AAA - Local authentication problem

bapatsubodh · ‎09-20-2012

We have following configuration

aaa new-model

aaa authentication login default local group radius

aaa authentication enable default enable

aaa authorization exec default group radius local

aaa session-id common

authentication preference is local and then it's radius.

Currently Radius is reachable but we need to test the local username and passsowrds.

But when local username and passwords are given switch still contacts RADIUS and then access is denied.

Looking for way to test the local username and passwords.

Please share the experience.

Cheers.

- Subodh

Tarik Admani · ‎09-20-2012

Hi,

You can try setting up an ACL on the svi that belongs to the radius server and just deny it from ths host.

Thanks,

Tarik Admani
*Please rate helpful posts*

hkhrais · ‎09-20-2012

Hi ,

You defined local meyhod as the 1'st method in auth. However in autho u defined the AAA server.

In my prespective this is a logical error because when the autho request recieved ,the server will say u didn't authenticated to begin with since auth. Was local.

To achieve ur goal

==================

-make the first authentication method is AAA server

-break the connectivity to that server or change the IP address that defined on the router/switch to something else.so the router\switch will assume the server is down. Then test

Sent from Cisco Technical Support Android App

nkarthikeyan · ‎09-22-2012

I guess u need to make the authorization also set to local and then radius to check it.

By

Karthik

bapatsubodh · ‎09-24-2012

Thanks guys!

Same configuration is working on another switch with different IOS veriosn. So I guess it's related to this IOS.

Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)

BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

Is it a known bug/cavet in this version?

Please share the experience.

Cheers..

Subodh

hkhrais · ‎09-24-2012

Hi ,

In the switch that is working fine , would u pls double check the method order for authenticatin and authorization

Sent from Cisco Technical Support Android App

bapatsubodh · ‎09-26-2012

Here is the output for which the local user works

Switch1#sh running-config | inc aaa

aaa new-model

aaa authentication login default local group radius

aaa authentication enable default enable

aaa authorization exec default group radius if-authenticated

aaa session-id common

Here is the switch where it's not working, it's the same, only difference in these switches is IOS veriosn.

aaa new-model

aaa authentication login default local group radius

aaa authentication enable default enable

aaa authorization exec default group radius if-authenticated

aaa session-id common

hkhrais · ‎09-26-2012

Hi ,

Can u make your IOS image as the working one then test again.

Note

In auhtentication . U stated the local as the first method and RADIUS as the second one. Pls note the switch will NOT failover to radius. Because if the local database is down this mean your switch is totally down.

HTH

Sent from Cisco Technical Support Android App