5929 Views, 5 Helpful, 5 Replies

local username not working on Catalyst 9000 - AAA works

Gainas
Level 1

We have our first Catalyst 9200L switches. I am setting them up with SSH access using AAA.

I am able to log in using console cable with the local username and password that I set up.

I can also log in via SSH using AAA as well.

I can't log in via SSH using the local username and password. I am getting "access denied".

 

We have used 2960x switches for years. We use telnet and are able to use both AAA and local username (if needed).

 

With the 9000L series we are trying to start off right by using only SSH. I also wanted to use a different algorithm for the password. After reading this (scrypt for Cisco password storage), I set up the username and password like this:

username <user> privilege 15 algorithm-type scrypt secret <password>

Like I said, AAA works fine, as does console login. Can someone please check the config and let me know what I missed?

Thank you!

 

!
!
version 16.9
no service pad
!
hostname Kxxxxx
!
!
aaa new-model
!
!
! Login: the RADIUS group is tried first; the local database is consulted only
! if no RADIUS server answers (a RADIUS reject does not fall back to local).
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
!
!
!
aaa session-id common
switch 1 provision c9200l
!
!
!
!
ip domain name xxxx.org
!
username xxxxxxxx privilege 15 secret 9 xxxxxxxBb0euNxxxxxxxx
!
redundancy
 mode sso
!
interface GigabitEthernet1/1/4
 switchport mode trunk
!
ip default-gateway 10.xxxxxx
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
ip access-list extended AutoQos-4.0-Acl-Default

ip radius source-interface Vlan2 
logging host 192.xxxxxx
!
snmp-server community fuz RO
radius-server key 7 011C0xxxxx1E
!
radius server xxxxx
 address ipv4 192.xxxxx auth-port 364 acct-port 456
!
control-plane
 service-policy input system-cpp-policy
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
!
mac address-table notification mac-move
!
!
end

 

1 Accepted Solution


Since you have not configured console access to use AAA authentication, it gives you local username access on the console.

line con 0
 stopbits 1

If you want to test whether the local username works or not, I have given a test method in the other post.

As per your configuration, it will only go to local if RADIUS is not reachable.

You can do 2 tests.

Test 1:

aaa authentication login default local group radius  <<- this will do local authentication first and RADIUS next.

Test 2 - Change the configuration back as below.

aaa authentication login default group radius local

1. Go to the RADIUS server and disable or remove the switch IP address from the RADIUS client list.

2. Then log in using SSH from your PC using PuTTY or SecureCRT.

3. Now you should be able to connect.

If there is any issue, explain what you have tried and where you are failing.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


5 Replies

balaji.bandi
Hall of Fame

This is the order of operation for the below command:

aaa authentication login default group radius local

Only if no RADIUS server is reachable does your local account work, so the first preference is RADIUS.

To test whether the local user works or not, disable this IP in the RADIUS client list on the RADIUS server and test the local username and password.

 

BB

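The order-of-operation rule in this reply, and the two tests in the accepted solution, come down to one thing: IOS moves to the next method in an AAA method list only when the previous method returns an error (no RADIUS server answered), not when it returns a failure (RADIUS answered and rejected the credentials). The model below is an added example, not code from the thread or from Cisco; it replays the thread's situations with constructed server data. The usernames, passwords and the "unknown local user returns ERROR" behaviour of the local method are assumptions of this model.

```python
"""Model of Cisco IOS AAA login method-list evaluation (added example).

Each method returns PASS, FAIL or ERROR. IOS moves on to the next method
only on ERROR (server not reachable), never on FAIL (server reachable but
rejecting the credentials). Usernames, passwords and the behaviour of the
local method for an unknown user are constructed/assumed for this model.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class RadiusGroup:
    """Stands in for 'group radius'. reachable=False models a server that does
    not answer, e.g. after the switch was removed from its client list."""
    reachable: bool
    users: Dict[str, str]

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return ERROR            # timeout: IOS tries the next method
        if self.users.get(user) == password:
            return PASS
        return FAIL                 # Access-Reject is final: no fallback to local


@dataclass
class LocalDatabase:
    """Stands in for 'local' (the 'username ... secret' entries)."""
    users: Dict[str, str]

    def authenticate(self, user: str, password: str) -> str:
        if user not in self.users:
            return ERROR            # assumption: unknown local user falls through
        return PASS if self.users[user] == password else FAIL


def evaluate_method_list(methods, user: str, password: str) -> Tuple[str, List[str]]:
    """Walk the list in order and stop at the first PASS or FAIL.
    If every method errors out, the login is denied."""
    trace = []
    for keyword, backend in methods:
        result = backend.authenticate(user, password)
        trace.append(f"{keyword}={result}")
        if result != ERROR:
            return result, trace
    return FAIL, trace


def thread_scenarios() -> Dict[str, Tuple[str, List[str]]]:
    """Replays the situations discussed in the thread with constructed data."""
    radius_users = {"alice": "radius-pw"}   # constructed: known to RADIUS only
    local_users = {"admin": "local-pw"}     # constructed: 'username admin ... secret'
    local = LocalDatabase(local_users)
    radius_up = RadiusGroup(True, radius_users)
    radius_down = RadiusGroup(False, radius_users)

    # 'aaa authentication login default group radius local' (the original config)
    prod_up = [("group radius", radius_up), ("local", local)]
    prod_down = [("group radius", radius_down), ("local", local)]
    # 'aaa authentication login default local group radius' (Test 1)
    test1 = [("local", local), ("group radius", radius_up)]

    return {
        "radius user, prod, radius reachable": evaluate_method_list(prod_up, "alice", "radius-pw"),
        "local user, prod, radius reachable": evaluate_method_list(prod_up, "admin", "local-pw"),
        "local user, prod, radius unreachable": evaluate_method_list(prod_down, "admin", "local-pw"),
        "local user, test1, radius reachable": evaluate_method_list(test1, "admin", "local-pw"),
        "radius user, test1, radius reachable": evaluate_method_list(test1, "alice", "radius-pw"),
        "radius user, prod, radius unreachable": evaluate_method_list(prod_down, "alice", "radius-pw"),
    }


if __name__ == "__main__":
    for name, (result, trace) in thread_scenarios().items():
        print(f"{name:40s} -> {result:5s} via {' -> '.join(trace)}")
```

The second scenario is the one from the question: with RADIUS reachable, a user that exists only in the local database gets a RADIUS reject, and the list stops there, so SSH reports access denied. Removing the switch from the RADIUS client list (third scenario) turns that reject into a timeout, which is the only outcome that reaches the local method. The last scenario is the defender's caveat for the production order: if RADIUS is down, only accounts that also exist locally can get in.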

Thank you. This is already what I am using and I am getting the access denied message via SSH (but can log in to the console).

aaa authentication login default group radius local

Please let me know if I misunderstood your answer.


Thank you very much. I am making progress. Following your advice I disabled the AAA entry on the RADIUS server and tested. I was then able to log in with the local username.

AAA config is: aaa authentication login default group radius local

However, when I try to get to the enable prompt I receive: % Error in authentication

I see solutions on the web for this issue. I have not tried any yet.

If you are able to offer any help please let me know.

My original issue does appear resolved with your help.

 

'error in authentication' is resolved now.

I just did enable secret **password**

 

Too easy.
