
Local Access router/switch if Radius Server Fails

vikas kumar
Level 1

Dear all

I have configured Windows IAS server to access Cisco devices.

This is working fine, I can access the switch console using a local user.

When I put "login authentication local_access" under line vty 0 4, I can't access the switch using a radius user or a local user.

     hostname testswitch
     !
     enable secret 5 $1$fQM/$IkFh3yroQSiLqIENeTC54.
     !
     username cisco privilege 15 secret 5 $1$inf9$FU643jV1F/fOZmeQuHDmg/
     aaa new-model
     aaa authentication login default group radius
     aaa authentication login local_access local
     aaa authorization exec default group radius
     !
     radius-server host 172.22.2.1 auth-port 1645 acct-port 1646
     radius-server source-ports 1645-1646
     radius-server key cisco1234
     !
     control-plane
     !
     !
     line con 0
      privilege level 2
      login authentication local_access
     line vty 0 4
     line vty 5 15
     !
     end

Please assist.


nspasov
Cisco Employee

Hello Vikash-

You have the following command:

     aaa authentication login local_access local

Which is instructing the NAD (your switch) to look at the local database for an authenticating user. If you want the NAD to look to the AAA server (your IAS server) then you need to:

1. Change the rule above to include radius as a valid method:

     aaa authentication login local_access radius local

OR

2. You can use the other aaa rule (aaa authentication login default group radius) that you have configured for your vty access. So you would do this:

     line vty 0 4
      no login authentication local_access
      login authentication default

Hope this helps!

Thank you for rating helpful answers!

Hi Neno,

Thanks for the reply.

I tried the command but my AAA authentication is working fine.

Only the local user can't telnet to the switch.

Username: cisco

Password:

% Authentication failed.

I need both users (radius and local) should work at the same time.

Please assist.

You cannot make both of them work at the same time. When you have this command "aaa authentication login local_access radius local" you are essentially creating a "login" group that will instruct the switch to query radius authentications. Only if the radius server is "down/dead" would the switch look at the next method, which in your case is the local database.

Thank you for rating helpful answers!
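
The fallback behaviour described in the reply above, as an added Python sketch that is not part of the original thread and is not Cisco code: it models a method list where the next method is consulted only when the previous one gives no answer, which is why the local user is rejected while the RADIUS server is reachable. The function names, the three outcome values and the sample accounts are assumptions made for illustration.

```python
# Simplified model of how an IOS AAA login method list is walked.
# Assumption (taken from the reply above): a later method is tried only when
# the earlier one gives no answer (server down/dead), never after a reject.
ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"

def radius_method(server_up, radius_users):
    """Return a check function modelling the radius method (hypothetical)."""
    def check(user, password):
        if not server_up:
            return NO_RESPONSE          # timeout: server treated as dead
        return ACCEPT if radius_users.get(user) == password else REJECT
    return check

def local_method(local_users):
    """Return a check function modelling the switch's local user database."""
    def check(user, password):
        return ACCEPT if local_users.get(user) == password else REJECT
    return check

def authenticate(method_list, user, password):
    """Walk the list in order and stop at the first method that answers."""
    for name, method in method_list:
        result = method(user, password)
        if result != NO_RESPONSE:
            return name, result         # an explicit reject ends the walk
    return None, REJECT                 # every method was unreachable

# Constructed sample accounts (plain strings, not the hashes in the thread).
RADIUS_USERS = {"vikas": "radius-pass"}
LOCAL_USERS = {"cisco": "local-pass"}

def build(server_up):
    # Models: aaa authentication login local_access radius local
    return [("radius", radius_method(server_up, RADIUS_USERS)),
            ("local", local_method(LOCAL_USERS))]

if __name__ == "__main__":
    for up in (True, False):
        for user, pw in (("vikas", "radius-pass"), ("cisco", "local-pass")):
            state = "radius up  " if up else "radius down"
            print(state, user, authenticate(build(up), user, pw))
```

With the server reachable, the local account gets the same "% Authentication failed." outcome shown in the thread; it only succeeds once the RADIUS method stops answering.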

Hi Neno,

Thanks so much for the clarification.

Now it is working.

Regards

You are welcome Vikas! Glad I was able to help. If your issue was resolved please mark the thread as "answered/closed"
