Skip to main content

21 Messages

 • 

320 Points

Wed, May 6, 2020 1:51 PM

Answered

ICX SWITCH LOCAL ACCOUNT USER

After configuring aaa on my icx 7450 switch, I can't login on switch any more using the local account user.
The logging request is rejected by SSH, How can I solve this please?

Responses

Employee

 • 

129 Messages

 • 

46 Points

7 months ago

Can you show us your 'aaa authentication' statement in your configuration?

Support - 1-855-782-5871
https://support.ruckuswireless.com/contact-us

21 Messages

 • 

320 Points

7 months ago

sure, here it is:
aaa authentication web-server default local
aaa authentication enable default radius local
aaa authentication login default radius local
aaa authentication login privilege-mode
aaa accounting commands 0 default start-stop radius
aaa accounting exec default start-stop radius
aaa accounting system default start-stop radius

Employee

 • 

129 Messages

 • 

46 Points

7 months ago

"aaa authentication login default radius local"

This statement makes radius the first authentication method. You will need to use an account defined on your radius server. The local accounts will only be backup in case radius fails. 

Support - 1-855-782-5871
https://support.ruckuswireless.com/contact-us

21 Messages

 • 

320 Points

7 months ago

but the local account is created on the icx switch...  Do you think that I have to create it on radius server preferably? cause if the connection is lost with radius sever, and the account is defined on it, we will don't have any backup account to login on icx switch. What do you think?

Employee

 • 

129 Messages

 • 

46 Points

7 months ago

Yes, you will need to create the accounts on the radius server. Those accounts will then be used to log in to the switch. With your current configuration, the local user accounts are only backup if radius fails. If you prefer to use local accounts, you would need to change your statement to something like this:

aaa authentication login default local

Support - 1-855-782-5871
https://support.ruckuswireless.com/contact-us

21 Messages

 • 

320 Points

7 months ago

The thing is, we would like to have a backup local user account if radius fails. But normally, we use radius authentication with windows account to login on icx switch all the time. Now, is there something that I have to modify on aaa statement to have these two options working, please?

Employee

 • 

129 Messages

 • 

46 Points

7 months ago

You won't be able to have them both actively working at the same time. The first authentication method would need to fail before the second can be used. Your initial configuration statement is pretty common. If your radius server ever goes down or becomes unreachable, you will then be able to use your local accounts. 

Support - 1-855-782-5871
https://support.ruckuswireless.com/contact-us

21 Messages

 • 

320 Points

7 months ago

Ok now I would like to test the connection to the switch using the local account user created on the switch without using radius authentication, but it's not working. So if radius server fails, we will have big trouble.... Here is our problem...

Employee

 • 

129 Messages

 • 

46 Points

7 months ago

How are you testing it? Are you removing the radius server from the network or shutting it down?

Support - 1-855-782-5871
https://support.ruckuswireless.com/contact-us

21 Messages

 • 

320 Points

7 months ago

no, the server is still working  on the network while I'm testing. 

Employee

 • 

129 Messages

 • 

46 Points

7 months ago

You will need to simulate a radius failure (disconnect server, make it unreachable, etc.) to test your local user accounts with your current configuration. 

Support - 1-855-782-5871
https://support.ruckuswireless.com/contact-us

21 Messages

 • 

320 Points

7 months ago

okay, I will do this test and will let you know ..... 

Thanks again