This is the line that I was hoping to use to authenticate with:

aaa authentication login bryan.lofland group radius

Perhaps I am not understanding the role of a group as well. I have group called RADIUS that contains my RADIUS server I have setup. The only line that I see with use-radius in it is the first one:

aaa authentication login use-radius group radius local

It is getting pretty apparent that I am getting confused.

Thanks for the help!

So I have made some progress!!! I can successfully login with my AD username/pass however, it says "Press RETURN to get started" so I do but it immediately kicks me out. I am posting a fresh aaa/line config to update on how my config looks:

aaa new-model

aaa group server radius RADIUS

server 10.101.64.14 auth-port 1645 acct-port 1646

!

aaa authentication login use-radius group radius local

aaa authentication login dharmacon local

aaa authentication login RADIUS group radius local

aaa authentication dot1x default group radius

aaa authorization exec default local

aaa authorization network default group radius

...

radius-server host 10.101.64.14 auth-port 1645 acct-port 1646 key 7 1327470707080138

radius-server source-ports 1645-1646

...

line con 0

stopbits 1

line vty 0 4

password 7 02250B0A04140E251C

login authentication RADIUS

transport input telnet ssh

Thanks for any help!

Bryan

I am glad that you are making progress. I am not clear what is happening that is immediately kicking you out. Is there any kind of message when this happens?

HTH

Rick

have you authorixed the IAS server in the AD domain ?

Try debugging aaa authentication & see the logs

Try the following

aaa authentication login default local group radius

aaa authentication enable default group radius enable

I have tried ading those lines and it didn't really help. I am still kicked out as soon as it authenticates me to the RADIUS server. There are no messages that tell me that something has timed out or anything of that sort.

Also now that I added those two lines I can login via the local account but I can't get to priviliged exec mode it tells me:

%Error in authenticiation

Here is my current config (minus the interfaces).

Thanks,

Bryan

Attached config:

You can try:

1. remove the following commands from your aaa config. You already have this command in place (aaa authentication login RADIUS group radius local) so the ones above it are not neccessary)

aaa authentication login use-radius group radius local

aaa authentication login dharmacon local

2. You've only one Radius server, so there's no point of putting it into a "group". Use "radius-server host 10.101.64.14 auth-port 1645 acct-port 1646"

3. Add these Authorization commands:

aaa authorization config-commands

aaa authorization exec default if-authenticated

aaa authorization network default group radius local

4. Remove the "dot1q" in authorization.

5. Add "radius-server attribute 6 on-for-login-auth"

6. On line vty 0 4, add "login authentication default"

hth.

Bryan

Thanks for posting the additional information. Based on this I do have a few suggestions:

- clearly you do have it configured to authenticate telnet access (or SSH) to the Radius server with backup of the local username. I am not clear whether you are really authenticating with the Radius server or if it is falling back to local authentication. Are there log records on the Radius server that indicate whether it is seeing the authentication request and if so whether it is passing or failing?

- to take care of getting to enable mode I would suggest adding this:

aaa authentication enable default group radius enable

- I would suggest a small change in the aaa authorization line:

aaa authorization exec default local if-authenticated

HTH

Rick

So I did #s 1-6. If I remove the line:

aaa authentication login dharmacon local

I can no longer authenticate with a local username/pass. I also kept:

aaa authentication dot1x default group radius

because I use dot1x auth (certificates) on some ports on that switch.

Now I can't login with my local account. So it looks like I have to choose one or the other but I can't figure out why it won't allow local authentication if I use a local username OR AD authentication if I use an AD account.

Bryan

Maybe I am not as clear on what is going on as I thought I was. Based on the config that you posted there is nothing that uses the line:

aaa authentication login dharmacon local

but you say that if you remove it you can no longer authenticate with a local username. I would have expected that outcome if you removed this line:

aaa authentication login RADIUS group radius local

Perhaps we also need to talk a bit more about the way that AAA authentication works. You seem to want the ability to authenticate with AD or local username interchangeably. You can set up different ports to work differently (perhaps vty starts with Radius and console starts with local username) and you can configure AAA to have a primary authentication method and a backup. But it does not offer interchangeability as an option. So you could configure it to authenticate with Radius/AD as the primary method and local as a backup. But if Radius is configured as primary then it will authenticate with Radius and only use local usernames if communication with Radius fails.

Perhaps you can clarify what is working as you expect. And if some things are not working as you expect (or as you want) then perhaps you can give us specifics about them.

HTH

Rick

Thanks for the clarification. What I am expecting is the AAA should use RADIUS primarily and if that is unavailable to then use local accounts. So let's say that I have an AD account called bryan.lofland and I use it to log in with to config my switches/routers (currently works). What if I want to use the local account "dharmacon" to login instead of my AD account? I can't seem to do that right now. So it looks like the falling back onto the local account isn't working.

So with this running-config I can login with my AD account however I can't login with the local username dharmacon.: