cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
843
Views
0
Helpful
9
Replies

Configuring AAA

kamrannaseem
Level 1
Level 1

Hi All,

I have configured aaa on my cisco switch with the follwoing commands.

and i have been told that I have used few unnecessary commands which are not required.

what would be the effect I remove the lines in red ?

any help will be much appriciated.

 

aaa new-model

aaa authentication login default group radius local

aaa authentication login VTY group radius local

aaa authentication login ssh group radius

aaa authentication ppp default if-needed group radius local

aaa authorization exec default group radius local

aaa authorization exec VTY group radius local

aaa accounting exec default start-stop group radius

line con 0

password Testing

line vty 0 4

access-class 1 in

authorization exec VTY

transport input telnet ssh

line vty 5 15

access-class 1 in

authorization exec VTY

transport input telnet ssh

Many thanks.

3 Accepted Solutions

Accepted Solutions

Jatin Katyal
Cisco Employee
Cisco Employee

It would not create any issues with login because you already have "aaa authentication login default group radius local" which actually applies to all lines. The one you have highlighted are nothing but just method-list that you can create for different lines as per your need.

You may need this command, if you have some dial-in authentication configured.

aaa authentication ppp default if-needed group radius local

For example, if you want to authenticate ONLY console session with local database and vty lines via radius, you can add the below listed config.

aaa authentication login CON local

aaa authorization exec CON local

line console 0

login authentication CON

authorization exec CON

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

View solution in original post

If you talk about only aaa commands, then you should have below listed commands:

For SSH/Telnet the default command would work:

aaa new-model

aaa authentication login default group radius local

aaa authorization exec default group radius local

aaa accounting exec default start-stop group radius

username privilege 15 password

!

!

For authenticating users from console session, make sure you have below listed config.

aaa authentication login CON local

aaa authorization exec CON local

line console 0

login authentication CON

authorization exec CON

P.S: I've assumed you already have radius server and other required commands added and authentication is working with radius.

Hope this helps.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

View solution in original post

You got it right.

The below listed commands have local keywords at the end. With that if radius goes down, you can login via local credentials defined in local database.

aaa authentication login default group radius local

aaa authorization exec default group radius local

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

View solution in original post

9 Replies 9

Jatin Katyal
Cisco Employee
Cisco Employee

It would not create any issues with login because you already have "aaa authentication login default group radius local" which actually applies to all lines. The one you have highlighted are nothing but just method-list that you can create for different lines as per your need.

You may need this command, if you have some dial-in authentication configured.

aaa authentication ppp default if-needed group radius local

For example, if you want to authenticate ONLY console session with local database and vty lines via radius, you can add the below listed config.

aaa authentication login CON local

aaa authorization exec CON local

line console 0

login authentication CON

authorization exec CON

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin,

I just want to ssh into my switches using RADIUS and i am using AD user accounts and i have one local account on the switch just incase if the radius fails, so I could login using loacal account.

which commands you suggest for this scenerio ?

Many thanks.

Do you want to authenticate console session also from Radius session or from local database directly or you want no authentication for console session?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin,

Local database directly.the user account created on the switch.

many thanks.

If you talk about only aaa commands, then you should have below listed commands:

For SSH/Telnet the default command would work:

aaa new-model

aaa authentication login default group radius local

aaa authorization exec default group radius local

aaa accounting exec default start-stop group radius

username privilege 15 password

!

!

For authenticating users from console session, make sure you have below listed config.

aaa authentication login CON local

aaa authorization exec CON local

line console 0

login authentication CON

authorization exec CON

P.S: I've assumed you already have radius server and other required commands added and authentication is working with radius.

Hope this helps.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin,

So If I use these commands you suggested I should be able to ssh into my switch and if in future my RADIUS server fails I would be able to ssh using local user account.

many thanks.

You got it right.

The below listed commands have local keywords at the end. With that if radius goes down, you can login via local credentials defined in local database.

aaa authentication login default group radius local

aaa authorization exec default group radius local

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Thank you ever so much Jatin.

Much appriciated for your time.

regards,

Kamran.

yw

Have a nice one.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin