08-03-2015 06:33 AM - edited 03-10-2019 12:32 PM
Logins to our switches authenticate with RADIUS. If for some reason our RADIUS server is down we still want to be able to ssh or console in to the switches with a local username and password. How can I test if the local passwords will work even though the RADIUS server is up and running? I want to make sure that they will still allow us into the switches if RADIUS is down. I tried the ssh -l command but we can't log in with the local creds. I'm assuming that is due to the "aaa authentication login" commands that are forcing us to log in with RADIUS as long as it is up. Am I off-base with this?
Below is our configuration:
username admin privilege 15 secret 5 *************************
aaa group server radius RADIUS-GROUP
 server xx.xxx.xxx.xxx
!
aaa authentication login default group RADIUS-GROUP local
aaa authorization exec default group RADIUS-GROUP local
line con 0
 exec-timeout 0 0
 privilege level 15
 password 7 *******************
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 password 7 ******************
 logging synchronous
 length 0
 transport input ssh
line vty 5 15
 password 7 ********************
 logging synchronous
 transport input ssh
So my question is....if RADIUS is down will we still be able to console or ssh in with the admin credentials we have configured on the switch?
08-04-2015 03:10 AM
To answer your question, yes. With your configuration once the RADIUS requests have timed out to each server defined in your server-group it will use the local user database.
If you wanted to test it, remove the server definitions from 'aaa group server radius RADIUS-GROUP', then from another terminal attempt to log into your switch.
You will get a warning:
%RADIUS-3-NOSERVERS: No Radius hosts configured or no valid server present in the server group...
So make sure you add the servers back to the group.
cheers,
Seb.
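The test described in the answer above, written out as an IOS CLI session. This is an added example, not part of the original thread; the masked server address is kept from the posted configuration, the device prompt and the `<switch-ip>` placeholder are assumptions.

```cisco
! Session 1: keep this privileged session open for the whole test so you
! are never locked out if the fallback does not behave as expected.
CiscoDevice# show aaa servers
! (confirm the RADIUS server is listed and reachable before you start)
CiscoDevice# configure terminal
CiscoDevice(config)# aaa group server radius RADIUS-GROUP
CiscoDevice(config-sg-radius)# no server xx.xxx.xxx.xxx
CiscoDevice(config-sg-radius)# end
! Expected log message once the group is empty (quoted from the answer):
! %RADIUS-3-NOSERVERS: No Radius hosts configured or no valid server present in the server group...

! Session 2 (a second terminal): log in with the local account only.
! With "aaa authentication login default group RADIUS-GROUP local" the group
! now has no usable server, so the method list falls through to "local".
$ ssh -l admin <switch-ip>
Password:          <- the local "username admin" secret, not the RADIUS password
CiscoDevice#       <- level 15 from "aaa authorization exec ... local" fallback

! Session 1: put the server definition back as soon as the test is done,
! then confirm it is listed again.
CiscoDevice# configure terminal
CiscoDevice(config)# aaa group server radius RADIUS-GROUP
CiscoDevice(config-sg-radius)# server xx.xxx.xxx.xxx
CiscoDevice(config-sg-radius)# end
CiscoDevice# show aaa servers
```

If the second-terminal login fails, the open first session is what lets you restore the server line without a console visit.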
08-04-2015 03:32 AM
You could disable the client on the server side; that way, if the local account is not functional, you can still get access via RADIUS by re-enabling it.
Traian
08-04-2015 05:43 AM
Thanks!
11-10-2015 08:28 AM
When testing the local username I just made an ACL blocking the radius IP.
08-04-2015 05:43 AM
Thanks. I figured that was probably the way to test it.
01-17-2019 03:33 AM
Just to add, to test the enable secret password with radius active:
CiscoDevice#enable 0
CiscoDevice>
CiscoDevice>enable
Password:[Enter Enable Secret Password]
Thanks