using radius to authenticate telnet sessions

Status
Not open for further replies.

eclidad (Technical User), Jan 5, 2005
Hi,

We are having problems getting our radius authentication running. Right now we only use it for VPN connections. My understanding is that I can only test this from outside our office. This despite the fact we have 2 wan connections on our 1841. It would be nice to go out one and back in the other and do it all from the comfort of my desk. Plan B is to set up a user that needs RADIUS to authenticate a telnet session to the router. Then I could snoop packets and debug much faster. What "aaa" and "username" commands do I need to enter to support this? This is what I have now:

aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen group radius local
aaa authorization exec default local
aaa authorization network groupauthor local
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor


Thanks,
- Joel
 
I found what I needed but not what I was hoping for. If you do

aaa authentication login default group radius local

It checks in with the radius server. I wanted to see this happen before I headed out of the office. More than that, I wanted responses to get back to the router. What I'd like to see is that it first looks in radius and if that fails it looks in the local database. The user to manage the server is not in radius. For now we only use radius to manage accounts that will use the VPN.

- Joel
 
This is the expected behaviour. The AAA lists are in order of preference - i.e. 'radius local' as you have. Radius is tried first; assuming the radius server is operational (i.e. it's online and the keys are correct), a user logon challenge will result in a Pass or a Fail. If it's a Pass then the user authenticates; if it's a Fail then the user gets a failed authentication. If the Radius server is offline or you have misconfigured the keys then the Radius server will effectively not respond. In this case the router will try the next option in the list - in your case 'local'. If there is a local user configured then you will pass authentication; if the user is not configured or the password is wrong then you fail.
There used to be a 'local override' option but this was removed a long time ago (maybe IOS 12.0?).

This is just how it works. Add the user to Radius.

Andy
 