Radius Authentication & Console

Jay_F
Level 1

Hi,

Don't know if anyone can help. I've set up RADIUS authentication on a test switch and started implementing it in the live environment. We're using a Windows NPS server for the authentication part, which works well. Although I am a little confused about how it should work if the NPS server is unavailable. It seems to me (maybe my config is wrong) that the NPS server has to be down in order to log in. Even if there is communication with the NPS server, but maybe a config setting is wrong, it still attempts to log in via RADIUS. If I connect in via console cable it still attempts to connect to the NPS server. So say, for some reason, hypothetically a config setting in NPS isn't quite right and prevents logging in via RADIUS; even though there is connectivity it still attempts to authenticate. How can I log in locally via the console cable and prevent it from using RADIUS?

Thanks

17 Replies

walwar
Level 1

Can you provide your aaa switch configuration?

yeah ok:

aaa new-model
aaa group server radius RAD_SERVERS
server-private [ip of NPS server] auth-port 1812 acct-port 1813 key [shared secret key]
aaa authentication login default group RAD_SERVERS local
aaa authorization exec default group RAD_SERVERS local if-authenticated
aaa authorization console

If I am not mistaken you need to add "line" after "local" in this:

aaa authentication login default group RAD_SERVERS local

Couple of years ago I had the exact same issue, and I think this fixed it for me, if I am not mistaken.

I'm not sure I understand, I already have the line:
aaa authentication login default group RAD_SERVERS local

Do I need to change it?

Change it to:

aaa authentication login default group RAD_SERVERS local line

Can you show us your console config as well? I think you need to remove if-authenticated from this command:

aaa authorization exec default group RAD_SERVERS local if-authenticated


Hi, I tried what you suggested by adding the line:

aaa authentication login default group RAD_SERVERS local line

but it was still trying to authenticate to the RADIUS server when connecting in via console cable. I also tried what you suggested by taking out the if-authenticated, and that didn't work either.

As I said, I am not completely sure which one solved mine, but hopefully someone else would be able to help you.

OK, thanks for your help though :) much appreciated. Does anyone have any further ideas? Thanks.

Another question: I've set up two NPS groups, 1x for admin (priv level 15) and another for service desk staff (priv level 1). Am I right in saying that when a service desk technician logs in they will access privilege level 1, but does this then require you to enter the local password for enable? Mine does anyway. I presume I would have to set the privilege level higher, i.e. 3 or 5, to allow automatic access to privileged exec mode, but then allow access to specific commands like show run, conf t, etc.?

I am a bit confused about what is working and what is not working. I also think that there may be issues about authentication and also about authorization. I suggest that we try to work on them one at a time. 


In terms of authentication if you have this in your configuration

aaa authentication login default group RAD_SERVERS local line

then when you attempt to login at the console it will always attempt to authenticate using RADIUS and will use the local id and password and the line password as backups. In an earlier post you seem to say that your login is only successful if it is not authenticating with RADIUS and is using the local id as backup. If that is the case it suggests that the user id you are attempting to use is not set up correctly in RADIUS. Is that the case? If not, then please clarify what is happening when you attempt to authenticate on the console port.

HTH

Rick

Hi,

I am using aaa authentication login default group RAD_SERVERS local, and say if I log in via console cable and disconnect my test switch from the network, it attempts to authenticate by RADIUS and after a few attempts of not receiving comms back from the RADIUS server it allows me to log in locally. My issue was about the fact that there might be a configuration issue within NPS, and because the switch can communicate with the server it continues to attempt to log in via RADIUS authentication. I have to disconnect the switch from the network if I want to connect in locally via console cable.

I suppose what I am asking is: can you use RADIUS authentication just for telnet / ssh connections and use the console cable to connect in locally?

The other point I wanted to ask about was privilege levels. I have set up 2x security groups in AD, 1x for our Admins and the other for service desk technicians. Admins have level 15 and so far I only set technicians as 1. When I test and log in as a technician user with privilege level 1, should I get %error in authentication% when I access privileged exec mode, or should it allow me access but with the local enable password?

Thanks

You are asking two questions, the first is easy and the second less so. So let's start with easy. Yes, you can use RADIUS to authenticate ssh and telnet and use the console to authenticate with the local id and password. To do this you would create two aaa authentication commands. You probably would want to use your existing aaa authentication command that uses RADIUS for ssh and telnet. Then configure a second aaa authentication to specify an authentication method that uses just the local id, and specify on the console port that it uses this method.

 

If you want to operate with 2 groups where one group (admins) has full level 15 access and the second group (technicians) has restricted access, you do not do this in authentication. You accomplish this using authorization. On the server you associate the user id with the appropriate group, and then for each group you specify the commands that they are allowed to execute. Doing this can be pretty complicated.

HTH

Rick
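Putting Rick's answer into configuration, as an added example that is not from the original thread or from any of the posters: the default lists stay on RADIUS for SSH/Telnet, while the console gets its own named lists that use only the local user database. The list name CONSOLE_LOCAL and the placeholder local username are assumptions; the RAD_SERVERS group and server line are taken from the configuration posted above.

```cisco
! Added example (not the original poster's config). Placeholders in [ ] are
! the same ones used in the thread; CONSOLE_LOCAL and the username are made up.
aaa new-model
aaa group server radius RAD_SERVERS
 server-private [ip of NPS server] auth-port 1812 acct-port 1813 key [shared secret key]
!
! Default lists: used by the vty lines (ssh/telnet). RADIUS is tried first;
! "local" is only consulted when no RADIUS server answers (timeout), NOT when
! a reachable NPS rejects the login. A reject is a failed login, full stop.
aaa authentication login default group RAD_SERVERS local
aaa authorization exec default group RAD_SERVERS local if-authenticated
!
! Named lists for the console: local database only, RADIUS is never contacted.
aaa authentication login CONSOLE_LOCAL local
aaa authorization exec CONSOLE_LOCAL local
!
! A local account must exist or the console is locked out once this is applied.
username [local admin] privilege 15 secret [local password]
!
! "aaa authorization console" makes the console subject to exec authorization,
! so the console needs its own authorization list as well as its login list.
aaa authorization console
line con 0
 login authentication CONSOLE_LOCAL
 authorization exec CONSOLE_LOCAL
!
line vty 0 15
 login authentication default
 authorization exec default
 transport input ssh
```

Keep an existing console session open while applying this so a typo in the list names cannot lock you out of the box.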

Thanks - I am using the following to allow RADIUS authentication, although it doesn't allow me, if I connect in via console cable, to connect in locally. That is what I'm trying to achieve. If, as you say, it is possible, what would I need to add into this code:

aaa new-model
aaa group server radius RAD_SERVERS
server-private [ip of NPS server] auth-port 1812 acct-port 1813 key [shared secret key]
aaa authentication login default group RAD_SERVERS local
aaa authorization exec default group RAD_SERVERS local if-authenticated
aaa authorization console

The 2nd part, which you say is complicated, I have already done. The question I was asking, however, was: as I have set the technicians group with privilege 1, should they be allowed to type 'enable' and get to the privileged exec command? And if so (which my test seems to do), why would it ask for the local password and not the AD authenticated password if using SSH? Seems pointless, as it means I would have to change all the local passwords.
