1491 Views, 5 Helpful, 5 Replies

Radius authentication for some group of users and local authentication for another group of users

z080236
Level 1

How to achieve the above in CLI for Cisco Catalyst 2960x?

Grp A users - Use Radius Authentication only

Grp B users- Use Local Authentication only

5 Replies

Francesco Molino
VIP Alumni

Hi

To achieve what you're asking, there are many ways.

I'll give you 2 of them that don't need to play with Radius authentication results:

1. You can configure your aaa command to look at the local database and then at Radius, like:

aaa authentication login GRP-LOCAL-RADIUS local group radius

2. You can configure multiple aaa authentication lists (one looking only at the local database and one at Radius), then assign them to different lines (not the best):

Local:

aaa authentication login LOCAL-AUTH local
!
line vty 0 4
login authentication LOCAL-AUTH

Radius:

aaa authentication login RADIUS-AUTH group radius
!
line vty 5 15
login authentication RADIUS-AUTH

If you want to play with Radius, configure a standard aaa method list looking into Radius and then into local:

aaa authentication login RADIUS group RADIUS-SRV local

On the authentication rule, you need to send a DROP action when the user is not found.

Hope this helps.

PS: If this solved your issue, please don't forget to rate and mark as correct answer

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The 3rd method, using Radius first and then local, seems to meet my requirements.

I implemented the commands below:

aaa authentication login default group radius local
aaa authentication login CONSOLE local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local

Current behavior for the above configuration:

For users that do not exist locally, as long as Radius returns an Access-Accept reply message, they are able to log in via SSH, but they need to key in "enable" and log in again.

For users that exist locally, again Radius will take some time (depending on the configuration) before authenticating locally; after that the user will be in privileged mode.

Is there any way to authorize the Radius users? i.e. if the user account does not exist on the Cisco switch, deny access.

When you say authorize Radius users, do you mean privileged mode? If yes, you need to create an authorization profile pushing privilege 15 (if this is the right privilege you want).

When the Radius server is dropping packets and the switch falls back to local, people who don't have credentials can't access.

PS: If this solved your issue, please don't forget to rate and mark as correct answer.

thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
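To show how the poster's method lists and the "privilege 15 authorization profile" fit together, here is an added IOS-style configuration example; it is not from the thread, and the server name, group name, address and the placeholder secrets are assumptions. It also records the fallback caveat a defender should keep in mind: IOS moves on to the next method in a list only when RADIUS does not answer, not when RADIUS returns Access-Reject.

```cisco
! Added example, not the poster's configuration. Names and addresses are made up.
aaa new-model
!
! Hypothetical RADIUS server definition and server group.
radius server RADIUS-SRV
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
!
aaa group server radius RADIUS-GRP
 server name RADIUS-SRV
!
! Login: try RADIUS first, fall back to the local database ONLY if the
! server group does not respond. An Access-Reject stops the list; it never
! falls through to "local", so unknown users rejected by RADIUS stay out.
aaa authentication login default group RADIUS-GRP local
aaa authentication login CONSOLE local
!
! Exec authorization: RADIUS users land directly at the privilege level the
! server returns (cisco-avpair "shell:priv-lvl=15" in the Access-Accept), so
! they do not have to type "enable" and authenticate a second time. Local
! users who are reached on fallback get the privilege set on their username.
aaa authorization exec default group RADIUS-GRP local
!
! Group B style local account (placeholder secret).
username localadmin privilege 15 secret <local-secret-placeholder>
!
line con 0
 login authentication CONSOLE
line vty 0 15
 login authentication default
 authorization exec default
```

The "deny users that have no local account" part stays on the RADIUS side, as Francesco says: the switch cannot inspect the server's user database, it only acts on Accept, Reject or no response.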

On the authentication rule, you need to send a DROP action when User not found

Scenario: User A username does not exist in switch, Radius return Access-Accept.

How to do a drop command in CLI?

Hi

It's on your Radius server, on the authentication rule.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question