I've made my Cisco 2511 authenticate dialin users with RADIUS BUT...

Status
Not open for further replies.

danclark

IS-IT--Management
Apr 9, 2001
46
NZ
The problem here is that after setting up an Async Group to authenticate dialin users with my RADIUS server, I can't log into either a telnet session or even the console.
I get prompted for a username and a password instead of just the password.
I can't see how I could create a user account on the RADIUS to let me into the router. Tailing the logs, it tells me that the user I have entered in the telnet/console line has been denied access. I tried using my Windows account, which appears on the RADIUS server, but to no avail.

Any ideas would be very helpful. It would appear that the RADIUS authentication lines in my config are being applied to the security of the whole router instead of just my Async Group...
I would supply a config but can't get back into the router unless I reboot into a different config-reg.
 
Here is my configuration.


aaa new-model
aaa authentication login admins local
aaa authentication ppp dialins group radius local
aaa authorization exec default local
aaa authorization network dialins group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group radius
enable secret 5 [password deleted]
!
username user password 7 [password deleted]



If I'm not mistaken, the exec default local is the key to getting the system to accept the login (along with the username and password). Without that the router will attempt to connect to the RADIUS server to authenticate you. This would be a problem if the router lost communication with the RADIUS server: you would not be able to get into the router. Once this is enabled you have to type in your local user name and password in order for you to get to the router. I'm not sure if there is a different way to do this, but I got the config off the Cisco site when I was configuring RADIUS.



david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*
 
do you have authorization set up for that user?

i.e.


LINE ACCESS (CONSOLE + AUX)

username gconnect privilege 15 password likeiwouldtellu

aaa new-model
aaa authentication login default local
aaa authorization exec default local (and/or 'if-authenticated' if need be for testing)

line vty 0 4
login local
-or-
login authentication (aaa group-tag)

INTERFACE ACCESS

aaa authentication ppp dialupusers group radius
aaa authorization network dialupaccess group radius

interface async1
encap ppp
ppp authentication pap dialupusers
ppp authorization dialupaccess
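
An added example (not part of any post in this thread, and not Cisco's code): a small Python check that resolves which `aaa authentication login` method list each `line` block actually uses, and flags lists that depend on a remote server with no local fallback. The sample config and the finding labels are constructed for illustration, and the parser covers only the commands discussed in this thread.

```python
import re

# Constructed sample config (not the poster's): the default login list is
# RADIUS-only, and only the vty lines are pinned to a local-only list.
SAMPLE = """\
aaa new-model
aaa authentication login default group radius
aaa authentication login admins local
aaa authentication ppp dialins group radius local
line con 0
line aux 0
 login authentication dialins
line vty 0 4
 login authentication admins
"""

REMOTE = {"group", "radius", "tacacs+"}          # methods that need a server
FALLBACKS = {"local", "local-case", "enable", "line", "none"}

def audit_login_lists(config):
    """Return {line_block: (list_name, methods, finding)} for each 'line' block."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:                                    # login method list definition
            lists[m.group(1)] = m.group(2).split()
        elif re.match(r"line \S+", text) and not raw.startswith(" "):
            current = text                       # new line block
            lines[current] = "default"           # used unless overridden below
        elif raw.startswith(" ") and current:
            m = re.match(r"login authentication (\S+)", text)
            if m:
                lines[current] = m.group(1)
        else:
            current = None                       # any other top-level command
    report = {}
    for line, name in lines.items():
        methods = lists.get(name)                # ppp lists are a separate namespace
        if methods is None:
            finding = "undefined-list"           # no login list with that name
        elif REMOTE & set(methods) and not FALLBACKS & set(methods):
            finding = "remote-only"              # lockout if the server is unreachable
        else:
            finding = "ok"
        report[line] = (name, methods, finding)
    return report

if __name__ == "__main__":
    for line, result in audit_login_lists(SAMPLE).items():
        print(line, result)
```

In the constructed sample the console inherits the RADIUS-only `default` list, and the aux line references a `ppp` list name that does not exist as a `login` list.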

 
hi
If you make a username and password in your billing system, maybe you can log in to your router.
bye
 