05-12-2010 08:33 AM - edited 03-10-2019 05:07 PM
Hi,
Just learning AAA and I'm struggling with one thing. I've got a RADIUS server set up and switches/routers authenticate to it. Everything's working fine.
As a safety measure I've got a local account set up as well, just in case both RADIUS servers are down.
I was able to configure them to log on users directly to privileged mode, which is quite convenient. However, when I log on using the local account I'm in privileged mode as well.
Is there a way to configure a switch/router to log on users who authenticated through RADIUS server directly to enable mode, but if a user logs on using a local account it will be in exec mode and will have to enter a password to access privileged mode?
Here's my configuration:
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
enable secret 5 <...>
username testlocal privilege 15 password 7 <...>
ip radius source-interface Vlan150
radius-server host 192.168.10.2 auth-port 1812 acct-port 1813 key 7 <...>
radius-server host 192.168.17.2 auth-port 1812 acct-port 1813 key 7 <...>
radius-server retransmit 3
05-12-2010 09:27 AM
Change:
username testlocal privilege 15 password 7 <...>
to read:
username testlocal password 7 <...>
05-13-2010 02:22 AM
Hi Javier,
Thank you for the reply. I can't believe it was so easy to fix!
However in order to allow a local user to access 'enable mode' I had to remove this line as well:
aaa authentication enable default group radius enable
as there was no way I could authenticate. The switch was using '$ena15$' as a username to authenticate on RADIUS server.
There was the same problem if I logged on using my Active Directory account, entered 'disable' command and then tried to go back to privileged mode.
I figured that I would rather authenticate to enable mode locally.
Anyway it's all sorted now. Thank you again.
05-13-2010 04:48 AM
> The switch was using '$ena15$' as a username to authenticate on RADIUS server.
That is the expected behavior with RADIUS.
With TACACS+, it will send the actual username.
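The AAA block the thread ends up with, assembled here as an added example (it is not the original poster's or the answerers' own text): the local user loses `privilege 15`, enable authentication no longer goes to RADIUS, and the rest of the poster's configuration is kept. Addresses, the VLAN and the username `testlocal` are taken from the post; the secrets are placeholders, and the RADIUS-server side (Service-Type = Administrative or the Cisco AV pair `shell:priv-lvl=15` for the accounts that should land in privileged mode) is assumed, since the post only says the server was set up that way.

```cisco
! Added example: the corrected AAA block for the switch in the thread.
aaa new-model
!
! Login: RADIUS first, local database only when no RADIUS server
! answers. A REJECT from RADIUS is final; the "local" method is only
! tried when every server in the group times out, so the local account
! really is a "both servers down" fallback and nothing more.
aaa authentication login default group radius local
!
! Enable: check the enable secret only. With "group radius" here IOS
! sends the synthetic username $enab15$ to the RADIUS server instead of
! the logged-in user's name (TACACS+ sends the real username), which is
! why the poster could not get past "enable". Deleting the line, as the
! poster did, has the same effect: without it IOS falls back to the
! enable secret.
aaa authentication enable default enable
!
! Exec authorization: RADIUS users get the level the server returns
! (assumed: Service-Type = Administrative, or cisco-avpair
! "shell:priv-lvl=15"). When RADIUS is unreachable, authorization also
! falls back to the local database, where testlocal carries no
! privilege level and so starts at user exec (level 1).
aaa authorization exec default group radius local
!
enable secret <...>
!
! No "privilege 15" on the fallback account: it lands at "Switch>" and
! must type "enable" plus the enable secret to reach "Switch#".
! "username ... secret" is preferable to "password 7" (type 7 is
! reversible); it is shown here as an assumption, not the poster's line.
username testlocal secret <...>
!
ip radius source-interface Vlan150
radius-server host 192.168.10.2 auth-port 1812 acct-port 1813 key <...>
radius-server host 192.168.17.2 auth-port 1812 acct-port 1813 key <...>
radius-server retransmit 3
```

To check the result without taking the RADIUS servers down, log in with a RADIUS account and confirm `show privilege` reports 15, then type `disable` and `enable` again: the second `enable` is now answered by the enable secret rather than by a `$enab15$` lookup on the server, which is the case that failed for the poster. The local account can only be exercised with both servers unreachable, because a live server's REJECT for `testlocal` stops the login method list before the `local` method.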