Beginner

Using local login while RADIUS is running

Hello,

I would like to configure our switches to use the local login while RADIUS is working. Currently the switch just looks to the server to authenticate, so the local account will not work unless RADIUS is down. Here is our current config:

username networkteam privilege 15 password 7 0337572B035E95412B211F50
aaa new-model
aaa authentication login default local
aaa authentication login NetworkAuth group radius local
aaa authorization exec NetworkAuth group radius local
aaa session-id common

line vty 0 4
exec-timeout 30 0
privilege level 15
authorization exec NetworkAuth
logging synchronous
login authentication NetworkAuth
transport input ssh
line vty 5 15
transport input none

5 REPLIES 5
Cisco Employee

Re: Using local login while RADIUS is running

Hi,

I am not quite sure about the requirement. Do you want to change the login to local and no longer authenticate with RADIUS?

If yes, then you need to configure the following:

no aaa authentication login NetworkAuth group radius local
no aaa authorization exec NetworkAuth group radius local

aaa authentication login NetworkAuth local
aaa authorization exec NetworkAuth local

Or do you want your line "aaa authentication login default local" to take action?

If so, then you have configured line vty 0 4 for authentication to RADIUS first, then local.

i.e. line vty 0 4

     login authentication NetworkAuth

So 5 login sessions to the switch authenticate against the RADIUS server, then local.

After the 5 sessions the login authentication will head to local because of the following configuration:

aaa authentication login default local

line vty 5 15
transport input none

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Beginner

Re: Using local login while RADIUS is running

I want to be able to log in with the local username - networkteam while RADIUS is up. So the switch will go to RADIUS first and then when it doesn't authenticate it lets the networkteam login access. The way it's set up now it will not allow this.

Cisco Employee

Re: Using local login while RADIUS is running

Hi,

With the current configuration, for the first 5 SSH sessions to the switch it will ask you for RADIUS login credentials. After 5 sessions you can enter with the local credentials.

If you want to remove the RADIUS authentication completely, then you need to remove the following lines from the line vty.

login authentication NetworkAuth

authorization exec NetworkAuth

i.e. line vty 0 4

no login authentication NetworkAuth

no authorization exec NetworkAuth

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Beginner

Re: Using local login while RADIUS is running

OK, this is confusing. What do you mean after 5 sessions? When 5 people have connected to the switch at the same time the next person can use the local login? I thought the 0 4 means that's how many sessions you can have at one time, after that the next person could not login. Or do you mean after 5 attempts to login using the local login while RADIUS is running? That doesn't work either.

Cisco Employee

Re: Using local login while RADIUS is running

Hi,

lemme make it simple.

The following is your configuration :

aaa new-model
aaa authentication login default local
aaa authentication login NetworkAuth group radius local
aaa authorization exec NetworkAuth group radius local
aaa session-id common

line vty 0 4
authorization exec NetworkAuth
login authentication NetworkAuth
transport input ssh

line vty 5 15
transport input none

This means that when you try to log in to the switch, the first 5 sessions will head for authentication to the RADIUS server because of the following configuration:

aaa authentication login NetworkAuth group radius local
aaa authorization exec NetworkAuth group radius local

line vty 0 4
authorization exec NetworkAuth
login authentication NetworkAuth

But when you have a 5th session to the switch, the authentication will happen locally because of the following configuration:

aaa authentication login default local

The default method list gets applied to the line vty, console and auxiliary if no specific method is mentioned.

Hence you can use local authentication for the session after 5.

Hope this helps.

Regards,

Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
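
Added example (not part of any post in this thread, and not Cisco code): a small Python model of how the posted method lists resolve per vty range, and of the behaviour the original question reports, where the local account only works when RADIUS is down. The function names and the accept/reject/timeout model are assumptions for illustration; the sample config is constructed from the AAA and vty lines posted above.

```python
import re

# Constructed sample: the AAA and vty lines from the thread's configuration.
CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login NetworkAuth group radius local
line vty 0 4
 login authentication NetworkAuth
 transport input ssh
line vty 5 15
 transport input none
"""

def login_method_lists(config):
    """Map each 'aaa authentication login' list name to its ordered methods."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        # 'group radius' is a single method, so match it as one token.
        lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
    return lists

def vty_method_list(config):
    """Map each 'line vty' range to the login list it uses ('default' if unset)."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("line "):
            current = line if line.startswith("line vty") else None
            if current:
                result[current] = "default"
        elif current and line.strip().startswith("login authentication "):
            result[current] = line.split()[-1]
    return result

def authenticate(methods, radius, local_ok):
    """Walk a method list; radius is 'accept', 'reject' or 'timeout'.

    Assumed model: a reject ends the attempt, and only a method that
    gives no answer (timeout) hands over to the next method in the list.
    """
    for method in methods:
        if method == "group radius":
            if radius == "timeout":
                continue  # server unreachable: try the next method
            return radius == "accept"
        if method == "local":
            return local_ok
    return False
```

Under this model, a RADIUS reject for `networkteam` on `NetworkAuth` never reaches the `local` method, while a list that contains only `local` checks the local database directly.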