Configuring AAA

kamrannaseem
Level 1

Hi All,

I have configured AAA on my Cisco switch with the following commands.

I have been told that I have used a few unnecessary commands which are not required.

What would be the effect if I remove the lines in red?

Any help will be much appreciated.

aaa new-model
aaa authentication login default group radius local
aaa authentication login VTY group radius local
aaa authentication login ssh group radius
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization exec VTY group radius local
aaa accounting exec default start-stop group radius
line con 0
 password Testing
line vty 0 4
 access-class 1 in
 authorization exec VTY
 transport input telnet ssh
line vty 5 15
 access-class 1 in
 authorization exec VTY
 transport input telnet ssh

Many thanks.


9 Replies

Jatin Katyal
Cisco Employee

It would not create any issues with login because you already have "aaa authentication login default group radius local", which actually applies to all lines. The ones you have highlighted are nothing but method lists that you can create for different lines as per your need.

You may need this command if you have some dial-in authentication configured.

aaa authentication ppp default if-needed group radius local

For example, if you want to authenticate ONLY the console session with the local database and VTY lines via RADIUS, you can add the below listed config.

aaa authentication login CON local
aaa authorization exec CON local
line console 0
 login authentication CON
 authorization exec CON

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin,

I just want to SSH into my switches using RADIUS, and I am using AD user accounts. I have one local account on the switch just in case the RADIUS fails, so I could log in using the local account.

Which commands do you suggest for this scenario?

Many thanks.

Do you want to authenticate the console session also from RADIUS, or from the local database directly, or do you want no authentication for the console session?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin,

Local database directly, the user account created on the switch.

Many thanks.

If you talk about only AAA commands, then you should have the below listed commands:

For SSH/Telnet the default command would work:

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
username privilege 15 password
!
!

For authenticating users from the console session, make sure you have the below listed config.

aaa authentication login CON local
aaa authorization exec CON local
line console 0
 login authentication CON
 authorization exec CON

P.S.: I've assumed you already have a RADIUS server and the other required commands added, and that authentication is working with RADIUS.

Hope this helps.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin,

So if I use these commands you suggested, I should be able to SSH into my switch, and if in future my RADIUS server fails I would be able to SSH using the local user account.

Many thanks.

You got it right.

The below listed commands have the local keyword at the end. With that, if RADIUS goes down, you can log in via local credentials defined in the local database.

aaa authentication login default group radius local
aaa authorization exec default group radius local

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
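The two points Jatin makes above, that the default method list governs every line that does not apply a named list, and that only a list ending in "local" keeps a fallback when RADIUS is unreachable, can be checked offline against a saved running-config. The following Python script is an added example written for this thread, not code from Cisco or from the posters. It embeds a constructed sample config (the original poster's AAA lines plus the CON list suggested for the console), resolves which list effectively governs each line, flags any line without a local fallback, and lists named lists that nothing applies. It only models the behaviour the thread describes; how IOS treats a line that references an undefined list is not assumed, so such a line is simply reported with no methods.

```python
import re

# Constructed sample config for this example (not captured from a real device):
# the thread's posted AAA lines plus the CON list suggested for the console.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login VTY group radius local
aaa authentication login ssh group radius
aaa authentication login CON local
aaa authorization exec default group radius local
aaa authorization exec VTY group radius local
aaa authorization exec CON local
aaa accounting exec default start-stop group radius
line con 0
 login authentication CON
 authorization exec CON
line vty 0 4
 access-class 1 in
 authorization exec VTY
 transport input telnet ssh
line vty 5 15
 access-class 1 in
 transport input ssh
"""

KINDS = ("authentication login", "authorization exec")
LIST_RE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")
LINE_RE = re.compile(r"^line (\S+(?: \d+)*)$")


def split_methods(text):
    """Turn 'group radius local' into ['group radius', 'local']."""
    toks, out, i = text.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append("group " + toks[i + 1])
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def parse_method_lists(config):
    """Map each AAA kind to {list_name: [methods]} from the global 'aaa ...' commands."""
    lists = {kind: {} for kind in KINDS}
    for raw in config.splitlines():
        m = LIST_RE.match(raw.strip())
        if m:
            kind, name, methods = m.groups()
            lists[kind][name] = split_methods(methods)
    return lists


def parse_line_sections(config):
    """Map each 'line ...' section to the method-list names it explicitly applies."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw.strip())
        if m:
            current = m.group(1)
            sections[current] = {kind: None for kind in KINDS}
            continue
        if not raw.startswith(" "):      # an unindented command ends the line section
            current = None
            continue
        toks = raw.split()
        if current and toks[:2] == ["login", "authentication"] and len(toks) == 3:
            sections[current]["authentication login"] = toks[2]
        elif current and toks[:2] == ["authorization", "exec"] and len(toks) == 3:
            sections[current]["authorization exec"] = toks[2]
    return sections


def effective_methods(config):
    """Resolve, per line, which list governs it and whether it keeps a local fallback.

    A line that applies no named list is governed by 'default' (as the thread
    explains); an applied name that was never defined is reported with
    methods=None rather than guessing what the device would do.
    """
    lists = parse_method_lists(config)
    report = {}
    for line_name, applied in parse_line_sections(config).items():
        report[line_name] = {}
        for kind in KINDS:
            name = applied[kind] or "default"
            methods = lists[kind].get(name)
            report[line_name][kind] = {
                "list": name,
                "methods": methods,
                "local_fallback": bool(methods) and "local" in methods,
            }
    return report


def unused_lists(config):
    """Named lists that no line applies: the 'unnecessary' commands from the thread."""
    lists = parse_method_lists(config)
    sections = parse_line_sections(config)
    used = {kind: {s[kind] for s in sections.values()} for kind in KINDS}
    return {kind: sorted(n for n in lists[kind] if n != "default" and n not in used[kind])
            for kind in KINDS}


if __name__ == "__main__":
    for line_name, per_kind in effective_methods(SAMPLE_CONFIG).items():
        for kind, info in per_kind.items():
            flag = "" if info["local_fallback"] else "   <-- no local fallback"
            print(f"{line_name:10} {kind:21} {info['list']:8} {info['methods']}{flag}")
    print("unused:", unused_lists(SAMPLE_CONFIG))
```

Run against the sample, both VTY ranges resolve to the default login list (no line applies VTY or ssh, so both show up as unused), the console resolves to CON, and every line keeps a local fallback. The "ssh" list is the one to watch: it ends in "group radius" only, so if it were ever applied to the VTY lines, a RADIUS outage would lock out remote management, which is exactly the situation the local keyword is there to prevent. The script reads a saved config, not the device, so the device's own show output remains the authority.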

Thank you ever so much Jatin.

Much appreciated for your time.

Regards,

Kamran.

yw

Have a nice one.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin