
RADIUS Fallback Local account not working

Answered Question
Jul 3rd, 2013

Hi all,


I have a RADIUS server running on Windows 2003. I am using a Cisco 2960 switch. Everything is working fine, but I need to test the local user account on the switch so that I don't lock myself out if the RADIUS server is not available.


Which command shall I enter to enable that?


Any help will be much appreciated.




many thanks,

Kamran.

Przemyslaw Konitz Wed, 07/03/2013 - 04:56

Hi,

Any logs? Are you writing about administration access to the switch or dot1x?


Check the docs about AAA on the switch.


The second method is reached if the 1st is unreachable:


aaa authentication login default group radius local


regards

kcnajaf@25070 Wed, 07/03/2013 - 04:58

Hi Kamran,


What does your current AAA configuration look like?


If you have console access to the device, you can check the local username and password using the console as below.


aaa authentication login CONSOLE local
line console 0
 login authentication CONSOLE


Please ensure that a local username and password are configured.


Hope that helps


Regards


Najaf


Please rate when applicable or helpful !!!

kamrannaseem Wed, 07/03/2013 - 05:56

Hi Najaf,


Thanks for your help.


What about if I want to SSH into my device?


many thanks,

kamran.

kcnajaf@25070 Wed, 07/03/2013 - 05:59

Hi,


The above suggestion was to test if local credentials are working...


So now are you looking for how to enable SSH into your devices? Or do you want to test how the RADIUS fallback will work for SSH?


Sorry, I didn't really get your question :-(


Regards


Najaf


Please rate when applicable or helpful !!!

kamrannaseem Wed, 07/03/2013 - 06:23

Hi Najaf,


Yes I want to have access to switch if the radius server is not available.


many thanks.

kcnajaf@25070 Wed, 07/03/2013 - 06:30

Hi Kamran,


Could you please share your existing AAA configuration?


If you want to test if your configuration is working, then try replacing the existing RADIUS server IP (on your switch configuration through console) with a dummy IP address. Then the RADIUS server will not respond and you can try SSH to the device using your local credentials. Otherwise, the easiest way to make the RADIUS server unavailable would be to shut the port where the RADIUS server is connected. In that case you will have trouble accessing other devices if local logins are not working :-(


Regards


Najaf


Please rate when applicable or helpful !!!

kamrannaseem Wed, 07/03/2013 - 06:37

Hi Najaf,



aaa new-model
aaa authentication login default group radius
aaa authentication login VTY group radius local
aaa authentication login ssh group radius
aaa authentication login CONSOLE local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization exec VTY group radius local
aaa accounting exec default start-stop group radius




many thanks.

kcnajaf@25070 Wed, 07/03/2013 - 06:42

Hi Kamran,


Try this


aaa authentication login default group radius local


This will fall back to local authentication if your radius server is not reachable.


Hope you are not currently calling any specific group under your line 0 4. If it is there remove it...


Hope that helps


Regards


Najaf


Please rate when applicable or helpful !!!

kamrannaseem Wed, 07/03/2013 - 06:47

Hi Najaf,


The console bit you mentioned earlier, should I remove that from AAA and from the lines?


line con 0
 login authentication CONSOLE
line vty 0 4
 access-class 1 in
 authorization exec VTY
 login authentication CONSOLE
 transport input telnet ssh
line vty 5 15
 access-class 1 in
 authorization exec VTY
 login authentication CONSOLE
 transport input telnet ssh




many thanks.

kcnajaf@25070 Wed, 07/03/2013 - 06:49

Hi Kamran


Try this..


line vty 0 4
 access-class 1 in
 authorization exec VTY
 transport input telnet ssh


Hope that helps


Regards


Najaf


Please rate when applicable or helpful !!!

kamrannaseem Wed, 07/03/2013 - 07:00

Hi Najaf,


No, it's not letting me in through RADIUS.


Should I remove the following lines from my configuration:


aaa authentication login CONSOLE local

line con 0
 login authentication CONSOLE

line vty 0 4
 login authentication CONSOLE
line vty 5 15
 login authentication CONSOLE

Many thanks,

Correct Answer
kcnajaf@25070 Wed, 07/03/2013 - 07:08

Hi,


If you look at my previous post, I have asked you to remove the CONSOLE group from line VTY 0 4.


line vty 0 4
 no login authentication CONSOLE


By the by, how are you testing this? I mean, how are you making the RADIUS server unreachable? Hope you already have a local username and password configured?


Regards


Najaf

Please rate when applicable or helpful !!!
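
An added example, not part of any post in this thread: a small Python check that shows why the VTY lines above never reached RADIUS, by resolving which login method list each line is bound to. The function names and `SAMPLE_CONFIG` are assumptions made for this illustration; the config text is constructed from the settings posted earlier in the thread.

```python
import re

# Constructed sample: the AAA lists and line settings posted in this thread,
# joined into one config. Indentation is added for readability.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius
aaa authentication login VTY group radius local
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
line vty 0 4
 authorization exec VTY
 login authentication CONSOLE
 transport input telnet ssh
line vty 5 15
 authorization exec VTY
 login authentication CONSOLE
 transport input telnet ssh
"""

def classify(methods):
    """Describe a login method list from its tokens, e.g. ['group', 'radius', 'local']."""
    if methods is None:
        return "undefined list"
    if "radius" not in methods:
        return "RADIUS is never consulted"
    if "local" not in methods[methods.index("radius"):]:
        return "no local fallback: lockout if RADIUS is unreachable"
    return "ok: RADIUS first, local fallback"

def audit_login_methods(config):
    """Map each 'line ...' block to (method list name, finding)."""
    lists, bound, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            lists[m.group(1)] = m.group(2).split()
        elif re.match(r"line (con|vty|aux) ", text):
            current = text
            bound[current] = "default"  # no explicit binding means the default list
        elif current and text.startswith("login authentication "):
            bound[current] = text.split()[2]
    return {ln: (name, classify(lists.get(name))) for ln, name in bound.items()}

if __name__ == "__main__":
    for line, (name, finding) in audit_login_methods(SAMPLE_CONFIG).items():
        print(f"{line:<14} list={name:<8} {finding}")
```

Removing `login authentication CONSOLE` from the VTY lines moves them to the `default` list, which still reports no local fallback until `local` is appended to it as suggested earlier in the thread.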

kamrannaseem Wed, 07/03/2013 - 08:32

Hi Najaf,


Thank you ever so much, it's working !!!


Much appreciated for your time.


How long have you been working on Cisco devices?


kind regards,

kamran

Jatin Katyal Wed, 07/03/2013 - 06:03
User Badges:
  • Cisco Employee,

If you want to do SSH using local username/password


then add the same command that Najaf suggested in the above post.


line vty 0 15
 login authentication CONSOLE
 transport input ssh
 exit



~BR
Jatin Katyal

**Do rate helpful posts**

kamrannaseem Wed, 07/03/2013 - 06:28

Hi jatin,


After using these commands I cannot log in to my switch through RADIUS. How do I remove them?


many thanks.

Jatin Katyal Wed, 07/03/2013 - 06:44
User Badges:
  • Cisco Employee,

If you want to do SSH using local username/password


then add the same command that Najaf suggested in the above post.


line vty 0 15
 login authentication CONSOLE
 transport input ssh
 exit

The above config will not help you access the device with radius credentials. I did mention that if you want to SSH using local database so use local credentials from the device itself.



~BR
Jatin Katyal

**Do rate helpful posts**

kcnajaf@25070 Wed, 07/03/2013 - 16:04

Hi,

Thanks for using the rating system and glad to know that it is working as expected. I have been playing with Cisco for about 10 years now :-)

Regards
Najaf
