cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
920
Views
0
Helpful
4
Replies
Beginner

Access a switch via telnet or ssh when Cisco Ise is down, or not on network

I access on switches via ssh , over ISE, but when cisco ise is down or not on network, I cannot access on cisco switches. Can anyone help. This is my configuration

aaa new-model

aaa group server radius ISE

server xxx.xxx.xxx.xx

server xxx.xxx.xxx.xx

 

aaa authentication login VTY group ISE local

aaa authorization exec VTY group ISE local if-authenticated

aaa accounting exec default start-stop group ISE            

4 REPLIES
VIP Rising star

Re: Access a switch via telnet or ssh when Cisco Ise is down, or not on network

Do you have a local username and password configured on the switch or router?

 

Beginner

Re: Access a switch via telnet or ssh when Cisco Ise is down, or not on network

Yes I have, username xxx privilege 15 secret xxx. But that doesn t work.

 

ip domain-name xxx      

crypto key generate rsa        

ip ssh time-out 120            

ip ssh authentication-retries 3

ip ssh version 2

 

aaa new-model

aaa group server radius ISE

server xxx.xxx.xxx.xx

server xxx.xxx.xxx.xx

 aaa authentication login VTY group ISE local

aaa authorization exec VTY group ISE local if-authenticated

aaa accounting exec default start-stop group ISE          

 

radius-server host xxx.xxx.xxx.xx key 0 xxx

radius-server host xxx.xxx.xxx.xx key 0 xxx

 

line vty 0 15

transport input ssh

login authentication VTY

authorization exec VTY    

this is my configuration on swith. I have policy on ISE , and I login over ssh with my admin domain username and password. When ISE is not on network, I cannot login on switch. Maybe is problem with this command:

aaa authentication login VTY group ISE local ?

 

VIP Advisor

Re: Access a switch via telnet or ssh when Cisco Ise is down, or not on network

Hi

Heres a working one of mine when  ACS or ISE are not working it still authenticates off local DB in device , you must have enable after local too

 

aaa new-model
!
!
aaa group server tacacs+ AAA
 server-private X.X.X.X key 7 04564E3C3D6444170B4E534A414A284F1B7F650F1D
 server-private X.X.X.X key 7 1308522839490C7329737E6E6663374C2757407177
 ip tacacs source-interface XXXXXXXXXX
!
aaa authentication login default group AAA local enable
aaa authentication enable default group AAA enable
aaa authorization exec default group AAA local
aaa accounting exec default start-stop group AAA
aaa accounting commands 0 default start-stop group AAA
aaa accounting commands 1 default start-stop group AAA
aaa accounting commands 15 default start-stop group AAA
aaa accounting network default start-stop group AAA
aaa accounting connection default start-stop group AAA
aaa accounting system default start-stop group AAA

Beginner

Re: Access a switch via telnet or ssh when Cisco Ise is down, or not on network

Thanks, I try this in Wednesday. I want to try on real system, to unplugged net cable from ise, and than to try. I will inform you, about results. :)

CreatePlease to create content
Ask the Expert- MPLS troubleshooting