3750's AAA setup

Feb 23rd, 2009

We use IAS for Win2k as our RADIUS server to authenticate users. On our Cat3750 switch we configured the following commands:

================
aaa new-model
aaa authentication login default group radius local
aaa authentication login ConsoleAuth local

line con 0
 logging synchronous
 login authentication ConsoleAuth
================


I think we should be able to access this switch with a local account when we console in. But we have to provide the RADIUS account, and then we access it successfully. Could you tell me the reason, please?


I think the authentication process should follow the specified list-name, right?


Thanks for your help!

Richard Burts Mon, 02/23/2009 - 13:55

Huan


I do not see a problem in your config. Is there a user ID and password configured on the switch which can be used for authentication?


One way to investigate this would be to run debug aaa authentication, attempt login through the console, and post all debug output.


HTH


Rick

mike.cadwgan Mon, 02/23/2009 - 15:35

I think the problem may lie in your order of authentication as your authentication is looking for radius first and then local. This would be pretty normal as you will authenticate with your radius username but if you were not able to get to the radius server it would then drop to the local login.


If you do want local username, try removing the group radius from the line or moving it to after the local login.


aaa authentication login default local group radius




Richard Burts Mon, 02/23/2009 - 21:05

Michael


As a CCIE I would hope that you would have read more carefully the original post. The default login authentication does use Radius with local as a backup method. But clearly the config that was posted uses a different named authentication method for the console. So your suggestion of changing the default authentication method would not have any effect on authentication for the console.


HTH


Rick

HWangLoyalty_2 Mon, 02/23/2009 - 18:36

Thanks for your suggestions. I will try it again with debug aaa enabled.

Danilo Dy Mon, 02/23/2009 - 22:15

I have a similar setup (IAS/Win2003) and I'm able to log in to the console using a local account.


I make sure that the local and RADIUS accounts are different. You will have a problem trying to log in using the local account if you have the same account in RADIUS (but with a different password) when RADIUS is still reachable.


My Cat3750 aaa configuration is a little bit different than your configuration. I can't remember whether I encountered a problem with the "default".

================
aaa new-model
aaa authentication login ConsoleAuth group radius local

line con 0
 login authentication ConsoleAuth
================


The login using local account is slower than the login using radius account because the system will try to contact radius first (reachable or not) - so be patient.


It's good to turn on aaa debug as Rick recommended to find out what's going on.
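
Added example, not code from any poster in this thread: a Python check that resolves which login method list each line stanza actually uses (the list named by "login authentication", otherwise "default"), so the console and vty behaviour can be compared before testing on the switch. The sample is the configuration from the original question plus a constructed "line vty 0 4" stanza; the function and variable names are hypothetical.

```python
import re

# Constructed sample: the original question's config plus a constructed vty stanza.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login ConsoleAuth local
line con 0
 logging synchronous
 login authentication ConsoleAuth
line vty 0 4
 transport input ssh
"""

LIST_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
LINE_RE = re.compile(r"^line (.+)$")
BIND_RE = re.compile(r"^login authentication (\S+)$")

def _methods(tokens):
    """Join 'group <name>' into one method; keep the configured order."""
    out, it = [], iter(tokens)
    for tok in it:
        out.append("group " + next(it, "") if tok == "group" else tok)
    return out

def effective_login_methods(config):
    """Return {line stanza: (list name, ordered methods or None)}.

    Matching is done on stripped text, so a pasted config that lost its
    indentation still parses. None means the list is not defined here.
    """
    lists, bindings, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if (m := LIST_RE.match(text)):
            lists[m.group(1)] = _methods(m.group(2).split())
        elif (m := LINE_RE.match(text)):
            current = m.group(1)
            bindings[current] = "default"   # applies when no list is named
        elif current and (m := BIND_RE.match(text)):
            bindings[current] = m.group(1)  # named list overrides default
    return {ln: (name, lists.get(name)) for ln, name in bindings.items()}

if __name__ == "__main__":
    for line, (name, methods) in effective_login_methods(SAMPLE_CONFIG).items():
        print(f"line {line}: list={name} methods={methods}")
```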
