I am trying to use my normal Active Directory username to authenticate to my switches. I currently have a RADIUS server set up (Microsoft IAS 2003). I know that it works because my VPN concentrator uses it to authenticate people. I am unable to log in to my switch with the following configuration:
aaa group server radius RADIUS
server 10.101.64.14 auth-port 1645 acct-port 1646
aaa authentication login use-radius group radius local
aaa authentication login localuser local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
radius-server host 10.x.64.14 auth-port 1645 acct-port 1646 key xxx
radius-server source-ports 1645-1646
The logs on my server don't even show that a request was attempted, which leads me to believe that I have a misconfiguration somewhere. I can only authenticate using the localuser user account and none from my domain. Is there something I need to change or do on the AD side of things to tell the switch to allow my AD account to authenticate to it? Does my configuration look good? I know the key is correct as well.
I think that you now have the correct understanding of the fallback logic of AAA and the Radius server. It is one OR the other at any point in time, and the primary (in our discussion the primary is Radius) will be used when it is available.
If you are satisfied to have everyone access enable mode by entering the enable password, then what you have in the configuration works OK. I suggested configuring aaa authentication for enable because I think that it gives you more control. You can configure enable authentication similar to login authentication so that it will go to the Radius server as primary and use the local enable password as a backup. Going to the Radius server means that you can configure at the individual level who should have enable access, gives you an option to periodically force a change in passwords, and when someone leaves the organization it is easy to remove their enable access to all routers and switches without having to configure new enable passwords on all devices. It is certainly your choice to do it either way.
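An added configuration example (not from either poster) of the enable authentication described in the answer above, reusing the server group name RADIUS and the list name use-radius from the original config; the secrets and the vty range are placeholders.

```cisco
! Added example, not the original poster's running configuration.
! Server group as already defined on the switch.
aaa new-model
aaa group server radius RADIUS
 server 10.101.64.14 auth-port 1645 acct-port 1646
!
! Login: ask RADIUS first; the local user database is consulted only when
! no RADIUS server answers, not when RADIUS rejects the credentials.
aaa authentication login use-radius group RADIUS local
!
! Enable: the same primary/backup pattern. RADIUS decides enable access;
! the local enable secret is used only if the RADIUS server is unreachable.
aaa authentication enable default group RADIUS enable
!
! The local fallback credentials must exist, otherwise the "local" and
! "enable" keywords have nothing to fall back to.
username localuser privilege 15 secret <PLACEHOLDER-LOCAL-SECRET>
enable secret <PLACEHOLDER-ENABLE-SECRET>
!
! A named login list only takes effect on the lines it is applied to;
! only a list named "default" applies everywhere on its own.
line vty 0 4
 login authentication use-radius
```

Note that for enable authentication over RADIUS, IOS sends the request with the username $enab15$ (for privilege level 15) rather than the user's own account name, so the IAS side needs a matching account or policy for that name before the RADIUS path can succeed.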