09-29-2015 12:07 AM - edited 03-05-2019 02:24 AM
Got kind of a weird case today when I was about to configure a switch (3560cg, IOS version 15.2(2)E2) for RADIUS authentication on switchports to only grant domain devices access to our network. I already tested this on another 3560cg with the IOS version 12.2(55)EX2 a couple of months ago and I was able to authenticate switch ports over RADIUS authentication, but the SSH and serial login was still possible with the configured credentials and local user on the switch. However, if I use this exact same configuration on the newer IOS version and I end the current session and try to access the switch, I cannot get into EXEC mode with my usual local credentials; it just says "Access denied". If I connect to the serial port, the serial password won't be accepted either. I wonder if the switch tries to replace all of its authentications with RADIUS authentication, but I only want it to authenticate ports over RADIUS.
I used these commands for the RADIUS configuration, though our auth port is 1813: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_010000.html#ID1547
I wonder if anyone else has seen something like this happening before and could help me out with a hint or solution.
Thanks!
09-29-2015 04:24 AM
You tell us that it is the same config. But I suspect that it is not quite exactly the same. The aaa part may be the same, but I suspect that there may be differences in how the vty lines are configured that could explain the difference.
It is nice to know what example you followed. But to really help you identify the issue you should post what you actually configured.
HTH
Rick
09-29-2015 05:21 AM
The vty lines are configured almost equally, except that the failing switch has "login local" in its vty configuration, which should not matter in my opinion; from what I know it should even do the opposite thing and point the vty line to use the user and password specified in the local database, which I also have. The local user for SSH has privilege level 15, which should bring me right into EXEC mode on login, but suddenly fails after the AAA config with the "access denied" error.
The AAA config was the following:
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host x.x.x.x auth-port 1813 acct-port 1646 key <shared secret>
and for the port config it is:
authentication port-control auto
dot1x pae authenticator
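As an added example (not configuration from anyone in this thread): a minimal AAA block that keeps console and vty logins on the local user database while 802.1X on the access ports goes to RADIUS. Once `aaa new-model` is on, line passwords stop being consulted and every login is resolved through a method list, so the default login and exec-authorization lists are stated explicitly here; the server address, ports, key, username and interface are placeholders.

```cisco
! --- AAA: local logins for management, RADIUS only for 802.1X ---
aaa new-model
! Console/SSH logins use the local user database, not RADIUS
aaa authentication login default local
! Enable-mode still uses the enable secret
aaa authentication enable default enable
! Put privilege-15 local users straight into EXEC mode
aaa authorization exec default local
! Only the dot1x method list points at the RADIUS group
aaa authentication dot1x default group radius
dot1x system-auth-control

! Local management account (placeholder credentials)
username ADMIN-PLACEHOLDER privilege 15 secret PASSWORD-PLACEHOLDER
enable secret ENABLE-PLACEHOLDER

! RADIUS server (placeholder address/key; use your site's ports)
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key KEY-PLACEHOLDER

! Lines explicitly bound to the local default method list
line con 0
 login authentication default
line vty 0 4
 login authentication default
 transport input ssh

! Access port: 802.1X authenticator
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
```

Before closing the working session, open a second SSH session and confirm the local login still succeeds; `show authentication sessions` then shows whether the port-level RADIUS path is working independently of management access.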
09-29-2015 04:31 AM
Sounds like a cool case. Richard's input is valid. Try running a diff on the running config against a known good config. Another command that is helpful when trying to t-shoot AAA is
test aaa group radius %user %password legacy
The results of the above command may be helpful in diagnosing your issue.
09-29-2015 05:24 AM
Since the switch I'm currently trying to deploy this on is in "production" and used by some other colleagues as well, I'll try your advice with the test command tomorrow when I do not disturb anyone else.
But thanks in advance!
09-29-2015 05:26 AM
Thanks for the update. Let us know how things work out for you.
Good luck,
Juan Gonzalez