07-03-2013 04:25 AM - edited 03-10-2019 08:36 PM
Hi all,
I have a RADIUS server running on Windows 2003. I am using a Cisco 2960 switch; everything is working fine, but I need to test the local user account on the switch so that I don't lock myself out if the RADIUS server is not available.
Which command shall I enter to enable that?
Any help will be much appreciated.
many thanks,
Kamran.
07-03-2013 04:56 AM
hi,
Any logs? Are you writing about administration access to the switch or dot1x?
Check the docs about AAA on the switch.
The second method is reached if the 1st is unreachable:
aaa authentication login default group radius local
regards
07-03-2013 04:58 AM
Hi Kamran,
What does your current AAA configuration look like?
If you have console access to the device, you can check the local username and password using the console as below.
aaa authentication login CONSOLE local
line console 0
 login authentication CONSOLE
Please ensure that a local username and password is configured.
Hope that helps
Regards
Najaf
Please rate when applicable or helpful !!!
07-03-2013 05:56 AM
Hi Najaf,
Thanks for your help.
What about if I want to SSH into my device?
many thanks,
kamran.
07-03-2013 05:59 AM
Hi,
The above suggestion was to test if local credentials are working...
So now are you looking for how to enable SSH on your devices? Or do you want to test how the RADIUS fallback will work for SSH?
Sorry, I didn't really get your question :-(
Regards
Najaf
Please rate when applicable or helpful !!!
07-03-2013 06:23 AM
Hi Najaf,
Yes, I want to have access to the switch if the RADIUS server is not available.
many thanks.
07-03-2013 06:30 AM
Hi Kamran,
Could you please share your existing AAA configuration?
If you want to test if your configuration is working, then try replacing the existing RADIUS server IP (on your switch configuration through console) with a dummy IP address. Then the RADIUS server will not respond and you can try SSH to the device using your local credentials. The easiest way to make the RADIUS server unavailable otherwise would be to shut the port where the RADIUS server is connected. In that case you will have trouble accessing other devices if local logins are not working :-(
Regards
Najaf
Please rate when applicable or helpful !!!
07-03-2013 06:37 AM
Hi Najaf,
aaa new-model
aaa authentication login default group radius
aaa authentication login VTY group radius local
aaa authentication login ssh group radius
aaa authentication login CONSOLE local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization exec VTY group radius local
aaa accounting exec default start-stop group radius
many thanks.
07-03-2013 06:42 AM
Hi Kamran,
Try this
aaa authentication login default group radius local
This will fall back to local authentication if your radius server is not reachable.
Hope you are not currently calling any specific group under your line 0 4. If it is there remove it...
Hope that helps
Regards
Najaf
Please rate when applicable or helpful !!!
07-03-2013 06:47 AM
Hi Najaf,
The console bit you mentioned earlier, should I remove that from aaa and from the lines?
line con 0
 login authentication CONSOLE
line vty 0 4
 access-class 1 in
 authorization exec VTY
 login authentication CONSOLE
 transport input telnet ssh
line vty 5 15
 access-class 1 in
 authorization exec VTY
 login authentication CONSOLE
 transport input telnet ssh
many thanks.
07-03-2013 06:49 AM
Hi Kamran
Try this..
line vty 0 4
 access-class 1 in
 authorization exec VTY
 transport input telnet ssh
Hope that helps
Regards
Najaf
Please rate when applicable or helpful !!!
07-03-2013 07:00 AM
Hi Najaf,
No, it's not letting me in through RADIUS.
Should I remove the following lines from my configuration:
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication CONSOLE
line vty 5 15
 login authentication CONSOLE
many thanks,
07-03-2013 07:08 AM
Hi,
If you look at my previous post, I have asked you to remove the CONSOLE group from line VTY 0 4.
line vty 0 4
 no login authentication CONSOLE
By the by, how are you testing this? I mean, how are you making the RADIUS server unreachable? Hope you already have a local username and password configured?
Regards
Najaf
Please rate when applicable or helpful !!!
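Added example, not part of the original posts or of any Cisco tooling: a small offline check that resolves which login method list each line uses and flags lines where RADIUS is never consulted or has no local fallback. The function name, verdict labels and the two trimmed sample configs (built from the configuration posted in this thread) are assumptions of this sketch.

```python
import re

# Constructed from the thread: the posted config before the fix (VTY lines
# pinned to the local-only CONSOLE list) and after the suggested changes.
BEFORE = """aaa new-model
aaa authentication login default group radius
aaa authentication login CONSOLE local
line con 0
login authentication CONSOLE
line vty 0 4
login authentication CONSOLE
"""
AFTER = """aaa new-model
aaa authentication login default group radius local
aaa authentication login CONSOLE local
line con 0
login authentication CONSOLE
line vty 0 4
"""

def audit_login_methods(config):
    """Map each line (con/vty) to (list name, methods, verdict)."""
    lists, bound, current = {}, {}, None
    for text in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            # "group radius local" -> ["group radius", "local"]
            lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
        elif text.startswith("line "):
            current = text[len("line "):]
            bound[current] = "default"  # no explicit binding: default list applies
        elif current and text.startswith("login authentication "):
            bound[current] = text.split()[2]
    report = {}
    for line, name in bound.items():
        methods = lists.get(name)
        if methods is None:
            verdict = "undefined-list"     # line references a list that is not defined
        elif not any(x.startswith("group ") for x in methods):
            verdict = "no-radius"          # RADIUS is never consulted on this line
        elif "local" in methods:
            verdict = "radius-with-local"  # local accounts usable if RADIUS is down
        else:
            verdict = "radius-only"        # lockout risk when RADIUS is unreachable
        report[line] = (name, methods, verdict)
    return report

if __name__ == "__main__":
    print(audit_login_methods(BEFORE), audit_login_methods(AFTER), sep="\n")
```

The parser does not rely on indentation, so it accepts configuration pasted flat as in this thread; it only looks at `aaa authentication login` lists, not authorization or accounting.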
07-03-2013 08:32 AM
Hi Najaf,
Thank you ever so much, it's working !!!
Much appreciated for your time.
How long have you been working on Cisco devices?
kind regards,
kamran
07-24-2019 08:13 AM
Hi,
I also have a similar configuration on my Cisco 2960 switch where I am unable to log in using my local account. I can log in to the switch using my RADIUS account but not the local switch account; the configuration is below:
aaa new-model
aaa group server radius RADIUS-SERVER
server-private 10.200.62.xx key abcdefghijkl123
aaa authentication login default group RADIUS-SERVER local
aaa authorization exec default group RADIUS-SERVER local
aaa accounting exec default start-stop group RADIUS-SERVER
************************
line vty 0 4
 authorization exec default
 transport input telnet ssh
line vty 5 15
 authorization exec default
 transport input telnet ssh
Could you please give me some suggestions as to why it is not working for me?