How to define Login Local for Console 0?

zavira123 (Level 1)

Hi friends,
I configured the commands below to set up AAA authentication with Microsoft Active Directory 2008 (Cisco devices integrated with Microsoft AD for Telnet and SSH; both AD and local usernames can log in to the console).
But while the Cisco devices (routers and switches) are unplugged from the network, I can't log in to the console.
It's better to say I don't know how to log in to the console line whenever I am not connected to AD for authentication.

aaa new-model
aaa group server radius ABCD
server-private 10.10.10.10 auth-port 1645 acct-port 1646 key KEYPASS
(where 10.10.10.10 is the AD IP and KEYPASS is my shared key)

aaa authentication login default group ABCD
aaa authorization exec default group ABCD

!
line vty 0 4
login authentication default
transport input telnet ssh

!
line console 0
???????????????? <--- I only typed: login authentication default


So I want that any time I am not connected to my AD or the network and have physical access to the switches or router,
I can connect to the console port and log in to the console without looking up Active Directory users.

So could you please help me with which command I should type to do that?

thanks a lot

14 Replies

ahmedshoaib (Level 4)

Hi,

For console you need to create a separate authentication profile or modify existing one.

aaa authentication login default group ABCD local 

(OR)

aaa authentication login console local

line con 0

login authentication console

Thanks & Best regards

Lots of thanks, dear.

Sorry, I have only 2 other questions, please answer me.

1- If I create a separate authentication list as you said above, can I connect to the console

both when the network cable is plugged in and whenever I have physical access to it without any network (I mean the switch not connected to the network or to my Active Directory for authentication)?


-------------------------

2- What is the meaning of %backup authentication,

and how should I solve it?

Whenever I telnet to this switch (that I explained for you) from anywhere by Windows CMD,

I get this error: %backup Authentication

Unfortunately I have multiple vty lines.

I do the task below for all of them:

e.g.: line vty 0 3

no login

no transport input

-----

line vty 4

no login

no transport input

--------

and just type:

line vty 0 4 AND line vty 5 15

login authentication default

transport input telnet

but again I have that problem.

What should I do?

really thanks <3

:)

Hi;

Please find below the answers to your queries:

1. If you create a separate profile for the console like I mentioned in the email, then in all cases, whether your switch is on the network or off the network, console access will always use the local password.

aaa authentication login console local

line con 0

 login authentication console

2. You should always use a backup authentication server; in case of failure of AD/TACACS the user will be authenticated with the backup authentication server (either local, enable, etc.).

For e.g.: aaa authentication login default group ABCD local

Where ABCD is your AD server (primary authentication server)

while local is your backup authentication server.

Because you are using the default profile, it is automatically applied to the switch lines (vty/con/aux ports).

It's always recommended to use separate profiles (console authentication to local & AD/TACACS authentication for Telnet/SSH) instead of using the default profile.

Normally companies use Telnet/SSH for switch management/any configuration change. Console is only used in case of some troubleshooting (i.e. hardware failure, switch is out of network authentication, or you can't manage the switch remotely, etc.). If you put authentication as follows:

AD/TACACS only - then you can't access the switch.

Primary AD/TACACS & secondary local - the switch first tries to authenticate with AD/TACACS & in case of failure it will authenticate locally.

And if you are also using authorization at the same time, then each of the user's commands needs to be authorized from AD/TACACS & then local, and as a result, in case of failure you feel slowness and it takes a lot of time.

Thanks & Best regards;
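To show why the separate console list works and where "group ABCD local" does and does not fall back, here is an added Python model of IOS login method-list evaluation (written for this thread, not code from the posters or from Cisco); the rule it encodes is that IOS moves to the next method only when a method returns an error (server unreachable), not when the server rejects the credentials. Account names, passwords and the ABCD server group contents are constructed samples, and authorization lists (if-authenticated) are not modelled.

```python
from dataclasses import dataclass

@dataclass
class AaaConfig:
    login_lists: dict   # method lists by name, e.g. {"default": ["group ABCD", "local"]}
    groups: dict        # server groups: reachable flag plus accounts the server accepts
    local_users: dict   # accounts from "username ... secret ..."
    line_lists: dict    # line -> list applied with "login authentication"; None = default

def try_method(cfg, method, user, pwd):
    """One method's verdict: PASS, FAIL (credentials rejected) or ERROR (no answer)."""
    if method == "none":
        return "PASS"
    if method == "local":
        return "PASS" if cfg.local_users.get(user) == pwd else "FAIL"
    if method.startswith("group "):
        grp = cfg.groups[method.split()[1]]
        if not grp["reachable"]:
            return "ERROR"   # server unplugged/down: IOS moves on to the next method
        return "PASS" if grp["users"].get(user) == pwd else "FAIL"
    raise ValueError("unknown method: " + method)

def login(cfg, line, user, pwd):
    """Walk the line's method list as IOS does: only ERROR advances to the next method."""
    methods = cfg.login_lists[cfg.line_lists.get(line) or "default"]
    for method in methods:
        verdict = try_method(cfg, method, user, pwd)
        if verdict != "ERROR":
            return verdict, method   # an explicit reject ends the list: no fallback
    return "ERROR", None             # every method errored; the login cannot complete

def thread_config(ad_reachable):
    """The thread's fix: vty keeps the default list, the console gets a local-only list."""
    return AaaConfig(
        login_lists={"default": ["group ABCD", "local"], "console": ["local"]},
        groups={"ABCD": {"reachable": ad_reachable, "users": {"aduser": "AdPass1"}}},
        local_users={"admin": "LocalPass1"},   # constructed sample accounts
        line_lists={"con 0": "console", "vty 0 4": None},
    )

if __name__ == "__main__":
    for ad_up in (True, False):
        cfg = thread_config(ad_up)
        print("AD reachable:", ad_up)
        print("  vty, AD account:   ", login(cfg, "vty 0 4", "aduser", "AdPass1"))
        print("  vty, local account:", login(cfg, "vty 0 4", "admin", "LocalPass1"))
        print("  console, local:    ", login(cfg, "con 0", "admin", "LocalPass1"))
```

Note the third vty case: while AD answers, a local-only account is rejected by AD and the list stops there, so "local" at the end of the list is a backup for an unreachable server, not a second account store.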

WooooooW

Lots of thanks, engineer, really the best info for me and surely for others.

Best regards,

thanks a lot

Hello

If you are using the default AAA group for authentication/authorization then, as stated, this will apply to your console login also.

However this can be negated entirely if need be EVEN when your AD is available, and changed to either having no access, using the local user database, or even a special keyboard character (IOS version applicable).

No access creds required even when AD server available:
aaa authentication login NOAUTH none
aaa authorization exec NOAUTH none
aaa authorization console

line console 0
privilege level 15
login authentication NOAUTH
authorization exec NOAUTH

Local access creds required even when AD server available:
aaa authentication login L_AUTH local
aaa authorization exec L_AUTH local if-authenticated
aaa authorization console

username stan privilege 15 secret stan
line console 0
login authentication L_AUTH
authorization exec L_AUTH

Local access via a keyboard character "@":
aaa authentication login NOAUTH none
aaa authorization exec NOAUTH none
aaa authorization console

line console 0
privilege level 15
authorization exec NOAUTH
login authentication NOAUTH
activation-character 64

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello @paul driver

Hello,

I want to install a localadmin account on all the switches and routers so that I can connect to them when the RADIUS (SSH) is unavailable.
To do my test after installing the account, I realize that the switch takes priority over the SSH connection as long as the RADIUS is available.
Using:
#no aaa authentication login RADIUSLOGON group radius local
#no aaa authorization exec RADIUSLOGON group radius local
#aaa authentication login default local
#aaa authorization exec default local
#username localadmin privilege 15 secret azertytest

I've temporarily disabled access to the RADIUS from the switch and I'm able to connect as localadmin.

Is there a way to make the switch offer me to use either radius (ssh) or localadmin (console port 0) without having to disable radius?

Thanks for your feedback

 

I would have thought that authentication login RADIUSLOGON group radius local would have accomplished what you want. If it does not then perhaps posting more of the config might shed some light on the issue.

It might also shed light on the issue if you access the switch using SSH/telnet (authenticating with the server or not), run debug for aaa authentication, attempt to login on console, and post the debug output.

HTH

Rick

Hello @Richard Burts, here is the basic config I have on every box:

username local priv 15 secret azerty
aaa new-model
!
aaa authentication login RADIUSLOGON group radius local
aaa authentication enable default group radius enable
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec RADIUSLOGON group radius local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
line con 0
timeout login response 60
authorization exec RADIUSLOGON
logging synchronous
login authentication RADIUSLOGON
stopbits 1

line vty 0 4
access-class 20 in
exec-timeout 5 0
timeout login response 60
authorization exec RADIUSLOGON
logging synchronous
login authentication RADIUSLOGON
transport input ssh

line vty 5 15
access-class 20 in
exec-timeout 5 0
timeout login response 60
authorization exec RADIUSLOGON
logging synchronous
login authentication RADIUSLOGON
transport input ssh

Thanks for the additional information. My first suggestion would be to either remove this command

aaa authorization console

or else to add some parameters to define the processing desired, such as group radius local

If that does not improve things then we need some additional troubleshooting. I am not clear whether the issue is with authentication or with authorization. One way to check on that would be to run debug aaa for authentication and for authorization, attempt access to console, and post debug output.

Another approach would be to remove the aaa commands from the console and then add them back one at a time noting any changes in behavior.

HTH

Rick

Good morning @Richard Burts

I have added some parameters such as:

  1. aaa authentication login default local group radius
  2. aaa authentication login L_AUTH local
  3. aaa authorization exec default group RADIUSLOGON local if-authenticated
  4. aaa authorization exec L_AUTH local if-authenticated

then in line console 0, I removed the login authorization and authentication and replaced them with the new commands.

On the switch, when I connect the blue cable on the console port, I am able to connect with either the localadmin account or the RADIUS account.

The problem is when I use the configuration on another switch of the same model, it doesn't really work.

Here is the current running configuration:
username localadmin privilege 15 secret 9 $$$
username localdmin privilege 15 secret 9 $9$C
aaa new-model
!
aaa authentication login default local group radius
aaa authentication login RADIUSLOGON group radius local
aaa authentication login L_AUTH local
aaa authentication enable default group radius enable
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec default group RADIUSLOGON local if-authenticated
aaa authorization exec RADIUSLOGON group radius local
aaa authorization exec L_AUTH local if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
switch 1 provision ws-c3560cx-12pd-s
system mtu routing 1500
!
!
line con 0
exec-timeout 9 0
privilege level 15 password azerty
stopbits 1
line vty 0 4
access-class 20 in
exec-timeout 5 0
timeout login response 60
authorization exec RADIUSLOGON
logging synchronous
login authentication RADIUSLOGON
transport input telnet ssh
line vty 5 15
access-class 20 in
exec-timeout 5 0
timeout login response 60
authorization exec RADIUSLOGON
logging synchronous
login authentication RADIUSLOGON
transport input telnet ssh
!
end

Thanks for the additional information. First let me ask about this "when use the configuration on another same model switch, it doesn't really work" Can you clarify what seems to work and what seems to not work?

I have a couple of things about the new config you show in the recent post.

- In earlier versions of config you had things on the console like this "login authentication RADIUSLOGON" which allows you to specify some alternatives for authentication (especially to specify an alternative method of authentication if the primary method does not work). In the new config there are no authentication commands under the console. I would expect in this case the locally configured user ID and password would be used but that it would not use Radius. Is that the case?

- I am surprised at this "aaa authentication login default local group radius". Typically you want to use Radius as the primary and local as the alternative. But this config will use the locally configured IDs as primary. Is that what you intended?

- in earlier versions of config you were using authorization commands on the console (as well as vty etc). I would be very cautious about authorization (especially on the console) because it has potential to lock you out of accessing the switch. Once you get everything working satisfactorily, you can try authorization.

HTH

Rick

Good morning @Richard Burts, and thank you for the feedback.

In fact, here is the initial configuration on all the switches (this configuration doesn't allow me to connect with the adminlocal account on the console port):

!
aaa authentication login ABCDLOGON group radius local
aaa authentication enable default group radius enable
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec ABCDLOGON group radius local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

radius server RADIUS_2
address ipv4 10.135.24.43 auth-port 1812 acct-port 1813
timeout 3
retransmit 2
key 7 05

!
line con 0
timeout login response 60
authorization exec ABCDLOGON
logging synchronous
login authentication ABCDLOGON
stopbits 1
line vty 0 4
access-class 10 in
exec-timeout 5 0
timeout login response 60
authorization exec ABCDLOGON
logging synchronous
login authentication ABCDLOGON
transport input ssh
line vty 5 15
access-class 10 in
exec-timeout 5 0
timeout login response 60
authorization exec ABCDLOGON
logging synchronous
login authentication ABCDLOGON
transport input ssh

To perform my test on a Cisco WS-C3560CX-12PD-S, I implemented the following configuration.

When I implement this configuration on the same WS-C3560CX-12PD-S model, it doesn't work.
I'm forced to make further modifications, which doesn't seem logical enough:

!

username localadmin privilege 15 secret 9 $9$W1.99
username localdmin privilege 15 secret 9 $9$C8j8AR
aaa new-model
!
aaa authentication login default local group radius
aaa authentication login ABCDLOGON group radius local
aaa authentication login L_AUTH local
aaa authentication enable default group radius enable
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec default group ABCDLOGON local if-authenticated
aaa authorization exec ABCDLOGON group radius local
aaa authorization exec L_AUTH local if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!

!
line con 0
exec-timeout 9 0
privilege level 15 password 7 106
stopbits 1
line vty 0 4
access-class 10 in
exec-timeout 5 0
timeout login response 60
authorization exec ABCDLOGON
logging synchronous
login authentication ABCDLOGON
transport input telnet ssh
line vty 5 15
access-class 10 in
exec-timeout 5 0
timeout login response 60
authorization exec ABCDLOGON
logging synchronous
login authentication ABCDLOGON
transport input telnet ssh
!

commands under the console. I would expect in this case the locally configured user ID and password would be used but that it would not use Radius. Is that the case? 

     -Yes, this is the case

- I am surprised at this "aaa authentication login default local group radius". Typically you want to use Radius as the primary and local as the alternative. But this config will use the locally configured IDs as primary. Is that what you intended?

   -Yes, absolutely right. This is what I want.

 

I apologize for having lost track of this discussion. And I am still not very clear about how you want this to work. The original config uses the same method to be used for console and for SSH/telnet on vty:

aaa authentication login ABCDLOGON group radius local

This uses RADIUS as primary and the locally configured ID/password as backup. Then you add a line to specify a default method which the console will use, but SSH/telnet on vty will not:

aaa authentication login default local group radius

This reverses the order so that local is preferred and Radius becomes the backup. If this accomplishes what you want then why not just make it part of your standard config?

I might suggest an alteration to the config. Instead of defining a default method to be used by console why not configure another method list (perhaps CONSOLE) and use it for the console and avoid changing default behaviors.

HTH

Rick

Hello


@zavira123 wrote:
I want to install a localdmin account on all the switches and routers so that I can connect to them when the radius (SSH) is unavailable

username localadmin privilege 15 secret azertytes

aaa authentication login RADIUSLOGON group radius local

aaa authorization exec RADIUSLOGON group radius local if-authenticated
aaa authorization console

line vty 0 4
authorization exec RADIUSLOGON
login authentication RADIUSLOGON



Kind Regards
Paul