926 Views, 0 Helpful, 4 Replies

Problem with AAA on the 12.2(58)SE version

ANTONIO DEUS (Level 1)

Hi,

I have a lot of switches (about 400, to be precise) of the 2960 and 3750 series, with these IOS versions:

Series 2960: c2960-lanbasek9-mz.122-52.SE.bin

Series 2960S: c2960s-universalk9-mz.122-53.SE2.bin

Series 3750: c3750-ipservicesk9-mz.122-52.SE.bin

The AAA configuration is as follows:

aaa new-model
!
aaa authentication login default group radius line none
aaa authentication enable default enable none
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius
enable secret «password removed»
...
radius-server host 192.168.30.1 auth-port 1812 acct-port 1813 key «password removed»
radius-server retransmit 2
radius-server timeout 2
line con 0
 exec-timeout 5 0
 password «password removed»
 login

Then, when I tried to upgrade the 2960 and 3750 series to the 12.2(58) version, I had a problem with this configuration. When the RADIUS server is down, I cannot get access to the switches, even with the password on line con 0. The prompt is always for username and password, not the password prompt that was used in the 12.2(52)SE and 12.2(53)SE versions.

Anyone have the same problem? How can I fix it?

Thanks in advance,

António

4 Replies

johnnylingo (Level 5)

I believe newer IOS versions always require a username/password to be used, even when the RADIUS/TACACS server is down.

Something like this will let you log in with username 'admin' if the RADIUS server is unavailable.

username admin priv 15 password 0
aaa authentication login default group radius local
aaa authorization exec default group radius local
line con 0
 no password
 exit

You don't need a username and password as long as you have the line password and enable secret passwords defined, unless radius is different from tacacs.

ebarticel (Level 4)

You need to add a second option to your authentication method list so that the local database is used if no RADIUS server is available.

Hope this helps

Eugen
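Both johnnylingo and Eugen point at the same fix: a fallback method after `group radius`, plus a local user for that fallback to use. With about 400 switches to check, the quickest way to find the ones that would still lock the console out is to audit their saved running-configs. The script below is an added example, not code from any poster in this thread. It parses `show running-config` text and flags `aaa authentication` method lists that are server-only, that end in `none`, that name `local` with no `username` defined, or that name `line` for a line with no password. The two embedded configs are constructed from the thread with placeholder secrets; the `username admin ... secret 5` line stands in for johnnylingo's `password 0` (a `secret` is stored hashed, a `password 0` is stored in clear text).

```python
"""Audit Cisco IOS running-configs for AAA fallback when the RADIUS server is down.

Added example, not code from anyone in the thread. The sample configs below
are constructed from the thread; PLACEHOLDER stands in for removed secrets.
"""
import re
from dataclasses import dataclass, field

SERVER_METHODS = {"radius", "tacacs+"}  # methods that need a reachable AAA server


@dataclass
class Config:
    method_lists: dict = field(default_factory=dict)  # (kind, list name) -> [methods]
    usernames: set = field(default_factory=set)
    lines: dict = field(default_factory=dict)          # "con 0" -> has a password


def tokenize_methods(rest):
    """'group radius line none' -> ['group radius', 'line', 'none']."""
    return re.findall(r"group \S+|\S+", rest)


def parse_config(text):
    cfg, current_line = Config(), None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                      # sub-command of a 'line ...' section
            if current_line and raw.strip().startswith("password "):
                cfg.lines[current_line] = True
            continue
        current_line = None                          # any top-level command ends the section
        m = re.match(r"aaa authentication (login|enable) (\S+) (.+)", raw)
        if m:
            cfg.method_lists[(m.group(1), m.group(2))] = tokenize_methods(m.group(3))
        elif re.match(r"username \S+", raw):
            cfg.usernames.add(raw.split()[1])
        else:
            m = re.match(r"line (con|aux|vty) (.+)", raw)
            if m:
                current_line = f"{m.group(1)} {m.group(2)}"
                cfg.lines.setdefault(current_line, False)
    return cfg


def is_server_method(method):
    return method.startswith("group ") or method in SERVER_METHODS


def audit(text):
    """Return [(severity, message), ...]; an empty list means no fallback problem found."""
    cfg, findings = parse_config(text), []
    for (kind, name), methods in cfg.method_lists.items():
        label = f"aaa authentication {kind} {name}"
        if all(is_server_method(m) for m in methods):
            findings.append(("high", f"{label}: server-only methods, lockout when the server is unreachable"))
        if "none" in methods:
            findings.append(("high", f"{label}: 'none' grants access once earlier methods are exhausted"))
        if "local" in methods and not cfg.usernames:
            findings.append(("high", f"{label}: 'local' fallback but no username is configured"))
        if "line" in methods:
            for line_name, has_pw in cfg.lines.items():
                if not has_pw:
                    findings.append(("medium", f"{label}: 'line' fallback but line {line_name} has no password"))
    return findings


# Constructed from the original post (secrets replaced, accounting lines omitted).
ORIGINAL_CONFIG = """\
aaa new-model
aaa authentication login default group radius line none
aaa authentication enable default enable none
aaa authorization exec default group radius if-authenticated
enable secret 5 PLACEHOLDER
line con 0
 password 7 PLACEHOLDER
 login
"""

# Constructed from johnnylingo's reply: local fallback plus a local user. The
# enable list is left as the poster had it, so the audit still flags that one.
FIXED_CONFIG = """\
aaa new-model
username admin privilege 15 secret 5 PLACEHOLDER
aaa authentication login default group radius local
aaa authentication enable default enable none
aaa authorization exec default group radius local
enable secret 5 PLACEHOLDER
line con 0
 login
"""

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {name}")
        for sev, msg in audit(text) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Run it over one saved `show running-config` per switch. On the fixed config only the `aaa authentication enable default enable none` list is still reported: johnnylingo's snippet does not touch it, and with `none` at the end of that list a switch whose enable secret is ever removed would let anyone into privileged mode.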

ANTONIO DEUS (Level 1)

Hi,

Thanks to all, but the solution is the one johnnylingo wrote.

Best regards,

António
