08-07-2016 05:51 AM - edited 03-08-2019 06:54 AM
Hi friends,
I configured the commands below to set up AAA authentication with Microsoft Active Directory 2008 (Cisco devices integrated with Microsoft AD for telnet and SSH, and both AD and local usernames can log in to the console).
But when I unplug the Cisco devices (routers and switches) from the network,
I can't log in to the console.
It's better to say I don't know how to log in to the console line whenever I am not connected to AD for authentication.
aaa new-model
aaa group server radius ABCD
server-private 10.10.10.10 auth-port 1645 acct-port 1646 key KEYPASS (where 10.10.10.10 is the AD IP and KEYPASS is my shared key)
aaa authentication login default group ABCD
aaa authorization exec default group ABCD
!
line vty 0 4
login authentication default
transport input telnet ssh
!
line console 0
????????????????
I only typed this ----> login authentication default
So I want that any time I am not connected to my AD or network and have physical access to the switches or router,
I can connect to the console port and log in to the console without looking up Active Directory users.
So could you please help me with which command I should type to do that?
Thanks a lot
08-07-2016 07:23 AM
Hi,
For console you need to create a separate authentication profile or modify existing one.
aaa authentication login default group ABCD local
(OR)
aaa authentication login console local
line con 0
login authentication console
Thanks & Best regards
08-07-2016 08:12 AM
Lots of thanks, dear.
Sorry, I have only 2 other questions, please answer me:
1- If I create a separate authentication as YOU said above, can I connect to the console
both when the network cable is plugged in and whenever I have physical access to it without any network (I mean the switch is not connected to the network or to my Active Directory for authentication)?
???????
-------------------------
2- What is the meaning of %backup authentication?
How should I solve it?
Whenever I telnet to this switch (the one I explained to you) from anywhere via Windows CMD,
I get this error: %backup Authentication
Unfortunately I have multiple vty lines.
I did the task below for all of them:
e.g :line vty 0 3
no login
no transport input
-----
line vty 4
no login
no tran input
--------
and just typed:
line vty 0 4 AND line vty 5 15
login authentication default
transport input telnet
But I still have that problem.
What should I do?
Really, thanks <3
:)
08-07-2016 09:57 AM
Hi;
Please find below answer of your queries:
aaa authentication login console local
line con 0
login authentication console
For e.g: aaa authentication login default group ABCD local
Where ABCD is your AD Server (Primary Authentication Server)
While local is your Backup Authentication Server.
This is because you are using the default profile, which is automatically applied to the switch lines (vty/con/aux ports).
It's always recommended to use separate profiles (console authentication to local, and AD/TACACS authentication for telnet/SSH) instead of using the default profile.
Normally companies use Telnet/SSH for switch management and any configuration change. The console is only used in case of some troubleshooting (i.e. hardware failure, the switch is out of the network for authentication, or you can't manage the switch remotely, etc.). If you put authentication as follows:
AD/TACACS only - then you can't access the switch.
Primary AD/TACACS & secondary local - the switch first tries to authenticate with AD/TACACS, and in case of failure it will authenticate locally.
And if you are also using authorization at the same time, then each command the user enters needs to be authorized by AD/TACACS and then local, and as a result, in case of failure, you will feel slowness and it will take a lot of time.
Thanks & Best regards;
08-07-2016 10:15 AM
WooooooW
Lots of thanks, engineer, really the best info for me and surely for others.
Best regards,
thanks a lot
08-08-2016 05:23 AM
Hello
If you are using the default aaa group for authentication/authorization, then as stated this will apply to your console login also.
However, this can be negated entirely if need be, EVEN when your AD is available, and changed to either having no access, using the local user database, or even a special keyboard character (IOS version applicable).
No access creds required even when the AD server is available:
aaa authentication login NOAUTH none
aaa authorization exec NOAUTH none
aaa authorization console
line console 0
privilege level 15
login authentication NOAUTH
authorization exec NOAUTH
Local access creds required even when the AD server is available:
aaa authentication login L_AUTH local
aaa authorization exec L_AUTH local if-authenticated
aaa authorization console
username stan privilege 15 secret stan
line console 0
login authentication L_AUTH
authorization exec L_AUTH
Local access via the keyboard character "@":
aaa authentication login NOAUTH none
aaa authorization exec NOAUTH none
aaa authorization console
line console 0
privilege level 15
authorization exec NOAUTH
login authentication NOAUTH
activation-character 64
res
Paul
03-26-2024 04:57 AM
Hello @paul driver
Hello,
I want to install a localadmin account on all the switches and routers so that I can connect to them when the RADIUS (SSH) is unavailable.
Doing my test after installing the account, I realize that the switch gives priority to the SSH connection as long as the RADIUS is available.
Use
#no aaa authentication login RADIUSLOGON group radius local
#no aaa authorization exec RADIUSLOGON group radius local
#aaa authentication login default local
#aaa authorization exec default local
#username localadmin privilege 15 secret azertytest
I've temporarily disabled access to the RADIUS from the switch and I'm able to connect with localadmin.
Is there a way to make the switch offer me the use of either RADIUS (SSH) or localadmin (console port 0) without having to disable RADIUS?
Thanks for your feedback
03-27-2024 10:10 AM
I would have thought that authentication login RADIUSLOGON group radius local would have accomplished what you want. If it does not then perhaps posting more of the config might shed some light on the issue.
It might also shed light on the issue if you access the switch using SSH/telnet (authenticating with the server or not), run debug for aaa authentication, attempt to login on console, and post the debug output.
04-02-2024 06:44 AM
Hello @Richard Burts, here is the basic conf I have on every box:
username local priv 15 secret azerty
aaa new-model
!
aaa authentication login RADIUSLOGON group radius local
aaa authorization enable default group radius enable
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec RADIUSLOGON group radius local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
line con 0
timeout login response 60
authorization exec RADIUSLOGON
logging synchronous
login authentication RADIUSLOGON
stopbits 1
line vty 0 4
access-class 20 in
exec-timeout 5 0
timeout login response 60
authorization exec RADIUSLOGON
logging synchronous
login authentication RADIUSLOGON
transport input ssh
line vty 5 15
access-class 20 in
exec-timeout 5 0
timeout login response 60
authorization exec RADIUSLOGON
logging synchronous
login authentication RADIUSLOGON
transport input ssh
04-03-2024 07:28 AM
Thanks for the additional information. My first suggestion would be to either remove this command
aaa authorization console
or else to add some parameters to define the processing desired such as group radius local
If that does not improve things then we need some additional troubleshooting. I am not clear whether the issue is with authentication or with authorization. One way to check on that would be to run debug aaa for authentication and for authorization, attempt access to console, and post debug output.
Another approach would be to remove the aaa commands from the console and then add them back one at a time noting any changes in behavior.
04-04-2024 05:43 AM
Good morning @Richard Burts
I have added some parameters such as
then in line console 0, I removed the login authorization and authentication and replaced them with the new command.
On the switch, when I connect the blue cable to the console port, I am able to connect with either the localadmin account or the RADIUS account.
The problem is that when I use the configuration on another switch of the same model, it doesn't really work.
Here is the current running configuration:
username localadmin privilege 15 secret 9 $$$
username localdmin privilege 15 secret 9 $9$C
aaa new-model
!
aaa authentication login default local group radius
aaa authentication login RADIUSLOGON group radius local
aaa authentication login L_AUTH local
aaa authentication enable default group radius enable
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec default group RADIUSLOGON local if-authenticated
aaa authorization exec RADIUSLOGON group radius local
aaa authorization exec L_AUTH local if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
switch 1 provision ws-c3560cx-12pd-s
system mtu routing 1500
!
!
line con 0
exec-timeout 9 0
privilege level 15
password azerty
stopbits 1
line vty 0 4
access-class 20 in
exec-timeout 5 0
timeout login response 60
authorization exec RADIUSLOGON
logging synchronous
login authentication RADIUSLOGON
transport input telnet ssh
line vty 5 15
access-class 20 in
exec-timeout 5 0
timeout login response 60
authorization exec RADIUSLOGON
logging synchronous
login authentication RADIUSLOGON
transport input telnet ssh
!
end
04-09-2024 10:38 AM
Thanks for the additional information. First let me ask about this "when use the configuration on another same model switch, it doesn't really work" Can you clarify what seems to work and what seems to not work?
I have a couple of things about the new config you show in the recent post.
- In earlier versions of config you had things on the console like this "login authentication RADIUSLOGON" which allows you to specify some alternatives for authentication (especially to specify an alternative method of authentication if the primary method does not work). In the new config there are no authentication commands under the console. I would expect in this case the locally configured user ID and password would be used but that it would not use Radius. Is that the case?
- I am surprised at this "aaa authentication login default local group radius". Typically you want to use Radius as the primary and local as the alternative. But this config will use the locally configured IDs as primary. Is that what you intended?
- in earlier versions of config you were using authorization commands on the console (as well as vty etc). I would be very cautious about authorization (especially on the console) because it has potential to lock you out of accessing the switch. Once you get everything working satisfactorily, you can try authorization.
04-10-2024 01:12 AM
Good morning @Richard Burts, and thank you for the feedback.
In fact, here is the initial configuration on all the switches (this configuration doesn't allow me to connect with the adminlocal account on the console port):
!
aaa authentication login ABCDLOGON group radius local
aaa authentication enable default group radius enable
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec ABCDLOGON group radius local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server RADIUS_2
address ipv4 10.135.24.43 auth-port 1812 acct-port 1813
timeout 3
retransmit 2
key 7 05
!
line con 0
timeout login response 60
authorization exec ABCDLOGON
logging synchronous
login authentication ABCDLOGON
stopbits 1
line vty 0 4
access-class 10 in
exec-timeout 5 0
timeout login response 60
authorization exec ABCDLOGON
logging synchronous
login authentication ABCDLOGON
transport input ssh
line vty 5 15
access-class 10 in
exec-timeout 5 0
timeout login response 60
authorization exec ABCDLOGON
logging synchronous
login authentication ABCDLOGON
transport input ssh
To perform my test on a Cisco WS-C3560CX-12PD-S, I implemented the following configuration.
When I implement this configuration on another switch of the same WS-C3560CX-12PD-S model, it doesn't work.
I'm forced to make further modifications, which doesn't seem logical enough:
!
username localadmin privilege 15 secret 9 $9$W1.99
username localdmin privilege 15 secret 9 $9$C8j8AR
aaa new-model
!
aaa authentication login default local group radius
aaa authentication login ABCDLOGON group radius local
aaa authentication login L_AUTH local
aaa authentication enable default group radius enable
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec default group ABCDLOGON local if-authenticated
aaa authorization exec ABCDLOGON group radius local
aaa authorization exec L_AUTH local if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
!
line con 0
exec-timeout 9 0
privilege level 15
password 7 106
stopbits 1
line vty 0 4
access-class 10 in
exec-timeout 5 0
timeout login response 60
authorization exec ABCDLOGON
logging synchronous
login authentication ABCDLOGON
transport input telnet ssh
line vty 5 15
access-class 10 in
exec-timeout 5 0
timeout login response 60
authorization exec ABCDLOGON
logging synchronous
login authentication ABCDLOGON
transport input telnet ssh
!
commands under the console. I would expect in this case the locally configured user ID and password would be used but that it would not use Radius. Is that the case?
-Yes, this is the case
- I am surprised at this "aaa authentication login default local group radius". Typically you want to use Radius as the primary and local as the alternative. But this config will use the locally configured IDs as primary. Is that what you intended?
-Yes, absolutely right. This is what I want.
04-17-2024 01:17 PM
I apologize for having lost track of this discussion. And I am still not very clear about how you want this to work. The original config uses the same method for the console and for SSH/telnet on the vty lines:
aaa authentication login ABCDLOGON group radius local
This uses RADIUS as primary and the locally configured ID/password as backup. Then you add a line to specify a default method which the console will use, but SSH/telnet on the vty lines will not:
aaa authentication login default local group radius
This reverses the order so that local is preferred and Radius becomes the backup. If this accomplishes what you want then why not just make it part of your standard config?
I might suggest an alteration to the config. Instead of defining a default method to be used by console why not configure another method list (perhaps CONSOLE) and use it for the console and avoid changing default behaviors.
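To make the fallback behaviour discussed in this thread concrete (the "primary AD/TACACS, secondary local" explanation in the 08-07-2016 answer, the NOAUTH `none` list in the 08-08-2016 answer, and the `local group radius` versus `group radius local` ordering above), here is a small Python model of how IOS walks an `aaa authentication login` method list. This is an added example for the thread, not code from any post or from Cisco: the server names, usernames and passwords are constructed. It encodes the documented IOS rule that the next method in a list is consulted only when the previous one gives no response (server group unreachable), while an explicit reject ends the attempt. Treating an unknown local username as "no response", so that `local group radius` still reaches RADIUS for AD users, is an assumption of the model that matches what the poster above observed.

```python
"""Model of how Cisco IOS walks an AAA login method list (constructed example)."""
from enum import Enum


class Result(Enum):
    PASS = "pass"      # method accepted the credentials
    FAIL = "fail"      # method explicitly rejected them: the list stops here
    ERROR = "error"    # method gave no answer: IOS tries the next method


# Constructed accounts, not credentials from the thread.
RADIUS_USERS = {"ABCD": {"alice": "ad-password"}}   # users the AD/RADIUS group ABCD knows
LOCAL_USERS = {"localadmin": "local-password"}      # from 'username localadmin ... secret ...'


def parse_method_list(line):
    """'aaa authentication login CONSOLE group ABCD local' -> ('CONSOLE', ['group ABCD', 'local'])."""
    tokens = line.split()
    if tokens[:3] != ["aaa", "authentication", "login"]:
        raise ValueError("not an 'aaa authentication login' command")
    name, rest = tokens[3], tokens[4:]
    methods, i = [], 0
    while i < len(rest):
        if rest[i] == "group":          # 'group <server-group-name>' is one method
            methods.append(f"group {rest[i + 1]}")
            i += 2
        else:                           # 'local', 'none', ...
            methods.append(rest[i])
            i += 1
    return name, methods


def run_method(method, user, password, reachable_groups):
    """Outcome of one method for one login attempt."""
    if method == "none":
        return Result.PASS              # no credentials are checked at all
    if method == "local":
        if user not in LOCAL_USERS:
            return Result.ERROR         # assumption: unknown local user falls through
        return Result.PASS if LOCAL_USERS[user] == password else Result.FAIL
    if method.startswith("group "):
        group = method.split()[1]
        if group not in reachable_groups:
            return Result.ERROR         # every server in the group timed out
        known = RADIUS_USERS.get(group, {}).get(user)
        return Result.PASS if known == password else Result.FAIL
    raise ValueError(f"unsupported method {method!r}")


def authenticate(methods, user, password, reachable_groups=frozenset()):
    """Walk the list; return (Result, deciding method) or (FAIL, None) if every method errored."""
    for method in methods:
        outcome = run_method(method, user, password, reachable_groups)
        if outcome is not Result.ERROR:
            return outcome, method
    return Result.FAIL, None            # no method answered: access denied


if __name__ == "__main__":
    _, radius_only = parse_method_list("aaa authentication login default group ABCD")
    _, radius_local = parse_method_list("aaa authentication login default group ABCD local")
    _, local_first = parse_method_list("aaa authentication login default local group ABCD")
    # Cable unplugged: the original poster's list has nowhere to fall back to.
    print(authenticate(radius_only, "localadmin", "local-password"))
    # Same outage with 'local' appended: the console is usable again.
    print(authenticate(radius_local, "localadmin", "local-password"))
    # Server up: it rejects an account it does not know, and 'local' is never consulted.
    print(authenticate(radius_local, "localadmin", "local-password", {"ABCD"}))
    # Local-first list: an unknown local user falls through to RADIUS.
    print(authenticate(local_first, "alice", "ad-password", {"ABCD"}))
```

The third call is the situation the 03-26-2024 post describes: with `group radius local` and the server reachable, a local-only account is rejected by RADIUS and the `local` method is never reached, which is exactly why a dedicated console method list (or a local-first list) is needed rather than disabling the server.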
04-18-2024 01:14 AM
Hello
@zavira123 wrote:
I want to install a localdmin account on all the switches and routers so that I can connect to them when the radius (SSH) is unavailable
username localadmin privilege 15 secret azertytes
aaa authentication login RADIUSLOGON group radius local
aaa authorization exec RADIUSLOGON group radius local if-authenticated
aaa authorization console
line vty 0 4
authorization exec RADIUSLOGON
login authentication RADIUSLOGON