How to test local ssh/console credentials when switch is authenticating to RADIUS?

rweir0001
Level 1

Logins to our switches authenticate with RADIUS. If for some reason our RADIUS server is down, we still want to be able to SSH or console into the switches with a local username and password. How can I test whether the local passwords will work even though the RADIUS server is up and running? I want to make sure that they will still allow us into the switches if RADIUS is down. I tried the ssh -l command, but we can't log in with the local creds. I'm assuming that is due to the "aaa authentication login" commands that are forcing us to log in with RADIUS as long as it is up. Am I off base with this?

Below is our configuration:

username admin privilege 15 secret 5 *************************

aaa group server radius RADIUS-GROUP
server xx.xxx.xxx.xxx
!
aaa authentication login default group RADIUS-GROUP local
aaa authorization exec default group RADIUS-GROUP local


line con 0
exec-timeout 0 0
privilege level 15
password 7 *******************
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
privilege level 15
password 7 ******************
logging synchronous
length 0
transport input ssh
line vty 5 15
password 7 ********************
logging synchronous
transport input ssh

 

So my question is: if RADIUS is down, will we still be able to console or SSH in with the admin credentials we have configured on the switch?

Accepted Solution

Seb Rupik
VIP Alumni

To answer your question, yes. With your configuration, once the RADIUS requests have timed out to each server defined in your server group, it will use the local user database.

 

If you wanted to test it, remove the server definitions from 'aaa group server radius RADIUS-GROUP', then from another terminal attempt to log into your switch.

You will get a warning:

%RADIUS-3-NOSERVERS: No Radius hosts configured or no valid server present in the server group...

 

So make sure you add the servers back to the group.

 

cheers,

Seb.

 


6 Replies


You could disable the client on the server side; that way, if the local account is not functional, you can still get access via RADIUS by re-enabling it.

Traian

Thanks!

When testing the local username, I just made an ACL blocking the RADIUS IP.

Thanks. I figured that was probably the way to test it.
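The test procedure from the accepted answer, plus a non-disruptive reachability check that the thread does not mention, written out as an added example; this is not part of the original posts. The hostname, the 10.0.0.5 server address and the admin password are placeholders, and the console-specific method list in the last step is an optional addition based on an assumption about what you want, not something the thread recommends. One thing to keep in mind while reading the results: with 'group RADIUS-GROUP local', IOS only moves on to the local database when every server in the group fails to respond (timeout, or no servers defined); an Access-Reject from a live RADIUS server ends the attempt and never falls through to local, which is why 'ssh -l admin' fails while RADIUS is up even though the local account is fine.

```cisco
! Added example, not from the thread. "Switch", 10.0.0.5 and the admin
! password are placeholders (assumptions).
!
! 1) Non-disruptive check from privileged EXEC: see which servers in the
!    group are up/dead, and send a test Access-Request without touching
!    the running config. A pass here proves the RADIUS path, not the
!    local fallback.
Switch# show aaa servers
Switch# test aaa group RADIUS-GROUP admin Adm1nPassw0rd new-code
!
! 2) Disruptive test (the accepted answer's method). Keep THIS session
!    open and do the login attempt from a SECOND terminal; if the local
!    login fails you still have this session to put the server back.
Switch# debug aaa authentication
Switch# configure terminal
Switch(config)# aaa group server radius RADIUS-GROUP
Switch(config-sg-radius)# no server 10.0.0.5
Switch(config-sg-radius)# end
!
!    From the second terminal:  ssh -l admin <switch-address>
!    Expect the %RADIUS-3-NOSERVERS message in the debug/log output,
!    followed by the login being answered from the local database.
!    Then restore the group exactly as it was:
Switch# configure terminal
Switch(config)# aaa group server radius RADIUS-GROUP
Switch(config-sg-radius)# server 10.0.0.5
Switch(config-sg-radius)# end
Switch# undebug all
Switch# show aaa servers
!
! 3) Optional (assumption): give the console its own method list so a
!    dead RADIUS server never adds the timeout to console recovery.
!    "aaa authorization console" is required for the exec authorization
!    list to apply on line con 0.
Switch# configure terminal
Switch(config)# aaa authentication login CONSOLE local
Switch(config)# aaa authorization exec CONSOLE local
Switch(config)# aaa authorization console
Switch(config)# line con 0
Switch(config-line)# login authentication CONSOLE
Switch(config-line)# authorization exec CONSOLE
Switch(config-line)# end
Switch# write memory
```

Step 2 is the only part that actually exercises the 'local' method in the default list, so do not treat a passing 'test aaa group' as proof that the fallback works. Step 3 is a trade-off: it makes console access independent of RADIUS, but it also means console logins are never checked against, or logged by, the RADIUS server, so it only makes sense where physical access to the console is already controlled.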

Just to add, to test the enable secret password with RADIUS active:

CiscoDevice#enable 0
CiscoDevice>
CiscoDevice>enable
Password:[Enter Enable Secret Password]

 

Thanks
