
AAA authentication login default command

117222400
Level 1

Hi Experts

Recently we upgraded a Catalyst C9200-48P to 17.9.04a, which is the recommended version.

But the strange thing is that the RADIUS authentication seems to fail when logging in to SSH with PuTTY.

Before the upgrade it was working: when logging in with an AD account, it prompted as below and worked fine. The local user was also working fine.

Using username "domainadm".
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server 

After the upgrade it didn't prompt, as shown below; the password was also reported as incorrect and the login failed.

Using username "domainadm".
domainadm@10.2.5.7's password:

But if I use a local user to log in, it prompts, and I can log in with the local username and password.

login as: SFnet
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server

There hasn't been any change to the AAA authentication configuration, and both RADIUS user login and local user login were working well before the upgrade.

aaa authentication login default local group SF_CISCO_ISE
aaa authentication dot1x default group SF_CISCO_ISE
aaa authorization exec default local group SF_CISCO_ISE
aaa authorization network default group SF_CISCO_ISE
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group SF_CISCO_ISE
aaa accounting exec default start-stop group SF_CISCO_ISE
aaa accounting network default start-stop group SF_CISCO_ISE
aaa accounting connection default start-stop group SF_CISCO_ISE
aaa accounting system default start-stop group SF_CISCO_ISE

Also, I am a little confused about the command: aaa authentication login default local group SF_CISCO_ISE

Why does it allow both the local user and the RADIUS user as default? How can there be two defaults? Which has the higher priority?

And the prompt "Keyboard-interactive authentication prompts from server:": is it for RADIUS users only, or for all users?

What configurations should I check? Or is there a bug?

Thanks 

Best regards

George

11 Replies

Can I see the RADIUS server config in the SW?

MHM

Thanks for your reply, and the below is radius config:

aaa group server radius SF_CISCO_ISE
server name SF3-ISE01
server name SF4-ISE01
ip radius source-interface Loopback0
timeout 30

radius server SF3-ISE01
address ipv4 10.2.5.33 auth-port 1812 acct-port 1813
key 7 073B746A4D2C4C2439391A261133077020
!
radius server SF4-ISE01
address ipv4 10.2.20.33 auth-port 1812 acct-port 1813
key 7 046F5E200C04196F2732143D0712205022
!
!

This behavior is explained by one statement:

aaa new-model

The command is missing after upgrading.

Why can the local user access?

I think this is the default for the vty line.

So check the aaa new-model command.

MHM

Ruben Cocheno
Spotlight

@117222400 

That is the order of authentication, so local happens first, and if the account is not found locally then it uses ISE to authenticate.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

I was looking at the same thing. The line "aaa authentication login default local group SF_CISCO_ISE" should be changed imo to this:

aaa authentication login default group SF_CISCO_ISE local

The keyword default in that line refers to the default method list, think about it as a name rather than as a default setting.

When you place the "local" keyword at the end, it means the switch will first try to authenticate the users via RADIUS, and only if the RADIUS server is unavailable will it then authenticate the users against the local database.

I think the keyboard interactive message is applicable to any connection to the switch, and I believe the keyword "server" in that message refers to the switch itself not to the RADIUS server.

liviu.gheorghe
Spotlight

Hello @117222400 ,

The correct way to configure this is: aaa authentication login default group SF_CISCO_ISE local

The rule is as follows: the device tries the first authentication method, in your case local, and IF that method is unavailable, that is, not responsive, it goes to the second method, the ISE server.

In case one of the methods responds that it doesn't know the user or that the password is incorrect, it DOESN'T go on to check the other methods.

Hope this helps.

Regards, LG
*** Please Rate All Helpful Responses ***

117222400
Level 1

Thanks Aref and Liviu

I have only one local user, SFnet, on the SW, so if it is a method list, then putting "local" in front might give a faster response.

But I'm still not sure why it didn't prompt and why the AD user can't log in. Should I check something on ISE (the RADIUS server), or change the key to reconnect to ISE?

Putting "local" before the RADIUS group would allow the switch to check the local user database first, and if the user is not found locally, it will "fall back" to the RADIUS group. I don't believe there is anything to be changed on ISE. One thing you can do is enable AAA authentication debugs ("deb aaa authentication") and see if the output gives anything interesting.

The idea is that the local authentication method is always available, so if you don't have the user you are trying to authenticate, domainadm, defined on the local switch, it won't go to the second method, SF_CISCO_ISE.

That is the reason we suggested putting the group SF_CISCO_ISE first and local second.

Regards, LG
*** Please Rate All Helpful Responses ***

I stand corrected: if the user is not present in the local database, it will go to the next authentication method.

Regards, LG
*** Please Rate All Helpful Responses ***
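To make the method-list semantics discussed by Aref and LG above concrete, here is a small simulation (added for this thread, not code from the original posts or from Cisco). It models the rule that only a method that cannot answer (ERROR: user not in the local database, or the RADIUS group unreachable) advances to the next method, while a definite reject (FAIL) stops the list. The local and RADIUS user entries are constructed sample data, not the poster's credentials.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method authenticated the user
    FAIL = "fail"    # method answered and rejected the user: the list stops here
    ERROR = "error"  # method could not answer: try the next method in the list


# Constructed sample accounts (not the real ones from the thread).
LOCAL_USERS = {"SFnet": "local-secret"}      # the switch's local database
RADIUS_USERS = {"domainadm": "ad-secret"}    # what ISE would accept


def local_method(user, password, radius_up):
    if user not in LOCAL_USERS:
        return Result.ERROR  # unknown locally: fall through (LG's corrected statement)
    return Result.PASS if LOCAL_USERS[user] == password else Result.FAIL


def radius_method(user, password, radius_up):
    if not radius_up:
        return Result.ERROR  # both servers in group SF_CISCO_ISE timed out
    if RADIUS_USERS.get(user) == password:
        return Result.PASS
    return Result.FAIL       # Access-Reject: no fallback to local after this


METHODS = {"local": local_method, "group SF_CISCO_ISE": radius_method}


def parse_method_list(line):
    """Turn 'aaa authentication login default <methods...>' into an ordered list of method names."""
    tokens = line.split()
    assert tokens[:4] == ["aaa", "authentication", "login", "default"]
    methods, i = [], 4
    while i < len(tokens):
        if tokens[i] == "group":          # 'group NAME' is one method
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def authenticate(line, user, password, radius_up=True):
    """Walk the method list left to right; only ERROR moves on to the next method."""
    for name in parse_method_list(line):
        result = METHODS[name](user, password, radius_up)
        if result is not Result.ERROR:
            return result, name
    return Result.FAIL, "none"  # every method errored: the login is denied
```

Running the corrected list (group first) against the local-only user SFnet while ISE is reachable shows the trade-off LG describes: ISE rejects an unknown user, so the local account only works once the RADIUS group is unreachable.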