
How can I get Cisco switch to default to local login when RADIUS is down?

I have set up a test switch here with RADIUS authentication that is working well and now passing all of the authentication to LDAP via my NPS box. However, if I had a switch outage how can I get it to default back to the local login that I used before?

When I set up the aaa stuff on the switch I used:
"aaa authentication login default group radius local"

which I thought would go back to local after it tried the radius login, but that's not the case. Do I have to create a local login account for this to work?

Jimmy Larsson, CISSP, CEH, Network and Security consultant
Commented:
Yes, if you have not already created at least one local user, do that:

username cisco password mysecretpassword

If that doesn't help, turn on "debug aaa authen" and investigate the output (or post it here). But a local user is indeed needed.

Best regards
Kvistofta

Author

Commented:
okay. I created a new user with:

user test priv 15 password whatever

but when I login and it asks for the username password it doesn't accept that one. I'll get the debug and put it up, but since that's not a radius user I figured it would default to local and then accept that....

Author

Commented:
I can see in the NPS logs that it's tried to use the DOMAIN\test as the user in the Radius and denied it (which it should), but then it seems that it's not trying it as local.

Author

Commented:
how do I show the debugging info for the aaa stuff too? I enabled it but I'm not sure how to see the output. Thanks.
Soulja, Sr. Net. Eng.
Top Expert 2011

Commented:
Is the switch disconnected from the network? As long as it can communicate with radius, it will not use the local login.

Author

Commented:
I shut down the radius box to test so that it couldn't get in contact with it...do I actually need to physically unplug it?
Soulja, Sr. Net. Eng.
Top Expert 2011

Commented:
No, post your config.

Author

Commented:
hmm...I may have found an issue here. I was messing around with 802.1x port authentication before and I see this when I do the show run:

aaa new-model
aaa authentication login default group radius local
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authorization network default group radius

But just for the authentication to get into the switch I only need the first line basically, right?
Sr. Net. Eng.
Top Expert 2011
Commented:
Change:
aaa authentication enable default enable

to

aaa authentication enable default group radius enable

See if that works.

The dot1x would only apply if you have it enabled on the switch port.
Most Valuable Expert 2015

Commented:
aaa authentication login default local group radius

It would help if you could post all of your aaa commands.

Author

Commented:
Those were all the aaa commands I have on that switch.

The first one from Soulja:
aaa authentication enable default group radius enable

seems to have gotten past the first login and it brought up the "Switch>" prompt, but then the enable fails.

I'll adjust it based on what you have there above and see if that fixed it 100%.

Author

Commented:
okay, now it's locked me out of the switch. When I get to the 'enable' part it's asking for just a password but the old one doesn't work. None of the passwords work and I've only ever set 3 on this when I was configuring it.
Soulja, Sr. Net. Eng.
Top Expert 2011

Commented:
Please post your entire config. It looks like you didn't configure a secret on the switch.

Author

Commented:
There was one...but it's not working like before.

I would love to show you the running config but I can't get into privileged mode anymore because it's locked beyond the first level....
Hi,

try the following:

aaa authentication login default group radius local
aaa authorization exec default group radius local

Author

Commented:
oooh....those look like config commands. I can't get into privileged mode anymore. :)

I even have a copy of the config from before and I can see the enable password, but it doesn't work anymore.
When did the privilege mode stop working?
Soulja, Sr. Net. Eng.
Top Expert 2011

Commented:
do you have console access to the switch? If so, go through the rommon mode then

flash_init
load_helper

then

rename flash:/config.text flash:/config.old
reload

then, once back in

rename flash:/config.old flash:/config.text
copy start run

Author

Commented:
looks like I'll have to go through the whole password reset procedure to get it back. This might take me a few minutes. :)
Jimmy Larsson, CISSP, CEH, Network and Security consultant

Commented:
Still: Do you have any local users created?

/Kvistofta

Author

Commented:
yeah, I have a local one.

Author

Commented:
anyway, I reset the switch back to defaults and then I did the following:

set up the ip address for vlan1, enable password and telnet password. Then:

Switch(config)#user admin priv 15 password <password>

Switch(config)# aaa new-model
Switch(config)# radius-server host <ipaddress> auth-port 1812 acct-port 1813 key <shared_secret>
Switch(config)# ip radius source-interface Vlan1
Switch(config)# aaa authentication login default group radius local

That seems to have worked and I don't know why it locked me out yesterday, but it's good now.

Thanks.
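The commands in this thread are spread across several posts, so here is one consolidated IOS AAA configuration, added as an example and not taken from any post above. It combines the working login method list from the author's final post with Soulja's enable method list and the exec authorization line suggested mid-thread, and adds the server timers that decide how quickly a RADIUS server is treated as unreachable. The address 192.0.2.10 and the values in angle brackets are placeholders, and the thread's own switch config may differ; the fallback behaviour described in the comments is the documented IOS method-list rule that Soulja pointed at: a later method is consulted only when the earlier one gets no response, never when it rejects the user.

```cisco
! Added example, not from the thread. Placeholders: 192.0.2.10 (RADIUS/NPS server),
! <password>, <enable_password>, <shared_secret>.
!
! Local credentials that are used ONLY when RADIUS does not answer.
! "secret" stores a hash; "password" (as used in the thread) stores the value reversibly.
username admin privilege 15 secret <password>
enable secret <enable_password>
!
aaa new-model
!
! RADIUS server and timers. timeout/retransmit bound how long a login waits before the
! server is declared unreachable and the next method is tried; deadtime (minutes) keeps
! later logins from waiting on a server that was already found dead.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared_secret>
radius-server timeout 3
radius-server retransmit 2
radius-server deadtime 5
ip radius source-interface Vlan1
!
! Method lists are tried in order. The next method is used only if the previous one
! returns an ERROR (no reply from RADIUS). An explicit Access-Reject from RADIUS is final:
! the local database is not consulted, which is why a user that NPS rejects (e.g. a
! local-only account) cannot log in while the server is reachable.
aaa authentication login default group radius local
!
! Enable via RADIUS is attempted with the reserved username $enab15$. If NPS rejects that
! request the list stops and the enable secret is never tried; the server must either
! accept $enab15$ or be unreachable for the local enable secret to apply.
aaa authentication enable default group radius enable
!
! Exec authorization: RADIUS-supplied privilege level when the server answers,
! the local user's configured privilege level when it does not.
aaa authorization exec default group radius local
!
! "default" lists apply to all lines automatically; shown explicitly for clarity.
line con 0
 login authentication default
line vty 0 4
 login authentication default
```

To test the fallback, stop the RADIUS service (or block the switch from reaching it) and wait at least the timeout times the retransmit count before logging in; a server that is up but rejects the credentials is not an outage and will not trigger the local method. If the RADIUS server is not set up to answer for $enab15$, keep `aaa authentication enable default enable` instead and rely on the exec authorization line to grant privilege 15 to RADIUS users, so a reject cannot leave the local enable secret unused.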