AAA Config

Robert Craig (Level 3)

Can anyone give me an example of an AAA configuration for local database and Active Directory? I've configured it for Active Directory to supply for my VPN clients (which still don't work, by the way) and now I can't SSH into my router with either an AD or local account. All I can do right now is hook up a console cable. Any help is appreciated. Thanks!


16 Replies

Edison Ortiz (Hall of Fame)

You need to configure your AD server for RADIUS, this article explains how:

http://www.tech-recipes.com/rx/1478/how-to-setup-ias-to-use-radius-to-authenticate-cisco-device/

Then, you can apply the AAA commands in the routers such as:

aaa new-model
aaa authentication login default group radius local
aaa authorization network default group radius local
aaa accounting exec default start-stop group radius
username xxxx priv 15 password xxx
radius-server host x.x.x.x key xxxxx

OK, that got me most of the way done. However, it only works with console-based login. If I try to log in via SSH, I'm only able to get to User Exec mode. When I try to enter privilege mode, I get "error in authentication". That is only when I use a domain account. If I try to use a local account on the router, it acts like I don't have the right password or something.

Robert

From your description of the symptoms I am guessing that you have AAA authentication working the same for the VPN authentication and for SSH login authentication and that Radius/AD are authenticating you for user mode but not for enable mode.

My suggestion would be to specify a named method (other than default) for either VPN or for vty and to use Radius/AD for VPN and to use local for vty.

HTH

Rick


So, I can't use AAA for both VPN users and vty?

OK, here is what I have right now. I know it looks pretty simple, but I am just starting to learn this stuff. Can you give me an example of separating the two? I'd like to use the same source (Active Directory, local as backup) to authenticate VPN users and SSH users, if possible.

aaa new-model
!
aaa group server radius RadiusServers
 server 192.168.1.252 auth-port 1812 acct-port 1813
!
aaa authentication login default group RadiusServers local
aaa authorization network default group RadiusServers local
aaa accounting exec default start-stop group RadiusServers
aaa session-id common

Robert

When I was actively teaching Cisco classes I would sometimes make a point about the difference between what you CAN do and what you SHOULD do. I think that reminder is appropriate here.

You ask: "So, I can't use AAA for both VPN users and vty?"

and I respond: yes, you CAN, but perhaps not that you SHOULD.

The config that you post is pretty clear that you are using Radius to configure authentication for both VPN and for vty. And according to your post that is creating a problem. So I suggest that perhaps you SHOULD specify different AAA authentication for VPN and for vty.

You have stated pretty clearly that: "I'd like to use the same source (Active Directory, local as backup) to authenticate VPN users and SSH users, if possible."

That should be possible and if you want to do this then you need to do some troubleshooting about why Radius is not authenticating you for privilege mode.

I am guessing that your original setup was using local authentication for SSH access. And I suggest that the easy solution is to continue using local authentication for vty and to use Radius for VPN.

HTH

Rick


Rick,

That would seem the logical, easy choice. However, the "login local" option is no longer available under vty. Is this normal once any AAA is configured?

Robert

Yes it is normal that when you configure aaa new-model that login local is no longer an option on the vty. But there is then an option to specify an authentication "named method" for authentication on the vty. The config might look something like this:

aaa authentication login vty_auth local
!
line vty 0 4
 login authentication vty_auth

HTH Rick


Yeah, I saw that and tried to use the "default" AAA I configured for VPN. With those two statements or without, still had same problem when using SSH. What doesn't make sense to me is that Radius works great when using console port or VPN. Yet, fails on SSH with no errors on IAS server. Regardless, I guess I'll have to stick with a different local method until I understand this more. Thanks for your help though. I appreciate it.

Robert

I am glad that my suggestions have been helpful to you. Thank you for using the rating system to mark this question as answered (and thanks for the points). It makes the forum more useful when people can read an issue and can know that a response did lead to a solution. Your marking has contributed to this.

In re-reading this thread I realize that you say that the problem is authenticating to privilege mode. But you have not shown us what (if anything) in your config of AAA controls authentication for privilege mode. So a couple of questions come to mind:

- is there an enable secret (or enable password) configured on the router?

- is there anything in your aaa configuration that controls privilege mode?

- perhaps you could post your config for aaa and your config for line con 0 and for the line vty

HTH

Rick


Sure thing. I didn't even know you could control privilege mode from AAA. Below is what you requested. What is more interesting is that from a console port, I can only use RADIUS credentials. Even though below you see a username created with priv 15, it doesn't recognize it. It gives me the "error in authentication" when trying to enter priv mode. I wonder, would the ip domain-name being different from the domain the RADIUS server is authenticating with cause this issue?

aaa group server radius RadiusServers
 server 192.168.1.252 auth-port 1812 acct-port 1813
!
aaa authentication login default group RadiusServers local
aaa authentication login vty_ssh local
aaa authorization network default group RadiusServers local
aaa accounting exec default start-stop group RadiusServers
aaa session-id common
!
username craigrobertlee privilege 15 password 7 XXXXXXXXXXX
radius-server host 192.168.1.252 auth-port 1812 acct-port 1813 key 7 XXXXXX
!
line con 0
line aux 0
 no exec
line vty 0 4
 access-class 12 in
 exec-timeout 0 0
 login authentication vty_ssh
 transport input ssh
 transport output none

Robert

The domain name (same or different) is not causing any of these issues.

Thanks for posting additional information. It makes it clear why you are only able to use Radius when logging in on the console. The console is using the default login authentication which is Radius. And as long as Radius is available it will not recognize the local ID and password. You should be able to configure the console to use the vty_ssh method similar to what you did for the vty.

If you want to control privilege mode from aaa you might try something like this:

aaa authentication enable default enable

This will prompt for the enable password, which should be configured on the router.

Give that a try and let us know how it works.

Also I would suggest that when making this kind of change in configuration there is some possibility that you could do something that might lock you out of the router. So I would not do any write mem or copy running startup until you are sure that the config changes are not having unexpected results.

HTH

Rick


OK, now some magic is happening. I am now able to get in SSH with a local account and then it prompts me for the enable password, which is great. So, for giggles, I changed

aaa authentication login vty_ssh local

to

aaa authentication login vty_ssh group RadiusServers local

Now I am able to SSH with my AD account, and then it prompts me for the enable password. So, just so I know, if my IAS server behind my firewall dies and AAA can't contact it, the router will automatically use its local database to authenticate VPN, Console, and SSH?

Robert

Yes the router now has a primary method for authentication which is Radius and a backup method of authentication which is local. The router will attempt the primary method (Radius) and if it is not available then it will use its backup method.

If I am following your changes correctly I believe that now the default authentication method and the vty_ssh method are doing the same thing - using Radius as primary and local as the backup. So perhaps you do not need the vty_ssh method?

HTH

Rick

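A consolidated version of the configuration this thread arrives at, written here as an added example rather than the poster's running config: the default list (console and VPN) and the vty_ssh list both use RADIUS first with local as the backup, and privilege mode is authenticated against the enable secret as Rick suggested. The local username, enable secret and RADIUS key are placeholders; one caveat worth knowing is that IOS only falls through to the next method when the RADIUS server does not respond at all, so a reject from a reachable server is final and the local database is not consulted.

```cisco
! Added example, not the poster's config. Names in <angle brackets> are placeholders.
aaa new-model
!
aaa group server radius RadiusServers
 server 192.168.1.252 auth-port 1812 acct-port 1813
!
! Default login list: used by the console and by VPN clients.
! "local" is tried only if no RADIUS server answers; a RADIUS reject is final.
aaa authentication login default group RadiusServers local
! Separate named list for the SSH lines. Same order today, but keeping it
! separate lets the vty behaviour be changed without touching VPN or console.
aaa authentication login vty_ssh group RadiusServers local
! Privilege mode: prompt for the locally configured enable secret.
aaa authentication enable default enable
aaa authorization network default group RadiusServers local
aaa accounting exec default start-stop group RadiusServers
aaa session-id common
!
enable secret <ENABLE_SECRET>
! "secret" stores a hash; "password 7" is only reversible obfuscation.
username <LOCAL_ADMIN> privilege 15 secret <LOCAL_PASSWORD>
radius-server host 192.168.1.252 auth-port 1812 acct-port 1813 key <RADIUS_KEY>
!
line con 0
 login authentication vty_ssh
line aux 0
 no exec
line vty 0 4
 access-class 12 in
 login authentication vty_ssh
 transport input ssh
 transport output none
```

Keep a console session open while applying this and, as Rick notes, do not save to startup-config until a fresh SSH login with both a local and an AD account has been confirmed.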