Cisco 2960X - radius and local accounts

cscosw
Level 1

Hello,
I have RADIUS on a Windows server. I configured RADIUS login on a Cisco 2960X. Login works fine with a RADIUS account, but I can't log in with a local account.

Can anybody help me with this, please? I want to have both RADIUS and local login working.

Thank you very much.

version 15.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname MYHOSTNAME
!
boot-start-marker
boot-end-marker
!
enable secret 5 **********
!
username myUser privilege 15 secret 5 **********
aaa new-model
!
!
aaa group server radius LOGIN-RAD
 server name RADIUS-SERVER
 ip radius source-interface Vlan200
 deadtime 5
!
aaa authentication login default group LOGIN-RAD local-case
aaa authentication login BACKDOOR local-case
aaa authorization exec default group LOGIN-RAD if-authenticated
!
!
aaa session-id common
clock timezone CET 1 0
clock summer-time summer recurring last Sun Mar 3:00 last Sun Oct 3:00
switch 1 provision ws-c2960x-48fps-l
!
!
ip domain-name intranet.mydomain.com
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
lldp run
!
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport mode access
!
...
...
...
!
interface GigabitEthernet1/0/52
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan101
 ip address 192.168.10.9 255.255.255.0
!
ip default-gateway 192.168.10.1
!
no ip http server
no ip http secure-server
!
!
!
!
!
radius server RADIUS-SERVER
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key 7 **********
!
!
line con 0
line vty 0 4
 exec-timeout 60 0
 logging synchronous
line vty 5 15
 transport input none
!
ntp server 192.168.1.1
ntp server pool.ntp.org
!
!

3 Replies

balaji.bandi
Hall of Fame

You can only use the local account if RADIUS fails.

You can test this by changing the RADIUS key so that the switch fails to connect to the Windows RADIUS server; then you can use the local account.

Here is an example:

aaa authentication login default group radius local

Not sure what this means:

aaa authentication login BACKDOOR local-case

BB


I think "local-case" is just to make the usernames case sensitive.

As @balaji.bandi mentioned, you won't be able to access the device with a local user account as long as the RADIUS server is up/active, and I think changing the RADIUS key wouldn't be enough to simulate a RADIUS server failure, because I think as long as the switch can reach the RADIUS server over L3 it won't fall back to the local database, at least this is what I came across previously. If you have a firewall in between, try to set a temporary rule that denies any RADIUS traffic from the switch, and then test the local access; it should work in that case.