07-17-2013 03:24 AM - edited 03-10-2019 08:39 PM
Hi All,
I have configured AAA on my Cisco switch with the following commands,
and I have been told that I have used a few unnecessary commands which are not required.
What would be the effect if I remove the lines in red?
Any help will be much appreciated.
aaa new-model
aaa authentication login default group radius local
aaa authentication login VTY group radius local
aaa authentication login ssh group radius
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization exec VTY group radius local
aaa accounting exec default start-stop group radius
line con 0
password Testing
line vty 0 4
access-class 1 in
authorization exec VTY
transport input telnet ssh
line vty 5 15
access-class 1 in
authorization exec VTY
transport input telnet ssh
Many thanks.
07-17-2013 03:47 AM
It would not create any issues with login because you already have "aaa authentication login default group radius local", which actually applies to all lines. The ones you have highlighted are nothing but method lists that you can create for different lines as per your need.
You may need this command if you have some dial-in authentication configured.
aaa authentication ppp default if-needed group radius local
For example, if you want to authenticate ONLY the console session with the local database and the vty lines via RADIUS, you can add the below listed config.
aaa authentication login CON local
aaa authorization exec CON local
line console 0
login authentication CON
authorization exec CON
~BR
Jatin Katyal
**Do rate helpful posts**
07-17-2013 04:13 AM
Hi Jatin,
I just want to SSH into my switches using RADIUS, and I am using AD user accounts. I have one local account on the switch just in case the RADIUS fails, so I could log in using the local account.
Which commands do you suggest for this scenario?
Many thanks.
07-17-2013 04:27 AM
Do you want to authenticate the console session also from RADIUS, or from the local database directly, or do you want no authentication for the console session?
~BR
Jatin Katyal
**Do rate helpful posts**
07-17-2013 05:22 AM
Hi Jatin,
Local database directly: the user account created on the switch.
many thanks.
07-17-2013 05:35 AM
If you are talking about only the AAA commands, then you should have the below listed commands:
For SSH/Telnet the default command would work:
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
username
!
!
For authenticating users from the console session, make sure you have the below listed config.
aaa authentication login CON local
aaa authorization exec CON local
line console 0
login authentication CON
authorization exec CON
P.S.: I've assumed you already have the RADIUS server and other required commands added and authentication is working with RADIUS.
Hope this helps.
~BR
Jatin Katyal
**Do rate helpful posts**
07-17-2013 05:43 AM
Hi Jatin,
So if I use the commands you suggested, I should be able to SSH into my switch, and if in future my RADIUS server fails I would be able to SSH using the local user account.
many thanks.
07-17-2013 05:51 AM
You got it right.
The below listed commands have the local keyword at the end. With that, if RADIUS goes down, you can log in via local credentials defined in the local database.
aaa authentication login default group radius local
aaa authorization exec default group radius local
~BR
Jatin Katyal
**Do rate helpful posts**
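The two answers above rest on rules of IOS method lists that are easy to get wrong when reading a config by hand: under aaa new-model, a line with no explicit "login authentication <list>" uses the default list (which is why the extra VTY and ssh lists in the question are inert), and a list falls through to local only when RADIUS does not answer, not when RADIUS rejects the credentials. The checker below is an added example (not code from the thread or from Cisco) that applies those rules to a config text: it reports which login list each line really uses, flags lines whose list has no server-less fallback (lockout once every RADIUS server is down), lists login method lists nothing references, and notes vty lines that still accept telnet. The two embedded configs are constructed samples: the original from the question and the accepted answer's config; the "transport input ssh" in the second one is my addition, not part of the answer.

```python
"""Check a Cisco IOS AAA config for the lockout/fallback conditions discussed
in the thread.  Added example, not from the original post.  Rules applied:
  * with aaa new-model, a line with no `login authentication <list>` uses the
    `default` login list, so extra lists are inert until a line references them;
  * a list reaches `local` only when RADIUS does not answer, never on a reject;
  * a list whose only methods are `group ...` locks the line out once every
    RADIUS server is unreachable.
"""
import re
from dataclasses import dataclass

LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
# Methods that can succeed with no AAA server reachable.
SERVERLESS = {"local", "local-case", "enable", "line", "none"}


@dataclass
class AaaReport:
    login_lists: dict    # list name -> ordered methods, e.g. ["group radius", "local"]
    line_login: dict     # line name -> login list the line actually uses
    lockout_lines: list  # lines whose list has no server-less fallback method
    unused_lists: list   # non-default login lists no line references
    telnet_lines: list   # lines that still accept telnet


def parse_methods(spec: str) -> list:
    """'group radius local' -> ['group radius', 'local'] ('group X' is one method)."""
    tokens, methods, i = spec.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def analyse(config: str) -> AaaReport:
    login_lists, line_subcmds, current = {}, {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue
        if raw[0].isspace() and current is not None:  # indented line sub-command
            line_subcmds[current].append(cmd)
            continue
        current = None
        m = LOGIN_RE.match(cmd)
        if m:
            login_lists[m.group(1)] = parse_methods(m.group(2))
        elif cmd.startswith("line "):
            current = cmd[5:]
            line_subcmds[current] = []

    line_login, lockout, telnet = {}, [], []
    for name, subs in line_subcmds.items():
        used = "default"  # implicit list when the line names none
        for s in subs:
            parts = s.split()
            if parts[:2] == ["login", "authentication"]:
                used = parts[2]
            elif parts[:2] == ["transport", "input"] and "telnet" in parts[2:]:
                telnet.append(name)
        line_login[name] = used
        # An undefined list is treated conservatively as having no fallback.
        if not any(m in SERVERLESS for m in login_lists.get(used, [])):
            lockout.append(name)
    referenced = set(line_login.values())
    unused = sorted(n for n in login_lists if n != "default" and n not in referenced)
    return AaaReport(login_lists, line_login, lockout, unused, telnet)


# Constructed sample: the question's config, indented as `show running-config`
# prints it and trimmed to the commands the checker reads.  The vty lines carry
# `authorization exec VTY` but no `login authentication`, so they use `default`.
ORIGINAL_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login VTY group radius local
aaa authentication login ssh group radius
aaa authorization exec default group radius local
aaa authorization exec VTY group radius local
line con 0
 password Testing
line vty 0 4
 authorization exec VTY
 transport input telnet ssh
line vty 5 15
 authorization exec VTY
 transport input telnet ssh
"""

# Constructed sample: the accepted answer's config, plus `transport input ssh`
# (my addition, not in the thread) so the vty lines stop accepting telnet.
RECOMMENDED_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa authentication login CON local
aaa authorization exec CON local
line con 0
 login authentication CON
 authorization exec CON
line vty 0 15
 transport input ssh
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("recommended", RECOMMENDED_CONFIG)):
        r = analyse(cfg)
        print(label, "login list per line:", r.line_login)
        print("  lockout risk:", r.lockout_lines, "| unused lists:", r.unused_lists,
              "| telnet:", r.telnet_lines)
```

Run against the question's config it reports every line on the default list, VTY and ssh as unused (so deleting them changes nothing), no lockout risk, and telnet still open on both vty ranges. Against the answer's config it reports con 0 on CON, the vty range on default, and nothing flagged. A line that did reference the ssh list ("group radius" only) would be flagged as a lockout risk, which is the case the fallback discussion above is about.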
07-17-2013 05:54 AM
Thank you ever so much, Jatin.
Much appreciated for your time.
regards,
Kamran.
07-17-2013 05:57 AM
You're welcome.
Have a nice one.
~BR
Jatin Katyal
**Do rate helpful posts**