Unable to login local after radius server down

Grupo Internet
Level 1

Hi all,

I am unable to log in with a local user when the RADIUS server is down.

This is the switch configuration:

aaa new-model
aaa authentication login default group radius local
aaa authentication login remote group radius local
aaa authentication enable default enable
aaa session-id common
radius-server host 192.168.150.22
radius-server deadtime 5
radius-server key 7 XXXXXXXXXXXXXXXXXX
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class 101 in
 exec-timeout 5 0
 login authentication remote
 transport input ssh
line vty 5 15
 access-class 101 in
 exec-timeout 5 0
 login authentication remote
 transport input ssh

Output of debug aaa and debug radius when the RADIUS server is down:

9w0d: AAA/AUTHEN/LOGIN (000002B3): Pick method list 'remote'
9w0d: RADIUS/ENCODE(000002B3): ask "Password: "
9w0d: RADIUS/ENCODE(000002B3): send packet; GET_PASSWORD
9w0d: RADIUS/ENCODE(000002B3):Orig. component type = Exec
9w0d: RADIUS:  AAA Unsupported Attr: interface         [221] 4   75560408
9w0d: RADIUS/ENCODE(000002B3): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
9w0d: RADIUS(000002B3): Config NAS IP: 0.0.0.0
9w0d: RADIUS(000002B3): Config NAS IPv6: ::
9w0d: RADIUS/ENCODE(000002B3): acct_session_id: 681
9w0d: RADIUS(000002B3): sending
9w0d: RADIUS/ENCODE: Best Local IP-Address 192.168.172.249 for Radius-Server 192.168.150.22
9w0d: RADIUS(000002B3): Sending a IPv4 Radius Packet
9w0d: RADIUS(000002B3): Send Access-Request to 192.168.150.22:1645 id 1645/79,len 82
9w0d: RADIUS:  authenticator 12 78 F8 39 D5 B0 12 F4 - 18 7E 38 AC 59 3B CD F4
9w0d: RADIUS:  User-Name           [1]   8   "tatari"
9w0d: RADIUS:  Reply-Message       [18]  12
9w0d: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
9w0d: RADIUS:  User-Password       [2]   18  *
9w0d: RADIUS:  NAS-Port            [5]   6   2
9w0d: RADIUS:  NAS-Port-Id         [87]  6   "tty2"
9w0d: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
9w0d: RADIUS:  NAS-IP-Address      [4]   6   192.168.172.249
9w0d: RADIUS(000002B3): Started 5 sec timeout
9w0d: RADIUS(000002B3): Request timed out!
9w0d: RADIUS: Retransmit to (192.168.150.22:1645,1646) for id 1645/79
9w0d: RADIUS(000002B3): Started 5 sec timeout
9w0d: RADIUS(000002B3): Request timed out!
9w0d: RADIUS: Retransmit to (192.168.150.22:1645,1646) for id 1645/79
9w0d: RADIUS(000002B3): Started 5 sec timeout
9w0d: RADIUS(000002B3): Request timed out!
9w0d: RADIUS: Retransmit to (192.168.150.22:1645,1646) for id 1645/79
9w0d: RADIUS(000002B3): Started 5 sec timeout
9w0d: RADIUS(000002B3): Request timed out!
9w0d: RADIUS: No response from (192.168.150.22:1645,1646) for id 1645/79
9w0d: RADIUS/DECODE: No response from radius-server; parse response; FAIL
9w0d: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

Why doesn't AAA try local authentication?

Best regards
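
As an added example (not part of the original post, and not Cisco tooling), the following Python parses the debug radius lines quoted above and totals how long the switch sat on the RADIUS method before it could give up on it. With the IOS defaults of a 5-second timeout and 3 retransmits, the server is tried four times, 20 seconds in all, before the method returns an error; it is that error (a server that never answers), not an Access-Reject, that lets AAA move on to the next method in the list, so a local fallback login can only succeed after this wait. The sample lines are a constructed, condensed copy of the debug output above, with the attribute lines dropped and the timing lines kept verbatim.

```python
"""Parse Cisco IOS 'debug radius' output and total the time AAA spent on the
RADIUS method before it could fail over. Added example, not from the post.
The sample below is a constructed, condensed copy of the debug output in the
thread."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the posted debug output.
SAMPLE_DEBUG = """\
9w0d: AAA/AUTHEN/LOGIN (000002B3): Pick method list 'remote'
9w0d: RADIUS(000002B3): Send Access-Request to 192.168.150.22:1645 id 1645/79,len 82
9w0d: RADIUS:  User-Name           [1]   8   "tatari"
9w0d: RADIUS(000002B3): Started 5 sec timeout
9w0d: RADIUS(000002B3): Request timed out!
9w0d: RADIUS: Retransmit to (192.168.150.22:1645,1646) for id 1645/79
9w0d: RADIUS(000002B3): Started 5 sec timeout
9w0d: RADIUS(000002B3): Request timed out!
9w0d: RADIUS: Retransmit to (192.168.150.22:1645,1646) for id 1645/79
9w0d: RADIUS(000002B3): Started 5 sec timeout
9w0d: RADIUS(000002B3): Request timed out!
9w0d: RADIUS: Retransmit to (192.168.150.22:1645,1646) for id 1645/79
9w0d: RADIUS(000002B3): Started 5 sec timeout
9w0d: RADIUS(000002B3): Request timed out!
9w0d: RADIUS: No response from (192.168.150.22:1645,1646) for id 1645/79
9w0d: RADIUS/DECODE: No response from radius-server; parse response; FAIL
"""

PICK_RE = re.compile(r"AAA/AUTHEN/LOGIN \((\w+)\): Pick method list '([^']+)'")
SEND_RE = re.compile(r"RADIUS\((\w+)\): Send Access-Request to ([\d.]+:\d+)")
USER_RE = re.compile(r'User-Name\s+\[1\]\s+\d+\s+"([^"]*)"')
TIMEOUT_RE = re.compile(r"RADIUS\((\w+)\): Started (\d+) sec timeout")
RETX_RE = re.compile(r"RADIUS: Retransmit to \(")
NORESP_RE = re.compile(r"RADIUS: No response from \(")


@dataclass
class RadiusAttempt:
    session: str
    method_list: str = ""
    server: str = ""
    user: str = ""
    timeouts: list = field(default_factory=list)  # seconds waited per try
    retransmits: int = 0
    no_response: bool = False

    @property
    def total_wait(self) -> int:
        """Seconds the login sat on the RADIUS method (timeout x tries)."""
        return sum(self.timeouts)

    @property
    def exhausted(self) -> bool:
        """True when every retransmit timed out and the server never answered:
        the RADIUS method returns ERROR and AAA moves to the next method."""
        return self.no_response and self.retransmits + 1 == len(self.timeouts)


def parse_debug(text: str) -> list:
    """Group the debug lines by AAA session id and collect the timing facts."""
    attempts, current = {}, None
    for line in text.splitlines():
        if m := PICK_RE.search(line):
            current = attempts.setdefault(m.group(1), RadiusAttempt(m.group(1)))
            current.method_list = m.group(2)
        elif m := SEND_RE.search(line):
            current = attempts.setdefault(m.group(1), RadiusAttempt(m.group(1)))
            current.server = m.group(2)
        elif current is None:
            continue  # attribute lines before any session context
        elif m := USER_RE.search(line):
            current.user = m.group(1)
        elif m := TIMEOUT_RE.search(line):
            current.timeouts.append(int(m.group(2)))
        elif RETX_RE.search(line):
            current.retransmits += 1
        elif NORESP_RE.search(line):
            current.no_response = True
    return list(attempts.values())


def summarize(a: RadiusAttempt) -> str:
    state = ("RADIUS method exhausted, AAA should now try the next method in "
             f"list '{a.method_list}'" if a.exhausted
             else "RADIUS method still pending or answered")
    per_try = a.timeouts[0] if a.timeouts else 0
    return (f"session {a.session}: user '{a.user}' via {a.server}, "
            f"{len(a.timeouts)} tries x {per_try}s = {a.total_wait}s; {state}")


if __name__ == "__main__":
    for attempt in parse_debug(SAMPLE_DEBUG):
        print(summarize(attempt))
```

Run against a full debug capture, a session that shows as exhausted has already left the RADIUS method, so if the login still fails at that point the next thing to look at is the local method itself rather than reachability of the server.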

4 Replies

Jatin Katyal
Cisco Employee

Is the authentication request not even trying the local auth method?

Have you tried with local authentication alone? Does that work?

Could you please provide the show version output from the device?

Jatin Katyal

- Do rate helpful posts -

~Jatin

aaa authentication login only_local local
line vty 0 4
 access-class 101 in
 exec-timeout 5 0
 login authentication only_local
 transport input ssh

With this configuration it works fine with a local user, but I need RADIUS as well.

And the show version output:

Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 15.0(2)SE2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Tue 05-Feb-13 12:21 by prod_rel_team

ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(35r)SE2, RELEASE SOFTWARE (fc1)

INSWTRIV02 uptime is 9 weeks, 23 hours, 27 minutes
System returned to ROM by power-on
System restarted at 16:21:52 GMT+2 Thu Apr 25 2013
System image file is "flash:/c3560-ipbasek9-mz.150-2.se2.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C3560-8PC (PowerPC405) processor (revision C0) with 131072K bytes of memory.
Processor board ID FOC1327W73D
Last reset from power-on
2 Virtual Ethernet interfaces
8 FastEthernet interfaces
1 Gigabit Ethernet interface
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:26:52:A4:96:80
Motherboard assembly number     : 73-10612-07
Power supply part number        : 341-0207-01
Motherboard serial number       : FOC13281794
Power supply serial number      : LIT13120986
Model revision number           : C0
Motherboard revision number     : C0
Model number                    : WS-C3560-8PC-S
System serial number            : FOC1327W73D
Top Assembly Part Number        : 800-28131-02
Top Assembly Revision Number    : A0
Version ID                      : V02
CLEI Code Number                : COMN400CRA
Hardware Board Revision Number  : 0x01


Switch Ports Model              SW Version            SW Image                
------ ----- -----              ----------            ----------              
*    1 9     WS-C3560-8PC       15.0(2)SE2            C3560-IPBASEK9-M        


Configuration register is 0xF

myanuary
Level 1

Maybe you need to wait up to 5 minutes because of "radius-server deadtime 5"; the default is 0...

You set it to "5", so the switch will wait for 5 minutes if RADIUS is unreachable...

see below :

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/swauthen.html#wp1091663

Please use

debug aaa subsys
debug aaa authentication

to make sure the switch really does not attempt local authentication. Do you have local users defined?

It is strongly recommended to add

aaa authorization exec default group radius local

too.
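
Putting the two diagnostics raised in this thread (does every login method list actually fall back to local, and is there a local user for that fallback to check) into something you can run against a saved configuration: this is an added example, not Cisco tooling or the poster's code. The configuration it parses is a constructed copy of the one at the top of the thread, which contains no username line, and the audit rules (a login list should end in local, local needs at least one username, an explicitly referenced list must exist, and an aaa authorization exec list should be present as the last reply recommends) are this example's assumptions.

```python
"""Audit a Cisco IOS AAA login configuration for the two questions this thread
raises: does every login method list fall back to local, and is there a local
user for that fallback to check? Added example, not Cisco tooling or the
poster's code; the audit rules are the assumptions noted below."""
import re

# Constructed copy of the configuration posted at the top of the thread.
# Note that it contains no 'username' line.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login remote group radius local
aaa authentication enable default enable
radius-server host 192.168.150.22
radius-server deadtime 5
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class 101 in
 login authentication remote
 transport input ssh
line vty 5 15
 login authentication remote
 transport input ssh
"""


def method_sequence(tokens):
    """Turn ['group', 'radius', 'local'] into ['group radius', 'local']."""
    seq, it = [], iter(tokens)
    for tok in it:
        seq.append(f"group {next(it, '')}" if tok == "group" else tok)
    return seq


def parse_config(text: str) -> dict:
    """Collect login lists, exec authorization, usernames and per-line lists."""
    cfg = {"login_lists": {}, "authorization_exec": None,
           "usernames": [], "radius_hosts": [], "lines": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" "):  # sub-command of the current 'line' block
            if current and (m := re.match(r"login authentication (\S+)", line)):
                cfg["lines"][current] = {"login_list": m.group(1), "explicit": True}
            continue
        current = None
        if m := re.match(r"aaa authentication login (\S+) (.+)", line):
            cfg["login_lists"][m.group(1)] = method_sequence(m.group(2).split())
        elif m := re.match(r"aaa authorization exec default (.+)", line):
            cfg["authorization_exec"] = method_sequence(m.group(1).split())
        elif m := re.match(r"username (\S+)", line):
            cfg["usernames"].append(m.group(1))
        elif m := re.match(r"radius-server host (\S+)", line):
            cfg["radius_hosts"].append(m.group(1))
        elif m := re.match(r"line (con|aux|vty) (.+)", line):
            current = f"{m.group(1)} {m.group(2)}"
            # With aaa new-model, a line without 'login authentication'
            # uses the 'default' list.
            cfg["lines"][current] = {"login_list": "default", "explicit": False}
    return cfg


def audit(cfg: dict) -> list:
    """Return (severity, message) findings. The rules are this example's
    assumptions about what a fallback-safe configuration looks like."""
    findings = []
    for name, seq in cfg["login_lists"].items():
        if "local" not in seq:
            findings.append(("error", f"login list '{name}' ({' '.join(seq)}) "
                                      "has no local fallback"))
        elif not cfg["usernames"]:
            findings.append(("error", f"login list '{name}' falls back to local "
                                      "but no 'username' is configured"))
    for lname, info in cfg["lines"].items():
        if info["explicit"] and info["login_list"] not in cfg["login_lists"]:
            findings.append(("error", f"{lname}: login authentication "
                                      f"'{info['login_list']}' is not a defined list"))
    if cfg["authorization_exec"] is None:
        findings.append(("warn", "no 'aaa authorization exec default ...' list; "
                                 "the thread recommends 'group radius local'"))
    return findings


def audit_text(text: str) -> list:
    return audit(parse_config(text))


if __name__ == "__main__":
    for severity, msg in audit_text(SAMPLE_CONFIG):
        print(f"[{severity}] {msg}")
```

On the posted configuration the audit reports that both login lists fall back to local with no username to check, plus the missing exec authorization list; adding a username and the authorization list clears it, while a list that omits local altogether is flagged as having no fallback.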