
Unable to log into an X-series after Radius has been configured


Article ID: 168118


Updated On:




PAM error when authenticating via Radius due to missing local account

Unable to log into an X-series chassis after Radius is set up.


via ssh

Sep 6 15:46:38 EUDC1F002 sshd(pam_unix)[12092]: check pass; user unknown
Sep 6 15:46:38 EUDC1F002 sshd(pam_unix)[12092]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=


via telnet
Sep 6 15:38:34 EUDC1F002 login(pam_unix)[12067]: could not identify user (from getpwnam(testuser))
Sep 6 15:38:34 EUDC1F002 login[12067]: User not known to the underlying authentication module

The Cisco ACS is reporting successful authentication.


The username must be defined on the Crossbeam platform itself. If "testuser" is not fully defined and qualified on the Crossbeam (account, permissions, UID, etc.), then it cannot authenticate correctly with Radius.

A local user must be configured because different user levels with different permissions can be configured on Crossbeam. The user access permissions not only specify whether objects can be modified, but also affect things like Unix-level file permissions and audit logging.

Some network devices allow Radius-authenticated users without a local account configured, but these are often devices that have a simple set of access permissions and are not based on an operating system like XOS (Linux).
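
The PAM messages quoted above can be told apart from an ordinary rejected login with a small log filter. This is an added example, not part of the original article or of any Crossbeam tooling: the function names are hypothetical, it assumes the syslog layout shown above (process tag in the fifth field), and the last sample line (pid 12140, user admin, 192.0.2.10) is constructed for contrast.

```shell
#!/bin/sh
# classify_pam_log [FILE...]: read syslog lines (files or stdin) and print
# "service pid user verdict" for each process that logged a PAM failure.
#   no-local-account : PAM could not resolve the name locally (the case in this article)
#   auth-failure     : the name resolved locally, but authentication was rejected
classify_pam_log() {
    awk '
    $5 ~ /\[[0-9]+\]:$/ {
        svc = $5; sub(/[[(].*/, "", svc)      # "sshd(pam_unix)[12092]:" -> "sshd"
        pid = $5; sub(/^[^[]*\[/, "", pid); sub(/\].*/, "", pid)
        key = svc " " pid
        hit = 0
        if ($0 ~ /user unknown|could not identify user|User not known to the underlying authentication module/) {
            missing[key] = 1; hit = 1
        }
        if ($0 ~ /authentication failure/) hit = 1
        # The login path names the user in getpwnam(...); pam_unix appends user= for known accounts
        if (match($0, /getpwnam\([^)]*\)/)) user[key] = substr($0, RSTART + 9, RLENGTH - 10)
        else if (match($0, / user=[^ ]+/)) user[key] = substr($0, RSTART + 6, RLENGTH - 6)
        if (hit && !(key in seen)) { seen[key] = 1; order[++n] = key }
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            u = (k in user) ? user[k] : "?"
            v = (k in missing) ? "no-local-account" : "auth-failure"
            print k, u, v
        }
    }' "$@"
}

# Sample input: the first four lines are the entries quoted in this article;
# the fifth is constructed (a known account with a rejected password).
sample_log() {
    cat <<'EOF'
Sep 6 15:46:38 EUDC1F002 sshd(pam_unix)[12092]: check pass; user unknown
Sep 6 15:46:38 EUDC1F002 sshd(pam_unix)[12092]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=
Sep 6 15:38:34 EUDC1F002 login(pam_unix)[12067]: could not identify user (from getpwnam(testuser))
Sep 6 15:38:34 EUDC1F002 login[12067]: User not known to the underlying authentication module
Sep 6 15:50:02 EUDC1F002 sshd(pam_unix)[12140]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=admin
EOF
}

sample_log | classify_pam_log
```

A `no-local-account` verdict alongside a successful authentication on the Radius server points to the missing local user described in this article rather than to a credential problem.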