topic AAA - Local authentication problem in Network Access Control

AAA - Local authentication problem

bapatsubodh — Mon, 11 Mar 2019 02:34:17 GMT

We have following configuration

aaa new-model

aaa authentication login default local group radius

aaa authentication enable default enable

aaa authorization exec default group radius local

aaa session-id common

authentication preference is local and then it's radius.

Currently Radius is reachable but we need to test the local username and passsowrds.

But when local username and passwords are given switch still contacts RADIUS and then access is denied.

Looking for way to test the local username and passwords.

Please share the experience.

Cheers.

- Subodh

AAA - Local authentication problem

Tarik Admani — Thu, 20 Sep 2012 17:38:50 GMT

Hi,

You can try setting up an ACL on the svi that belongs to the radius server and just deny it from ths host.

Thanks,

Tarik Admani
*Please rate helpful posts*

Re:AAA - Local authentication problem

hkhrais — Thu, 20 Sep 2012 21:13:01 GMT

Hi ,

You defined local meyhod as the 1'st method in auth. However in autho u defined the AAA server.

In my prespective this is a logical error because when the autho request recieved ,the server will say u didn't authenticated to begin with since auth. Was local.

To achieve ur goal

==================

-make the first authentication method is AAA server

-break the connectivity to that server or change the IP address that defined on the router/switch to something else.so the router\switch will assume the server is down. Then test

Sent from Cisco Technical Support Android App

Re:AAA - Local authentication problem

nkarthikeyan — Sat, 22 Sep 2012 20:44:46 GMT

I guess u need to make the authorization also set to local and then radius to check it.

Karthik

Re:AAA - Local authentication problem

bapatsubodh — Mon, 24 Sep 2012 13:19:34 GMT

Thanks guys!

Same configuration is working on another switch with different IOS veriosn. So I guess it's related to this IOS.

Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)

BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

Is it a known bug/cavet in this version?

Please share the experience.

Cheers..

Subodh

Re:AAA - Local authentication problem

hkhrais — Mon, 24 Sep 2012 20:43:23 GMT

Hi ,

In the switch that is working fine , would u pls double check the method order for authenticatin and authorization

Sent from Cisco Technical Support Android App

Re:AAA - Local authentication problem

bapatsubodh — Wed, 26 Sep 2012 14:58:45 GMT

Here is the output for which the local user works

Switch1#sh running-config | inc aaa

aaa new-model

aaa authentication login default local group radius

aaa authentication enable default enable

aaa authorization exec default group radius if-authenticated

aaa session-id common

Here is the switch where it's not working, it's the same, only difference in these switches is IOS veriosn.

aaa new-model

aaa authentication login default local group radius

aaa authentication enable default enable

aaa authorization exec default group radius if-authenticated

aaa session-id common

Re:AAA - Local authentication problem

hkhrais — Wed, 26 Sep 2012 17:49:52 GMT

Hi ,

Can u make your IOS image as the working one then test again.

Note

In auhtentication . U stated the local as the first method and RADIUS as the second one. Pls note the switch will NOT failover to radius. Because if the local database is down this mean your switch is totally down.

HTH

Sent from Cisco Technical Support Android App