lots of thanks dear

sorry i have only 2 other questions pleas answer me

1-if i create separate authentication as YOU said above can i connect to console

both when Network cable is plugin and when ever i have physical access to it without any Network(i mean Switche No connect to Network or my Active Directory for authenticate)

???????

-------------------------

2-what is the meaning of %backup authentication

 how i should solve it?

when ever i telnet to this Switch(that i explained for you)from anywhere By CMD windows

i face to this error %backup Authentication 

unfortunately i have multiple line vty  

i do below task for all:

e.g :line vty 0 3

no login

no transport input

-----

line vty 4

no login

no tran input

--------

and just type:

line vty 0 4 AND line vty 5 15

login authentication default

transport input telnet 

but again i have that problem

what should i do

really thanks <3

:)

Hi;

Please find below answer of your queries:

1. If you create separate profile for console like I mentioned in email, then in all means whether your switch is on network or out of network the console access is always use local password.

aaa authentication login console local

line con 0

 login authentication console

2. You should always use as a Backup authentication server, in case of failure of AD/Tacacs the user will be authenticate with Backup authentication Server (either its local, enable & etc).

For e.g: aaa authentication login default group ABCD local

Where ABCD is your AD Server (Primary Authentication Server)

While local is your Backup Authentication Server.

Due to you using default profile which is automatically applied on the switch lines (vty/con/aux ports).

It’s always recommended to use separate profile (console authentication to local & AD/Tacacs authentication for telnet/SSH) instead of using default profile.

Normally companies using Telnet/SSH for switch management/any configuration change. Console will only use in case of some troubleshooting (i.e hardware failure, switch is out of network authentication or you can’t manage switch remotely etc) if you put authentication as follows:

AD/Tacacs only - then you can’t access the switch.

Primary AD/ Tacacs & Secondary local – Switch first try to authenticate first AD/Tacacs & in case of failure it will authenticate locally.

And if you also using authorization at same time then users each command need to be authorize from AD/Tacacs & then local and as result in case of failure you feel slowness and took lot of time.

Thanks & Best regards;

WooooooW

lots of thanks engineer really best info for me and surely for other

best regard

thanks a lot

Helle @paul driver

Hello,

I want to install a localdmin account on all the switches and routers so that I can connect to them when the radius (SSH) is unavailable.
To do my test after installing the account, I realize that the switch takes priority over the SSH connection as long as the radius is available.
Use
#no aaa authentication login RADIUSLOGON group radius local
#no aaa authorization exec RADIUSLOGON group radius local
#aaa authentication login default local
#aaa authentication exec default local
#username localadmin privilege 15 secret azertytest

I've temporarily disabled access to the radius from the switch and I'm able to connect to localadmin().

Is there a way to make the switch offer me to use either radius (ssh) or localadmin (console port 0) without having to disable radius?

Thanks for your feedback

I would have thought that authentication login RADIUSLOGON group radius local would have accomplished what you want. If it does not then perhaps posting more of the config might shed some light on the issue.

It might also shed light on the issue if you access the switch using SSH/telnet (authenticating with the server or not), run debug for aaa authentication, attempt to login on console, and post the debug output.

Hello @Richard Burts, Here is the basic conf I got on every boxes

username local priv 15 secret azerty
aaa new-model
!
aaa authentication login RADIUSLOGON group radius local
aaa authorization enable default group radius enable
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec RADIUSLOGON group radius local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
line con 0
timeout login response 60
authorization exec RADIUSLOGON
login synchronous
login authentication RADIUSLOGON
stopbits 1

line vty 0 4
access-class 20 in
exec-timeout 5 0
timeout login response 60
authorization exec RADIUSLOGON
logging synchronous
login authentication RADIUSLOGON
transport input ssh

line vty 5 15
access-class 20 in
exec-timeout 5 0
timeout login response 60
authorization exec RADIUSLOGON
logging synchronous
login authentication RADIUSLOGON
logging synchronous
login authentication RADIUSLOGON
transport input ssh

Thanks for the additional information. My first suggestion would be to either remove this command

aaa authorization console

or else to add some parameters to define the processing desired such as  group radius local

If that does not improve things then we need some additional troubleshooting. I am not clear whether the issue is with authentication or with authorization. One way to check on that would be to run debug aaa for authentication and for authorization, attempt access to console, and post debug output.

Another approach would be to remove the aaa commands from the console and then add them back one at a time noting any changes in behavior.

Good morning @Richard Burts 

I have add some parameters such

1. aaa authentication login default local group radius
2. aaa authentication login L_AUTH local
3. aaa authorization exec default group RADIUSLOGON local if-authenticated
4. aaa authorization exec L_AUTH local if-authenticated

then in line console 0, I remove the login authorization and authencation and replace with new command.

