08-14-2024 08:35 AM
On an MDS9124 SAN switch,
we want to login using LDAP and still be able to login with a local user - even if the ldap server is reachable.
We configured
aaa authentication login default group cisco-group
with "cisco-group" containing LDAP-server and search base.
Debugging shows: LDAP server can be connected and binding works fine. But login with local user "admin" is not permitted.
How can we configure that
1. LDAP server checks if the given user is configured there - nope, it is not
2. then check local database for user "admin" -> grant access
Cheers
08-14-2024 09:06 AM
Hello,
You need to add the "local" keyword to the command. Basically it checks in order. First check the servers, if they are unavailable then default to local, but it needs to be configured.
aaa authentication login default group cisco-group local
All LDAP servers configured need to be unreachable before local takes effect.
-David
08-14-2024 10:24 PM
Hi David,
thanks for your answer, but that ("All LDAP servers configured need to be unreachable before local takes affect.") is not what I am looking for. I'd like to get:
"If LDAP fails for any reason, it then authenticates against the local user database"
If I try to login with a user from my local database who is not configured in AD Server I still want to grant access.
Is this not possible with CISCO switches?
Cheers
Astrid
08-15-2024 04:47 AM
Can you specify what you mean by fails?
For instance, if the LDAP database is corrupt but the Cisco device can still reach (ping) the LDAP server then as far as the Cisco device is concerned it's up and functioning and will use it to authenticate. The server needs to be unreachable for AAA to fail over.
-David
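To audit which login method lists on a switch use a remote server group without a `local` fallback, here is an added Python helper (not from the thread and not Cisco's own code) that parses constructed output in the style of `show running-config aaa`, assuming the NX-OS `aaa authentication login <list> group <name> [local]` syntax from David's answers; as David notes, a `local` entry is consulted only when every server in the group is unreachable, which the helper flags but cannot change.

```python
import re

# Constructed sample in the style of NX-OS "show running-config aaa"
# (assumed format; not captured from the switch discussed in the thread).
SAMPLE_CONFIG = """\
aaa group server ldap cisco-group
    server 192.0.2.10
    ldap-search-map mymap
aaa authentication login default group cisco-group
aaa authentication login console local
"""

LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")


def parse_login_methods(config: str) -> dict:
    """Map each login list name (default, console) to its ordered methods.
    'group <name>' is collapsed to 'group:<name>'; other keywords kept as-is."""
    methods = {}
    for line in config.splitlines():
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.groups()
        tokens = rest.split()
        ordered, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                ordered.append(f"group:{tokens[i + 1]}")
                i += 2
            else:
                ordered.append(tokens[i])
                i += 1
        methods[name] = ordered  # a later line for the same list overrides
    return methods


def audit_local_fallback(config: str) -> dict:
    """For each login list, report whether a remote group is used and whether
    'local' is missing after it. Even when present, local is only reached
    once all servers in the group are unreachable (per the thread)."""
    report = {}
    for name, ordered in parse_login_methods(config).items():
        uses_group = any(m.startswith("group:") for m in ordered)
        report[name] = {
            "methods": ordered,
            "remote_without_local_fallback": uses_group and "local" not in ordered,
        }
    return report
```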
08-15-2024 05:37 AM
Okay, then local users cannot login if the ldap server is reachable.
Not what I want