03-08-2011 11:34 AM - edited 03-06-2019 03:58 PM
1. Radius authentication works fine over the network. I can log in with my network user-name and password, no problem.
2. With my laptop connected to the console, and the switch connected to the network, if I log in with my network login, I get to the ">" prompt. Then I have to enter the ENABLE PASSWORD that is configured on the switch to get to the # prompt. I don't know why that is, because I have the command "aaa authorization exec default group radius local" configured, as well as "aaa authorization network default group radius". So not sure why my network password doesn't work.
3. With my laptop connected to the console port, and the switch DISCONNECTED from the network, I logged in with the local account configured on the switch, "pts-admin". Again, it brings me to the > prompt. If I type "en" and enter the ENABLE PASSWORD configured on the switch, I get to the # prompt. But I want to use the password that's configured for the local username pts-admin. Why doesn't that give me the # prompt? I configured the local account with: "username pts-admin privilege 15 password pts;admin". (Since it didn't work before with "secret", I just tried "password", but it appears to have the same symptoms either way.)
To recap, I would like to use RADIUS, both for network access to the switch, and also on the console, but if the RADIUS server is down, I want to ensure we can still access the switch, both through the network and via the console, with a local account.
PTS_SPARE_2960#sh run
Building configuration...
Current configuration : 6117 bytes
!
! Last configuration change at 13:37:25 EST Tue Mar 8 2011 by WDunford
! NVRAM config last updated at 13:37:26 EST Tue Mar 8 2011 by WDunford
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname PTS_SPARE_2960
!
boot-start-marker
boot-end-marker
!
logging console critical
enable secret 5 $1$xb51$Usc7pbsIZcoot.MVw1uGm1
!
username pts-admin privilege 15 password 7 06161B32174F0D140C19
aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius local
aaa authorization network default group radius local
!
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
system mtu routing 1500
vtp domain PTS_ASH
vtp mode transparent
ip subnet-zero
!
!
no ip domain-lookup
ip domain-name PTS_ASHBURNHAM
!
!
crypto pki trustpoint TP-self-signed-1570874368
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1570874368
revocation-check none
rsakeypair TP-self-signed-1570874368
!
!
crypto pki certificate chain TP-self-signed-1570874368
certificate self-signed 01
30820255 308201BE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31353730 38373433 3638301E 170D3933 30333031 30303030
35365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35373038
37343336 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D695 74D83473 020C29D1 43949375 C41611DE 5CEBF3EE 28C6512B A467C325
FD615FF1 2C85605B 3306C425 1F28B3F9 53066037 9A4589D5 741F6C63 2B2F27BD
2FC0FE2F A03C0C33 14094290 F5073EEC B63926D3 7CEDFB7B C2E34CC0 BCD4C397
EE8D4DB8 9BA60122 B743E7AF 7CA77C24 372EA282 ABCE2217 6776E44A A7433EF4
511D0203 010001A3 7D307B30 0F060355 1D130101 FF040530 030101FF 30280603
551D1104 21301F82 1D505453 5F535041 52455F32 3936302E 5054535F 41534842
55524E48 414D301F 0603551D 23041830 1680148A 0149327A 0F73F744 194EA8B0
EF867F61 556A5730 1D060355 1D0E0416 04148A01 49327A0F 73F74419 4EA8B0EF
867F6155 6A57300D 06092A86 4886F70D 01010405 00038181 002944C4 FA9FFB91
228BA5B1 88F124F4 03664C80 544159C8 D982F6DA 5001163E E0191547 ADE9185D
EC89E17E C890E854 7502BF20 C6F8A520 F49F8BD1 89643F65 7D808EDB 7BB8E1C8
EF54AA0F 82A2BF0D FB952420 36CE35D0 D59E4C46 43A755B3 D429EA19 6D17B200
27474D38 311105F0 8870CADD A82CF479 4D04934B 0278C954 05
quit
!
!
dot1x system-auth-control
!
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 600
name ASH_MGMT_NETWORK
!
vlan 608
name ASH_WKSTN_NETWORK
!
!
!
interface FastEthernet0/1
description CONNECT_TO_HEAD_3750
switchport trunk allowed vlan 600,605,608
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
!
interface FastEthernet0/2
description CONNECT_TO_LAPTOP
switchport access vlan 608
speed 100
duplex full
!
interface FastEthernet0/3
description TEST_FOR_DOT1X
switchport mode access
authentication port-control auto
dot1x pae authenticator
!
interface FastEthernet0/4
switchport access vlan 608
!
interface FastEthernet0/5
switchport access vlan 608
!
interface FastEthernet0/6
switchport access vlan 608
!
interface FastEthernet0/7
switchport access vlan 608
!
interface FastEthernet0/8
switchport access vlan 608
!
interface FastEthernet0/9
switchport access vlan 608
!
interface FastEthernet0/10
switchport access vlan 608
!
interface FastEthernet0/11
switchport access vlan 608
!
interface FastEthernet0/12
switchport access vlan 608
!
interface FastEthernet0/13
switchport access vlan 608
!
interface FastEthernet0/14
switchport access vlan 608
!
interface FastEthernet0/15
switchport access vlan 608
!
interface FastEthernet0/16
switchport access vlan 608
!
interface FastEthernet0/17
switchport access vlan 608
!
interface FastEthernet0/18
switchport access vlan 608
!
interface FastEthernet0/19
switchport access vlan 608
!
interface FastEthernet0/20
switchport access vlan 608
!
interface FastEthernet0/21
switchport access vlan 608
!
interface FastEthernet0/22
switchport access vlan 608
!
interface FastEthernet0/23
switchport access vlan 608
!
interface FastEthernet0/24
switchport access vlan 608
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan600
ip address 172.20.0.46 255.255.255.0
no ip route-cache
!
ip default-gateway 172.20.0.100
no ip http server
ip http secure-server
logging trap critical
logging 172.20.1.241
access-list 1 remark SNMP & MRTG Monitoring
access-list 1 permit 172.20.1.241
access-list 1 permit 172.20.1.242
access-list 10 remark VTY_ACCESS
access-list 10 permit 172.20.1.9 log
access-list 10 permit 172.25.0.100 log
access-list 10 permit 172.20.0.100 log
access-list 10 permit 172.20.5.0 0.0.0.255 log
access-list 10 permit 172.25.5.0 0.0.0.255 log
access-list 10 deny any log
snmp-server community pu1nms RO 1
snmp-server location Ashburnham Data Centre
snmp-server enable traps stpx root-inconsistency loop-inconsistency
snmp-server host 172.20.1.241 pu1nms
snmp ifmib ifindex persist
radius-server host 172.20.1.34 auth-port 1812 acct-port 1813 key 7 0509140E2F48570B0C061C425B
radius-server retransmit 1
radius-server timeout 3
!
control-plane
!
banner exec ^CC### WARNING: NO UNAUTHORIZED ACCESS PERMITTED ### ^C
banner login ^CC ### NO UNAUTHORIZED ACCESS PERMITTED ### ^C
banner motd ^CC ### WARNING: NO UNAUTHORIZED ACCESS PERMITTED ### ^C
!
line con 0
exec-timeout 9 0
logging synchronous
line vty 0 4
access-class 10 in
exec-timeout 9 0
logging synchronous
transport input ssh
line vty 5 15
access-class 10 in
exec-timeout 9 0
logging synchronous
transport input ssh
!
ntp clock-period 36028962
ntp server 192.168.38.50
end
PTS_SPARE_2960#
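Added example, not part of the original post: an IOS AAA fragment that covers the three symptoms the poster lists (RADIUS login lands at ">", console login lands at ">", local fallback account lands at ">"). It assumes a strong password is substituted for the placeholder and that the RADIUS server is configured to return a privilege level for administrative users (Service-Type = Administrative-User, or the Cisco VSA shell:priv-lvl=15); that server-side setting is not visible in the switch configuration above. Exec authorization on the console port is only performed when "aaa authorization console" is present, which is the command missing from the posted config.

```cisco
! Added example (not the poster's config): AAA with RADIUS first and
! local fallback, applied to both the VTY lines and the console.
aaa new-model
!
! Without this line the console never runs exec authorization, so any
! console login (RADIUS or local) lands at the ">" prompt regardless of
! the privilege the user or the server carries.
aaa authorization console
!
! Login: try RADIUS, fall back to the local user database only if the
! server is unreachable (an Access-Reject does NOT fall through).
aaa authentication login default group radius local
!
! Exec authorization: RADIUS decides the privilege level when reachable;
! the "local" method returns the "privilege N" of the local username.
aaa authorization exec default group radius local
!
! Optional: let "enable" try RADIUS (IOS sends the user "$enab15$")
! before the local enable secret. Assumes the server accepts that user.
aaa authentication enable default group radius enable
!
! Local fallback account. "privilege 15" is what the local exec
! authorization method hands back when RADIUS is down. Use "secret"
! (hashed) rather than "password 7" (reversible type-7 obfuscation).
username pts-admin privilege 15 secret <strong-password>
!
radius-server host 172.20.1.34 auth-port 1812 acct-port 1813 key <shared-secret>
radius-server retransmit 1
radius-server timeout 3
```

To confirm which method actually authorized a session, "show users" and "debug aaa authorization" on the console show whether the exec authorization came from RADIUS or from the local database, and "show privilege" confirms the level granted.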