02-27-2024 07:10 AM
Hello Team, I'm working on a task to enable aaa new-model on our Cisco switches. My question is:
what is the difference between the below commands?
#aaa authentication login default group rad-groups local
#aaa authentication login default local group rad-groups
Whenever I try to log in with a local user it lets me access, and if I try to log in with an AD user it also lets me access.
I would need to set the sequence like that to check from the RADIUS server, and if it fails it shouldn't check the local users.
I need it to always check from the RADIUS as long as it can reach the server; once the server is failed and can't be reached, then it can check the local users. How could I do that?
02-27-2024 07:14 AM - edited 02-27-2024 07:18 AM
"I would need to set the sequence like that to check from the RADIUS server and if it fails it shouldn't check the local users"
Your requirement above needs
#aaa authentication login default group rad-groups local
The fallback needs the RADIUS server to not have the user in its DB; if the user is found in the RADIUS DB and authentication fails, then there is no fallback to the local user.
Also the SW uses the local user DB if the RADIUS is dead, i.e. fallback to local when the SW detects the RADIUS is dead.
To make the SW detect a dead server faster you can use automate-tester.
MHM
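As an added example (not from any of the posts above), the full RADIUS-first, local-fallback setup the answer describes, with automate-tester so the switch marks an unreachable server dead quickly; the server names, addresses, probe username and the placeholder secrets are assumptions:

```text
! Constructed example: RADIUS first, local only when RADIUS is unreachable
aaa new-model
!
! Local account used ONLY when every server in rad-groups is marked dead
username admin-fallback privilege 15 secret <LOCAL_SECRET_PLACEHOLDER>
!
radius server RAD1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key 0 <SHARED_SECRET_PLACEHOLDER>
 ! Probe the server every 3 idle minutes; any RADIUS reply (even a reject)
 ! marks it alive, so the probe account need not be a valid user
 automate-tester username radius-probe idle-time 3
!
radius server RAD2
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key 0 <SHARED_SECRET_PLACEHOLDER>
 automate-tester username radius-probe idle-time 3
!
! Once a server is marked dead, skip it for 10 minutes instead of timing out on every login
radius-server deadtime 10
!
aaa group server radius rad-groups
 server name RAD1
 server name RAD2
!
! Method order matters: "group rad-groups" is tried first; "local" is consulted
! only when no server in the group answers (ERROR), not when RADIUS returns a REJECT
aaa authentication login default group rad-groups local
!
! Without this the vty lines may still use a different method list
line vty 0 15
 login authentication default
 transport input ssh
```

`show aaa servers` shows whether each server is currently marked UP or DEAD, which is the quickest way to confirm the fallback is taking the path you expect.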
02-27-2024 10:06 AM
Thank you, bro, I've resolved the issue. Just for reference, I had to set:
#line vty 0 15
#login authentication default
02-27-2024 10:08 AM - edited 02-27-2024 11:00 AM
You are so welcome bro
Have a nice day
please close this post.
thanks
MHM
02-27-2024 10:23 AM
Below is the standard config I use:
username balaji privilege 15 secret xxxxxxxxxxxxxx
enable secret xxxxxxxxxxxxxxxxxxxxxx
aaa new-model
!
tacacs server SERVER1
address ipv4 10.10.10.100
key 0 xxxxxxxxxxxxxxxxx
tacacs server SERVER2
address ipv4 20.20.20.200
key 0 XXXXXXXXXXX
aaa group server tacacs+ SERVER_GROUP
server name SERVER1
server name SERVER2
aaa authentication login default group SERVER_GROUP local
aaa authentication enable default group SERVER_GROUP enable
aaa authorization config-commands
aaa authorization exec default group SERVER_GROUP local if-authenticated
aaa authorization commands 1 default group SERVER_GROUP if-authenticated
aaa authorization commands 15 default group SERVER_GROUP local if-authenticated
aaa accounting exec default start-stop group SERVER_GROUP
aaa accounting commands 1 default start-stop group SERVER_GROUP
aaa accounting commands 15 default start-stop group SERVER_GROUP
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
Then add the device to TACACS and test it.
Note: make sure you add TACACS later, after applying the config; if not, you will lock yourself out.