https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234659#M104354 <HTML><HEAD></HEAD><BODY><P>You got it right.</P><P></P><P>The below listed commands have local keywords at the end. With that if radius goes down, you can login via local credentials defined in local database.</P><P></P><P>aaa authentication login default group radius<STRONG> local</STRONG></P><P>aaa authorization exec default group radius <STRONG>local</STRONG></P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Wed, 17 Jul 2013 12:51:16 GMT Jatin Katyal 2013-07-17T12:51:16Z https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234652#M104347 <P>Hi All,</P><P></P><P>I have configured aaa on my cisco switch with the follwoing commands.</P><P>and i have been told that I have used few unnecessary commands which are not required. </P><P></P><P>what would be the effect I remove the lines in red ?</P><P></P><P>any help will be much appriciated.</P><P>&nbsp; </P><P>aaa new-model</P><P>aaa authentication login default group radius local</P><P><SPAN style="color: #993300;"><STRONG>aaa authentication login VTY group radius local</STRONG></SPAN></P><P><SPAN style="color: #993300;"><STRONG>aaa authentication login ssh group radius</STRONG></SPAN></P><P><SPAN style="color: #993300;"><STRONG>aaa authentication ppp default if-needed group radius local</STRONG></SPAN></P><P>aaa authorization exec default group radius local</P><P><SPAN style="color: #993300;"><STRONG>aaa authorization exec VTY group radius local</STRONG></SPAN></P><P>aaa accounting exec default start-stop group radius</P><P></P><P></P><P>line con 0</P><P>password Testing</P><P>line vty 0 4</P><P>access-class 1 in</P><P><SPAN style="color: #993300;"><STRONG>authorization exec VTY</STRONG></SPAN></P><P>transport input telnet ssh</P><P>line vty 5 15</P><P>access-class 1 in</P><P><SPAN style="color: #993300;"><STRONG>authorization exec VTY</STRONG></SPAN></P><P>transport input telnet ssh</P><P></P><P></P><P></P><P>Many thanks.</P> Mon, 11 Mar 2019 03:39:35 GMT https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234652#M104347 kamrannaseem 2019-03-11T03:39:35Z https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234653#M104348 <HTML><HEAD></HEAD><BODY><P>It would not create any issues with login because you already have "aaa authentication login default group radius local" which actually applies to all lines. The one you have highlighted are nothing but just method-list that you can create for different lines as per your need.</P><P></P><P>You may need this command, if you have some dial-in authentication configured.</P><P><STRONG>aaa authentication ppp default if-needed group radius local</STRONG></P><P></P><P>For example, if you want to authenticate ONLY console session with local database and vty lines via radius, you can add the below listed config.</P><P></P><P><STRONG>aaa authentication login CON local</STRONG></P><P><STRONG>aaa authorization exec CON local<BR /></STRONG></P><P><STRONG>line console 0</STRONG></P><P><STRONG>login authentication CON</STRONG></P><P><STRONG>authorization exec CON<BR /></STRONG></P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Wed, 17 Jul 2013 10:47:08 GMT https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234653#M104348 Jatin Katyal 2013-07-17T10:47:08Z https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234654#M104349 <HTML><HEAD></HEAD><BODY><P> Hi Jatin,</P><P></P><P>I just want to ssh into my switches using RADIUS and i am using AD user accounts and i have one local account on the switch just incase if the radius fails, so I could login using loacal account.</P><P></P><P>which commands you suggest for this scenerio ?</P><P></P><P></P><P>Many thanks.</P></BODY></HTML> Wed, 17 Jul 2013 11:13:51 GMT https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234654#M104349 kamrannaseem 2013-07-17T11:13:51Z https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234655#M104350 <HTML><HEAD></HEAD><BODY><P>Do you want to authenticate console session also from Radius session or from local database directly or you want no authentication for console session?</P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Wed, 17 Jul 2013 11:27:19 GMT https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234655#M104350 Jatin Katyal 2013-07-17T11:27:19Z https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234656#M104351 <HTML><HEAD></HEAD><BODY><P> Hi Jatin,</P><P></P><P>Local database directly.the user account created on the switch.</P><P></P><P></P><P>many thanks.</P></BODY></HTML> Wed, 17 Jul 2013 12:22:11 GMT https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234656#M104351 kamrannaseem 2013-07-17T12:22:11Z https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234657#M104352 <HTML><HEAD></HEAD><BODY><P>If you talk about only aaa commands, then you should have below listed commands:</P><P></P><P>For SSH/Telnet the default command would work:</P><P></P><P>aaa new-model</P><P>aaa authentication login default group radius local</P><P>aaa authorization exec default group radius local</P><P>aaa accounting exec default start-stop group radius</P><P><STRONG>username <USER> privilege 15 password <PASSWORD></PASSWORD></USER></STRONG></P><P>!</P><P>!</P><P>For authenticating users from console session, make sure you have below listed config.</P><P><STRONG>aaa authentication login CON local</STRONG></P><P><STRONG>aaa authorization exec CON local<BR /></STRONG></P><P><STRONG>line console 0</STRONG></P><P><STRONG>login authentication CON</STRONG></P><P> <STRONG>authorization exec CON</STRONG></P><P></P><P>P.S: I've assumed you already have radius server and other required commands added and authentication is working with radius.<STRONG><BR /></STRONG></P><P></P><P>Hope this helps.</P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Wed, 17 Jul 2013 12:35:39 GMT https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234657#M104352 Jatin Katyal 2013-07-17T12:35:39Z https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234658#M104353 <HTML><HEAD></HEAD><BODY><P>Hi Jatin,</P><P></P><P>So If I use these commands you suggested I should be able to ssh into my switch and if in future my RADIUS server fails I would be able to ssh using local user account.</P><P></P><P></P><P>many thanks.</P></BODY></HTML> Wed, 17 Jul 2013 12:43:00 GMT https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234658#M104353 kamrannaseem 2013-07-17T12:43:00Z https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234659#M104354 <HTML><HEAD></HEAD><BODY><P>You got it right.</P><P></P><P>The below listed commands have local keywords at the end. With that if radius goes down, you can login via local credentials defined in local database.</P><P></P><P>aaa authentication login default group radius<STRONG> local</STRONG></P><P>aaa authorization exec default group radius <STRONG>local</STRONG></P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Wed, 17 Jul 2013 12:51:16 GMT https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234659#M104354 Jatin Katyal 2013-07-17T12:51:16Z https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234660#M104355 <HTML><HEAD></HEAD><BODY><P>Thank you ever so much Jatin.</P><P></P><P>Much appriciated for your time.</P><P></P><P>regards,</P><P>Kamran.</P></BODY></HTML> Wed, 17 Jul 2013 12:54:55 GMT https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234660#M104355 kamrannaseem 2013-07-17T12:54:55Z https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234661#M104356 <HTML><HEAD></HEAD><BODY><P>yw <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P>Have a nice one.</P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Wed, 17 Jul 2013 12:57:34 GMT https://community.cisco.com/t5/network-access-control/configuring-aaa/m-p/2234661#M104356 Jatin Katyal 2013-07-17T12:57:34Z