04-04-2013 06:13 AM - edited 03-07-2019 12:38 PM
Hi
I'd like to confirm that the behaviour of my radius configuration is what I'm expecting based on my configuration.
What I expect is that I use my AD account information to authenticate into a switch. If the radius servers are unavailable, then I can use a local account to authenticate into the switch. Currently, the radius servers are up and I'm able to authenticate as expected (using AD account).
Based on the configuration below, if I lost connectivity to the radius server from the switch, should I be able to login with the local account? Is there anything else I need to enable that functionality?
The majority of the models used are C2960's with 12.2(50 or 55) SE5 IOS.
Here's the config, ip's and account information have been removed.
username <userid> privilege 15 password 7 <password>
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization network default group radius local
radius-server host <ip address> auth-port 1645 acct-port 1646
radius-server host <ip address> auth-port 1445 acct-port 1646
radius-server key 7 <radius secret>
line con 0
line vty 0 4
access-class 50 in
password 7 <password>
transport input ssh
line vty 5 15
access-class 50 in
transport input ssh
Thanks
John
04-04-2013 06:15 AM
Hi,
There's nothing more to do: if you can't contact the RADIUS server, then the device will try the fallback method, which is the local user database.
Regards
Alain
Don't forget to rate helpful posts.
04-17-2013 05:24 AM
Hi
There's a switch I'm attempting to get into that has the same configuration as above, except the radius-server key is missing. This morning I disconnected the 2 RADIUS servers' NICs, so they are unreachable, so that I could use the local user ID to access the switch to set the key. I received an authentication failed error message as well as the following:
%RADIUS-4-RADIUS_RADIUS_DEAD: RADIUS server
%RADIUS-4-RADIUS_RADIUS_ALIVE: RADIUS server
The above message is repeated for both servers, 1 server is physical and the ethernet cable was removed, the other is a VM with the NIC properties disconnected.
This switch has servers connected into it that will be challenging to schedule an outage for.
Any ideas?
Thanks
John
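Alain's answer and John's follow-up both hinge on when IOS moves from "group radius" to "local" in the method list. The Python model below is an added example (not from this thread or from Cisco) of that evaluation rule: the local account is only consulted when every RADIUS server gives no answer at all; a reachable server that returns Access-Reject ends the login attempt, so a local-only account cannot be used while RADIUS is up. The function names, the constructed AD_ACCOUNTS and LOCAL_DB entries and the two fake servers are assumptions for illustration.

```python
# Assumed model of "aaa authentication login default group radius local" evaluation.
from enum import Enum
from typing import Callable, Dict, List, Optional

class Result(Enum):
    PASS = "pass"
    FAIL = "fail"    # a server answered Access-Reject: stop, do NOT fall back
    ERROR = "error"  # no usable answer from any server: try the next method

RadiusServer = Callable[[str, str], Optional[bool]]  # None models a timeout

def group_radius(servers: List[RadiusServer]) -> Callable[[str, str], Result]:
    """Method 'group radius': walk the server list until one answers."""
    def check(user: str, pw: str) -> Result:
        for srv in servers:
            reply = srv(user, pw)
            if reply is None:          # timed out: server marked dead, try next
                continue
            return Result.PASS if reply else Result.FAIL
        return Result.ERROR            # every server timed out
    return check

def local(db: Dict[str, str]) -> Callable[[str, str], Result]:
    """Method 'local': the 'username ... password' lines on the switch."""
    def check(user: str, pw: str) -> Result:
        return Result.PASS if db.get(user) == pw else Result.FAIL
    return check

def login(methods, user: str, pw: str) -> Result:
    """Evaluate the method list left to right; stop at the first PASS or FAIL."""
    for method in methods:
        result = method(user, pw)
        if result is not Result.ERROR:
            return result
    return Result.ERROR                # all methods errored: login is refused

# Constructed sample data: one AD account known to RADIUS, one local account.
AD_ACCOUNTS = {"jsmith": "ad-pass"}
LOCAL_DB = {"admin": "local-pass"}

def radius_up(user: str, pw: str) -> Optional[bool]:
    return AD_ACCOUNTS.get(user) == pw   # server reachable and answering

def radius_down(user: str, pw: str) -> Optional[bool]:
    return None                          # NIC unplugged: no reply at all

def scenario(servers_reachable: bool, user: str, pw: str) -> Result:
    """Two RADIUS servers (both up or both down) followed by the local database."""
    srv = radius_up if servers_reachable else radius_down
    return login([group_radius([srv, srv]), local(LOCAL_DB)], user, pw)
```

The second case is the one that surprises people: with RADIUS reachable, the local admin account is rejected by the server and IOS never reaches "local".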