06-28-2013 06:15 AM - edited 03-10-2019 08:35 PM
Hi all,
I am unable to log in with a local user when the RADIUS server is down.
This is the switch configuration:
aaa new-model
aaa authentication login default group radius local
aaa authentication login remote group radius local
aaa authentication enable default enable
aaa session-id common
radius-server host 192.168.150.22
radius-server deadtime 5
radius-server key 7 XXXXXXXXXXXXXXXXXX
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class 101 in
 exec-timeout 5 0
 login authentication remote
 transport input ssh
line vty 5 15
 access-class 101 in
 exec-timeout 5 0
 login authentication remote
 transport input ssh
Output of debug AAA and debug RADIUS when the RADIUS server is down:
9w0d: AAA/AUTHEN/LOGIN (000002B3): Pick method list 'remote'
9w0d: RADIUS/ENCODE(000002B3): ask "Password: "
9w0d: RADIUS/ENCODE(000002B3): send packet; GET_PASSWORD
9w0d: RADIUS/ENCODE(000002B3):Orig. component type = Exec
9w0d: RADIUS: AAA Unsupported Attr: interface [221] 4 75560408
9w0d: RADIUS/ENCODE(000002B3): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
9w0d: RADIUS(000002B3): Config NAS IP: 0.0.0.0
9w0d: RADIUS(000002B3): Config NAS IPv6: ::
9w0d: RADIUS/ENCODE(000002B3): acct_session_id: 681
9w0d: RADIUS(000002B3): sending
9w0d: RADIUS/ENCODE: Best Local IP-Address 192.168.172.249 for Radius-Server 192.168.150.22
9w0d: RADIUS(000002B3): Sending a IPv4 Radius Packet
9w0d: RADIUS(000002B3): Send Access-Request to 192.168.150.22:1645 id 1645/79,len 82
9w0d: RADIUS: authenticator 12 78 F8 39 D5 B0 12 F4 - 18 7E 38 AC 59 3B CD F4
9w0d: RADIUS: User-Name [1] 8 "tatari"
9w0d: RADIUS: Reply-Message [18] 12
9w0d: RADIUS: 50 61 73 73 77 6F 72 64 3A 20 [ Password: ]
9w0d: RADIUS: User-Password [2] 18 *
9w0d: RADIUS: NAS-Port [5] 6 2
9w0d: RADIUS: NAS-Port-Id [87] 6 "tty2"
9w0d: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
9w0d: RADIUS: NAS-IP-Address [4] 6 192.168.172.249
9w0d: RADIUS(000002B3): Started 5 sec timeout
9w0d: RADIUS(000002B3): Request timed out!
9w0d: RADIUS: Retransmit to (192.168.150.22:1645,1646) for id 1645/79
9w0d: RADIUS(000002B3): Started 5 sec timeout
9w0d: RADIUS(000002B3): Request timed out!
9w0d: RADIUS: Retransmit to (192.168.150.22:1645,1646) for id 1645/79
9w0d: RADIUS(000002B3): Started 5 sec timeout
9w0d: RADIUS(000002B3): Request timed out!
9w0d: RADIUS: Retransmit to (192.168.150.22:1645,1646) for id 1645/79
9w0d: RADIUS(000002B3): Started 5 sec timeout
9w0d: RADIUS(000002B3): Request timed out!
9w0d: RADIUS: No response from (192.168.150.22:1645,1646) for id 1645/79
9w0d: RADIUS/DECODE: No response from radius-server; parse response; FAIL
9w0d: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
Why doesn't AAA try local authentication?
Best regards
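A small triage script for debug output of this kind, added here as an example and not part of the original post: it summarises the RADIUS exchange (method list picked, server and request id, number of transmissions, total time the user waited) and states what the method list is expected to do next. IOS method lists move on to the next method only on an ERROR (server unreachable, as in this trace); an Access-Reject is a FAIL and ends the list. The sample input is the debug excerpt quoted above; the `Access-Accept`/`Access-Reject` pattern is an assumption, since the posted trace never received a reply.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the relevant lines of the debug output quoted in the post.
SAMPLE_DEBUG = """\
9w0d: AAA/AUTHEN/LOGIN (000002B3): Pick method list 'remote'
9w0d: RADIUS(000002B3): Send Access-Request to 192.168.150.22:1645 id 1645/79,len 82
9w0d: RADIUS: User-Name [1] 8 "tatari"
9w0d: RADIUS(000002B3): Started 5 sec timeout
9w0d: RADIUS(000002B3): Request timed out!
9w0d: RADIUS: Retransmit to (192.168.150.22:1645,1646) for id 1645/79
9w0d: RADIUS(000002B3): Started 5 sec timeout
9w0d: RADIUS(000002B3): Request timed out!
9w0d: RADIUS: Retransmit to (192.168.150.22:1645,1646) for id 1645/79
9w0d: RADIUS(000002B3): Started 5 sec timeout
9w0d: RADIUS(000002B3): Request timed out!
9w0d: RADIUS: Retransmit to (192.168.150.22:1645,1646) for id 1645/79
9w0d: RADIUS(000002B3): Started 5 sec timeout
9w0d: RADIUS(000002B3): Request timed out!
9w0d: RADIUS: No response from (192.168.150.22:1645,1646) for id 1645/79
9w0d: RADIUS/DECODE: No response from radius-server; parse response; FAIL
"""

RE_METHOD_LIST = re.compile(r"Pick method list '([^']+)'")
RE_SEND = re.compile(r"Send Access-Request to ([\d.]+):(\d+) id ([^,\s]+),len (\d+)")
RE_USER = re.compile(r'User-Name \[1\] \d+ "([^"]+)"')
RE_TIMER = re.compile(r"Started (\d+) sec timeout")
RE_TIMED_OUT = re.compile(r"Request timed out!")
RE_RETRANSMIT = re.compile(r"Retransmit to \(")
RE_NO_RESPONSE = re.compile(r"No response from radius-server")
# Assumed pattern for a server answer; the posted trace never got one.
RE_REPLY = re.compile(r"Access-(Accept|Reject)")


@dataclass
class RadiusAttempt:
    method_list: Optional[str] = None
    user: Optional[str] = None
    server: Optional[str] = None
    port: Optional[int] = None
    request_id: Optional[str] = None
    transmissions: int = 0    # initial send plus every retransmit
    timeouts: int = 0
    wait_seconds: int = 0     # sum of the per-attempt timers the user sat through
    outcome: str = "unknown"  # no_response | accept | reject | unknown


def parse_radius_debug(text: str) -> RadiusAttempt:
    """Walk the debug lines once and collect the facts about a single login attempt."""
    a = RadiusAttempt()
    for line in text.splitlines():
        if m := RE_METHOD_LIST.search(line):
            a.method_list = m.group(1)
        elif m := RE_SEND.search(line):
            a.server, a.port, a.request_id = m.group(1), int(m.group(2)), m.group(3)
            a.transmissions += 1
        elif m := RE_USER.search(line):
            a.user = m.group(1)
        elif m := RE_TIMER.search(line):
            a.wait_seconds += int(m.group(1))
        elif RE_TIMED_OUT.search(line):
            a.timeouts += 1
        elif RE_RETRANSMIT.search(line):
            a.transmissions += 1
        elif RE_NO_RESPONSE.search(line):
            a.outcome = "no_response"
        elif m := RE_REPLY.search(line):
            a.outcome = m.group(1).lower()
    return a


def verdict(a: RadiusAttempt) -> str:
    """Translate the RADIUS result into what the AAA method list should do next."""
    if a.outcome == "no_response":
        return (f"ERROR: {a.server}:{a.port} never answered id {a.request_id} "
                f"({a.transmissions} transmissions, about {a.wait_seconds}s). IOS treats an "
                f"unreachable server as an ERROR, so method list '{a.method_list}' should fall "
                f"through to its next method; if no local prompt follows, that fallback is the "
                f"thing to investigate.")
    if a.outcome == "reject":
        return "FAIL: the server rejected the credentials; a FAIL ends the method list, no fallback."
    if a.outcome == "accept":
        return "PASS: the server accepted the credentials."
    return "unknown: no terminal RADIUS event found in this excerpt."


if __name__ == "__main__":
    attempt = parse_radius_debug(SAMPLE_DEBUG)
    print(attempt)
    print(verdict(attempt))
```

Feed it the output of `debug radius` and `debug aaa authentication` captured for one login; the total wait (here four timers of 5 seconds) is also the delay the user sees before any fallback could present a local password prompt.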
06-28-2013 06:35 AM
The authentication request is not even trying the local auth method?
Have you tried with local authentication only? Does that work?
Could you please provide show version from the device.
Jatin Katyal
- Do rate helpful posts -
06-28-2013 06:52 AM
aaa authentication login only_local local
line vty 0 4
 access-class 101 in
 exec-timeout 5 0
 login authentication only_local
 transport input ssh
With this configuration it works fine with a local user, but I need RADIUS as well.
And the show version output:
Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 15.0(2)SE2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Tue 05-Feb-13 12:21 by prod_rel_team
ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(35r)SE2, RELEASE SOFTWARE (fc1)
INSWTRIV02 uptime is 9 weeks, 23 hours, 27 minutes
System returned to ROM by power-on
System restarted at 16:21:52 GMT+2 Thu Apr 25 2013
System image file is "flash:/c3560-ipbasek9-mz.150-2.se2.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco WS-C3560-8PC (PowerPC405) processor (revision C0) with 131072K bytes of memory.
Processor board ID FOC1327W73D
Last reset from power-on
2 Virtual Ethernet interfaces
8 FastEthernet interfaces
1 Gigabit Ethernet interface
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:26:52:A4:96:80
Motherboard assembly number : 73-10612-07
Power supply part number : 341-0207-01
Motherboard serial number : FOC13281794
Power supply serial number : LIT13120986
Model revision number : C0
Motherboard revision number : C0
Model number : WS-C3560-8PC-S
System serial number : FOC1327W73D
Top Assembly Part Number : 800-28131-02
Top Assembly Revision Number : A0
Version ID : V02
CLEI Code Number : COMN400CRA
Hardware Board Revision Number : 0x01
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 9 WS-C3560-8PC 15.0(2)SE2 C3560-IPBASEK9-M
Configuration register is 0xF
07-02-2013 06:43 PM
Maybe you need to wait up to 5 minutes because of "radius-server deadtime 5"; the default is 0...
You set it to "5", so the switch will wait for 5 minutes if RADIUS is unreachable...
See below:
08-31-2014 05:49 AM
Please use
debug aaa subsys
debug aaa authentication
to make sure the switch really does not attempt local authentication. Do you have local users defined?
It is strongly recommended to add
aaa authorization exec default group radius local
too.
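The checks suggested in this reply (are local users defined, and is there an exec authorization list with a local fallback) can be run against a saved configuration. The audit below is an added example, not the thread's or Cisco's code: it parses the AAA and `line` sections of an IOS configuration, resolves which login method list each vty line uses, and flags lists without `local`, missing `username` entries, a missing `aaa authorization exec` list and the configured `radius-server deadtime`. The sample is the configuration from the first post (which shows no `username` lines); the second variant with the `local` keyword dropped is constructed to show the failing case.

```python
import re
from typing import Dict, List

# Constructed sample: the switch configuration quoted in the first post.
POSTED_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login remote group radius local
aaa authentication enable default enable
aaa session-id common
radius-server host 192.168.150.22
radius-server deadtime 5
radius-server key 7 XXXXXXXXXXXXXXXXXX
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class 101 in
 exec-timeout 5 0
 login authentication remote
 transport input ssh
line vty 5 15
 access-class 101 in
 exec-timeout 5 0
 login authentication remote
 transport input ssh
"""

# Constructed variant: same config, but the 'remote' list has no local fallback.
NO_FALLBACK_CONFIG = POSTED_CONFIG.replace(
    "aaa authentication login remote group radius local",
    "aaa authentication login remote group radius")

# Sub-commands that belong to a 'line' block even if indentation was lost.
LINE_SUBCOMMANDS = ("login authentication", "access-class", "exec-timeout", "transport input")


def parse_aaa(config: str) -> dict:
    """Extract the parts of an IOS config that decide login fallback behaviour."""
    login_lists: Dict[str, List[str]] = {}
    authz_lists: Dict[str, List[str]] = {}
    lines: Dict[str, dict] = {}
    usernames: List[str] = []
    deadtime = 0          # IOS default when the command is absent
    current = None        # name of the 'line' block being read, if any
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if cmd.startswith("line "):
            current = cmd[5:]
            lines[current] = {"login": "default"}  # lines without a named list use 'default'
            continue
        if current is not None and cmd.startswith(LINE_SUBCOMMANDS):
            if cmd.startswith("login authentication "):
                lines[current]["login"] = cmd.split()[2]
            continue
        current = None    # anything else is back at global configuration level
        if m := re.match(r"aaa authentication login (\S+) (.+)", cmd):
            login_lists[m.group(1)] = m.group(2).split()
        elif m := re.match(r"aaa authorization exec (\S+) (.+)", cmd):
            authz_lists[m.group(1)] = m.group(2).split()
        elif m := re.match(r"radius-server deadtime (\d+)", cmd):
            deadtime = int(m.group(1))
        elif m := re.match(r"username (\S+)", cmd):
            usernames.append(m.group(1))
    return {"login": login_lists, "authz": authz_lists, "lines": lines,
            "usernames": usernames, "deadtime": deadtime,
            "new_model": "aaa new-model" in config}


def audit_aaa(config: str) -> List[str]:
    """Return human-readable findings about local fallback for remote (vty) logins."""
    cfg = parse_aaa(config)
    findings: List[str] = []
    if not cfg["new_model"]:
        findings.append("aaa new-model is not enabled: AAA method lists are not in effect")
    for name, attrs in cfg["lines"].items():
        if not name.startswith("vty"):
            continue
        list_name = attrs["login"]
        methods = cfg["login"].get(list_name)
        if methods is None:
            findings.append(f"line {name}: login authentication '{list_name}' is not defined")
        elif "local" not in methods:
            findings.append(f"line {name}: method list '{list_name}' has no 'local' fallback")
    if not cfg["usernames"]:
        findings.append("no 'username' entries: a fallback to local has nothing to authenticate against")
    if not cfg["authz"]:
        findings.append("no 'aaa authorization exec' list: add 'aaa authorization exec default group radius local'")
    elif any("local" not in m for m in cfg["authz"].values()):
        findings.append("an 'aaa authorization exec' list lacks 'local': exec authorization fails when RADIUS is down")
    if cfg["deadtime"]:
        findings.append(f"radius-server deadtime {cfg['deadtime']}: an unresponsive server is "
                        f"marked dead and skipped for {cfg['deadtime']} minutes")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("no fallback", NO_FALLBACK_CONFIG)):
        print(f"--- {label} ---")
        for f in audit_aaa(text):
            print(" ", f)
```

Run it against `show running-config` output; the `username` finding only means that the supplied text contains no local accounts, which is the first thing to rule out before suspecting the method list itself.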