03-31-2015 11:25 AM - edited 03-10-2019 10:36 PM
Hi Everyone,
Is there any way I can configure RADIUS and local account authentication to work at the same time?
Here is the scenario.
Currently, access to all our Cisco devices is tied to AD accounts via RADIUS, with the fallback being local authentication. It works perfectly fine. However, I have a requirement where specific users will need to access the devices to run specific commands. I've been reading several threads saying to use privilege level 8 and specify the command that the user is only allowed to run.
!
username john privilege 8 password 0 john
privilege exec level 8 debug ip ospf adj
!
But what if the user needs to run more than one command? And how is it going to work, since the AAA authentication method will look up RADIUS first and only allow authentication against the local login if RADIUS is not reachable?
Here is some of the current config I have.
!
aaa authentication login default group radius local
aaa authorization console
aaa authorization exec default group radius local if-authenticated
aaa authorization network default group radius local if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
!
aaa session-id common
!
username Jose privilege 15 password 7 022789034567244
username john privilege 8 password 0 john
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 transport input telnet ssh
line vty 5 15
 exec-timeout 30 0
 privilege level 15
 transport input telnet ssh
Looking forward to your response guys.
03-31-2015 12:19 PM
Hi,
In this case, a recommendation would be to use AAA authentication with RADIUS and the authorization list with the local database --> ASA.
Usually, the best practice for managing devices with certain commands is to use TACACS+, which provides authorization for specific levels of access and for the commands to be used.
Another simple workaround would be to set up a range of VTY lines to use local authentication and local authorization, though depending on the lines you assign, you will need to wait until the pertinent lines get occupied and then use the other ones. The other lines will use RADIUS authentication and authorization.
For example:
Local Database
aaa authentication login LOCAL_AUTHEN local
aaa authorization exec LOCAL_AUTHO local
line vty 0 4
 authorization exec LOCAL_AUTHO
 login authentication LOCAL_AUTHEN
Radius Database:
aaa authentication login RADIUS group radius
aaa authorization exec RADIUS_AUTHOR group radius
line vty 5 15
 authorization exec RADIUS_AUTHOR
 login authentication RADIUS
Please proceed to rate and mark this post as correct!
David Castro,
Regards,
04-01-2015 07:53 AM
Thank you all for your response.
I have checked; the user is already in RADIUS with level 8 access. Now how do I allow them to run specific commands? Thanks
04-02-2015 11:10 AM
Hi All,
Just an update. I got it working now.
Configure the user privilege level on the RADIUS server first, for example level 2.
Then add the specific commands on the Cisco device using this format.
privilege exec level 2 debug ip ospf adj - will allow the user with privilege level 2 to run debug ip ospf adj
privilege exec level 2 undebug ip ospf adj - will allow the user with privilege level 2 to run undebug ip ospf adj
Just follow the same format for each specific command you want the user to have access to.
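As an added example (not configuration from this thread), here is the accepted approach above written out as one complete IOS configuration: RADIUS returns the user's privilege level, exec authorization applies it at login, and only the two OSPF debug commands are lowered to that level. The server name, address, shared secret, the username "ospfops" and the passwords are placeholders; it assumes the RADIUS server returns the Cisco AV-pair "shell:priv-lvl=2" for that user.

```cisco
! Added example, not from the original thread. Placeholders in <angle brackets>.
aaa new-model
!
radius server RADIUS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <RADIUS_SHARED_SECRET>
!
! Authentication: RADIUS first, local only if every RADIUS server is unreachable
aaa authentication login default group radius local
! Exec authorization: the priv-lvl returned by RADIUS (assumed to be 2 for this
! user) sets the session's privilege level; local is the fallback here too
aaa authorization exec default group radius local if-authenticated
!
! Local fallback account for the same user, kept at the same level as on RADIUS
username ospfops privilege 2 secret <STRONG_PASSWORD>
!
! Lower exactly the commands a level-2 user may run. Assigning a command also
! makes its parent keywords (debug, debug ip, ...) reachable at that level, but
! not the other sub-commands under them (debug ip packet stays at level 15).
privilege exec level 2 debug ip ospf adj
privilege exec level 2 undebug ip ospf adj
!
line vty 0 15
 exec-timeout 30 0
 transport input ssh
```

Two points worth checking on a real device: once exec authorization is in place, the privilege level the server returns is what the session gets, so a "privilege level 15" under the vty lines (as in the original config) no longer decides the level for RADIUS users; and because "undebug" is a separate command, forgetting the second privilege line leaves the user able to start the debug but not stop it.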
03-31-2015 04:05 PM
I'm not sure what you really want to achieve, but perhaps there are some ways to achieve your goal ...
1) You can configure your router to first consult the local user accounts and only ask RADIUS if the user is not found:
aaa authentication login LOC_RADIUS local group radius
With that, the local users need to have different usernames than the RADIUS users.
2) When allowing multiple commands to different users, using role-based access control (RBAC) is much easier than using the old privilege levels.
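As an added example of the role-based CLI alternative mentioned in point 2 (not configuration from this post), the snippet below defines a parser view that contains only the OSPF debug commands and binds a local user to it. The view name "OSPF-DEBUG", the username "ospfops" and the secrets are placeholders; the "show ip ospf neighbor" line is an illustrative addition beyond the commands discussed in the thread.

```cisco
! Added example, not from the original thread. Placeholders in <angle brackets>.
aaa new-model
! Local exec authorization is needed so the view is applied at login
aaa authorization exec default local
!
! The root view must be enabled once from privilege 15 before views can be
! created:  enable view   (then enter the enable secret)
parser view OSPF-DEBUG
 secret <VIEW_PASSWORD>
 commands exec include debug ip ospf adj
 commands exec include undebug ip ospf adj
 commands exec include show ip ospf neighbor
!
! The user lands in the view at login; everything outside the include list
! is invisible to the parser for that session
username ospfops view OSPF-DEBUG secret <STRONG_PASSWORD>
```

Compared with privilege levels, a view is an explicit allow list, so adding a third command means one more "commands exec include" line rather than reasoning about which parent keywords a privilege assignment dragged down with it. Whether your RADIUS server can hand back the view name for a remotely authenticated user depends on the IOS release and server; check the release's AAA attribute documentation before relying on it.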
03-05-2025 11:40 AM
Is there an XR equivalent of "aaa authentication login default local group radius" for users to use local login and also RADIUS login?
The above command has no effect, and it still behaves as if RADIUS authentication is taking precedence.