problem with AAA on the 12.2(58).SE version

Unanswered Question
Jan 29th, 2012

Hi,

I have a lot of switches (about 400 to be precise), series 2960 and 3750, with the following IOS versions:

Series 2960: c2960-lanbasek9-mz.122-52.SE.bin

Series 2960S: c2960s-universalk9-mz.122-53.SE2.bin

Series 3750: c3750-ipservicesk9-mz.122-52.SE.bin

The AAA configuration is as follows:

aaa new-model
!
aaa authentication login default group radius line none
aaa authentication enable default enable none
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius
enable secret «password removed»
...
radius-server host 192.168.30.1 auth-port 1812 acct-port 1813 key «password removed»
radius-server retransmit 2
radius-server timeout 2
line con 0
 exec-timeout 5 0
 password «password removed»
 login

Then, when I tried to upgrade the 2960 and 3750 series to the 12.2(58) version, I had a problem with this configuration. When RADIUS is down, I cannot access the switches, even with the password on line con 0. The prompt always asks for a username and password, not the password-only prompt that there used to be in the 12.2(52).SE and 12.2(53).SE versions.

Does anyone have the same problem? How can I fix it?

Thanks in advance,

António

johnnylingo Sun, 01/29/2012 - 13:46

I believe newer IOS versions always require a username / password to be used, even when the RADIUS / TACACS server is down.

Something like this will let you log in with username 'admin' if the RADIUS server is unavailable.

username admin priv 15 password 0
aaa authentication login default group radius local
aaa authorization exec default group radius local
line con 0
 no password
 exit

glen.grant Sun, 01/29/2012 - 16:41

You don't need a username and password as long as you have the line password and enable secret passwords defined, unless RADIUS is different from TACACS.

ebarticel Sun, 01/29/2012 - 19:25

You need to add a second option to your authentication method to let you use the local database if RADIUS is not available.

Hope this helps

Eugen

adeus Mon, 01/30/2012 - 04:02

Hi,

Thanks to all, but the solution is what johnnylingo wrote.

Best regards,

António
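An added example, not part of the original thread or any poster's own tooling: a small Python audit that reads a switch configuration and reports what each AAA method list does when the RADIUS server stops answering, which is useful for checking a large fleet before an upgrade. The two sample configurations are constructed from the ones posted in this thread, with `<removed>` in place of secrets; the function names and finding messages are assumptions of this example.

```python
import re

# Constructed samples modelled on the two configs in this thread; "<removed>" replaces secrets.
ORIGINAL = """\
aaa new-model
aaa authentication login default group radius line none
aaa authentication enable default enable none
aaa authorization exec default group radius if-authenticated
enable secret <removed>
line con 0
 password <removed>
 login
"""
SUGGESTED = """\
aaa new-model
username admin priv 15 password 0 <removed>
aaa authentication login default group radius local
aaa authorization exec default group radius local
line con 0
 no password
"""
LIST_RE = re.compile(r"^aaa (authentication (?:login|enable)|authorization exec) (\S+) (.+)$", re.M)

def methods_of(rest):
    """Split a method list, keeping 'group NAME' together as one method."""
    return re.findall(r"group \S+|\S+", rest)

def audit(config):
    """Return findings about what each AAA method list does when the server is down."""
    findings = []
    has_user = re.search(r"^username \S+", config, re.M) is not None
    if re.search(r"^username \S+ .*\bpassword 0\b", config, re.M):
        findings.append("local user uses cleartext 'password 0'")
    for kind, name, rest in LIST_RE.findall(config):
        methods = methods_of(rest)
        label = f"{kind} {name}"
        uses_server = any(m.startswith("group ") for m in methods)
        has_local = any(m in ("local", "local-case") for m in methods)
        if "none" in methods:
            findings.append(f"{label}: falls through to 'none' (no check at all)")
        if kind == "authentication login" and uses_server and not has_local:
            findings.append(f"{label}: no 'local' fallback after the server group")
        if has_local and not has_user:
            findings.append(f"{label}: 'local' listed but no username is defined")
    return findings

if __name__ == "__main__":
    for title, cfg in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(title, audit(cfg) or "no findings")
```

IOS moves to the next method in a list only when the current one returns an error, such as an unreachable server, not when it rejects the credentials, so the last entries in each list decide what happens during a RADIUS outage.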


Posted January 29, 2012 at 8:23 AM