02-23-2009 01:41 PM - edited 03-06-2019 04:11 AM
We use IAS for win2k as our radius server to authenticate users. On our Cat3750 switch we configured the following commands:
================
aaa new-model
aaa authentication login default group radius local
aaa authentication login ConsoleAuth local
line con 0
logging synchronous
login authentication ConsoleAuth
==========
I think we should access this switch with a local account when we try to console in. But we have to provide the radius account, and then we access it successfully. Could you tell me the reason please?
I think the authentication process should follow the specified list-name, right?
Thanks for your help!
02-23-2009 01:55 PM
Huan
I do not see a problem in your config. Is there a user ID and password configured on the switch which can be used for authentication?
One way to investigate this would be to run debug aaa authentication, attempt login through the console, and post all debug output.
HTH
Rick
02-23-2009 03:35 PM
I think the problem may lie in your order of authentication as your authentication is looking for radius first and then local. This would be pretty normal as you will authenticate with your radius username but if you were not able to get to the radius server it would then drop to the local login.
If you do want local username try removing the group radius from the line or moving it to after the local login.
aaa authentication login default local group radius
02-23-2009 09:05 PM
Michael
As a CCIE I would hope that you would have read more carefully the original post. The default login authentication does use Radius with local as a backup method. But clearly the config that was posted uses a different named authentication method for the console. So your suggestion of changing the default authentication method would not have any effect on authentication for the console.
HTH
Rick
02-23-2009 06:36 PM
Thanks for your suggestions. I will try it again with debug aaa enabled.
02-23-2009 10:15 PM
I have similar setup (IAS/Win2003) and I'm able to login to console using local account.
I make sure that the local and radius accounts are different. You will have a problem trying to login using the local account if you have the same account in radius (but different password) when radius is still reachable.
My Cat3750 aaa configuration is a little bit different than your configuration. I can't remember whether I encountered a problem with the "default".
================
aaa new-model
aaa authentication login ConsoleAuth group radius local
line con 0
login authentication ConsoleAuth
================
The login using local account is slower than the login using radius account because the system will try to contact radius first (reachable or not) - so be patient.
It's good to turn on aaa debug as Rick recommended to find out what's going on.
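An added example, not part of the original thread or written by any of its participants: a Python script that reads a pasted IOS configuration and reports which login method list each line uses, which is a quick way to audit whether the console is bound to a named list or falls back to `default`. The function names and the sample config string are constructed for illustration, and the script assumes `aaa new-model` is present.

```python
import re

# Constructed sample input: the configuration posted in the original question.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login ConsoleAuth local
line con 0
logging synchronous
login authentication ConsoleAuth
line vty 0 4
"""


def parse_methods(spec):
    """Split 'group radius local' into ordered methods ['group radius', 'local']."""
    tokens, methods = spec.split(), []
    i = 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def login_methods_per_line(config):
    """Return {line: (method list name, ordered methods or None if undefined)}."""
    lists, applied, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if m := re.match(r"aaa authentication login (\S+) (.+)", text):
            lists[m.group(1)] = parse_methods(m.group(2))
        elif m := re.match(r"line (.+)", text):
            current = m.group(1)
            applied[current] = "default"  # no explicit list means the default list
        elif (m := re.match(r"login authentication (\S+)", text)) and current:
            # Line-mode command: attribute it to the most recent 'line' statement.
            applied[current] = m.group(1)
    return {line: (name, lists.get(name)) for line, name in applied.items()}


if __name__ == "__main__":
    for line, (name, methods) in login_methods_per_line(SAMPLE_CONFIG).items():
        print(f"line {line}: list={name} methods={methods}")
```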