12-24-2019 08:29 AM - edited 12-24-2019 08:46 AM
Hi there,
Usually, after I entered my login info, it took about 1 sec to log in. But after my coworker enabled SSH v2 to log in to the switch remotely, my domain network admin account cannot log in anymore. According to the debug info, it kept timing out on radius. It was normal to log in to the switch via telnet. The domain network admin user is authenticated by the radius server. When I tried to use a local user account to log in to the switch, it took me almost 20 seconds to log in (it was 1 sec before). So the issues I have now are: 1. the radius server does not respond; 2. it takes too long to log in to the switch. Can someone explain the potential causes for both issues? Thank you.
12-24-2019 08:45 AM
Hi,
What happens if you disable SSH completely? Does it go back to normal login (1 sec)?
Sometimes, enabling different features triggers a bug, and if you disable and then enable it again, it goes away. If it persists after enabling it again, it may be a bug in the IOS you are running.
HTH
12-24-2019 02:39 PM
Thank you. I can try it later.
12-24-2019 01:47 PM
Can you share:
sh run | inc aaa
sh run | sec line
12-24-2019 02:40 PM
sh run | i aaa
aaa new-model
aaa authentication login default group radius local
aaa authentication login console local
aaa authorization exec default group radius local
aaa session-id common
sh run | sec line
line con 0
password 7 xxxxxxxx
transport preferred none
stopbits 1
line aux 0
transport input all
stopbits 1
line vty 0 4
password 7 xxxxxxxx
transport preferred none
transport input ssh
line vty 5 15
12-24-2019 02:50 PM
Hello,
Have you tried to reload the switch?
12-24-2019 03:52 PM
Hello
Have you tried setting the Radius timeout to a low value?
radius-server timeout xxx
12-26-2019 11:02 AM
There are things about this environment that we do not know and that prevents us from being able to fully explain the issues. Was authentication using Radius added as part of implementing SSHv2? Does the Radius server respond to the switch for anything?
I believe that we can explain the delay when you attempt to log in using the local account. In the partial config that was posted we see this:
aaa authentication login default group radius local
This says that for any authentication, try the Radius server first, and if it does not respond, then use local authentication. So when you attempt to log in using the local account, it first sends its request to the Radius server. Then it waits for a response. If the Radius server does not respond, the switch waits for the timeout interval before it then uses authentication with the local user ID and password.
HTH
Rick
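Added example, not part of the thread or of any Cisco tooling: a small Python model of the fallback delay described in the reply above, computed from the posted `aaa authentication login` method lists. It assumes the IOS defaults of a 5-second RADIUS timeout and 3 retransmits when those commands are absent (confirm for your release); the `radius-server host` line and its address are constructed, and `fallback_delay` is a hypothetical helper name.

```python
import re

# Assumed IOS defaults when the commands are absent; confirm for your release.
DEFAULT_TIMEOUT_S = 5
DEFAULT_RETRANSMIT = 3

# AAA lines as posted in the thread; the radius-server host line is constructed.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login console local
aaa authorization exec default group radius local
radius-server host 192.0.2.10
"""

def fallback_delay(config: str) -> dict:
    """Map each login method list to the worst-case seconds spent waiting
    on unresponsive RADIUS servers before 'local' is tried."""
    timeout, retransmit, servers = DEFAULT_TIMEOUT_S, DEFAULT_RETRANSMIT, 0
    lists = {}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"radius-server timeout (\d+)", line):
            timeout = int(m.group(1))
        elif m := re.match(r"radius-server retransmit (\d+)", line):
            retransmit = int(m.group(1))
        elif re.match(r"radius-server host \S+", line):
            servers += 1
        elif m := re.match(r"aaa authentication login (\S+) (.+)", line):
            lists[m.group(1)] = m.group(2).split()
    # One initial request plus each retransmission, per configured server.
    per_server = timeout * (retransmit + 1)
    delays = {}
    for name, methods in lists.items():
        wait = 0
        for i, method in enumerate(methods):
            if method == "local":
                delays[name] = wait  # lists without 'local' are omitted
                break
            if method == "group" and methods[i + 1:i + 2] == ["radius"]:
                wait += per_server * max(servers, 1)
    return delays

if __name__ == "__main__":
    for name, secs in fallback_delay(SAMPLE_CONFIG).items():
        print(f"{name}: up to {secs}s before local authentication")
```

Under these assumptions the `default` list comes out at 20 seconds and `console` at 0, and adding `radius-server timeout` or `radius-server retransmit` lines to the input shows how much each setting shortens the wait.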