Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2668
Views
5
Helpful
7
Replies

cisco 3650 fallback radius and local access

johnblack2045
Level 1
Level 1

‎08-11-2020 08:23 AM

hello

 

i m triying to use aaa with fallback radius and  local

here is my configuration on my switch

 


aaa authentication login AUTH1 group radius local
aaa authorization exec AUTH1 group radius local
aaa authorization network AUTH1 group radius local
aaa authentication dot1x AUTH1 group radius
aaa accounting dot1x AUTH1 start-stop group radius

 

line con 0
exec-timeout 15 0
stopbits 1
line aux 0
exec-timeout 15 0
stopbits 1
transport input none
line vty 0 15
exec-timeout 15 0
transport input ssh
login authentication AUTH1
authorization exec AUTH1

 

when i use ssh on my switch

-with a radius account it 's OK

-with a local account on switch -> I get : access denied

 

It looks fine for me

Is there any missing thing on my configuration ? 

 

Thanks for your help

Best regards

 

 

Labels:
0 Helpful
7 Replies 7

Jatin Katyal
Cisco Employee
Cisco Employee

‎08-11-2020 10:59 AM

Per my experience, we see "access denied" when local keyword is missing from the login command, However, it seems you have that defined in your case. Can you run the debugs and capture the output while you are testing with local username / password. - show aaa servers - debug radius - debug aaa authentication Please explain how exactly are you trying to interrupt the connectivity between Radius server and switch ?
~Jatin
0 Helpful

johnblack2045
Level 1
Level 1
In response to Jatin Katyal

‎08-12-2020 03:18 PM

Hello

I Want to test fallback fonction.

I unplugg my câble on radius port and reboot my switch .i simulate my connections to freeradius Is down. I reboot then my switch and use a computer and ssh wiith my local database account and lts password.

I get Access denied

Best regards

 

0 Helpful

johnblack2045
Level 1
Level 1
In response to johnblack2045

‎08-12-2020 03:27 PM

I understood my problème.my test is bad

I need my port radius connected and stop m'y freeradius service for fallback

 

0 Helpful

paul
Level 10
Level 10

‎08-11-2020 01:40 PM

What you are seeing is correct.  If the RADIUS servers are operational the switch with always use them.  ONLY when the RADIUS servers are down will you be able to use the local account.

johnblack2045
Level 1
Level 1
In response to paul

‎08-12-2020 10:12 AM

Hello

Thanks for your answer.

Fyi 

i test with my admin account in my local database on my switch .it has a password

And i unplugg my câble port to simulate a disconnected freeradius and reboot my switch.so freeradius Is down

And my ssh gives me "Access denied

For me fallback doesn t work

it makes no sense for me

Best regards

 

 

 

 

0 Helpful

johnblack2045
Level 1
Level 1
In response to johnblack2045

‎08-12-2020 03:31 PM

I think my test is bad and do not unplugg my câble port but stop m'y freeradius service.

I think it s a better test to use fallback fonction

Best regards

 

 

0 Helpful

johnblack2045
Level 1
Level 1
In response to johnblack2045

‎08-13-2020 09:28 AM

Hello

I did my second test and get the same

message  with my admin local account. Access denied

 

Is it a bug in Cisco 3650? My version is 16.6.05.

Best regards

 

 

 

 

 

0 Helpful
Customers Also Viewed These Support Documents