12-01-2014 11:21 AM - edited 03-07-2019 09:43 PM
Hello
I have a few Cisco switches at my site, 37xx and 65xx's, and they all auth to my network AD for access. I want to set up a local SSH account with Priv 15 on the switches as well for local log in in case AD is down or if for some reason the switch is unable to access my AD. My question is how do I create this local account for SSH Priv 15 without affecting the AD authentication?
Thanks
Accepted Solutions
12-03-2014 02:23 PM
John
If you get that line into your config then yes the switches would have both AD/Radius and local authentication. AD/Radius would authenticate when you login using a normal user ID and local database would authenticate when you login using SSHUser.
The order of parameters that I suggested is a more common way to do it, using local authentication as a fallback method when AD/Radius is not available (and I thought that was what you were suggesting in your original post). One result is that if you attempt to login as SSHUser when AD/Radius is working then the login would fail. If you want login as SSHUser to always succeed then the order that John suggested would be more appropriate:
aaa authentication login default local group radius
HTH
Rick

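The behaviour Rick and John describe (a method that cannot decide hands off to the next one, while an accept or a reject ends the lookup) is easy to get wrong when reading a method list. The following is an added example, not Cisco code or anything posted in this thread: a small Python model of how IOS walks an `aaa authentication login` method list. It assumes the semantics stated above, namely that `group radius` returns an error only when the server is unreachable, that `local` returns an error when the username is not in the local database (so the next method is tried) but a reject when the password is wrong, and that a login is denied when every method errors. The user directory, passwords and RADIUS up/down states are constructed for the demonstration.

```python
"""Toy model of Cisco IOS AAA login method-list evaluation.

Added example; it is not IOS code and not from the thread. The semantics
modelled are the ones discussed in the replies: methods are tried left to
right, ERROR (server unreachable / unknown local user) moves on to the next
method, PASS or FAIL ends evaluation.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Result(Enum):
    PASS = "pass"    # credentials accepted: evaluation stops
    FAIL = "fail"    # credentials rejected: evaluation stops
    ERROR = "error"  # method could not decide: try the next method


@dataclass
class RadiusGroup:
    """Stands in for `group radius` (the RADIUS server fronting AD)."""
    reachable: bool
    directory: dict  # constructed sample of AD accounts

    def authenticate(self, user, pw):
        if not self.reachable:
            return Result.ERROR  # server timeout: fall through to next method
        return Result.PASS if self.directory.get(user) == pw else Result.FAIL


@dataclass
class LocalDatabase:
    """Stands in for `local` (the `username ... secret ...` entries)."""
    users: dict

    def authenticate(self, user, pw):
        if user not in self.users:
            return Result.ERROR  # unknown local user: fall through (assumed semantics)
        return Result.PASS if self.users[user] == pw else Result.FAIL


@dataclass
class EnablePassword:
    """Stands in for `enable`; with no enable secret configured it cannot decide."""
    secret: Optional[str]

    def authenticate(self, user, pw):
        if self.secret is None:
            return Result.ERROR
        return Result.PASS if pw == self.secret else Result.FAIL


class NoAuth:
    """Stands in for `none`: every login is accepted."""
    def authenticate(self, user, pw):
        return Result.PASS


def parse_method_list(line):
    """Split `aaa authentication login <name> <method>...` into (name, methods)."""
    toks = line.split()
    if toks[:3] != ["aaa", "authentication", "login"]:
        raise ValueError("not an aaa authentication login line: " + line)
    name, methods, i = toks[3], [], 4
    while i < len(toks):
        if toks[i] == "group":              # `group radius`, `group tacacs+`
            methods.append(toks[i] + " " + toks[i + 1])
            i += 2
        else:
            methods.append(toks[i])
            i += 1
    return name, methods


def evaluate(methods, backends, user, pw):
    """Try each method in order. Returns (result, method that decided);
    (ERROR, None) means every method errored, which IOS treats as a denied login."""
    for m in methods:
        r = backends[m].authenticate(user, pw)
        if r is not Result.ERROR:
            return r, m
    return Result.ERROR, None


def run_scenarios():
    """Evaluate both orderings from the thread against constructed accounts."""
    local_db = LocalDatabase({"SSHUser": "SSHUser"})   # the local break-glass user
    ad_users = {"jdoe": "Winter2014"}                   # constructed AD account
    results = {}
    for line in ("aaa authentication login default group radius local",
                 "aaa authentication login default local group radius"):
        _, methods = parse_method_list(line)
        order = " ".join(methods)
        for radius_up in (True, False):
            backends = {"local": local_db,
                        "group radius": RadiusGroup(radius_up, ad_users),
                        "enable": EnablePassword(None),
                        "none": NoAuth()}
            for user, pw in (("SSHUser", "SSHUser"), ("jdoe", "Winter2014"),
                             ("SSHUser", "wrong")):
                r, by = evaluate(methods, backends, user, pw)
                results[(order, radius_up, user, pw)] = (r.name, by)
    return results


if __name__ == "__main__":
    for (order, up, user, pw), (r, by) in run_scenarios().items():
        print(f"{order:20} radius_up={up!s:5} {user}/{pw}: {r} via {by}")
```

Running it shows the difference in one table: with `group radius local` a RADIUS reject of SSHUser is final, so the local account only works while the server is unreachable (the true fallback case the thread settles on), whereas with `local group radius` SSHUser is always accepted locally and AD users fall through to RADIUS. Whichever order is chosen, the local privilege-15 account is a break-glass credential: give it a `secret` rather than a `password`, do not reuse the username as the secret, and log its use so an unexpected local login during normal RADIUS operation stands out.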
12-01-2014 12:08 PM
If you use a local account on the router, you can change the authentication order. Let's say that you're using radius for authentication against AD and you want to create a user in the local database for SSH. You would change your authentication line to check the local account first and then radius second:
aaa authentication login default local group radius
username SSHUser privilege 15 secret SSHUser
If you log in with the SSHUser account, you'll be able to get connected via the local database. If you log in with anything else that doesn't exist in the local database, it will fail over to the radius server.
HTH,
John
12-01-2014 02:28 PM
Thanks for the reply. So would I just do the normal local config for the local account if I set it up to verify local first then AD?
aaa new-model
aaa authentication login default local enable
username jdoe privilege 15 password cisco
line vty 0 4
login local

12-01-2014 06:38 PM
Yes, but the config that you posted won't authenticate against AD. How are you doing that now? The aaa auth line that you have will use the local first (in this case jdoe) and, if the username doesn't exist, fail over to the enable password. I don't see anything in your config that will authenticate against AD which usually is a tacacs or radius server.
HTH,
John
12-03-2014 08:43 AM
The switch currently has the following config:
aaa authentication login default group radius
aaa authentication login console line
aaa authentication enable default enable
aaa auth default group radius
aaa authorization exec console none
radius-server host 10.x.x.x auth-port xxxx acct-port xxxx key FAxxxxx
I didn't know if I could just add the following to my switch and it would allow both AD and local logins or if entering the following CLI would break my AD/Radius.
aaa new-model
aaa authentication login default local enable
username jdoe privilege 15 password cisco
line vty 0 4
login local
12-03-2014 11:02 AM
I am not clear what you are suggesting. Are you suggesting that you replace this
aaa authentication login default group radius
with this
aaa authentication login default local enable
which would definitely break your current AD/Radius method.
Or are you suggesting that you would try to have both? Just adding the second line would not work because it would, in fact, replace the first line with the second.
If we follow John's suggestion you would want something like this
aaa authentication login default local group radius
or I would suggest using something like this (which is similar but a bit different)
aaa authentication login default group radius local
John's suggestion would check the local database first and if it did not match the ID would then check AD/Radius. My suggestion would check AD/Radius first and if Radius is not working then would check the local database as a backup.
HTH
Rick
12-03-2014 01:28 PM
Rick, thanks for the response and sorry for the confusion.
I meant to add it to my existing config. So if I understand you correctly, I should just add the following to my existing config which is currently set up for AD/Radius:
aaa authentication login default group radius local
username SSHUser privilege 15 secret SSHUser (<- create the new local user account)
and this would allow me to have both AD/Radius and local auth for SSH access correct? I am just trying to confirm the CLI for what I would need to add to my current setup to allow both AD/radius & local log in.
03-27-2024 03:38 AM - edited 03-27-2024 03:41 AM
Hi @John Stevens, could you try this and ping a reply?
Local access creds required even when AD server available:
aaa authentication login L_AUTH local
aaa authorization exec L_AUTH local if-authenticated
aaa authorization console
username localadmin privilege 15 secret chris
line console 0
login authentication L_AUTH
authorization exec L_AUTH
