3750's AAA setup

Unanswered Question
Feb 23rd, 2009

We use IAS for Win2k as our radius server to authenticate users. On our Cat3750 switch we configured the following commands:

================
aaa new-model
aaa authentication login default group radius local
aaa authentication login ConsoleAuth local
line con 0
logging synchronous
login authentication ConsoleAuth
==========

I think we should be able to access this switch with a local account when we console in. But we have to provide the radius account, and then we access it successfully. Could you tell me the reason please?

I think the authentication process should follow the specified list-name, right?

Thanks for your help!

Richard Burts Mon, 02/23/2009 - 13:55

Huan

I do not see a problem in your config. Is there a user ID and password configured on the switch which can be used for authentication?

One way to investigate this would be to run debug aaa authentication, attempt login through the console, and post all debug output.

HTH

Rick

mike.cadwgan Mon, 02/23/2009 - 15:35

I think the problem may lie in your order of authentication as your authentication is looking for radius first and then local. This would be pretty normal as you will authenticate with your radius username but if you were not able to get to the radius server it would then drop to the local login.

If you do want the local username, try removing the group radius from the line or moving it to after the local login.

aaa authentication login default local group radius

Richard Burts Mon, 02/23/2009 - 21:05

Michael

As a CCIE I would hope that you would have read more carefully the original post. The default login authentication does use Radius with local as a backup method. But clearly the config that was posted uses a different named authentication method for the console. So your suggestion of changing the default authentication method would not have any effect on authentication for the console.

HTH

Rick

Danilo Dy Mon, 02/23/2009 - 22:15

I have similar setup (IAS/Win2003) and I'm able to login to console using local account.

I make sure that the local and radius accounts are different. You will have a problem trying to log in using the local account if you have the same account in radius (but with a different password) while radius is still reachable.

My Cat3750 aaa configuration is a little bit different than your configuration. I can't remember whether I encountered a problem with the "default".

================
aaa new-model
aaa authentication login ConsoleAuth group radius local
line con 0
login authentication ConsoleAuth
================

The login using a local account is slower than the login using a radius account because the system will try to contact radius first (reachable or not), so be patient.

It's good to turn on aaa debug as Rick recommended to find out what's going on.
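The method-list rule behind Danilo's warning, as an added example that is not part of the thread: a small Python model of how IOS evaluates "aaa authentication login" lists, following Cisco's documented behaviour that a later method is consulted only when the earlier one returns an error (no RADIUS reply), not when it returns a reject (Access-Reject). The usernames and passwords, the assumption that the vty lines stay on the default list, and the assumption that IAS answers Access-Reject for users it does not know are all constructed for the demonstration; this is not Cisco code.

```python
"""Model of Cisco IOS AAA login method-list evaluation.

Constructed illustration, not Cisco code. It encodes the documented rule
for 'aaa authentication login <list> <method1> <method2> ...': methods are
tried in order, and the next method is consulted only when the previous
one returns an ERROR (no RADIUS server answered), not when it returns FAIL
(the server answered with Access-Reject). Usernames, passwords and the vty
binding below are assumptions made for the demonstration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method accepted the credentials
    FAIL = "fail"    # method answered and rejected the credentials
    ERROR = "error"  # method could not answer (server unreachable, etc.)


@dataclass
class RadiusServer:
    """Stand-in for the IAS server: a user -> password table.

    Assumed behaviour: an unknown user or a wrong password gets
    Access-Reject (FAIL); an unreachable server yields ERROR after the
    IOS RADIUS timeout.
    """
    users: dict
    reachable: bool = True

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL


@dataclass
class Switch:
    """Just enough of the switch configuration to evaluate a login."""
    local_users: dict                                 # 'username <n> secret <pw>'
    radius: RadiusServer
    method_lists: dict = field(default_factory=dict)  # list name -> methods
    line_lists: dict = field(default_factory=dict)    # line -> list name

    def _run_method(self, method, user, password):
        if method == "group radius":
            return self.radius.authenticate(user, password)
        if method == "local":
            # IOS's behaviour with an empty local database is not modelled.
            return Result.PASS if self.local_users.get(user) == password else Result.FAIL
        raise ValueError(f"unsupported method {method!r}")

    def login(self, line, user, password):
        """Evaluate the list bound to `line`; a line without a
        'login authentication' command uses the 'default' list."""
        list_name = self.line_lists.get(line, "default")
        for method in self.method_lists[list_name]:
            result = self._run_method(method, user, password)
            if result is Result.ERROR:
                continue              # only an ERROR moves on to the next method
            return result is Result.PASS
        return False                  # every method errored and there is no 'none'


def build_switch(console_methods=("local",), radius_reachable=True):
    """Reproduce the thread's configuration with assumed accounts:
    'huan' exists only in RADIUS, 'console' only locally, and 'admin'
    exists in both with different passwords (the case Danilo describes)."""
    radius = RadiusServer(users={"huan": "Radius-Pw", "admin": "Radius-Pw"},
                          reachable=radius_reachable)
    sw = Switch(local_users={"console": "Local-Pw", "admin": "Local-Pw"},
                radius=radius)
    # aaa authentication login default group radius local
    sw.method_lists["default"] = ["group radius", "local"]
    # aaa authentication login ConsoleAuth <console_methods>
    sw.method_lists["ConsoleAuth"] = list(console_methods)
    # line con 0 / login authentication ConsoleAuth
    sw.line_lists["con 0"] = "ConsoleAuth"
    # assumed: the vty lines were left on the default list
    sw.line_lists["vty"] = "default"
    return sw


if __name__ == "__main__":
    sw = build_switch()
    print("console, local user   :", sw.login("con 0", "console", "Local-Pw"))  # True
    print("console, RADIUS user  :", sw.login("con 0", "huan", "Radius-Pw"))    # False
    print("vty, admin w/ local pw:", sw.login("vty", "admin", "Local-Pw"))      # False: reject, no fallback
    down = build_switch(radius_reachable=False)
    print("vty, RADIUS down      :", down.login("vty", "admin", "Local-Pw"))    # True: error falls to local
```

With the original poster's lists the model refuses a RADIUS-only account on the console, so if the real console accepts one, the lists actually bound to "line con 0" and the configured "username" entries (show running-config | include aaa|username|login) are worth re-checking before the method order is blamed. The model also shows why Danilo keeps the two account sets distinct: with "group radius local" and RADIUS reachable, a reject for the shared username ends the evaluation and the local password is never consulted.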
