02-15-2013 11:55 AM - edited 03-10-2019 08:05 PM
Dear all,
I have configured a Windows IAS server to access Cisco devices.
This is working fine; I can access the switch console using a local user.
When I put "login authentication local_access" under line vty 0 4, I can't access the switch using a RADIUS user or a local user.
hostname testswitch
!
enable secret 5 $1$fQM/$IkFh3yroQSiLqIENeTC54.
!
username cisco privilege 15 secret 5 $1$inf9$FU643jV1F/fOZmeQuHDmg/
aaa new-model
aaa authentication login default group radius
aaa authentication login local_access local
aaa authorization exec default group radius
!
radius-server host 172.22.2.1 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key cisco1234
!
control-plane
!
!
line con 0
 privilege level 2
 login authentication local_access
line vty 0 4
line vty 5 15
!
end
Please assist.
02-15-2013 08:24 PM
Hello Vikash-
You have the following command:
aaa authentication login local_access local
Which is instructing the NAD (your switch) to look at the local database for an authenticating user. If you want the NAD to look to the AAA (your IAS server) server then you need to:
1. Change the rule above to include radius as a valid method:
aaa authentication login local_access radius local
OR
2. You can use the other aaa rule (aaa authentication login default group radius) that you have configured for your vty access. So you would do this:
line vty 0 4
 no login authentication local_access
 login authentication default
Hope this helps!
Thank you for rating helpful answers!
02-15-2013 10:51 PM
Hi Neno,
Thanks for the reply.
I tried the command but my AAA authentication is working fine.
Only the local user can't telnet to the switch.
Username: cisco
Password:
% Authentication failed.
I need both users (RADIUS and local) to work at the same time.
Please assist.
02-16-2013 08:21 AM
You cannot make both of them work at the same time. When you have this command "aaa authentication login local_access radius local" you are essentially creating a "login" group that will instruct the switch to query radius authentications. Only if the radius server is "down/dead" would the switch look at the next method, which in your case is the local database.
Thank you for rating helpful answers!
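The fallback behaviour described in the reply above, modelled as an added example (not part of the original thread and not Cisco code): a method list moves to the next method only when the current one gives no answer, so a reject from a reachable RADIUS server is final. The account names, passwords and function names are constructed for illustration.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method accepted the credentials
    FAIL = "fail"    # method answered and rejected them (final)
    ERROR = "error"  # method gave no answer, e.g. server unreachable

# Constructed sample accounts, not taken from the thread's devices.
RADIUS_USERS = {"raduser": "radius-pw"}  # accounts known to the RADIUS server
LOCAL_USERS = {"cisco": "local-pw"}      # 'username ... secret' entries on the switch

def radius(user, password, server_up):
    if not server_up:
        return Result.ERROR              # timeout: neither accept nor reject
    return Result.PASS if RADIUS_USERS.get(user) == password else Result.FAIL

def local(user, password, server_up):
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL

METHODS = {"radius": radius, "local": local}

def authenticate(method_list, user, password, server_up=True):
    """Walk the list in order; only ERROR moves on to the next method."""
    for name in method_list:
        result = METHODS[name](user, password, server_up)
        if result is not Result.ERROR:
            return result is Result.PASS, name   # decision and deciding method
    return False, None                   # every method errored out

def login_matrix(method_list):
    """Outcome for each sample account with the server up and down."""
    rows = {}
    for user, pw in [("raduser", "radius-pw"), ("cisco", "local-pw")]:
        for up in (True, False):
            rows[(user, up)] = authenticate(method_list, user, pw, up)[0]
    return rows

if __name__ == "__main__":
    for ml in (["local"], ["radius"], ["radius", "local"]):
        print(ml, login_matrix(ml))
```

With the list `radius local` and the server reachable, the local account is rejected by RADIUS and never checked against the switch, which matches the "% Authentication failed." output earlier in the thread.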
02-16-2013 08:40 AM
Hi Neno,
Thanks so much for the clarification.
Now it is working.
Regards
02-17-2013 07:00 PM
You are welcome Vikas! Glad I was able to help. If your issue was resolved please mark the thread as "answered/closed"