09-18-2023 11:23 PM
Hello Team,
I have configured AAA on my devices using ISE; this works well.
I have also configured local users/passwords with privilege 15, but somehow these users are not able to SSH.
What would I be missing?
09-19-2023 12:27 AM
Usually the device can only use the first valid identity source for authentication.
Now that ISE authentication is activated, all credentials will be sent to ISE for authentication. When you type a local account, ISE cannot verify the credentials normally and returns an authentication failure result.
When ISE is offline or the device loses the connection to ISE, the local account can be used as a fallback login method to log in to the device.
----
Take the following configuration as a demo.
Only when both ISEs in the RADIUS group are in the fail state can the local account be used to log in.
---- config start ----
aaa authentication login VTY group ISE local
aaa authorization exec VTY group ISE local
username localadmin secret xxxxx
!
radius server ise1
address ipv4 10.0.0.1 auth-port 1645 acct-port 1646
key xxxx
!
radius server ise2
address ipv4 10.0.0.2 auth-port 1645 acct-port 1646
key xxxx
!
aaa group server radius ISE
server name ise1
server name ise2
!
line vty 0 4
authorization exec VTY
login authentication VTY
transport input all
line vty 5 15
authorization exec VTY
login authentication VTY
transport input ssh
---- config end ----
HTH.
09-21-2023 01:51 AM
No way both can work at the same time?
09-21-2023 01:52 AM
Again, say ISE is online, but the authentication for LDAP functionality has an issue. Will the network devices know to expect local credentials?
09-21-2023 03:38 AM - edited 09-21-2023 03:43 AM
ISE will return an auth failure when LDAP has an issue. The device can use local credentials only if ISE is unresponsive or fails.
You can create a local account on ISE, then change the policy sets to allow "Internal Users" authentication. In this way, even if there is a problem with LDAP, you can still use the local account of ISE to log in to the device. When ISE fails, use the local account of the device.
---
By the way, the ISE Internal Users identity store may have multiple accounts; you can change the authorization rules to limit who can successfully log into the device.
09-21-2023 03:42 AM
So for the local account to be used, ISE has to fail from only a network layer, i.e. be unreachable over the network by the network devices? If I get you right.
09-21-2023 06:14 AM
Yes, network unreachable or blocked service ports can achieve this effect.
In this case, there may still be a slow response when using a local account. It takes some time for the device to mark ISE as failed. You can also find some relevant messages in syslog.
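As an added example (not posted by anyone in this thread), the same method lists as the demo config above, plus the dead-server settings that shorten the delay before the device gives up on ISE and falls through to "local", and a console method list that never depends on ISE. Server names, addresses and keys are placeholders carried over from the demo config; the timer values are illustrative choices.

```text
! Added example, not from the thread. Names/IPs/keys are placeholders.
aaa new-model
aaa authentication login VTY group ISE local
aaa authorization exec VTY group ISE local
! Console access must keep working even while ISE is reachable but
! rejecting logins, so it uses the local database only.
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE local
username localadmin privilege 15 secret xxxxx
!
! Mark a RADIUS server dead once it ignores 3 requests within 5 seconds,
! and keep it marked dead for 10 minutes before probing it again.
! Until both ise1 and ise2 are dead, every login still goes to ISE.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
radius server ise1
 address ipv4 10.0.0.1 auth-port 1645 acct-port 1646
 key xxxx
 timeout 2
 retransmit 2
!
radius server ise2
 address ipv4 10.0.0.2 auth-port 1645 acct-port 1646
 key xxxx
 timeout 2
 retransmit 2
!
aaa group server radius ISE
 server name ise1
 server name ise2
!
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
line vty 0 15
 login authentication VTY
 authorization exec VTY
 transport input ssh
```

With both servers reachable, a local username is still rejected by ISE exactly as described above; `show aaa servers` reports each server's UP/DEAD state, which tells you whether the fallback to `local` will actually be reached.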
09-25-2023 02:28 AM
Will test this out and update. Thank you.
09-25-2023 04:04 AM
"I have also configured local users/passwords with privilege 15, but somehow these users are not able to SSH."
This only works when ISE fails to respond or cannot be contacted (generally used for fallback).