AAA login issues with dead RADIUS server...

Unanswered Question
Dec 21st, 2009

We have around 60 Cisco switches that we use RADIUS authentication and authorization on (we will be moving to TACACS+ in the next few months). It works great as long as the trunk back to the main network is up; if the trunk fails for any reason, I can only log in with user-level privilege, no exec level. This happens on all VTYs and the console. Also, on the console, regardless of whether the trunk is up, I can only log in with user level. I'm sure it has to do with using the "default" AAA list. However, I cannot figure out how to create a named list.


The switch models vary from 2960s to 3750Es. Here is an example of the config of one of the 2960s that I'm currently configuring:


! Last configuration change at 15:31:22 EST Mon Dec 21 2009
! NVRAM config last updated at 15:31:25 EST Mon Dec 21 2009
!
version 12.2
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname BMS-IDF-D
!
boot-start-marker
boot-end-marker
!
enable secret 5 <SNIP>.
!
username cp_adminswitch privilege 15 secret 5 <SNIP>.
!
!
aaa new-model
!
!
aaa group server radius rad_admin
server 10.x.x.254 auth-port 1645 acct-port 1646
!
aaa authentication login default group rad_admin local
aaa authentication enable default group rad_admin
aaa authorization exec default group rad_admin local
!
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
!
!
!
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
crypto pki trustpoint TP-self-signed-2439932416
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2439932416
revocation-check none
rsakeypair TP-self-signed-2439932416
!
!
crypto pki certificate chain TP-self-signed-2439932416
certificate self-signed 01 nvram:IOS-Self-Sig#3636.cer
!
!
!
archive
path tftp://10.x.x.90/Switch/Conf/BMS-IDF-D/
write-memory
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 30
ip ssh version 2
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
switchport trunk native vlan 99
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/2
description BMS-IDF-F Uplink
switchport trunk native vlan 99
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan20
description BMS
no ip address
no ip route-cache
!
interface Vlan99
description Management VLAN
ip address 10.x.x.180 255.255.255.0
no ip route-cache
!
no ip http server
ip http secure-server
ip sla enable reaction-alerts
radius-server host 10.13.11.254 auth-port 1645 acct-port 1646 timeout 5 retransmit 3 key 7 <SNIP>
!
line con 0
line vty 0 4
length 0
line vty 5 15
length 0
!
ntp clock-period 36028818
ntp server 10.x.x.254 key 0 prefer
end


I know that I'm just missing something simple, but it's driving me nuts!!!! Any help would be greatly appreciated, as I need to resolve this for my own peace of mind.



Jason Partridge

Ganesh Hariharan Sat, 12/26/2009 - 07:48

Hi Jason,


As per the AAA configuration on your switches:


aaa authentication login default group rad_admin local
aaa authentication enable default group rad_admin
aaa authorization exec default group rad_admin local


The first request will be forwarded to the RADIUS server; if it is not reachable, the switch will then check the local database, as per the configuration.


Is it working or not ?


And I have one query regarding your statement "I cannot figure out how to create a named list." Can you briefly describe what this requirement is?


And check out the below link; hope this helps with your query:


http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093c81.shtml


Regards

Ganesh.H

gshinman Tue, 12/29/2009 - 03:31


Hi Jason,

     You have the following on your switch:

aaa authentication login default group rad_admin local
aaa authentication enable default group rad_admin
aaa authorization exec default group rad_admin local


Notice the local at the end of the first and third lines. This tells the switch to try the local database of users if RADIUS is not reached.

You're missing the local on the second line, which tells the switch how to authenticate for exec or "enable" level access. Add it and you should be good to go.

kush.sri2001 Thu, 12/31/2009 - 14:49

Hi Jason,



When you create a method list, instead of the "default" keyword you specify a name for the list. The difference between the default and the named list is that the default list is automatically applied on all the interfaces, but the named list has to be specifically applied on the VTY lines and the console.


If you would like to create a named list for authentication and authorization, please remove the existing commands and try the ones below:

- aaa authentication login rad_authentication group rad_admin local
- aaa authorization exec rad_authorization group rad_admin local

Now, as I mentioned previously, go to the line vty and type the following:

- line vty 0 15
- login authentication rad_authentication
- authorization exec rad_authorization

Regards,


Kush
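
Editor's note: the following is an added example, not configuration posted by Jason or by any of the repliers. It pulls together the two suggestions above (gshinman's point that the enable list has no fallback method, and Kush's point that a named list must be applied to the lines explicitly) into one complete AAA section for the 2960 config in the question. It assumes the server group rad_admin, the local user cp_adminswitch (privilege 15) and the enable secret already exist exactly as in the posted config; the list name CONSOLE and the deadtime value are my own choices.

```cisco
! Added example: AAA section that survives a dead RADIUS server.
! Assumes "aaa group server radius rad_admin", the local privilege-15
! user and "enable secret" from the posted config are already present.
aaa new-model
!
! Mark a server that stops answering as dead for 10 minutes so every
! login does not first sit through the full timeout/retransmit cycle.
! (Value is an assumption; tune to taste.)
radius-server deadtime 10
!
! Login: RADIUS first, local user database when no server answers.
aaa authentication login default group rad_admin local
!
! Enable: RADIUS first, then the locally configured "enable secret".
! The posted config has no fallback here, so "enable" fails whenever
! the trunk (and therefore the RADIUS server) is unreachable.
aaa authentication enable default group rad_admin enable
!
! Exec authorization: RADIUS first, local privilege level when no
! server answers. RADIUS only lands a user at privilege 15 directly if
! it returns cisco-avpair "shell:priv-lvl=15"; otherwise the user gets
! privilege 1 and must type "enable", which is why the line above matters.
aaa authorization exec default group rad_admin local
!
! The default exec-authorization list is NOT applied to the console
! unless this is configured; without it console logins stay at
! privilege 1 even when RADIUS is reachable.
aaa authorization console
!
! Named lists (Kush's approach) for the serial port only: console access
! never depends on the network, so a dead trunk cannot lock the
! physical port. "CONSOLE" is an assumed list name.
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE local
!
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
!
! VTYs keep the default lists; stating them explicitly makes the
! intent visible in "show running-config".
line vty 0 15
 login authentication default
 authorization exec default
```

Two checks worth running after applying this. First, confirm the switch can actually authenticate a user against the group without logging out of your current session: `test aaa group rad_admin <username> <password> new-code` reports whether the server answered and what it returned. Second, simulate the failure mode: with `debug aaa authentication` and `debug radius` enabled, shut the uplink (or the server) and log in again; you should see the RADIUS attempts time out and then the `local` method succeed. Note that with the posted `timeout 5 retransmit 3`, a login to a dead server that is not yet marked dead waits one attempt plus three retransmits at 5 s each, about 20 s, before the local fallback is tried, which is easy to mistake for a hang. The local fallback is deliberately a real credential path, so the local user's secret needs to be treated with the same care as the RADIUS password, and the `enable secret` should differ from it.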
