05-11-2011 09:02 AM - edited 03-10-2019 06:04 PM
Hello,
I would like to configure our switches to use the local login while RADIUS is working. Currently the switch just looks to the server to authenticate, so the local account will not work unless RADIUS is down. Here is our current config:
username networkteam privilege 15 password 7 0337572B035E95412B211F50
aaa new-model
aaa authentication login default local
aaa authentication login NetworkAuth group radius local
aaa authorization exec NetworkAuth group radius local
aaa session-id common
line vty 0 4
exec-timeout 30 0
privilege level 15
authorization exec NetworkAuth
logging synchronous
login authentication NetworkAuth
transport input ssh
line vty 5 15
transport input none
05-11-2011 05:36 PM
Hi,
I am not quite sure with the requirement. Do you want to change the login to Local and no more authenticate with Radius?
If yes, then you need to configure the following:
no aaa authentication login NetworkAuth group radius local
no aaa authorization exec NetworkAuth group radius local
aaa authentication login NetworkAuth local
aaa authorization exec NetworkAuth local
Or do you want your line "aaa authentication login default local " to take action.
If so, then you have configured line vty 0 4 for authentication to radius first then local.
i.e.line vty 0 4
login authentication NetworkAuth
So 5 sessions of login to switch do login authentication to radius server then local.
After the 5 sessions the login authentication will head to local because of the following configuration:
aaa authentication login default local
line vty 5 15
transport input none
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
05-12-2011 06:09 AM
I want to be able to log in with the local username - networkteam while RADIUS is up. So the switch will go to RADIUS first and then when it doesn't authenticate it lets the networkteam login access. The way it's set up now it will not allow this.
05-12-2011 07:44 AM
Hi,
With the current configuration, for the first 5 sessions of SSH to the switch it will ask you for RADIUS login credentials. After 5 sessions you can enter with the local credentials.
If you want to remove the Radius authentication completely, then you need to remove the following lines from the line vty.
login authentication NetworkAuth
authorization exec NetworkAuth
i.e. line vty 0 4
no login authentication NetworkAuth
no authorization exec NetworkAuth
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
05-12-2011 09:00 AM
OK, this is confusing. What do you mean after 5 sessions? When 5 people have connected to the switch at the same time the next person can use the local login? I thought the 0 4 means that's how many sessions you can have at one time, after that the next person could not log in. Or do you mean after 5 attempts to log in using the local login while RADIUS is running? That doesn't work either.
05-12-2011 10:23 AM
Hi,
Let me make it simple.
The following is your configuration :
aaa new-model
aaa authentication login default local
aaa authentication login NetworkAuth group radius local
aaa authorization exec NetworkAuth group radius local
aaa session-id common
line vty 0 4
authorization exec NetworkAuth
login authentication NetworkAuth
transport input ssh
line vty 5 15
transport input none
This means that when you try to log in to the switch, the first 5 sessions will head for authentication to the RADIUS server because of the following configuration:
aaa authentication login NetworkAuth group radius local
aaa authorization exec NetworkAuth group radius local
line vty 0 4
authorization exec NetworkAuth
login authentication NetworkAuth
But when you have a 5th Session for the switch the authentication will happen locally because of the following configuration:
aaa authentication login default local
The default method list gets applied to the line vty, console and auxiliary if no specific method is mentioned.
Hence you can use local authentication for the session after 5.
Hope this helps.
Regards,
Anisha
P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
07-28-2022 04:38 AM
remove SSH login authentication via RADIUS and set with local cisco account?
09-16-2022 07:53 AM
What you are attempting to do is not possible reliably (as in every time) on the VTY lines making it so the network team can login with local while the RADIUS server is still up. One option is breaking up the VTY line like @andamani suggested but I don't see a way that will work every time unless you tie up VTY line 0 through 4 with a user/device and at that point you might as well use local login and forget the server. I do not know of a way to CHOOSE the VTY line you want to come in on. If there is a way I would like to know that as well.
If the RADIUS server can be pinged and all it has to do is be alive the switch will use RADIUS or TACACS+ once it is not able to be pinged it will fall back to local. The only alternative to reliably set this up and it is the same concept as @andamani is trying to do; however, you do that on the console port. This will require you to have a device that is plugged in the console ports of your devices and into the network like a fail safe and that choice is up to you. This is how you would do it.
aaa authentication login default group radius local.....sets up radius 1st then local
aaa authentication login CON local....is a group so that you can apply it to the console port so that port uses local login.
You then have to go to the interface and tell it to use that group CON
line con 0
login authentication CON
That setup will make it so if the radius server is messed up and you can't authenticate you but it is alive you can login from the console using local UN and PASS to keep working an outage. You can also maybe block the switch at the firewall or ACL from getting to the server and then the device will revert back to local, along with unplugging the trunk port locally will do the trick as well or the port out to the rest of the network.
08-02-2023 12:24 AM
I'm sorry the short answer for this is that... your requirement is not possible. You can't login as local if the RADIUS server IP can be pinged or active.
08-02-2023 05:42 AM
This is a really old thread that was replied to and came to the top of my feed, but in case someone else stumbles across this.
There are other threads on this forum regarding the same topic with a solution, for example, here:
https://community.cisco.com/t5/network-access-control/cisco-login-radius-and-local/td-p/2989344
In summary, what can be done is to reference local before the radius group within the aaa section, so local users are checked before radius.
This way local users work even when radius is responding.
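The ordering change described above, written out against the OP's own method-list names as an added example (not configuration from any poster or from the linked thread); the RADIUS server address and secrets are placeholders.

```cisco
! Added example: put "local" ahead of "group radius" in the OP's method lists.
!
! Before (the OP's config): RADIUS is tried first, so the local account is only
! usable when the RADIUS server stops answering.
no aaa authentication login NetworkAuth group radius local
no aaa authorization exec NetworkAuth group radius local
!
! After: the local database is consulted first. A username that does not exist
! locally (an ordinary RADIUS user) is handed on to the RADIUS group; a wrong
! password for a username that DOES exist locally is a hard failure and is not
! retried against RADIUS, so keep local usernames distinct from directory ones.
aaa authentication login NetworkAuth local group radius
aaa authorization exec NetworkAuth local group radius
!
! The local account now works while RADIUS is healthy, i.e. it is a standing
! path around the central server. Keep it to one break-glass account, store the
! secret as an irreversible hash instead of the reversible "password 7" form
! in the OP's config, and log both successful and failed logins.
username networkteam privilege 15 algorithm-type scrypt secret <STRONG-SECRET-PLACEHOLDER>
login on-success log
login on-failure log
!
! VTY lines keep the same named lists as in the OP's config.
line vty 0 4
 login authentication NetworkAuth
 authorization exec NetworkAuth
 transport input ssh
```

The later post in this thread reports that this worked on a C3560G but not on a CBS350, whose CLI differs from IOS, so verify on a lab device before rolling it out.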
08-02-2023 07:18 PM - edited 08-02-2023 07:24 PM
Thank you for this Jonatan, to the original OP I stand corrected.
I did test what was posted in https://community.cisco.com/t5/network-access-control/cisco-login-radius-and-local/td-p/2989344
on a Cisco C3560G switch and it worked, will test more on 2960 switches. I also tried it on a newer Cisco CBS350-24T-4X, it does not work on it, seems the syntax changed on the CBS350 or I may have not found the equivalent yet.