
RADIUS Config

Hi

I am looking to deploy a simple RADIUS solution and I'm having some issues.  I would like to have RADIUS authentication for selected Active Directory users.  Should the RADIUS server become unavailable, I would like to be able to log in to the switch using the switch local admin account. This is not working with my current configuration.

My users:

User 1: testuser

User 2: admin (local switch admin)

User 1 can authenticate to the switch via RADIUS and cannot authenticate locally (as I have not included User 1 in the local db on purpose).

User 2 cannot authenticate using RADIUS, as expected; however, User 2 cannot log on to the switch locally either, which is expected. This is not working properly.

 

My configuration:

username admin privilege 15 secret Password1

aaa new-model

aaa group server radius IAS
 server 192.168.193.162 auth-port 1812 acct-port 1813

aaa authentication login userAuthentication group radius local enable
aaa authorization config-commands
aaa authorization exec userAuthorisation group IAS group radius local

aaa session-id common

line con 0
 logging synchronous

line vty 0 4
 authorization exec userAuthorisation
 login authentication userAuthentication

line vty 5 15
 authorization exec userAuthorisation
 login authentication userAuthentication

 

Can anyone see what I'm doing wrong?

Thanks in advance :D

SteveP


Accepted Solutions


Steve,

In your current setup, I think you're going to have a problem. If the radius server is up at all, it will just send a reject back to the router should it either not find a user or the user have the incorrect password. The only way the router will failover to the local database is if the radius server isn't available at all.

You can set the local database first in aaa and then configure the radius server. The admin user will be able to log in using the local database, but the user will not be able to since they're not in there. If the user simply wasn't found in the local database, you would roll over to the radius server and authenticate there.

Soooo, try to flip your command from:

aaa authentication login userAuthentication group radius local enable

to:

aaa authentication login userAuthentication local group radius enable

HTH,

John

HTH, John *** Please rate all useful posts ***
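To see why the order matters, here is an added example (not from the thread or from Cisco) that models in Python how IOS walks a login method list: PASS or FAIL ends evaluation, and only ERROR (RADIUS server unreachable, or a username absent from the local database) moves on to the next method. The usernames and passwords are constructed sample values, and the `enable` method is left out because the posted config has no enable secret.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # accepted: list evaluation stops
    FAIL = "fail"    # definitive reject: list evaluation stops
    ERROR = "error"  # method could not decide: try the next method

# Constructed sample accounts mirroring the thread: testuser exists only in
# RADIUS (Active Directory via IAS), admin exists only in the local database.
RADIUS_USERS = {"testuser": "radius-pw"}   # constructed password
LOCAL_USERS = {"admin": "Password1"}       # password from the posted config

def method_radius(user, password, radius_up):
    """'group radius': no answer is ERROR, any answer is PASS or FAIL."""
    if not radius_up:
        return Result.ERROR
    return Result.PASS if RADIUS_USERS.get(user) == password else Result.FAIL

def method_local(user, password, radius_up):
    """'local': unknown username is ERROR, wrong password for a known user is FAIL."""
    if user not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[user] == password else Result.FAIL

METHODS = {"group radius": method_radius, "local": method_local}

def login(method_list, user, password, radius_up=True):
    """Walk the list in order; return (accepted, name of the method that decided)."""
    for name in method_list:
        outcome = METHODS[name](user, password, radius_up)
        if outcome is not Result.ERROR:
            return outcome is Result.PASS, name
    return False, None                      # every method errored: deny

ORIGINAL = ["group radius", "local"]   # Steve's order
FIXED = ["local", "group radius"]      # John's suggested order

if __name__ == "__main__":
    for label, methods in (("original", ORIGINAL), ("fixed", FIXED)):
        for user, pw, up in (("admin", "Password1", True),
                             ("admin", "Password1", False),
                             ("testuser", "radius-pw", True)):
            print(label, user, "radius up" if up else "radius down",
                  login(methods, user, pw, up))
```

The model also exposes the trade-off of the fixed order: a mistyped password for admin is a FAIL from the local method and is never retried against RADIUS, and a RADIUS reject for testuser remains final because RADIUS is the last method.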
2 REPLIES


Hi John

That worked a treat.  Thank you very much. 

Cheers

SteveP :D
