David’s Cisco Networking Blog

Nov 6 2007   4:56PM GMT

How to set up multiple Authentication groups with Cisco IOS security

David Davis

Recently, I had an email from a reader who was using a Cisco router as an SSH server on the Internet to access his Cisco rack. The users would SSH to the router and then telnet to individual ports on the router to access the Cisco equipment hanging off of the terminal server ports of the router.

For the SSH authentication, he was using a Windows IAS RADIUS server and Active Directory (AD) usernames and passwords. The problem was that once a user had logged in successfully to the router using SSH and tried to telnet to the Cisco device on a line off of the router, the user would be prompted to authenticate again. The question was how to get rid of this second prompt.

The trick is to have the vty lines authenticate with one authentication method and the physical lines authenticate with another authentication method.

Here is the configuration, showing the important parts of the code:

aaa authentication login AUTHEN group radius local
aaa authorization exec AUTHEN group radius if-authenticated

aaa authentication login TTY_LINES line none

ip host r1 2001
ip host r2 2002
ip host r3 2003
ip host r4 2004
ip host r5 2005
ip host r6 2006
ip host sw1 2007
ip host sw2 2008

interface Loopback0
 ip address

radius-server host auth-port 1645 acct-port 1646
radius-server key 7 RADIUSKEYHERE

line 1 8
 exec-timeout 0 0
 login authentication TTY_LINES
 no exec
 transport preferred telnet
 transport input all
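
An added example, not part of the original post: a small Python check that reads a configuration like the one above and reports every line block whose login method list can fall through to none, together with whether a line password is set and which inbound transports the line accepts. The sample configuration is constructed; its "line vty 0 4" block and the function name audit_line_auth are assumptions.

```python
import re

# Constructed sample modelled on the post's config. The "line vty 0 4" block
# is an assumption: the post describes the vty side but does not show it.
SAMPLE_CONFIG = """\
aaa authentication login AUTHEN group radius local
aaa authorization exec AUTHEN group radius if-authenticated
aaa authentication login TTY_LINES line none
line 1 8
 exec-timeout 0 0
 login authentication TTY_LINES
 no exec
 transport preferred telnet
 transport input all
line vty 0 4
 login authentication AUTHEN
 authorization exec AUTHEN
 transport input ssh
"""

def audit_line_auth(config):
    """Report line blocks whose login method list can fall through to 'none'."""
    method_lists, blocks, current = {}, [], None
    for raw in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)", raw)
        if m:
            method_lists[m.group(1)] = m.group(2).split()
        if raw.startswith("line "):          # start of a new line block
            current = {"line": raw.strip(), "cmds": []}
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current["cmds"].append(raw.strip())
        else:                                # any other global command ends the block
            current = None
    prefix = "transport input "
    findings = []
    for b in blocks:
        # A line with no explicit list uses the list named "default".
        name = next((c.split()[2] for c in b["cmds"]
                     if c.startswith("login authentication ")), "default")
        methods = method_lists.get(name, [])
        if "none" not in methods:
            continue
        findings.append({
            "line": b["line"], "list": name, "methods": methods,
            "line_password": any(c.startswith("password ") for c in b["cmds"]),
            "transport_input": next((c[len(prefix):] for c in b["cmds"]
                                     if c.startswith(prefix)), "unset"),
        })
    return findings
```

For the sample it returns a single finding for "line 1 8" (list TTY_LINES, no line password, transport input all), which is the trade-off the configuration makes to avoid the second prompt and is worth reviewing alongside which interfaces can reach those lines.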

Personal Website: HappyRouter.com – home of Cisco how-to articles & videos