ICX SWITCH LOCAL ACCOUNT USER

  • Question
  • Updated 3 months ago
  • Answered
After configuring AAA on my ICX 7450 switch, I can't log in to the switch any more using the local user account.
The login request is rejected by SSH. How can I solve this, please?

WS


Posted 3 months ago


Ben, Employee

Can you show us your 'aaa authentication' statement in your configuration?

WS

Sure, here it is:
aaa authentication web-server default local
aaa authentication enable default radius local
aaa authentication login default radius local
aaa authentication login privilege-mode
aaa accounting commands 0 default start-stop radius
aaa accounting exec default start-stop radius
aaa accounting system default start-stop radius


Ben, Employee

"aaa authentication login default radius local"

This statement makes RADIUS the first authentication method. You will need to use an account defined on your RADIUS server. The local accounts will only be a backup in case RADIUS fails.

WS

But the local account is created on the ICX switch... Do you think that I have to create it on the RADIUS server preferably? Because if the connection to the RADIUS server is lost, and the account is defined on it, we won't have any backup account to log in to the ICX switch. What do you think?

Ben, Employee

Yes, you will need to create the accounts on the RADIUS server. Those accounts will then be used to log in to the switch. With your current configuration, the local user accounts are only a backup if RADIUS fails. If you prefer to use local accounts, you would need to change your statement to something like this:

aaa authentication login default local

WS

The thing is, we would like to have a backup local user account if RADIUS fails. But normally, we use RADIUS authentication with a Windows account to log in to the ICX switch all the time. Now, is there something that I have to modify in the aaa statement to have these two options working, please?

Ben, Employee

You won't be able to have them both actively working at the same time. The first authentication method would need to fail before the second can be used. Your initial configuration statement is pretty common. If your RADIUS server ever goes down or becomes unreachable, you will then be able to use your local accounts.

WS

OK, now I would like to test the connection to the switch using the local user account created on the switch without using RADIUS authentication, but it's not working. So if the RADIUS server fails, we will have big trouble... Here is our problem...

Ben, Employee

How are you testing it? Are you removing the RADIUS server from the network or shutting it down?

WS

No, the server is still working on the network while I'm testing.

Ben, Employee

You will need to simulate a RADIUS failure (disconnect the server, make it unreachable, etc.) to test your local user accounts with your current configuration.
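
The fall-through behaviour described in this thread, as an added example that is not part of the original posts and is not vendor code: a simplified Python model of an ordered method list such as "radius local", in which a reject from RADIUS is final and only a non-response moves on to the local accounts. The account names, passwords and function names are constructed for the illustration.

```python
"""Simplified model of an ordered AAA login method list (illustration, not vendor code)."""
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"  # the method answered: credentials not valid
    ERROR = "error"    # no answer: server down or unreachable

# Constructed sample accounts (not from the thread).
RADIUS_USERS = {"jdoe": "WinPass1"}          # defined on the RADIUS server
LOCAL_USERS = {"backupadmin": "LocalPass1"}  # defined on the switch

def radius_method(user, password, reachable):
    if not reachable:
        return Result.ERROR
    return Result.ACCEPT if RADIUS_USERS.get(user) == password else Result.REJECT

def local_method(user, password):
    return Result.ACCEPT if LOCAL_USERS.get(user) == password else Result.REJECT

def login(method_list, user, password, radius_reachable=True):
    """Walk the methods in order; return (result, method that decided)."""
    for method in method_list:
        if method == "radius":
            result = radius_method(user, password, radius_reachable)
        elif method == "local":
            result = local_method(user, password)
        else:
            raise ValueError(f"unknown method: {method}")
        if result is not Result.ERROR:
            return result, method  # an accept or a reject is final
    return Result.REJECT, None     # every method errored out

if __name__ == "__main__":
    methods = ["radius", "local"]  # aaa authentication login default radius local
    cases = [
        ("jdoe", "WinPass1", True),
        ("backupadmin", "LocalPass1", True),   # rejected, local never consulted
        ("backupadmin", "LocalPass1", False),  # RADIUS unreachable, local used
    ]
    for user, pw, up in cases:
        result, by = login(methods, user, pw, radius_reachable=up)
        print(f"{user:12} radius_up={up!s:5} -> {result.value:6} (decided by {by})")
```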

WS

Okay, I will do this test and will let you know.

Thanks again