On the switch, when I connect the blue cable on the console port, I am able to connect either the localadmin account or the radius account.

The problem is when use the configuration on another same model switch, it doesn't really work.

Here is the current running configuration:

username localadmin privilege 15 secret 9 $$$
username localdmin privilege 15 secret 9 $9$C
aaa new-model
!
aaa authentication login default local group radius
aaa authentication login RADIUSLOGON group radius local
aaa authentication login L_AUTH local
aaa authentication enable default group radius enable
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec default group RADIUSLOGON local if-authenticated
aaa authorization exec RADIUSLOGON group radius local
aaa authorization exec L_AUTH local if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
switch 1 provision ws-c3560cx-12pd-s
system mtu routing 1500
!
!
line con 0
exec-timeout 9 0
privilege level 15 password azerty
stopbits 1
line vty 0 4
access-class 20 in
exec-timeout 5 0
timeout login response 60
authorization exec RADIUSLOGON
logging synchronous
login authentication RADIUSLOGON
transport input telnet ssh
line vty 5 15
access-class 20 in
exec-timeout 5 0
timeout login response 60
authorization exec RADIUSLOGON
logging synchronous
login authentication RADIUSLOGON
transport input telnet ssh
!
end

Thanks for the additional information. First let me ask about this "when use the configuration on another same model switch, it doesn't really work" Can you clarify what seems to work and what seems to not work?

I have a couple of things about the new config you show in the recent post.

- In earlier versions of config you had things on the console like this "login authentication RADIUSLOGON" which allows you to specify some alternatives for authentication (especially to specify an alternative method of authentication if the primary method does not work). In the new config there are no authentication commands under the console. I would expect in this case the locally configured user ID and password would be used but that it would not use Radius. Is that the case?

- I am surprised at this "aaa authentication login default local group radius". Typically you want to use Radius as the primary and local as the alternative. But this config will use the locally configured IDs as primary. Is that what you intended?

- in earlier versions of config you were using authorization commands on the console (as well as vty etc). I would be very cautious about authorization (especially on the console) because it has potential to lock you out of accessing the switch. Once you get everything working satisfactorily, you can try authorization.

Good morning @Richard Burts, and thank you for the feed back,

in fact, here is the initial configuration on all the switches(this configuration doesnt allow me to connect the adminlocal account to the console port): 

!
aaa authentication login ABCDLOGON group radius local
aaa authentication enable default group radius enable
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec ABCDLOGON group radius local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

!dius server RADIUS_2
address ipv4 10.135.24.43 auth-port 1812 acct-port 1813
timeout 3
retransmit 2
key 7 05

!
line con 0
timeout login response 60
authorization exec ABCDLOGON
logging synchronous
login authentication ABCDLOGON
stopbits 1
line vty 0 4
access-class 10 in
exec-timeout 5 0
timeout login response 60
authorization exec ABCDLOGON
logging synchronous
login authentication ABCDLOGON
transport input ssh
line vty 5 15
access-class 10 in
exec-timeout 5 0
timeout login response 60
authorization exec ABCDLOGON
logging synchronous
login authentication ABCDLOGON
transport input ssh

To perform my test on a cisco WS-C3560CX-12PD-S, I implemented the following configuration

When I implement this configuration on the same WS-C3560CX-12PD-S model, it doesn't work.
I'm forced to make further modifications, which doesn't seem logical enough:

!

username localadmin privilege 15 secret 9 $9$W1.99
username localdmin privilege 15 secret 9 $9$C8j8AR
aaa new-model
!
aaa authentication login default local group radius
aaa authentication login ABCDLOGON group radius local
aaa authentication login L_AUTH local
aaa authentication enable default group radius enable
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec default group ABCDLOGON local if-authenticated
aaa authorization exec ABCDLOGON group radius local
aaa authorization exec L_AUTH local if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!

!
line con 0
exec-timeout 9 0
privilege level 15 password 7 106
stopbits 1
line vty 0 4
access-class 10 in
exec-timeout 5 0
timeout login response 60
authorization exec ABCDLOGON
logging synchronous
login authentication ABCDLOGON
transport input telnet ssh
line vty 5 15
access-class 10 in
exec-timeout 5 0
timeout login response 60
authorization exec ABCDLOGON
logging synchronous
login authentication ABCDLOGON
transport input telnet ssh
!

commands under the console. I would expect in this case the locally configured user ID and password would be used but that it would not use Radius. Is that the case? 

     -Yes, this is the case

- I am surprised at this "aaa authentication login default local group radius". Typically you want to use Radius as the primary and local as the alternative. But this config will use the locally configured IDs as primary. Is that what you intended?

   -Yes, absolutly right. This is what I want