Radius Authentication & Console

Jay_F
Level 1

Hi,

Don't know if anyone can help. I've set up RADIUS authentication on a test switch and started implementing it in the live environment. We're using a Windows NPS server for the authentication part, which works well. Although I am a little confused about how it should work if the NPS server is unavailable. It seems to me (maybe my config is wrong) that the NPS server has to be down in order to log in. Even if there is communication with the NPS server, but maybe a config setting is wrong, it still attempts to log in via RADIUS. If I connect in via console cable it still attempts to connect to the NPS server. So say, for some reason, hypothetically a config setting in NPS isn't quite right and prevents logging in via RADIUS; even though there is connectivity it attempts to authenticate. How can I log in locally via the console cable and prevent it from using RADIUS?

Thanks

17 Replies

You would add this to your config:

aaa authentication login console local (if you want to use local configured user id) or

aaa authentication login console line (if you want to use the configured line password)

and you would need to add to the config for the console the command that tells the console to use the console authentication method:

line con 0

login authentication console

 

You can find some helpful discussion and examples in this link

https://community.cisco.com/t5/switching/how-to-define-login-local-for-console-0/td-p/2949493

 

If you have done the second part that is very good. If you have done it as I suggested, by having your server define two groups, associating each user id with the appropriate group, and defining which commands each group is allowed to use, then it does not matter whether users in the technician group can use the enable command (and in fact you probably did not give them access to that command in your list of allowed commands for that group), because even if they did get into full privilege mode they would not be authorized to execute the full set of commands.

 

HTH

 

Rick
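For readers wanting to see the console method list in context, here is a complete AAA configuration for the setup described in the question, added as an example and not taken from the thread. The server name, group name, address, username and secrets are placeholders. The security-relevant detail it illustrates is how IOS evaluates a method list: the switch only moves on to the next method (here, `local`) when no RADIUS server answers; an Access-Reject from NPS caused by a wrong policy is a definite answer and ends the list. Giving the console its own list with only `local` is what keeps a console session from ever waiting on NPS.

```cisco
! Added example configuration (not from the thread). Server name, group
! name, address, username and secrets are placeholders; replace them.
aaa new-model
!
! Local account used on the console and when no RADIUS server responds.
username admin privilege 15 secret <local-admin-password>
!
! The Windows NPS server. The key must match the RADIUS client entry in NPS.
radius server NPS1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
aaa group server radius NPS
 server name NPS1
!
! Remote (vty) logins: ask NPS first, fall back to the local database only
! if no RADIUS server answers. An Access-Reject from NPS does NOT fall
! back; the list stops at the first method that returns a definite answer.
aaa authentication login default group NPS local
!
! Console: local database only, so the console never contacts NPS.
aaa authentication login CONSOLE local
!
! Enable: same fallback logic, ending with the local enable secret.
enable secret <enable-password>
aaa authentication enable default group NPS enable
!
line con 0
 login authentication CONSOLE
line vty 0 15
 login authentication default
```

To confirm the behaviour before relying on it, `show aaa servers` shows whether the switch currently considers NPS1 reachable, and `test aaa group NPS <user> <password> new-code` sends a real Access-Request and reports whether NPS accepted, rejected, or failed to answer, which is the distinction that decides whether the `local` fallback is ever reached.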

OK, thank you for your help. I think this may require some further testing with your potential solution. Thanks

Yes there are some complexities in this kind of solution and they need careful and extensive testing. Let us know how the testing is going and if there is anything else we can help you with.

 

HTH

 

Rick