From: Stephen Wells (stewells@bellatlantic.net)
Date: Mon Nov 18 2002 - 00:44:26 GMT-3
I am trying to configure a tty port to allow console access to a secure UNIX
box using SSH with RADIUS authentication as the primary means of
authentication. If my RADIUS servers are off-line, I want to authenticate via
a local user database on the 2621 router. With SSH, when I shut down access
to my RADIUS servers, I am unable to authenticate using the local user cisco;
however, when I use TELNET (transport input telnet on line 2033) and I
shut down access to my RADIUS servers, I am able to authenticate and access
the UNIX box's console using the local user cisco.
Here is the config I am using (IOS v 12.2.2T):
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname r1
!
logging rate-limit console 10 except errors
aaa new-model
aaa authentication login secure1 group radius local-case
enable secret 5 $1$7COtpoi$XFM3V5.wCoyk0sMJiFANh0
!
username cisco password 7 059780F1C2243
!
!
memory-size iomem 10
ip subnet-zero
!
!
ip domain-name cisco1.com
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh port 2033 rotary 33 64
no ip dhcp-client network-discovery
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.21.35.7 255.255.255.0
 no shutdown
 speed auto
 full-duplex
!
interface FastEthernet0/1
 ip address 10.21.39.7 255.255.255.0
 no shutdown
 speed auto
 full-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.21.35.1
!
!
snmp-server engineID local 000000090200000AF4620F40
snmp-server community DLLATX37pblc RO
radius-server host 10.21.48.39 auth-port 1645 acct-port 1646
radius-server host 10.21.23.39 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server timeout 60
radius-server challenge-noecho
radius-server key 7 120M04680B1E1F0F2F32
!
dial-peer cor custom
!
!
!
!
!
line con 0
line 33
 no exec
 no flush-at-activation
 login authentication secure1
 rotary 33
 transport input ssh
...
Thanks,
Steve, CCIE 7337, CISSP
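An added example, not part of Steve's post: the same AAA, RADIUS and SSH pieces with the timers reworked. One thing worth checking before anything else is the interplay between `radius-server timeout 60` / `radius-server retransmit 3` and `ip ssh time-out 60`. The SSH negotiation timer (range 1 to 120 seconds) also bounds user authentication, while with those RADIUS values a single unreachable server holds the login request for at least 3 x 60 = 180 seconds before the `secure1` list falls through to `local-case`, and the second server doubles that. Telnet has no comparable authentication timer, which is consistent with the asymmetry described. The server addresses, rotary number, line and method-list name are taken from the post; the timer values below are assumptions chosen so that the whole RADIUS wait fits inside the SSH window.

```cisco
! Added illustration, not the posted config. Timer values are assumptions.
!
! As posted: timeout 60 with retransmit 3 means at least 3 x 60 = 180 s per
! unreachable server before AAA gives up on RADIUS and tries local-case.
! ip ssh time-out (max 120 s) covers user authentication, so the SSH session
! is torn down before the fallback ever runs. Telnet has no such timer.
!
! Adjusted: keep the worst-case RADIUS wait inside the SSH window.
! Two servers x up to 3 attempts x 5 s = 30 s, well under 120 s.
radius-server host 10.21.48.39 auth-port 1645 acct-port 1646
radius-server host 10.21.23.39 auth-port 1645 acct-port 1646
radius-server timeout 5
radius-server retransmit 2
! A server that stops answering is skipped for 10 minutes, so later
! logins fall through to local-case without waiting at all.
radius-server deadtime 10
!
! Widen the SSH authentication window to its maximum.
ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh port 2033 rotary 33 64
!
aaa new-model
! RADIUS first; local user database (case-sensitive username) only when
! every RADIUS server has failed to respond.
aaa authentication login secure1 group radius local-case
!
! Reverse-access line to the UNIX console, reached via SSH to port 2033.
line 33
 no exec
 no flush-at-activation
 login authentication secure1
 rotary 33
 transport input ssh
```

To confirm the diagnosis, enable `debug aaa authentication`, `debug radius` and `debug ip ssh` on the router with the RADIUS servers unreachable and watch whether the SSH session is closed before the last RADIUS retransmit has timed out. Two further caveats: `local-case` matches the username case-sensitively, so the login must be typed as `cisco` exactly; and the type 7 strings in the posted config (`username ... password 7`, `radius-server key 7`) are reversible obfuscation rather than encryption, so posting them alongside the SNMP community string effectively discloses them.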
This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:04 GMT-3