CISCO 3650 AAA radius local fallback

johnblack2045 · ‎08-11-2020

hello

here is my configuration on switch 3650

aaa authentication login AUTH1 group radius local
aaa authorization exec AUTH1 group radius local
aaa authorization network AUTH1 group radius local
aaa authentication dot1x AUTH1 group radius
aaa accounting dot1x AUTH1 start-stop group radius

line con 0
exec-timeout 15 0
stopbits 1
line aux 0
exec-timeout 15 0
stopbits 1
transport input none
line vty 0 15
exec-timeout 15 0
transport input ssh
login authentication AUTH1
authorization exec AUTH1

i would like to use a fallback radius local

is there any missing thing ?

when i use SSH with a radius account -> OK

when i use SSh with a local account-> access denied

thanks for your help

Best Regards

marce1000 · ‎08-11-2020

- That is not a fallback test. The idea is that the local-account could be used if radius is unavailable and then only. Personally I advise to always use non-radius users for admin-access (and or let administrative access not depend on radius-setups)

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

balaji.bandi · ‎08-11-2020

you can only able to simulate the issue with Local ( since it is fall back, only if radius fails)

for testing go to radius server and change the secret and save and then it mismatch with a secret so it will allow local user access.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help