I have the following configuration on a switch that I am testing for RADIUS authentication:
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
enable secret 5 XXXXXXXXX
!
username admin secret 5 XXXXXXXXX
!
ip radius source-interface FastEthernet0/1
radius-server host XXX.XXX.XXX.XXX auth-port 1812 acct-port 1813 key XXXXXXXXX
radius-server retransmit 3
!
line con 0
line vty 5 15
RADIUS authentication is working just fine, but if the server is not available I cannot log into the router with the ADMIN account.
What's wrong there?
Thanks!
Seems correct to me. From Cisco site:
Maybe you have some kind of
under your line vty 0 X ?
In that case you should add a line:
or simply delete the
line from your conf.
The problem is that when you specify a tacacs or radius server first in your login method, in your case the default method, it will never try the local username unless tacacs or radius is unreachable. So if you want to test your local login, do one of the following:
1. remove your device from radius (not good for production devices)
2. shut off the port that radius messages are received on
3. create another login method and test it on one of your other interfaces like your console port
For example:
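As an added illustration that is not part of this thread, the following Python model walks a login method list the way the reply above describes: a method that answers (accept or reject) ends the attempt, and only a method that returns no answer falls through to the next one. The user names, passwords and simulated RADIUS replies are constructed, and the per-line override mirrors the "login authentication NAME" hint in the earlier reply.

```python
# Added example (not from this thread): a model of how an IOS-style AAA login
# method list such as "group radius local" is walked. A RADIUS group that does
# not answer falls through to the next method; an explicit reject is final.
# Names, passwords and the simulated server replies below are constructed.
ACCEPT, REJECT, ERROR = "accept", "reject", "error"   # ERROR = no reply from server
LOCAL_USERS = {"admin": "local-pw"}   # stands in for "username admin secret ..."

def local(user, password):
    return ACCEPT if LOCAL_USERS.get(user) == password else REJECT

def radius_up(user, password):       # constructed server that knows only "netops"
    return ACCEPT if (user, password) == ("netops", "radius-pw") else REJECT

def radius_down(user, password):     # constructed: retransmits exhausted, no reply
    return ERROR

def parse_login_list(line):
    """'aaa authentication login default group radius local' -> ('default', ['radius', 'local'])"""
    tokens = line.split()
    if tokens[:3] != ["aaa", "authentication", "login"]:
        raise ValueError("not a login method list: " + line)
    name, methods, i = tokens[3], [], 4
    while i < len(tokens):
        if tokens[i] == "group":          # "group radius", "group tacacs+", "group NAME"
            methods.append(tokens[i + 1]); i += 2
        else:                             # "local", "enable", "none", ...
            methods.append(tokens[i]); i += 1
    return name, methods

def list_for_line(line_cfg):
    """A 'login authentication NAME' under a line overrides the default list."""
    for cmd in line_cfg:
        parts = cmd.split()
        if parts[:2] == ["login", "authentication"]:
            return parts[2]
    return "default"

def authenticate(methods, handlers, user, password):
    """ACCEPT or REJECT from a method is final; ERROR moves on to the next one."""
    for m in methods:
        result = handlers[m](user, password)
        if result != ERROR:
            return result
    return REJECT                         # every method errored: the login fails

def login(line_cfg, lists, handlers, user, password):
    return authenticate(lists[list_for_line(line_cfg)], handlers, user, password)

LISTS = dict([parse_login_list("aaa authentication login default group radius local")])
VTY = ["line vty 5 15"]                   # no per-line override, so "default" applies
```

With the server answering, `login(VTY, LISTS, {"radius": radius_up, "local": local}, "admin", "local-pw")` returns "reject" because RADIUS rejected the unknown user and `local` was never consulted; with `radius_down` in its place the same call returns "accept".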