Radius + local accounts and privilege

gahe
Level 1

Hi,

I am trying to configure authentication so that at any time I can authenticate using either Radius or a local admin account. When someone logs in with Radius, I expect them to have regular low privilege (prompt '>') and to have to type 'enable' to get higher privilege. When authenticating with the local account 'admin' I want to log in directly with privilege 15 in enable mode with prompt '#'.

At the moment authentication works both with Radius and the local 'admin' account. But I get the '>' prompt with 'admin' and have to type 'enable' to get higher privilege despite the privilege 15 in the username command line.

What am I doing wrong, please?

Here is my config:

enable secret 9 xxxx

aaa new-model
aaa authentication login default local group radius

username admin privilege 15 secret xxxx

line vty 0 4
  transport input ssh
line vty 5 15
  transport input ssh

Thanks!


11 Replies

marce1000
VIP

- Could you also add aaa authorization exec default group radius local

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Thanks for your help. I added "aaa authorization exec default group radius local" and now:

  • when I try to log in with the local 'admin' account I get "% Authorization failed. Connection to xxx closed"
  • when I try with a radius account I get "Line has invalid autocommand " ppp negotiate" Connection to xxx closed"

PS: I don't have any config line with "ppp" or "negotiate".


- As per https://community.cisco.com/t5/network-access-control/line-has-invalid-autocommand-quot-ppp-negotiate-quot/m-p/737030#M420861, this may be caused by settings on the radius server.

 M.


The behavior I am trying to change is for when the local 'admin' account is used.
When I added the suggested line, I got "Authorization failed" for the local 'admin' account.

When I use a radius account it already behaves as I expect now.

Gopinath_Pigili
Spotlight

line vty 0 15

login authentication default

you should execute  the above command under line vty  mode....

Best regards
******* If This Helps, Please Rate *******

Hi,

I added the line as you suggested:

switch(config)#line vty 0 15
switch(config-line)#login authentication default

But it still behaves the same as in the original situation, that is : I get '>' prompt whether I login with local 'admin' account or a radius account.

Here is the sample configuration...

username admin password cisco
aaa new-model
radius-server host x.x.x.x auth-port 1812 key xyz123
aaa authentication login default group radius local line
line vty 0 15
 login authentication default

---------------------------------

aaa authentication login default local group radius

could you please replace the above command with aaa authentication login default group local radius

Best regards
******* If This Helps, Please Rate *******

Will that enable the local account 'admin' to log in to privilege 15 (with prompt '#') directly when logging in?
Because - I am a cisco beginner but - I don't see how in the config lines.

yes..try and check....

Colby LeMaire
VIP Alumni
Accepted Solution

In order to dump a user into a specific privilege level, you need to authorize the EXEC session.  The command would be aaa authorization exec default group radius local.  However, I don't think that what you are trying to do specifically is possible with a simple straightforward AAA setup.  The way the AAA method list works is that the device will try the first method such as radius and if there is no response from radius, then it falls back to the next method of local.  Local only comes into play if the radius server does not respond at all.  Chances are it will respond with a reject for the local account since the radius server doesn't know the local account.  Even if you could switch the order to local first, local will always be available so the device would never use radius.  And since the radius user does not exist in the local database, you get % Authorization failed %.

You could get fancy and use the "rotary" command and Telnet on a specific VTY line such as vty 15.  "rotary 5" would allow you to Telnet to the device on port "3005".  And then you assign a specific AAA method list to this VTY line only that only checks the local database.  Rotary only works with Telnet.  Which leads me to overall security and your approach.

Telnet is obviously not a good idea.  The benefit of using AAA with an external server is that you increase security and ease of management by centralizing your policy on an authentication server.  And if a bad person keeps attempting to access your device, all of those attempts are logged on the server, away from the device.  If the bad person were successful after hundreds of attempts, they could just erase that information on the device and do whatever bad stuff they want such as locking you out of the device.  And if it were local authentication, it would be hard to know what really happened and why you can't get into your device anymore.  Assuming that the device is not sending syslog messages to an external server.

The solution that most organizations use is to configure an account on the Radius server that is local to the Radius server and not in AD or some other external identity source.  That allows you to connect if the Radius server is unable to reach AD.  If the Radius server goes down, then you have a local account on the device that you can use.  Since Radius is down, the local device account works.  Then you can obviously configure your console port to only use local or no authentication at all as a last resort.  But you would want to ensure that the device is physically secure where only certain people have physical access to the device.

HTH,

Colby
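A worked configuration for the pattern Colby describes (RADIUS-first on the VTY lines, local fallback only when no RADIUS server answers, and a local-only method list on the console). This is an added example for this page, not a config posted in the thread or taken from Cisco documentation; the server address x.x.x.x, the key xyz123, the list name CONSOLE and the secrets are placeholders.

```cisco
! Added example; placeholders: x.x.x.x, xyz123, CONSOLE, <strong-secret>, <enable-secret>
aaa new-model
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xyz123
!
! VTY (SSH) sessions: RADIUS is tried first. 'local' is consulted only when
! no RADIUS server responds at all. An Access-Reject is a final answer and
! does not fall through to the local database, which is why the local
! 'admin' account cannot be used over SSH while RADIUS is reachable.
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
! Console: local database only, so the device stays reachable with the
! 'admin' account even while RADIUS is up and rejecting unknown names.
! 'aaa authorization console' is required for exec authorization to be
! applied on the console line at all.
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE local
aaa authorization console
!
! The 'privilege 15' on the username only takes effect when exec
! authorization runs with the 'local' method; without any exec
! authorization every AAA-authenticated user lands at privilege 1 ('>').
username admin privilege 15 secret <strong-secret>
enable secret <enable-secret>
!
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
line vty 0 15
 login authentication default
 authorization exec default
 transport input ssh
```

On the RADIUS side, a user who should land at '>' and type 'enable' gets Service-Type = NAS-Prompt-User; a user who should drop straight into privilege 15 gets the Cisco vendor attribute cisco-av-pair = "shell:priv-lvl=15". If the server returns Service-Type = Framed-User instead, IOS tries to start PPP on the line, which is the usual cause of the "Line has invalid autocommand 'ppp negotiate'" error seen earlier in the thread. After logging in, 'show privilege' confirms the level actually granted, and 'test aaa group radius <user> <password> new-code' shows what the server returns without risking a lockout.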

Thanks for the detailed and clear answer. That explains that what I was trying to achieve is not possible "as such".

I'll workaround it based on your suggestions.