David’s Cisco Networking Blog

Nov 6 2007   4:56PM GMT

How to set up multiple Authentication groups with Cisco IOS security

David Davis

Recently, I had an email from a reader who was using a Cisco router as an SSH server on the Internet to access his Cisco rack. The users would SSH to the router and then telnet to individual ports on the router to access the Cisco equipment hanging off the terminal server ports of the router.

For the SSH authentication, he was using a Windows IAS RADIUS server and Active Directory (AD) usernames and passwords. The problem was, once the user logged in successfully to the router using SSH and tried to telnet to the Cisco device on a line off of the router, the user would be prompted to authenticate again. The question was to find a way to get rid of this.

The trick is to give the vty lines (the SSH sessions) one AAA login method list and the physical async lines (the terminal server ports reached by reverse telnet) a different one, so a user who has already authenticated over SSH is not challenged a second time by the RADIUS server when connecting to a line.

Here are the important parts of the configuration:

! Method list for the vty (SSH) lines: try RADIUS first, fall back to the
! local user database if the RADIUS server cannot be reached.
aaa authentication login AUTHEN group radius local
aaa authorization exec AUTHEN group radius if-authenticated
!
! Method list for the physical async lines: use the line password if one is
! configured, otherwise require no authentication at all.
aaa authentication login TTY_LINES line none
!
! Reverse telnet targets: TCP port 2000 + line number on the router's loopback
! lands on the console of the device attached to that line.
ip host r1 2001 10.1.1.1
ip host r2 2002 10.1.1.1
ip host r3 2003 10.1.1.1
ip host r4 2004 10.1.1.1
ip host r5 2005 10.1.1.1
ip host r6 2006 10.1.1.1
ip host sw1 2007 10.1.1.1
ip host sw2 2008 10.1.1.1
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
radius-server host 192.168.14.14 auth-port 1645 acct-port 1646
radius-server key 7 RADIUSKEYHERE
!
! Async lines 1-8 use the TTY_LINES list instead of the RADIUS-backed one.
line 1 8
 exec-timeout 0 0
 login authentication TTY_LINES
 no exec
 transport preferred telnet
 transport input all
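The fragment above leaves out the pieces that tie it together. The following is an added example, not the post's own configuration: it adds `aaa new-model`, binds the AUTHEN list to the vty lines, and, because `line none` means the async lines accept connections with no login, restricts those lines to connections from the router itself with an access-class. The ACL name REVERSE_TELNET_ONLY, the local fallback user and the password values are placeholders of my choosing.

```cisco
! Added example, not the post's own config. Address and key values are placeholders.
aaa new-model
!
! vty lines (the SSH sessions from the Internet): RADIUS first, local fallback.
aaa authentication login AUTHEN group radius local
aaa authorization exec AUTHEN group radius if-authenticated
!
! async lines (the reverse-telnet ports): line password if set, otherwise none.
! "none" means anyone who can reach 10.1.1.1 on ports 2001-2008 gets the attached
! device's console without a login, so reachability is the only control left.
aaa authentication login TTY_LINES line none
!
radius-server host 192.168.14.14 auth-port 1645 acct-port 1646
radius-server key RADIUSKEYHERE
!
! Local account used only when RADIUS is unreachable (placeholder credentials).
username admin secret LOCALFALLBACKPASSWORD
!
! Reverse telnet targets (r2-r6 and sw2 follow the same pattern as in the post).
ip host r1 2001 10.1.1.1
ip host sw1 2007 10.1.1.1
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
! Source the router's own telnet sessions from the loopback so the
! access-class below matches them (assumption: nothing else needs these ports).
ip telnet source-interface Loopback0
!
ip access-list standard REVERSE_TELNET_ONLY
 permit host 10.1.1.1
 deny any log
!
! SSH users authenticate once here, against RADIUS.
line vty 0 4
 login authentication AUTHEN
 authorization exec AUTHEN
 transport input ssh
!
! Already-authenticated users hop to the rack without a second RADIUS prompt;
! the access-class keeps outside hosts from reaching the unauthenticated lines.
line 1 8
 access-class REVERSE_TELNET_ONLY in
 exec-timeout 0 0
 login authentication TTY_LINES
 no exec
 transport preferred telnet
 transport input all
```

`debug aaa authentication` while connecting over SSH and then to `r1` shows which method list each login is evaluated against, which is the quickest way to confirm the two lists are bound to the intended lines.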

-David
Personal Website: HappyRouter.com – home of Cisco how-to articles & videos
David Recommends:
HappyRouter Cisco VMware Workstation & Server Video Training Series
HappyRouter Cisco CCNA & CCNP Video Training Series
