Hi Reza,

Thanks for responding so quickly. I apologize, I should have also included some background info on the scenario. The switch is live (in production). Also, I am remote and it is an impossibility to physically access it. Would your suggestion in any way, jeopordize remote access to the switch via SSH / Putty? Thanks!

Hi Seb,

Thanks for responding so quickly. I apologize, I should have also included some background info on the scenario. The switch is live (in production). Also, I am remote and it is an impossibility to physically access it. Would your suggestion in any way, jeopordize remote access to the switch via SSH / Putty? Thanks!

I am slightly puzzled. In the original post I thought you were pretty clear about what you wanted to accomplish "So ultimately the switch can only be logged into with an account that only exists on said switch" 

The switch is currently configured so that access to the vty requires SSH and is authenticated using Radius with local authentication as a backup in the event that Radius is not available. Your objective in the original post would need for you to remove the Radius authentication and use only local authentication. (I note that currently the config has a single user ID configured). This change would certainly have an impact on remote access. Assuming that currently there are multiple people who access the switch and that each person has their own user ID and password through Radius after the change every one would need to use the single ID that is configured - or you need to add additional user IDs to the configuration.

For a switch that is deployed in a production network changing it to use only a locally configured user ID would seem to be a pretty drastic step. 

“I am slightly puzzled. In the original post I thought you were pretty clear about what you wanted to accomplish "So ultimately the switch can only be logged into with an account that only exists on said switch"”

-Yes, that would be the ultimate objective. I understand why you are confused. There are some aspects to my situation that I did not mention. Essentially, we need what you have described done. The trick is, I need to make sure that the local accounts are setup correctly before removing the ability to access the switch via RADIUS. The switches are located offsite and there are no personnel at that location who we can work with, should an access issue occur.

I was hoping to create the local user account and test local access before cutting RADIUS access. If something with the local account is wrong and I cut RADIUS, it’s basically good game.

“The switch is currently configured so that access to the vty requires SSH and is authenticated using Radius with local authentication as a backup in the event that Radius is not available.”

-I concur sir

“Your objective in the original post would need for you to remove the Radius authentication and use only local authentication. (I note that currently the config has a single user ID configured). This change would certainly have an impact on remote access.”

-Is there any way we can implement a local access configuration and test said access before completely cutting RADIUS?

“Assuming that currently there are multiple people who access the switch and that each person has their own user ID and password through Radius after the change every one would need to use the single ID that is configured - or you need to add additional user IDs to the configuration.”

-Correct, that is essentially what we are looking at. But this becomes moot due to anyone that has RADIUS with our company will have no business logging into the switch, since it will not be part of our environment anymore.

“For a switch that is deployed in a production network changing it to use only a locally configured user ID would seem to be a pretty drastic step.”

-I totally agree but this is based on a scenario where the remote site is being separated entirely from our main office. They are effectively to be treated as a separate company. As such, we must remove RADIUS and some other configurations for security reasons.

Hi there,

The two aaa methods you have configured are only concerned with the initial login and permission to start an EXEC shell. Once you are logged in it *should* be safe to adjust those aaa methods without affecting your current session. Perhaps try it on a dev switch.

Also i would reset the local password just so you know what it is!!

I also echo @Richard Burts comment about this being a backward step for a production switch, but then again it is yours to configure!

cheers,

Seb.

Hi Seb, thanks for your response.

"The two aaa methods you have configured are only concerned with the initial login and permission to start an EXEC shell. Once you are logged in it *should* be safe to adjust those aaa methods without affecting your current session."

- That seems to be at odds with what Richard mentioned. My take away from him is that once I make the change, I immediately lose the RADIUS connection. Or perhaps I read too much into that. I wonder if it would keep the current session live and prevent RADIUS login for any future connection attempts. Thoughts?

"Also i would reset the local password just so you know what it is!!"

-lol I agree. I know precisely what it is so we are good there.

"I also echo @Richard Burts comment about this being a backward step for a production switch, but then again it is yours to configure!"

-I can understand that. There are some particulars associated with the switch. I mentioned them in my response to his post. Though, almost right after you posted lol.

- That seems to be at odds with what Richard mentioned. My take away from him is that once I make the change, I immediately lose the RADIUS connection. Or perhaps I read too much into that. I wonder if it would keep the current session live and prevent RADIUS login for any future connection attempts. Thoughts?

Once you are logged in and have your EXEC shell, those two aaa methods have served their purpose, your session should not have any further interaction with them. Therefore if you remove the RADIUS group elements it should not affect your current session, but it will prevent any subsequent attempts to log in with RADIUS backed credentials.

Once you have adjusted the aaa methods, start up a concurrent SSH session and check you can successfully login before you exit your original session.

cheers,

Seb.

If the original poster thinks I was saying that his session would be terminated if the Radius configuration was removed then he was reading too much into my response. I agree with Seb that once a SSH session is logged in and authenticated then that session will continue until the user logs out, the session times out, or some other event like that terminates the session.

I note that the configuration uses access-class on the vty to control the source of SSH sessions. The content of the acl was redacted so we do not know what is in it. If this office is to be separated you probably will need to revise that acl.

Hi Seb,

Thanks for the reply. My apologies for just getting back to you. I was putting out too many fires to respond in a timely manner. I will follow through with you and Richard's suggestion tonight. I'll update you no later than tomorrow.

Hey Seb, looks like this worked. Thanks for the info!

Thanks for the update. Glad to know that now it is working.