
CISCO 3650 denali 16.3x authentication ldap then local database

johnblack2045
Level 1

Hello,

I'm using a Cisco 3650 switch running Denali 16.3.x.

I would like to authenticate users with LDAP and then the local database for access to the switch.

Can the switch do it?

How do I configure it to achieve this?

Best regards

 

 

1 Accepted Solution


balaji.bandi
Hall of Fame

LDAP cannot be a RADIUS server. To authenticate against LDAP/AD users, you need to use RADIUS to achieve this; this can be FreeRADIUS, ACS or ISE.

 

BB


2 Replies

Seb Rupik
VIP Alumni

Hi there,

You cannot authenticate directly against an LDAP datastore; it must be done via RADIUS. This service will typically be run on the same server. Take a look at FreeRADIUS.

 

As for the config, it will look like:

!
aaa new-model
!
aaa authentication login default group radius local
!
radius server R_SRV01
  address ipv4 192.168.1.1 auth-port 1812 acct-port 1813
  key some_secret_key
!

It is worth noting that the AAA method in the switch will only fall back to the local database if the RADIUS servers are unreachable.

 

If you want a fallback method, then it will need to be implemented on the RADIUS server.

 

cheers,

Seb.
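The fallback behaviour described in the reply above can be modelled in a few lines. This is an added example, not part of the original thread and not Cisco code: it parses the login method list from a running-config and shows which method decides a login for each RADIUS outcome. The function names, the `netadmin` account and the sample config are assumptions constructed for illustration, and the model ignores password checking.

```python
import re

ACCEPT, REJECT, ERROR = "ACCEPT", "REJECT", "ERROR"  # ERROR: method gave no answer

# Constructed sample: the config from the reply above plus a hypothetical local account.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
username netadmin privilege 15 secret <placeholder>
radius server R_SRV01
  address ipv4 192.168.1.1 auth-port 1812 acct-port 1813
  key some_secret_key
"""

def parse_login_methods(config, list_name="default"):
    """Return the ordered methods of 'aaa authentication login <list_name> ...'."""
    m = re.search(rf"^\s*aaa authentication login {re.escape(list_name)} +(.+)$",
                  config, re.M)
    tokens, methods = (m.group(1).split() if m else []), []
    while tokens:
        # 'group <name>' is one method made of two words; everything else is one word.
        take = 2 if tokens[0] == "group" and len(tokens) > 1 else 1
        methods.append(" ".join(tokens[:take]))
        tokens = tokens[take:]
    return methods

def local_users(config):
    """Usernames defined in the switch's local database."""
    return set(re.findall(r"^\s*username (\S+)", config, re.M))

def login_result(config, user, radius_reply):
    """Simplified model: only ERROR (no answer) moves on to the next method;
    ACCEPT and REJECT are final. Assumes the user typed the right password."""
    for method in parse_login_methods(config):
        if method.startswith("group "):
            reply = radius_reply
        elif method == "local":
            reply = ACCEPT if user in local_users(config) else REJECT
        else:
            reply = ERROR  # other methods are not modelled in this example
        if reply != ERROR:
            return reply, method
    return REJECT, None  # every method failed to answer

if __name__ == "__main__":
    for reply in (ACCEPT, REJECT, ERROR):
        print(f"RADIUS {reply:6} -> netadmin:", login_result(SAMPLE_CONFIG, "netadmin", reply))
```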

 

 
