«

Hi,
I have an as5300 which I can console into fine.

However.. if I try to telnet into it I get:

Password:

and I can't type or do anything.

If I dial into it it says:

Username: (I enter my username)
Password: (I enter my password)

It says %authentication failure
and disconnects.

Any ideas?

Connect to the AS5300 via the console, display the config and look at
the "line config commands which are at the end of the config.

The box must have aaa authentication enabled using local username and
passwords or authenticating to a TACACS or RADIS server.

If local authentication is enabled then you will see something like
the following listed in your config:


line con 0

line vty 0 4
login local

This is what I'm seeing:

aaa authentication login SECURE group radius enable
aaa authentication login CONSOLE local
aaa authentication login AUX group radius enable
aaa authentication login VTY line
aaa authentication login vty line
aaa authentication ppp default if-needed group radius local
aaa authentication ppp enable group radius
aaa authentication ppp radius group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa session-id common

---other stuff -- snip ---

!
line con 0
password 7 [removed]
login authentication CONSOLE
line 1 192
exec-timeout 0 0
no flush-at-activation
modem InOut
modem autoconfigure type mica2940
rotary 1
transport input all
autoselect during-login
autoselect ppp
line aux 0
line vty 0
exec-timeout 2 0
password 7 [removed]
login authentication VTY
transport input telnet
line vty 1 4
exec-timeout 2 0
password 7 0008060850565B08
login authentication VTY
transport input telnet
!
!
end


As far as I can tell this is the same config that is on our other access
servers and it works just fine there.

When you dial into it, I think the Username/Password prompt is a
consequence of using the autoselect during-login command. Could it be
that the authentication method you expect to be used is not the one
actually used. Recheck the aaa authentication ppp commands?

Matt wrote:

> This is what I'm seeing:
>
> aaa authentication login SECURE group radius enable
> aaa authentication login CONSOLE local
> aaa authentication login AUX group radius enable
> aaa authentication login VTY line
> aaa authentication login vty line

If you just want to use the line password (without using any aaa
specific functionality) you could just replace login authentication with
a straight login under your line vty configuration commands.

To hazard a guess as to why this config will not accept a telnet
connection - it could be that you have two seprate line passwords
configured for vty (one for line vty 0, another for line vty 1 -4). aaa
might then be confused as to which line password to use. Other
suggestions: call your listname anything other than VTY (for example,
telnet1 or telnet2)

>
> aaa authentication ppp default if-needed group radius local
> aaa authentication ppp enable group radius
> aaa authentication ppp radius group radius
> aaa authorization exec default group radius if-authenticated
> aaa authorization network default group radius if-authenticated
> aaa accounting exec default start-stop group radius
> aaa accounting network default start-stop group radius
> aaa session-id common
>
> ---other stuff -- snip ---
>
> !
> line con 0
> password 7 [removed]
> login authentication CONSOLE
> line 1 192
> exec-timeout 0 0
> no flush-at-activation
> modem InOut
> modem autoconfigure type mica2940
> rotary 1
> transport input all
> autoselect during-login
> autoselect ppp
> line aux 0
> line vty 0
> exec-timeout 2 0
> password 7 [removed]
> login authentication VTY
> transport input telnet
> line vty 1 4
> exec-timeout 2 0
> password 7 0008060850565B08
> login authentication VTY
> transport input telnet
> !
> !
> end
>
>
> As far as I can tell this is the same config that is on our other
> access servers and it works just fine there.