01-13-2025 01:31 AM - edited 01-13-2025 01:33 AM
Hi All,
I'm trying to configure a local user on a C9300-24P switch operating in 'INSTALL' mode & running IOS version 17.06.05.
Below is an extract of 'show-run' for AAA:
aaa authentication login default local
aaa authentication login AUTHEN-EU-ISE-ADMIN group EU-ISE local
aaa authentication dot1x default group EU-ISE
aaa authorization exec default local
aaa authorization exec AUTHZ-EU-ISE-ADMIN group EU-ISE local if-authenticated
aaa authorization network default group EU-ISE
aaa authorization console
aaa accounting exec ACC-EU-ISE-ADMIN start-stop group EU-ISE
aaa accounting Identity default start-stop group EU-ISE
aaa accounting update newinfo periodic 2880
!
username recovery privilege 15 secret 9 $9$jQb1k9oWgH4XOk$tgl7LDLHFJgGdmYjSW.xvpDHWLYWQXduBYHY4ClmkCg
!
aaa server radius dynamic-author
 client xxx.xxx.xxx.xxx server-key 7 120A0802150C000138
 client xxx.xxx.xxx.xxx server-key 7 0317561E01082D495C
 client xxx.xxx.xxx.xxx server-key 7 15010619032D27213A
!
!
radius server RNPS02
 address ipv4 xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
 key 7 0317561E01082D495C
!
radius server RNPS01
 address ipv4 xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
 key 7 0832415B0E1E091200
!
radius server ENPS01
 address ipv4 xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
 key 7 15010619032D27213A
!
radius-server dead-criteria time 5 tries 3
radius-server retransmit 2
radius-server timeout 3
radius-server deadtime 5
!
aaa group server radius EU-ISE
 server name ENPS01
 server name RNPS02
 server name RNPS01
 deadtime 5
!
!
!
!
aaa new-model
aaa session-id common
!
!
ip radius source-interface Vlan30
However, if I try to log in using the 'recovery' user, my login fails. Login via a RADIUS user works.
Debugging logs from the switch:
001802: Jan 13 2025 09:25:30.058 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: recovery] [Source: xxx.xxx.xxx.xxx] [localport: 22] [Reason: Login Authentication Failed] at 10:25:30 CET Mon Jan 13 2025
001803: Jan 13 2025 09:25:30.058 UTC: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from xxx.xxx.xxx.xxx (tty = 1) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' Failed
001804: Jan 13 2025 09:25:30.058 UTC: %SSH-5-SSH2_CLOSE: SSH2 Session from xxx.xxx.xxx.xxx (tty = 1) for user '' using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' closed
001805: Jan 13 2025 09:26:35.904 UTC: %SSH-5-SSH2_SESSION: SSH2 Session request from xxx.xxx.xxx.xxx (tty = 1) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' Succeeded
001806: Jan 13 10:26:39.394 CET: RADIUS/ENCODE(0000007F): ask "Password: "
001807: Jan 13 10:26:39.394 CET: RADIUS/ENCODE(0000007F): send packet; GET_PASSWORD
001808: Jan 13 10:26:48.358 CET: RADIUS/ENCODE(0000007F):Orig. component type = Exec
001809: Jan 13 10:26:48.358 CET: RADIUS/ENCODE(0000007F): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
001810: Jan 13 10:26:48.358 CET: RADIUS(0000007F): Config NAS IP: xxx.xxx.xxx.xxx
001811: Jan 13 10:26:48.358 CET: vrfid: [65535] ipv6 tableid : [0]
001812: Jan 13 10:26:48.358 CET: idb is NULL
001813: Jan 13 10:26:48.358 CET: RADIUS(0000007F): Config NAS IPv6: ::
001814: Jan 13 10:26:48.358 CET: RADIUS/ENCODE(0000007F): acct_session_id: 4117
001815: Jan 13 10:26:48.358 CET: RADIUS(0000007F): sending
001816: Jan 13 10:26:48.358 CET: RADIUS: Long password processing
001817: Jan 13 10:26:48.358 CET: RADIUS(0000007F): Send Access-Request to xxx.xxx.xxx.xxx:1812 id 1645/92, len 88
001818: Jan 13 2025 09:26:50.375 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: recovery] [Source: xxx.xxx.xxx.xxx] [localport: 22] [Reason: Login Authentication Failed] at 10:26:50 CET Mon Jan 13 2025
001819: Jan 13 10:26:50.389 CET: RADIUS/ENCODE(0000007F): ask "Password: "
001820: Jan 13 10:26:50.389 CET: RADIUS/ENCODE(0000007F): send packet; GET_PASSWORD
Could someone help with what could be missing here..? We want to have a local backup user available in case of RADIUS failures.
Thanks..!!
Kind Regards,
Saurabh.
01-13-2025 05:16 AM
But did you disable the RADIUS while testing? If the switch is able to talk with the RADIUS server, it would not fall back to the local user. And your aaa config should look like
aaa authentication login default group tacacs local
01-13-2025 06:38 AM
Hi @Flavio Miranda
Thanks for the feedback.
I have disabled RADIUS while testing, but the local account is still failing.
I also tried configuring it using
aaa authentication login default group radius local
But it still fails. Could you recommend any other possibilities please..?
Thanks
01-13-2025 05:20 AM
You must make sure that the username recovery is not configured in the RADIUS server; otherwise the RADIUS server sends a failure, and hence the SW does not try local.
MHM
01-13-2025 06:39 AM
Hi @MHM Cisco World
Thanks for your feedback.
User recovery is only configured as a local account & not on the RADIUS.
Thanks.
01-13-2025 06:58 AM
Two points to check what the issue is here
1- shut the vlan 30; this prevents the SW from sending any requests to the servers (three servers)
If the above works and you can use the local user, then
2- make sure that the radius server is configured such that it does not answer any requests for an unknown user.
From the log you shared, the server replies with failed, and that, as I mentioned, does not force the SW to check the local user
MHM
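The fallback rule discussed in this thread (a reachable RADIUS server that answers with a reject ends the method list, while only an error such as all servers being dead lets IOS move on to "local") can be modelled in a few lines. The following simulation is an added example and not code from the thread or from Cisco; the usernames, passwords and the dead-server bookkeeping are constructed to mirror the "group EU-ISE local" method list above.

```python
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method answered and rejected (Access-Reject / bad local secret)
    ERROR = "error"  # the method could not answer (servers dead, user unknown locally)


@dataclass
class RadiusGroup:
    """Models 'aaa group server radius EU-ISE' with a constructed user store."""
    name: str
    users: dict                       # constructed: username -> password on the RADIUS side
    servers: tuple = ("ENPS01", "RNPS02", "RNPS01")
    dead_servers: set = field(default_factory=set)

    def authenticate(self, user, password):
        if not [s for s in self.servers if s not in self.dead_servers]:
            return Result.ERROR       # no reachable server: IOS tries the next method
        # A reachable server always answers; an unknown user gets Access-Reject = FAIL
        return Result.PASS if self.users.get(user) == password else Result.FAIL


@dataclass
class LocalDB:
    """Models the 'username ... secret' lines on the switch."""
    users: dict

    def authenticate(self, user, password):
        if user not in self.users:
            return Result.ERROR       # unknown local user: IOS tries the next method
        return Result.PASS if self.users[user] == password else Result.FAIL


def aaa_login(method_list, user, password):
    """IOS method-list semantics: PASS and FAIL are terminal, only ERROR falls through."""
    for method in method_list:
        result = method.authenticate(user, password)
        if result is not Result.ERROR:
            return result
    return Result.ERROR               # no method could answer: the login is denied


def scenario(user, password, radius_reachable):
    """'aaa authentication login default group EU-ISE local' with constructed accounts."""
    radius = RadiusGroup("EU-ISE", users={"ise-admin": "ise-pw"})   # 'recovery' is not here
    if not radius_reachable:
        radius.dead_servers = set(radius.servers)   # all servers marked dead by dead-criteria
    local = LocalDB({"recovery": "local-pw"})
    return aaa_login([radius, local], user, password)
```

With RADIUS reachable, the local-only user is rejected by the server and never reaches the local database; it only succeeds once every server in the group is marked dead.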