Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


cisco 3650 fallback radius and local access



i m triying to use aaa with fallback radius and  local

here is my configuration on my switch


aaa authentication login AUTH1 group radius local
aaa authorization exec AUTH1 group radius local
aaa authorization network AUTH1 group radius local
aaa authentication dot1x AUTH1 group radius
aaa accounting dot1x AUTH1 start-stop group radius


line con 0
exec-timeout 15 0
stopbits 1
line aux 0
exec-timeout 15 0
stopbits 1
transport input none
line vty 0 15
exec-timeout 15 0
transport input ssh
login authentication AUTH1
authorization exec AUTH1


when i use ssh on my switch

-with a radius account it 's OK

-with a local account on switch -> I get : access denied


It looks fine for me

Is there any missing thing on my configuration ? 


Thanks for your help

Best regards



Jatin Katyal
Cisco Employee

Per my experience, we see "access denied" when local keyword is missing from the login command, However, it seems you have that defined in your case. Can you run the debugs and capture the output while you are testing with local username / password. - show aaa servers - debug radius - debug aaa authentication Please explain how exactly are you trying to interrupt the connectivity between Radius server and switch ?


I Want to test fallback fonction.

I unplugg my câble on radius port and reboot my switch .i simulate my connections to freeradius Is down. I reboot then my switch and use a computer and ssh wiith my local database account and lts password.

I get Access denied

Best regards


I understood my problè test is bad

I need my port radius connected and stop m'y freeradius service for fallback



What you are seeing is correct.  If the RADIUS servers are operational the switch with always use them.  ONLY when the RADIUS servers are down will you be able to use the local account.


Thanks for your answer.


i test with my admin account in my local database on my switch .it has a password

And i unplugg my câble port to simulate a disconnected freeradius and reboot my freeradius Is down

And my ssh gives me "Access denied

For me fallback doesn t work

it makes no sense for me

Best regards





I think my test is bad and do not unplugg my câble port but stop m'y freeradius service.

I think it s a better test to use fallback fonction

Best regards




I did my second test and get the same

message  with my admin local account. Access denied


Is it a bug in Cisco 3650? My version is 16.6.05.

Best regards






Recognize Your Peers
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube