01-29-2012 08:23 AM - edited 03-07-2019 04:36 AM
Hi,
I have a lot of switches (about 400 to be precise), series 2960 and 3750, with the following IOS versions:
Series 2960: c2960-lanbasek9-mz.122-52.SE.bin
Series 2960S: c2960s-universalk9-mz.122-53.SE2.bin
Series 3750: c3750-ipservicesk9-mz.122-52.SE.bin
The AAA configuration is as follows:
aaa new-model
!
aaa authentication login default group radius line none
aaa authentication enable default enable none
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius
enable secret «password removed»
...
radius-server host 192.168.30.1 auth-port 1812 acct-port 1813 key «password removed»
radius-server retransmit 2
radius-server timeout 2
line con 0
exec-timeout 5 0
password «password removed»
login
Then, when I tried to upgrade the 2960 and 3750 series to version 12.2(58), I had a problem with this configuration. When the RADIUS server is down, I cannot access the switches, even with the password on line con 0. The prompt always asks for a username and password, not the password-only prompt that used to appear in the 12.2(52).SE and 12.2(53).SE versions.
Does anyone have the same problem? How can I fix it?
Thanks in advance,
António
01-29-2012 01:46 PM
I believe newer IOS versions always require a username / password be used, even when the Radius / Tacacs server is down.
Something like this will let you log in with username 'admin' if the RADIUS server is unavailable.
username admin priv 15 password 0
aaa authentication login default group radius local
aaa authorization exec default group radius local
line con 0
no password
exit
01-29-2012 04:41 PM
You don't need a username and password as long as you have the line password and enable secret passwords defined, unless RADIUS is different from TACACS.
01-29-2012 07:25 PM
You need to add a second option to your authentication method to let you use the local database if RADIUS is not available.
Hope this helps
Eugen
01-30-2012 04:02 AM
Hi,
Thanks to all, but the solution is what johnnylingo wrote.
Best regards,
António
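The fallback issue discussed in this thread can be checked across many saved configs before an upgrade. The following is an added example, not part of any post: `audit_aaa` and `parse_methods` are hypothetical names, and the two sample configs are constructed from the snippets above with placeholder secrets. It goes slightly beyond the thread by also flagging the `none` method.

```python
import re

# Constructed sample configs based on the snippets in this thread;
# secrets are placeholders, not real values.
BEFORE = """\
aaa new-model
aaa authentication login default group radius line none
aaa authorization exec default group radius if-authenticated
line con 0
 password <placeholder>
 login
"""

AFTER = """\
aaa new-model
username admin priv 15 password 0 <placeholder>
aaa authentication login default group radius local
aaa authorization exec default group radius local
line con 0
 no password
"""

def parse_methods(tokens):
    """Return method keywords; 'group <name>' collapses to 'group'."""
    kinds, skip = [], False
    for tok in tokens:
        if skip:            # this token is a server-group name, not a method
            skip = False
            continue
        kinds.append(tok)
        skip = tok == "group"
    return kinds

def audit_aaa(config):
    """Return findings for 'aaa authentication login' method lists."""
    findings = []
    has_user = re.search(r"^username\s+\S+", config, re.M) is not None
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        name, kinds = m.group(1), parse_methods(m.group(2).split())
        uses_local = "local" in kinds or "local-case" in kinds
        if "group" in kinds and not uses_local:
            findings.append(f"{name}: server group with no local fallback")
        if "none" in kinds:  # reached when every earlier method errors out
            findings.append(f"{name}: 'none' allows login without credentials")
        if uses_local and not has_user:
            findings.append(f"{name}: 'local' used but no username defined")
    return findings

if __name__ == "__main__":
    print(audit_aaa(BEFORE), audit_aaa(AFTER))
```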