09-20-2012 09:30 AM - edited 03-10-2019 07:34 PM
We have following configuration
aaa new-model
aaa authentication login default local group radius
aaa authentication enable default enable
aaa authorization exec default group radius local
aaa session-id common
authentication preference is local and then it's radius.
Currently Radius is reachable but we need to test the local usernames and passwords.
But when local username and passwords are given switch still contacts RADIUS and then access is denied.
Looking for way to test the local username and passwords.
Please share the experience.
Cheers.
- Subodh
09-20-2012 10:38 AM
Hi,
You can try setting up an ACL on the svi that belongs to the radius server and just deny it from ths host.
Thanks,
Tarik Admani
*Please rate helpful posts*
09-20-2012 02:13 PM
Hi ,
You defined local method as the 1st method in auth. However in autho u defined the AAA server.
In my perspective this is a logical error because when the autho request is received, the server will say u didn't authenticate to begin with since auth. was local.
To achieve ur goal
==================
-make the first authentication method the AAA server
-break the connectivity to that server or change the IP address that is defined on the router/switch to something else, so the router/switch will assume the server is down. Then test.
Sent from Cisco Technical Support Android App
09-22-2012 01:44 PM
I guess u need to make the authorization also set to local and then radius to check it.
By
Karthik
09-24-2012 06:19 AM
Thanks guys!
Same configuration is working on another switch with different IOS version. So I guess it's related to this IOS.
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
Is it a known bug/caveat in this version?
Please share the experience.
Cheers..
Subodh
09-24-2012 01:43 PM
Hi ,
In the switch that is working fine, would u pls double check the method order for authentication and authorization.
Sent from Cisco Technical Support Android App
09-26-2012 07:58 AM
Here is the output for which the local user works
Switch1#sh running-config | inc aaa
aaa new-model
aaa authentication login default local group radius
aaa authentication enable default enable
aaa authorization exec default group radius if-authenticated
aaa session-id common
Here is the switch where it's not working. It's the same; the only difference between these switches is the IOS version.
aaa new-model
aaa authentication login default local group radius
aaa authentication enable default enable
aaa authorization exec default group radius if-authenticated
aaa session-id common
09-26-2012 10:49 AM
Hi ,
Can u make your IOS image as the working one then test again.
Note
In authentication, u stated the local as the first method and RADIUS as the second one. Pls note the switch will NOT failover to radius, because if the local database is down this means your switch is totally down.
HTH
Sent from Cisco Technical Support Android App
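An added example, not part of the thread, that parses the `sh running-config | inc aaa` output quoted above and reports the method-list order mismatch the replies point at (login list trying `local` first while the exec authorization list tries a server group first). It runs offline on a constructed copy of the quoted config; treating `local` and `if-authenticated` as the fallback keywords after the server group is an assumption of this checker, not a statement about how a given IOS version behaves.

```python
import re

# Constructed sample: the "sh running-config | inc aaa" lines quoted in the thread.
SAMPLE_CFG = """\
aaa new-model
aaa authentication login default local group radius
aaa authentication enable default enable
aaa authorization exec default group radius if-authenticated
aaa session-id common
"""

# Matches method-list lines: aaa <authentication|authorization> <type> <listname> <methods...>
AAA_LIST = re.compile(r"^aaa (authentication|authorization) (\S+) (\S+) (.+)$")


def parse_methods(method_str):
    """'local group radius if-authenticated' -> ['local', 'group radius', 'if-authenticated']."""
    tokens, methods, i = method_str.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):  # 'group <server-group>' is one method
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_aaa(config):
    """Map (kind, type, listname) -> ordered list of methods for every aaa method-list line."""
    lists = {}
    for line in config.splitlines():
        m = AAA_LIST.match(line.strip())
        if m:
            kind, typ, name, methods = m.groups()
            lists[(kind, typ, name)] = parse_methods(methods)
    return lists


def check_method_order(config, listname="default"):
    """Report whether the login list tries the local database first while the exec
    authorization list tries a server group first (the mismatch the replies describe),
    plus which assumed fallback keywords follow the server group in the authz list."""
    lists = parse_aaa(config)
    login = lists.get(("authentication", "login", listname), [])
    exec_authz = lists.get(("authorization", "exec", listname), [])
    server_first = bool(exec_authz) and exec_authz[0].startswith("group ")
    fallback = [m for m in exec_authz[1:] if m in ("local", "if-authenticated")]
    return {"login": login, "exec": exec_authz,
            "mismatch": bool(login) and login[0] == "local" and server_first,
            "fallback": fallback if server_first else []}


if __name__ == "__main__":
    print(check_method_order(SAMPLE_CFG))
```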