11-12-2018 02:59 AM
Hi,
Don't know if anyone can help. I've set up RADIUS authentication on a test switch and started implementing it in the live environment. We're using a Windows NPS server for the authentication part, which works well. Although I am a little confused about how it should work if the NPS server is unavailable. It seems to me (maybe my config is wrong) that the NPS server has to be down in order to log in. Even if there is communication with the NPS server, but maybe a config setting is wrong, it still attempts to log in via RADIUS. If I connect via console cable it still attempts to connect to the NPS server. So say, for some reason, hypothetically a config setting in NPS isn't quite right and prevents logging in via RADIUS; even though there is connectivity, it attempts to authenticate. How can I log in locally via the console cable and prevent it from using RADIUS?
Thanks
11-22-2018 07:55 AM
You would add this to your config:
aaa authentication login console local (if you want to use local configured user id) or
aaa authentication login console line (if you want to use the configured line password)
and you would need to add in the config for the console the command for the console to use the console authentication method
line con 0
login authentication console
You can find some helpful discussion and examples in this link
https://community.cisco.com/t5/switching/how-to-define-login-local-for-console-0/td-p/2949493
If you have done the second part, that is very good. If you have done it as I suggested, by having your server define two groups, associating user IDs with the appropriate group, and defining which commands each group is allowed to use, then it does not matter whether users in the technician group use the enable command (and in fact you probably did not give them access to that command in your list of allowed commands for that group), because even if they did get into full privilege mode they would not be authorized to execute the full set of commands.
HTH
Rick
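For readers who want to see the two pieces of the answer above put together, here is an added example configuration (not from this thread or from Cisco): the default login list keeps using RADIUS with local fallback, while the console gets its own list that never consults RADIUS. The server name, address, shared secret and local account are placeholders.

```cisco
! Added example (not from the thread). Server address, key and
! local account are placeholders to be replaced.
aaa new-model
!
! RADIUS server pointing at the NPS host
radius server NPS1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
!
aaa group server radius NPS
 server name NPS1
!
! Default list (used by vty lines): try NPS first, use the local
! user database only if no RADIUS server answers at all.
aaa authentication login default group NPS local
!
! Dedicated list for the console: local user database only,
! so a reachable but misconfigured NPS cannot lock out the console.
aaa authentication login console local
!
! Local account that the console and the fallback rely on
username admin privilege 15 secret REPLACE_WITH_STRONG_PASSWORD
!
line con 0
 login authentication console
!
line vty 0 15
 login authentication default
```

The point behind the separate list is how IOS method lists fall through: the next method is tried only when a server does not respond, not when it replies with a reject. A reachable NPS that rejects a login therefore ends the attempt, which matches what the original poster observed, and is why a console-specific `local` list rather than the `local` entry at the end of the default list is the fix for console access.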
11-27-2018 06:40 AM
OK, thank you for your help. I think this may require some further testing with your potential solution. Thanks
11-27-2018 07:47 AM
Yes there are some complexities in this kind of solution and they need careful and extensive testing. Let us know how the testing is going and if there is anything else we can help you with.
HTH
Rick