willlandymore (United States of America) asked:
How can I get Cisco switch to default to local login when RADIUS is down?

I have set up a test switch here with RADIUS authentication that is working well and now passing all of the authentication to LDAP via my NPS box. However, if I had a switch outage how can I get it to default back to the local login that I used before?

When I set up the aaa stuff on the switch I used:
"aaa authentication login default group radius local"

which I thought would go back to local after it tried the radius login, but that's not the case. Do I have to create a local login account for this to work?
SOLUTION by Jimmy Larsson, CISSP, CEH (Sweden)
willlandymore (asker):
okay. I created a new user with:

user test priv 15 password whatever

but when I log in and it asks for the username and password it doesn't accept that one. I'll get the debug and put it up, but since that's not a radius user I figured it would default to local and then accept that....
I can see in the NPS logs that it's tried to use the DOMAIN\test as the user in the Radius and denied it (which it should), but then it seems that it's not trying it as local.
How do I show the debugging info for the aaa stuff too? I enabled it but I'm not sure how to see the output. Thanks.
Is the switch disconnected from the network? As long as it can communicate with radius, it will not use the local login.
I shut down the radius box to test so that it couldn't get in contact with it...do I actually need to physically unplug it?
No, post your config.
hmm...I may have found an issue here. I was messing around with 802.1x port authentication before and I see this when I do the show run:

aaa new-model
aaa authentication login default group radius local
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authorization network default group radius

But just for the authentication to get into the switch I only need the first line basically, right?
ASKER CERTIFIED SOLUTION
aaa authentication login default local group radius

It would help if you could post all of your aaa commands.
Those were all the aaa commands I have on that switch.

The first one from Soulja:
aaa authentication enable default group radius enable

seems to have gotten past the first login and it brought up the "Switch>" prompt, but then the enable fails.

I'll adjust it based on what you have there above and see if that fixes it 100%.
okay, now it's locked me out of the switch. When I get to the 'enable' part it's asking for just a password but the old one doesn't work. None of the passwords work and I've only ever set 3 on this when I was configuring it.
Please post your entire config. It looks like you didn't configure a secret on the switch.

There was one...but it's not working like before.

I would love to show you the running config but I can't get into privileged mode anymore because it's locked beyond the first level....
rochey2009:

Hi,

try the following:

aaa authentication login default group radius local
aaa authorization exec default group radius local

oooh....those look like config commands. I can't get into privileged mode anymore. :)

I even have a copy of the config from before and I can see the enable password, but it doesn't work anymore.
When did the privilege mode stop working?
Do you have console access to the switch? If so, go through the rommon mode, then


flash_init
load_helper

then

rename flash:/config.text flash:/config.old

reload

then

once back in

rename flash:/config.old flash:/config.text

copy start run

looks like I'll have to go through the whole password reset procedure to get it back. This might take me a few minutes. :)
Still: Do you have any local users created?

/Kvistofta
yeah, I have a local one.
Anyway, I reset the switch back to defaults and then I did the following:

set up the IP address for vlan1, enable password and telnet password. Then:

Switch(config)#user admin priv 15 password <password>

Switch(config)# aaa new-model
Switch(config)# radius-server host <ipaddress> auth-port 1812 acct-port 1813 key <shared_secret>
Switch(config)# ip radius source-interface Vlan1
Switch(config)# aaa authentication login default group radius local

That seems to have worked and I don't know why it locked me out yesterday, but it's good now.

Thanks.
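As an added example (not the thread's own configuration), one consolidated AAA block for the setup discussed above, with the method-list fallback semantics spelled out as comments; the values in angle brackets and the account name admin are placeholders:

```cisco
! Added example, not from the thread: a complete AAA block for the case
! discussed above (login via RADIUS/NPS, local fallback when RADIUS is
! unreachable). <ipaddress>, <shared_secret>, <password> and
! <enable_password> are placeholders.
!
! 1. Fallback credentials first. Once "aaa new-model" is active, a login
!    that cannot reach RADIUS is only accepted if a local user exists.
enable secret <enable_password>
username admin privilege 15 secret <password>
!
aaa new-model
!
! 2. RADIUS server definition. Deadtime marks a non-responding server dead
!    so later logins skip it instead of waiting out the timeout each time.
radius-server host <ipaddress> auth-port 1812 acct-port 1813 key <shared_secret>
radius-server deadtime 10
ip radius source-interface Vlan1
!
! 3. Method lists are tried left to right. The next method is used only
!    when the previous one returns an ERROR (server unreachable). A RADIUS
!    reject is a FAIL and is final: a username unknown to NPS is NOT
!    retried against the local database, which is what the asker observed.
aaa authentication login default group radius local
!
! 4. Without an "aaa authentication enable" line, enable mode keeps using
!    the enable secret above. If you add
!    "aaa authentication enable default group radius enable", the RADIUS
!    server must answer the request for user $enab15$; otherwise enable is
!    rejected while RADIUS is up, consistent with the lockout in the thread.
!
! 5. Keep the console on local credentials so a RADIUS or network problem
!    never removes out-of-band access.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
!
! Verification from a vty session (exec mode, not config mode):
!   show aaa servers                     - state and counters per RADIUS server
!   test aaa group radius admin <password> new-code
!   debug aaa authentication             - method-list decisions per login
!   terminal monitor                     - display debug output on this session
```

To test the fallback, make the server unreachable (stop the NPS service or block UDP/1812) and wait for the RADIUS timeout to expire before the local prompt accepts credentials; a RADIUS reject of a valid local user is expected behaviour, not a fallback failure.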