[Router-hwtacacs-hwtac] quit
# Create ISP domain bbb and configure AAA methods for login users.
[Router] domain bbb
[Router-isp-bbb] authentication login hwtacacs-scheme hwtac
[Router-isp-bbb] authorization login hwtacacs-scheme hwtac
[Router-isp-bbb] accounting login hwtacacs-scheme hwtac
[Router-isp-bbb] quit
# Create local RSA and DSA key pairs.
[Router] public-key local create rsa
[Router] public-key local create dsa
# Enable the SSH service.
[Router] ssh server enable
# Enable the default user role feature to assign authenticated SSH users the default user role network-operator.
[Router] role default-role enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Router] line vty 0 63
[Router-line-vty0-63] authentication-mode scheme
[Router-line-vty0-63] quit
Verifying the configuration
When the user initiates an SSH connection to the router and enters the correct username and password,
the user successfully logs in and can use the commands for the network-operator user role.
Troubleshooting RADIUS
RADIUS authentication failure
Symptom
User authentication always fails.
Analysis
Possible reasons include:
• A communication failure exists between the NAS and the RADIUS server.
• The username is not in the format userid@isp-name, or the ISP domain is not correctly configured on the NAS.
• The user is not configured on the RADIUS server.
• The password entered by the user is incorrect.
• The RADIUS server and the NAS are configured with different shared keys.
Solution
Check that:
• The NAS and the RADIUS server can ping each other.