ā06-14-2016 03:49 AM - edited ā03-08-2019 06:11 AM
How to achieve the above in CLI for Cisco Catalyst 2960x?
Grp A users - Use Radius Authentication only
Grp B users- Use Local Authentication only
ā06-14-2016 04:18 PM
Hi
To achieve what you're asking, there are many ways.
I'll give you 2 of them that don't need to play with Radius authentication results:
1. You can configure your aaa command to look on local database and then to radius like:
aaa authentication login GRP-LOCAL-RADIUS local group radius
2. you can configure multiple aaa authentication (1 looking only on local database and 1 on radius) then assign them to different lines (not the best)
Local:
aaa authentication login LOCAL-AUTH local
!
line vty 0 4
login authentication LOCAL-AUTH
Radius:
aaa authentication login RADIUS-AUTH group radius
!
line vty 5 15
login authentication RADIUS-AUTH
If you want to play with Radius.
Configure a standard aaa looking into Radius and then in local:
aaa authentication login RADIUS group RADIUS-SRV local
On the authentication rule, you need to send a DROP action when User not found
Hope this helps.
PS: If this solved your issue, please don't forget to rate and mark as correct answer
Thanks
ā06-14-2016 06:50 PM
the 3rd method of using radius first then local seems to meet my requirements.
I implemented the commands below:
aaa authentication login default group radius local
aaa authentication login CONSOLE local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
Current behavior for the above configuration:
For users that do not exist in local, as long Radius return Access-Accept reply message, they are able to login via ssh, but they need to key in the "enable" and login again.
For users that exists in local, again the Radius will take some time(depends on the configuration) before authenticating locally, after that the user will be in privileged mode.
Is there any way to authorize the radius users? ie. if the user account do not exist in cisco switch, deny access.
ā06-14-2016 06:50 PM
When you say authorize radius server means priviledge mode? If yes, you need to create an authorization profile pushing priviledge 15 (if this the right priviledge you want).
when the radius dropping packets and falling back to the switch, people who don't have credentials, can't access.
PS: if this solved your issue, please don't forget to rate and mark as correct answer
thanks
ā06-14-2016 09:08 PM
On the authentication rule, you need to send a DROP action when User not found
Scenario: User A username does not exist in switch, Radius return Access-Accept.
How to do a drop command in CLI?
ā06-15-2016 03:57 AM
Hi
It's on you radius server, on the authentication rule
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide