Cisco: configure RADIUS with local accounts at the same time

Tags: authentication, cisco, network, radius

In the lab I am working on Cisco authentication with FreeRADIUS and everything works, but I want my Cisco switch to first look up the user in RADIUS and, if the user is not found, to go to the local database.

Currently I am seeing the Cisco switch ask RADIUS, and if no user is found it is not looking in the local database.

The reason I need a local account is in case anything goes wrong with RADIUS, or any other condition where users are not able to log in; I want at least admin to be able to log in to the switch and perform network activity.

The following is my config:

radius-server host 10.10.10.10 key 7 "supersecter" authentication accounting
aaa group server radius FREERADIUS
    server 10.10.10.10
    use-vrf management
    source-interface mgmt0

In RADIUS I have the following config:

ops             Cleartext-Password := 123456
                Service-Type = NAS-Prompt-User,
                Cisco-AVPair = "shell:roles=network-operator",
                Cisco-AVPair += "shell:priv-lvl=1"

I am successfully able to log in with the ops account, but not able to log in with a local account like admin.

EDIT: I have tested that if RADIUS is failed/dead then it will go to the local account, but I want both working together, not just in the dead scenario.

Is it possible or not to have a fallback to local?

Best Answer

It's not possible to do that. You would have to set different authentication methods for different interfaces, something like: VTY 0-4 use RADIUS, VTY 5-15 use local accounts. Normally, you'd use RADIUS or similar for VTY but then leave the console to authenticate locally, since you have to be physically at the device or connected through an IP KVM/KMM to use it.

For NX-OS, you can follow the steps in the guide found here. This article is for Nexus 9k devices but the steps are the same for other models. If you click on Configuring AAA, there is a sub-link to show you how to configure Console access to use local authentication.
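The split the answer describes (RADIUS for remote sessions, local for the console), written out as an NX-OS configuration. This is an added example, not part of the original question or answer; the RADIUS host, shared secret, group name, VRF and source interface are copied from the question's config, and the example assumes the default local admin account exists on the switch. The important caveat is visible in the comments: with `group FREERADIUS local`, NX-OS only consults the local database when no RADIUS server responds (fallback on error), never when RADIUS answers with Access-Reject for a user it does not know, which is exactly the behaviour the question observed.

```text
! NX-OS AAA configuration (added example, not from the original post).
! Server definition as posted in the question; timeout/retransmit are added
! so a dead RADIUS server is declared dead quickly and fallback kicks in.
radius-server host 10.10.10.10 key 7 "supersecter" authentication accounting
radius-server timeout 5
radius-server retransmit 2
aaa group server radius FREERADIUS
  server 10.10.10.10
  use-vrf management
  source-interface mgmt0

! SSH/VTY sessions: try FREERADIUS first. "local" is used only when the
! RADIUS servers do not answer (fallback on error), NOT when RADIUS returns
! Access-Reject for an unknown user. "fallback error local" is the NX-OS
! default; it is written out here so the behaviour is explicit in the config.
aaa authentication login default group FREERADIUS local
aaa authentication login default fallback error local

! Console: always local, so admin can still get in via the serial console or
! an IP KVM even while RADIUS is reachable but rejecting everyone.
aaa authentication login console local

! Print the reason a login was denied (reject vs. server timeout) at the prompt.
aaa authentication login error-enable

! Verification from the switch CLI (assumed lab credentials from the question):
!   show aaa authentication
!   test aaa group FREERADIUS ops 123456
!   show radius-server statistics 10.10.10.10
```

To confirm the fallback path without touching the running configuration, stop the FreeRADIUS service (or block UDP/1812 from the management VRF) and attempt an SSH login as admin: it should succeed after the RADIUS timeout, while `show radius-server statistics` shows the timed-out requests. With FreeRADIUS running, an SSH login as admin is rejected by RADIUS and does not fall through to local, so the console line is the guaranteed administrative path.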