Cisco Switch: Create a new local SSH account while still being able to auth to AD

John Stevens
Level 1

Hello

I have a few Cisco switches at my site, 37xx and 65xx's, and they all authenticate to my network AD for access. I want to set up a local SSH account with priv 15 on the switches as well for local login in case AD is down or if for some reason the switch is unable to access my AD. My question is how do I create this local account for SSH priv 15 without affecting the AD authentication?

Thanks

Accepted Solution

John

 

If you get that line into your config then yes the switches would have both AD/Radius and local authentication. AD/Radius would authenticate when you login using a normal user ID and local database would authenticate when you login using SSHUser.

 

The order of parameters that I suggested is a more common way to do it, using local authentication as a fallback method when AD/Radius is not available (and I thought that was what you were suggesting in your original post). One result is that if you attempt to login as SSHUser when AD/Radius is working then the login would fail. If you want login as SSHUser to always succeed then the order that John suggested would be more appropriate:

aaa authentication login default local group radius

HTH

Rick
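To make the difference between the two orderings concrete, here is a small Python model of how IOS walks a login method list. It is an added example, not code from the thread or from Cisco; it assumes the documented rule that the next method in the list is consulted only when the previous one returns an error (server unreachable, user not in the local database), never when it returns a failure (bad password, RADIUS Access-Reject), and all users and passwords in it are constructed sample data.

```python
"""Added example (not from the thread): a small model of how IOS walks an
AAA login method list.  It follows the documented rule that the next method
is tried only when the previous one returns ERROR (server unreachable, user
not in the local database), never on FAIL (bad password, Access-Reject)."""

PASS, FAIL, ERROR = "pass", "fail", "error"

# Constructed sample data: the AD/RADIUS users and the switch's local database.
RADIUS_USERS = {"jdoe": "ADpassw0rd"}
LOCAL_USERS = {"SSHUser": "SSHUser"}   # username SSHUser privilege 15 secret SSHUser

def method_local(user, password, radius_up):
    """'local': unknown user -> ERROR (next method); wrong password -> FAIL."""
    if user not in LOCAL_USERS:
        return ERROR
    return PASS if LOCAL_USERS[user] == password else FAIL

def method_group_radius(user, password, radius_up):
    """'group radius': server unreachable -> ERROR; Access-Reject -> FAIL."""
    if not radius_up:
        return ERROR
    return PASS if RADIUS_USERS.get(user) == password else FAIL

METHODS = {"local": method_local, "group radius": method_group_radius}

def aaa_login(method_list, user, password, radius_up=True):
    """Walk the list left to right and stop at the first PASS or FAIL; if every
    method returned ERROR nobody could decide, so the login is refused."""
    for name in method_list:
        result = METHODS[name](user, password, radius_up)
        if result in (PASS, FAIL):
            return result
    return FAIL

RICK = ["group radius", "local"]   # aaa authentication login default group radius local
JOHN = ["local", "group radius"]   # aaa authentication login default local group radius

if __name__ == "__main__":
    # Rick's order: RADIUS rejects SSHUser while the server is up, so the local
    # entry is never consulted; it only helps once RADIUS is unreachable.
    print(aaa_login(RICK, "SSHUser", "SSHUser", radius_up=True))    # fail
    print(aaa_login(RICK, "SSHUser", "SSHUser", radius_up=False))   # pass
    # John's order: local first; a user not in the local database falls over
    # to RADIUS, but a bad password for a local user is a FAIL, not a fallover.
    print(aaa_login(JOHN, "SSHUser", "SSHUser"))                    # pass
    print(aaa_login(JOHN, "jdoe", "ADpassw0rd"))                    # pass
    print(aaa_login(JOHN, "SSHUser", "wrong"))                      # fail
```

The last case is the one to remember when choosing an order: a method that answers (pass or fail) ends the evaluation, so a list only "falls back" past a method that could not answer at all.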

8 Replies

John Blakley
VIP Alumni

If you use a local account on the router, you can change the authentication order. Let's say that you're using radius for authentication against AD and you want to create a user in the local database for SSH. You would change your authentication line to check the local account first and then radius second:

aaa authentication login default local group radius

username SSHUser privilege 15 secret SSHUser

If you log in with the SSHUser account, you'll be able to get connected via the local database. If you log in with anything else that doesn't exist in the local database, it will fail over to the radius server.

HTH,

John


Thanks for the reply. So would I just do the normal local config for the local account if I set it up to verify local first then AD?

 

aaa new-model

aaa authentication login default local enable

username jdoe privilege 15 password cisco

line vty 0 4

login local

Yes, but the config that you posted won't authenticate against AD. How are you doing that now? The aaa auth line that you have will use the local first (in this case jdoe) and, if the username doesn't exist, fail over to the enable password. I don't see anything in your config that will authenticate against AD which usually is a tacacs or radius server.

HTH,

John


The switch currently has the following config:

aaa authentication login default group radius

aaa authentication login console line

aaa authentication enable default enable

aaa auth default group radius

aaa authorization exec console none

radius-server host 10.x.x.x auth-port xxxx acct-port xxxx key FAxxxxx

 

I didn't know if I could just add the following to my switch and it would allow both AD and local logins, or if entering the following CLI would break my AD/Radius.

 

aaa new-model

aaa authentication login default local enable

username jdoe privilege 15 password cisco

line vty 0 4

login local

I am not clear what you are suggesting. Are you suggesting that you replace this

aaa authentication login default group radius

with this

aaa authentication login default local enable

which would definitely break your current AD/Radius method.

Or are you suggesting that you would try to have both? Just adding the second line would not work because it would, in fact, replace the first line with the second.

If we follow John's suggestion you would want something like this

aaa authentication login default local group radius

or I would suggest using something like this (which is similar but a bit different)

aaa authentication login default group radius local

John's suggestion would check the local database first and if it did not match the ID would then check AD/Radius. My suggestion would check AD/Radius first and if Radius is not working then would check the local database as a backup.

HTH

Rick

Rick, thanks for the response and sorry for the confusion.

I meant to add it to my existing config. So if I understand you correctly, I should just add the following to my existing config, which is currently set up for AD/Radius:

 

aaa authentication login default group radius local

username SSHUser privilege 15 secret SSHUser   (<- creates the new local user account)

 

and this would allow me to have both AD/Radius and local auth for SSH access correct?  I am just trying to confirm the CLI for what I would need to add to my current setup to allow both AD/radius & local log in.


Christory
Level 1

Hi @John Stevens, could you try this and ping a reply?

Local access creds required even when AD server available:

aaa authentication login L_AUTH local
aaa authorization exec L_AUTH local if-authenticated
aaa authorization console

username localadmin privilege 15 secret chris

line console 0
 login authentication L_AUTH
 authorization exec L_AUTH
