07-07-2013 10:48 PM - edited 03-10-2019 08:37 PM
Hello,
I have configured Cisco IOS to authenticate via a RADIUS server (Cisco ISE). By mistake, I have set all authentication to go via RADIUS only.
Now I am able to log in via RADIUS but unable to log in with the Cisco IOS local admin credentials, and because of this I am not able to access the privileged commands.
Is there any way to revert this so that login through admin (sadm) would be possible and not by RADIUS?
I don't have access to "configure", "enable" commands for the radius user.
07-07-2013 11:10 PM
Could you please provide the running configuration from the IOS?
-- Show run
If you have radius as the primary authentication method and local as the secondary (failover - in case radius goes down, you may access IOS via the local database), then only radius authentication will work. The local credentials can only be used when the radius server is unreachable or down. In the presence of the radius server, local credentials won't work.
~BR
Jatin Katyal
**Do rate helpful posts**
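The fallback behaviour described in the post above can be checked before a change is pasted into a device. The following is an added example, not part of the thread or any Cisco tooling: it parses `aaa authentication` lines from a candidate config and flags method lists with no on-device fallback or an unrecognized method keyword. The sample config, the function names and the keyword sets are assumptions.

```python
import re

# Method keywords accepted per list type (assumed from the IOS command reference).
VALID = {
    "login": {"group", "local", "local-case", "enable", "line", "none",
              "krb5", "krb5-telnet"},
    "enable": {"group", "enable", "line", "none"},
}
# Methods checked on the device itself, usable when no AAA server answers.
ON_BOX = {"local", "local-case", "enable", "line"}
AAA = re.compile(r"^aaa authentication (login|enable) (\S+) (.+)$")

def methods_of(rest):
    """Split a method list, keeping 'group <name>' as one entry."""
    out, toks = [], rest.split()
    while toks:
        head = toks.pop(0)
        out.append(f"{head} {toks.pop(0)}" if head == "group" and toks else head)
    return out

def audit(config):
    """Return (list type, list name, problem) tuples for risky method lists."""
    findings = []
    for line in config.splitlines():
        m = AAA.match(line.strip())
        if not m:
            continue
        kind, name, rest = m.groups()
        methods = methods_of(rest)
        for meth in methods:
            if meth.split()[0] not in VALID[kind]:
                findings.append((kind, name, f"unknown method '{meth}'"))
        if not any(meth in ON_BOX for meth in methods):
            findings.append((kind, name, "no on-box fallback if servers are down"))
        if "none" in methods:
            findings.append((kind, name, "'none' grants access without credentials"))
    return findings

# Constructed sample config, not taken from the thread.
SAMPLE = """\
aaa new-model
aaa authentication login default group radius
aaa authentication login CONSOLE group radius local
aaa authentication enable default group radius enable
aaa authentication login VTY group radius locl
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Only the RADIUS-only `default` list and the mistyped `VTY` list are reported; the two lists that end in an on-device method pass.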
07-08-2013 12:10 AM
Thanks Jatin,
The show run command is not working. It is showing the error: "% Unrecognized command"
I have also tried taking down the RADIUS server (Cisco ISE server), but I am still not able to log in via admin (sadm).
Is there any configuration file which contains an entry for the RADIUS user, because of which authentication is via RADIUS and not local?
07-08-2013 03:52 AM
Was that working before? btw, what IOS code are you running?
What error do you see on the IOS command line interface when ISE is DOWN and you try to log in with the local user account?
Did you set local authentication as a failover method? Do you have a paper config of the IOS before you got locked out?
You can check the ISE live authentication logs to see whether the user is being authenticated by the radius server. You need to use radius credentials and then go to ISE > operations > authentication > log messages.
Did you write the changes? If not, the last resort would be RELOAD.
~BR
Jatin Katyal
**Do rate helpful posts**
07-16-2013 04:23 AM
Thanks Jatin,
The problem is resolved; now I am able to log in.
Thanks for your help.
07-16-2013 04:41 AM
Yw, was there any miss or typo in the config from your side in the aaa authentication commands?
Sent from Cisco Technical Support Android App
07-16-2013 04:55 AM
Yes, there was a typo in the aaa authentication commands; by mistake I typed the wrong spelling.
Do you have any logs related to client provisioning and posture assessment in Cisco ISE?
07-16-2013 05:07 AM
I see, that's the only issue I could think of.
I would appreciate it if you initiate a new discussion for ISE and mark this thread as Resolved.
~BR
Jatin Katyal
**Do rate helpful posts**
07-16-2013 05:33 AM
I have already opened another issue for the same: