAA is configured?
12-12-2011 09:34 PM
Robert
Yes it is normal that when you configure aaa new-model that login local is no longer an option on the vty. But there is then an option to specify an authentication "named method" for authentication on the vty. The config might look something like this:
line vty 0 4
login authentication vty_auth
aaa authentication login vty_auth local
HTH Rick
12-12-2011 09:39 PM
Yeah, I saw that and tried to use the "default" AAA I configured for VPN. With those two statements or without, I still had the same problem when using SSH. What doesn't make sense to me is that Radius works great when using the console port or VPN. Yet it fails on SSH with no errors on the IAS server. Regardless, I guess I'll have to stick with a different local method until I understand this more. Thanks for your help though. I appreciate it.
12-12-2011 09:57 PM
Robert
I am glad that my suggestions have been helpful to you. Thank you for using the rating system to mark this question as answered (and thanks for the points). It makes the forum more useful when people can read an issue and can know that a response did lead to a solution. Your marking has contributed to this.
In re-reading this thread I realize that you say that the problem is authenticating to privilege mode. But you have not shown us what (if anything) in your config of AAA controls authentication for privilege mode. So a couple of questions come to mind:
- is there an enable secret (or enable password) configured on the router?
- is there anything in your aaa configuration that controls privilege mode?
- perhaps you could post your config for aaa and your config for line con 0 and for the line vty
HTH
Rick
12-13-2011 07:48 AM
Sure thing. I didn't even know you could control privilege mode from AAA. Below is what you requested. What is more interesting is that from a console port, I can only use radius credentials. Even though below you see a username created with priv 15, it doesn't recognize it. It gives me the "error in authentication" when trying to enter priv mode. I wonder, would the ip domain-name being different from the domain the radius server is authenticating with cause this issue?
aaa group server radius RadiusServers
server 192.168.1.252 auth-port 1812 acct-port 1813
!
aaa authentication login default group RadiusServers local
aaa authentication login vty_ssh local
aaa authorization network default group RadiusServers local
aaa accounting exec default start-stop group RadiusServers
aaa session-id common
username craigrobertlee privilege 15 password 7 XXXXXXXXXXX
radius-server host 192.168.1.252 auth-port 1812 acct-port 1813 key 7 XXXXXX
line con 0
line aux 0
no exec
line vty 0 4
access-class 12 in
exec-timeout 0 0
login authentication vty_ssh
transport input ssh
transport output none
12-13-2011 09:37 AM
Robert
The domain name (same or different) is not causing any of these issues.
Thanks for posting additional information. It makes it clear why you are only able to use Radius when logging in on the console. The console is using the default login authentication which is Radius. And as long as Radius is available it will not recognize the local ID and password. You should be able to configure the console to use the vty_ssh method similar to what you did for the vty.
If you want to control privilege mode from aaa you might try something like this
aaa authentication enable default enable
and this will prompt for the enable password which should be configured on the router.
Give that a try and let us know how it works.
Also I would suggest that when making this kind of change in configuration there is some possibility that you could do something that might lock you out of the router. So I would not do any write mem or copy running startup until you are sure that the config changes are not having unexpected results.
HTH
Rick
12-13-2011 10:12 AM
OK, now some magic is happening. I am now able to get in SSH with a local account and then it prompts me for the enable password, which is great. So, for giggles, I changed
aaa authentication login vty_ssh local
to
aaa authentication login vty_ssh group RadiusServers local
Now I am able to SSH with my AD account, and then it prompts me for the enable password. So, just so I know, if my IAS server behind my firewall dies and AAA can't contact it, the router will automatically use its local database to authenticate VPN, Console, and SSH?
12-13-2011 10:30 AM
Robert
Yes the router now has a primary method for authentication which is Radius and a backup method of authentication which is local. The router will attempt the primary method (Radius) and if it is not available then it will use its backup method.
If I am following your changes correctly I believe that now the default authentication method and the vty_ssh method are doing the same thing - using Radius as primary and local as the backup. So perhaps you do not need the vty_ssh method?
HTH
Rick
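The thread converges on a working layout piece by piece (named login method for the vty, the same method for the console, an enable method list, RADIUS with local fallback). The consolidated configuration below is an added example written for this thread, not Robert's posted config or a Cisco reference configuration; the server address and ACL number are taken from the thread, while the enable secret, local username and RADIUS key are placeholders. One caveat that the question about the IAS server dying touches on: IOS moves to the next method in a list only when the previous method returns an error (RADIUS unreachable or timed out), not when RADIUS actively rejects the credentials, so a wrong AD password is not retried against the local database.

```cisco
! Added example for this thread, not the original poster's configuration.
! Placeholders: <ENABLE-SECRET>, <LOCAL-PASSWORD>, <RADIUS-KEY>.
!
! --- global AAA ---
aaa new-model
!
aaa group server radius RadiusServers
 server 192.168.1.252 auth-port 1812 acct-port 1813
!
! One named login method for management access (console and vty):
! RADIUS first; the local user database is consulted only if RADIUS
! does not answer. A RADIUS reject ends the attempt without trying local.
aaa authentication login mgmt_login group RadiusServers local
!
! Default lists stay as they were for the VPN clients.
aaa authentication login default group RadiusServers local
aaa authorization network default group RadiusServers local
aaa accounting exec default start-stop group RadiusServers
!
! Privilege mode: prompt for the router's own enable secret, as Rick
! suggested. Without an enable method list and an enable secret, the
! "error in authentication" seen in the thread is the usual symptom.
aaa authentication enable default enable
enable secret <ENABLE-SECRET>
!
! Local fallback account. "secret" stores a one-way hash; the "password 7"
! form in the posted config is a reversible encoding, so prefer "secret".
username admin-local privilege 15 secret <LOCAL-PASSWORD>
!
radius-server host 192.168.1.252 auth-port 1812 acct-port 1813 key <RADIUS-KEY>
! Short timeout/retry so the local fallback kicks in quickly when IAS is down.
radius-server timeout 3
radius-server retransmit 2
!
! --- lines: console and vty use the same named method ---
line con 0
 login authentication mgmt_login
line vty 0 4
 access-class 12 in
 login authentication mgmt_login
 transport input ssh
 transport output none
```

To apply this without risking the lockout Rick warns about, enter `reload in 10` from the console before making the changes, then open a second SSH session and test one AD account and the local account, including the enable step; if both work, `reload cancel` and only then `write memory`. If a login unexpectedly falls through to a reject rather than to the local user, `debug aaa authentication` and `debug radius` show whether RADIUS answered with a reject or simply did not answer, which is the distinction that decides whether the `local` method is ever reached.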