New Member

Configuring AAA

Hi All,

I have configured AAA on my Cisco switch with the following commands,

and I have been told that I have used a few unnecessary commands which are not required.

What would be the effect if I remove the lines in red?

Any help will be much appreciated.

aaa new-model
aaa authentication login default group radius local
aaa authentication login VTY group radius local
aaa authentication login ssh group radius
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization exec VTY group radius local
aaa accounting exec default start-stop group radius
line con 0
 password Testing
line vty 0 4
 access-class 1 in
 authorization exec VTY
 transport input telnet ssh
line vty 5 15
 access-class 1 in
 authorization exec VTY
 transport input telnet ssh

Many thanks.

9 REPLIES
Cisco Employee

Configuring AAA

It would not create any issues with login because you already have "aaa authentication login default group radius local", which actually applies to all lines. The ones you have highlighted are nothing but method lists that you can create for different lines as per your need.

You may need this command if you have some dial-in authentication configured:

aaa authentication ppp default if-needed group radius local

For example, if you want to authenticate ONLY the console session with the local database and the vty lines via RADIUS, you can add the below listed config.

aaa authentication login CON local
aaa authorization exec CON local
line console 0
 login authentication CON
 authorization exec CON

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Configuring AAA

Hi Jatin,

I just want to SSH into my switches using RADIUS. I am using AD user accounts, and I have one local account on the switch just in case the RADIUS fails, so I could log in using the local account.

Which commands do you suggest for this scenario?

Many thanks.

Cisco Employee

Configuring AAA

Do you want to authenticate the console session also via RADIUS, or from the local database directly, or do you want no authentication for the console session?

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Configuring AAA

Hi Jatin,

Local database directly: the user account created on the switch.

Many thanks.

Cisco Employee

Re: Configuring AAA

If you talk about only the AAA commands, then you should have the below listed commands.

For SSH/Telnet the default command would work:

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
username <name> privilege 15 password <password>
!
!

For authenticating users from the console session, make sure you have the below listed config:

aaa authentication login CON local
aaa authorization exec CON local
line console 0
 login authentication CON
 authorization exec CON

P.S.: I've assumed you already have the RADIUS server and other required commands added, and authentication is working with RADIUS.

Hope this helps.

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Configuring AAA

Hi Jatin,

So if I use these commands you suggested, I should be able to SSH into my switch, and if in the future my RADIUS server fails I would be able to SSH using the local user account.

Many thanks.

Cisco Employee

Configuring AAA

You got it right.

The below listed commands have the local keyword at the end. With that, if RADIUS goes down, you can log in via the local credentials defined in the local database.

aaa authentication login default group radius local
aaa authorization exec default group radius local

~BR
Jatin Katyal

**Do rate helpful posts**

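The two things this thread settles, that the named VTY lists add nothing the default list does not already give, and that the trailing local keyword is what keeps SSH working when RADIUS is down, can be checked with a small model of how IOS resolves and walks a login method list. The following Python is an added example written for this page; it is not Cisco code, does not talk to a device, and the two configurations inside it are constructed from the commands quoted in the thread (the local username and password are placeholders, since the original post's values were stripped). It encodes the documented IOS rule that the next method in a list is consulted only when the previous one returns an error (server unreachable), never when it returns a fail (explicit reject), which is the caveat behind "if radius goes down".

```python
"""Added model of how IOS resolves and walks an AAA login method list.

Constructed for this thread; not Cisco code, and it never touches a device.
IOS rule modelled: the next method in a list is consulted only when the
previous one returns ERROR (server unreachable), never on FAIL (reject).
"""
import re

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed sample: the poster's original config, cut down to the lines
# that decide login authentication.
ORIGINAL_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login VTY group radius local
aaa authentication login ssh group radius
line con 0
 password Testing
line vty 0 4
 authorization exec VTY
 transport input telnet ssh
"""

# Constructed sample: the reduced config from the accepted answer. The local
# user name and password are placeholders, not values from the thread.
REDUCED_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login CON local
username PLACEHOLDER_USER privilege 15 password PLACEHOLDER_PASS
line con 0
 login authentication CON
line vty 0 4
 transport input ssh
"""


def parse_login_lists(config):
    """Map each 'aaa authentication login <name> ...' line to its method tokens."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)$", line.strip())
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists


def normalize(tokens):
    """Collapse 'group <server-group>' into the group name; keep 'local' etc. as is."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group":
            methods.append(tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def line_login_list(config, line_id):
    """Name of the list bound with 'login authentication' under 'line <line_id>'.
    Under 'aaa new-model' a line with no binding uses the 'default' list."""
    in_section = False
    for raw in config.splitlines():
        if not raw.startswith(" "):          # top-level command
            in_section = raw.strip() == f"line {line_id}"
            continue
        if in_section:
            m = re.match(r"login authentication (\S+)", raw.strip())
            if m:
                return m.group(1)
    return "default"


def methods_for(config, line_id):
    """Ordered authentication methods that apply to one line."""
    return normalize(parse_login_lists(config)[line_login_list(config, line_id)])


def evaluate(methods, outcomes):
    """Walk the list like IOS: stop at the first PASS or FAIL, fall through on ERROR.
    Returns (result, deciding_method); (ERROR, None) means every method was
    unreachable, which IOS treats as a denied login."""
    for method in methods:
        result = outcomes.get(method, ERROR)  # an unlisted method counts as unreachable
        if result in (PASS, FAIL):
            return result, method
    return ERROR, None


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("reduced", REDUCED_CONFIG)):
        for line_id in ("con 0", "vty 0 4"):
            print(f"{label:8} line {line_id:8} -> {methods_for(cfg, line_id)}")
    vty = methods_for(REDUCED_CONFIG, "vty 0 4")
    print("RADIUS up, user rejected:", evaluate(vty, {"radius": FAIL, "local": PASS}))
    print("RADIUS unreachable      :", evaluate(vty, {"radius": ERROR, "local": PASS}))
    ssh_only = normalize(parse_login_lists(ORIGINAL_CONFIG)["ssh"])
    print("'ssh' list, RADIUS down :", evaluate(ssh_only, {"radius": ERROR}))
```

Running it shows the vty lines resolve to the same radius-then-local sequence in both configurations, which is why dropping the VTY and ssh lists changes nothing. It also shows two things the thread only implies: a wrong password rejected by a reachable RADIUS server is never retried against the local database, so the local account only helps during an outage, not against a lockout; and the original config's `ssh` list, which has no `local` at the end, would leave no way in at all while RADIUS is unreachable if it were ever bound to a line. In the original config the console's `password Testing` is never consulted, because with `aaa new-model` the default list applies to the console too; the reduced config binds the `CON` list there instead.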
New Member

Configuring AAA

Thank you ever so much Jatin.

Much appreciated for your time.

regards,

Kamran.

Cisco Employee

Configuring AAA

yw

Have a nice one.

~BR
Jatin Katyal

**Do rate helpful posts**
