ldap and local authentication
08-14-2024 08:35 AM
On an MDS9124 SAN switch, we want to log in using LDAP and still be able to log in with a local user, even if the LDAP server is reachable.
We configured
aaa authentication login default group cisco-group
with "cisco-group" containing the LDAP server and search base.
Debugging shows: the LDAP server can be connected and binding works fine. But login with the local user "admin" is not permitted.
How can we configure that
1. LDAP server checks if the given user is configured there - nope, it is not
2. then check local database for user "admin" -> grant access
Cheers
Labels: Network Management
08-14-2024 09:06 AM
Hello,
You need to add the "local" keyword to the command. Basically it checks in order: first check the servers; if they are unavailable, then default to local, but it needs to be configured.
aaa authentication login default group cisco-group local
All LDAP servers configured need to be unreachable before local takes effect.
-David
08-14-2024 10:24 PM
Hi David,
thanks for your answer, but that ("All LDAP servers configured need to be unreachable before local takes effect.") is not what I am looking for. I'd like to get:
"If LDAP fails for any reason, it then authenticates against the local user database"
If I try to log in with a user from my local database who is not configured in the AD server, I still want to grant access.
Is this not possible with Cisco switches?
Cheers
Astrid
08-15-2024 04:47 AM
Can you specify what you mean by fails?
For instance, if the LDAP database is corrupt but the Cisco device can still reach (ping) the LDAP server, then as far as the Cisco device is concerned it's up and functioning and will use it to authenticate. The server needs to be unreachable for AAA to fail over.
-David
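The behaviour David describes in both of his replies comes down to a three-way outcome per method: a reachable server that does not know the user is a definite reject, and only an error (server unreachable) falls through to the next method in the list. The following Python model of that method-list evaluation is an added example for this thread, not Cisco code and not anything posted here; the user accounts, passwords and the `ldap_reachable` flag are constructed, and the rule that a login is refused when every method errors is an assumption of the model.

```python
from enum import Enum


class Result(Enum):
    """Outcome of one AAA method. The ERROR/REJECT distinction is what makes
    'group ... local' fall back only when the servers are unreachable."""
    ACCEPT = "accept"   # method verified the credentials
    REJECT = "reject"   # method answered, and the answer was no (unknown user, bad password)
    ERROR = "error"     # method could not answer (server unreachable, bind failed)


# Constructed sample credential stores; nothing here comes from the thread.
LDAP_DIRECTORY = {"alice": "alice-ldap-pw"}   # accounts on the assumed LDAP server
LOCAL_USERS = {"admin": "admin-local-pw"}     # accounts in the switch's local database


def ldap_method(user, password, server_reachable):
    """Model of 'group cisco-group': an unreachable server is an ERROR,
    a reachable server that does not know the user is a REJECT."""
    if not server_reachable:
        return Result.ERROR
    if LDAP_DIRECTORY.get(user) == password:
        return Result.ACCEPT
    return Result.REJECT


def local_method(user, password):
    """Model of 'local': the on-box database is always reachable."""
    if LOCAL_USERS.get(user) == password:
        return Result.ACCEPT
    return Result.REJECT


def authenticate(method_list, user, password, ldap_reachable=True):
    """Evaluate the methods of 'aaa authentication login default ...' in order.

    Only an ERROR moves evaluation on to the next method; ACCEPT and REJECT
    are final. That is why a local user unknown to a reachable LDAP server is
    refused even though 'local' is listed. If every method errors, the login
    is refused (assumed; this model has no 'none' method).
    """
    for method in method_list:
        if method == "group cisco-group":
            result = ldap_method(user, password, ldap_reachable)
        elif method == "local":
            result = local_method(user, password)
        else:
            raise ValueError(f"unknown method: {method}")
        if result is not Result.ERROR:
            return result
    return Result.REJECT


METHODS = ["group cisco-group", "local"]   # the configuration David suggests


if __name__ == "__main__":
    # Astrid's case: LDAP reachable, 'admin' exists only locally -> rejected.
    print("admin, LDAP up  :", authenticate(METHODS, "admin", "admin-local-pw", ldap_reachable=True).value)
    # Fallback case: every LDAP server unreachable -> local database answers.
    print("admin, LDAP down:", authenticate(METHODS, "admin", "admin-local-pw", ldap_reachable=False).value)
    # Directory user while LDAP is up.
    print("alice, LDAP up  :", authenticate(METHODS, "alice", "alice-ldap-pw").value)
```

The first scenario reproduces what the original post observed: the LDAP server is up, answers "no such user" for `admin`, and that answer is final, so the `local` method is never consulted. Only the second scenario, with the server unreachable, reaches the local database.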
08-15-2024 05:37 AM
Okay, then local users cannot log in if the LDAP server is reachable.
Not what I want