AAA Configuration on Cisco Switch

(Ori A) #11

Hi Rene !
What does SwitchA(config)#aaa authentication dot1x default group radius mean?
What is the default group?

(Andrew P) #12

The term “default” does not reference the term “group” (so the two are unrelated). Instead, “Default” means “use the default dot1x settings for this particular port.”

The term “group” is associated with “radius”, so “group radius” is how you should think about it. This is what is called a method list. In this context, it is saying, “use the radius server that has already been defined as the source of authentication.” You can have more than one method list. For example, if you wanted to use locally defined users on the switch, you could use the term “local” instead of “group radius”.


(Parth P) #13


Can we change the timeout period when 802.1x fails? For example, the client tries connecting with 802.1x but fails due to invalid credentials and request timeout. There is a fallback mechanism to MAC authentication, but the default timeout period is 30 seconds. Is there a way we can change this time period on a Cisco access switch in order to provide faster fallback?

Thank you

(Rene Molenaar) #14

Hi Parth,

There are two things you can try to speed this up:

  • dot1x timeout tx-period: this defines how often you send the Request Identity frame.
  • dot1x max-reauth-req: this defines how often you will resend the Request identity frame.

By reducing the number of tries and the number of seconds in between attempts, you should be able to make it fallback faster to another form of authentication.


(Parth P) #15

hi Rene,

Thank you for the clarifications. In the wired 802.1x design, we usually have a fallback mechanism. If the user fails the 802.1x authentication multiple times, then we can deploy the “AUTHENTICATION FAIL VLAN” and grant access to JUST the internet rather than the network resources. Because when the user is sent into the authentication fail VLAN, it gets an EAP Success message from the authenticator. So the user assumes that it has full access, but has only internet? This will continue until the re-authentication timer expires and the user can have another chance to do 802.1x.

My question is-

The user will be confused not to see access to internal network resources but rather only internet usage. Is there a way we can remove this confusion or allow the user to have a better experience while using the resources?

Thank you,

(Rene Molenaar) #16

Hi Parth,

If you use fallback then I think it will be difficult to notify the user somehow. After all, on their end the authentication looks “successful”.

Perhaps it would be an idea to intercept Internet traffic in the guest VLAN with a portal? At least you can then notify them that their access is restricted.


(Tayo A) #17

Hi Rene,

Can I configure both tacacs+ and radius on the same device? My company uses Tacacs+ but a new client uses radius for their devices. I’m to find a way of having access sorted out for the customer (radius) and myself. Thanks in advance

(Rene Molenaar) #18

Hi Tayo,

You can configure both RADIUS and TACACS+ on the device yes. You could use RADIUS for one thing and TACACS+ for another.

AFAIK, you can’t use one and the other as fallback or something. When you specify a group, you have to pick one of the two:

Switch(config)#aaa authentication login default group ?
  WORD     Server-group name
  ldap     Use list of all LDAP hosts.
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.

You could however create one authentication list for TACACS+ and another one for RADIUS and use each for different purposes.


(Brian C) #20

First off, if I posted this in the wrong place let me know and I will move the question to a better forum area.

I am studying AAA authentication. I keep hearing it stressed that it’s best practice to put “local” on the end of your lines in case your tacacs server or radius server goes down.

For example, I set up a switch, AAA server and PC in the Boson Simulator to play with and test:

username brian password brian
aaa new-model
aaa authentication login auth group tacacs+ local
tacacs-server host 
line con 0
line aux 0
line vty 0 4

I created a tacacs+ server and added the user auth and created a password for him on the Boson.

When I try to connect with the config above it asks for a password and then gives “login invalid”.

So if I change the config for VTY to the following:

line vty 0 4
login authentication auth

It will connect using the authentication from the tacacs server and use that password, so successful.

So now I wanted to test the “local” thing on the end, right? I mean that’s best practice so it’s supposed to be there in case the tacacs server goes down. So I go into the interface that connects to the tacacs server (fast0/1) and shut it down.

I then try to connect with the Tacacs server down and it does not let me connect via “local” as I was led to believe but instead says:

Trying ...
% Destination unreachable; gateway or host down

So I cannot telnet. If this had not been a test situation I would have been in big trouble with a remote switch or router and not able to reach it.

The AAA only works, it seems, if you set it up under VTY or Console etc., but the “local” backup command does not seem to work.

I know I can make telnet use local by telling it to, using login and a password or using login local, but if I do that then that defeats the purpose of having local on the end of the AAA tacacs command.

I also did something like vty 0 2 and gave that login authentication auth and then vty 3 4 login authentication local, so if vty 0 2 did not work I could get in on vty 3 4.
That is not what they are talking about, is it, because I could do the same thing without adding local to the end of the tacacs command.

Here is some documentation from an exam practice test:

Now their lines of text were a bit different from what I was practicing in my custom lab. They had:

aaa authentication login auth group tacacs+ local
aaa authentication login default group tacacs+ 

Would love some help understanding this so it is actually feasible to use.



OK, I set this up on VIRL and it works… so the Boson simulator software is great for labs but you cannot deviate and go experimenting.

On my Cisco VIRL lab I added the following syntax:

switchA#show run
Building configuration…

*Jul 4 00:27:09.870: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 2798 bytes
! Last configuration change at 00:27:09 UTC Tue Jul 4 2017
version 15.2

username brian password 0 brian
aaa new-model
aaa authentication login default group tacacs+ local

line con 0
line aux 0
line vty 0 4

Note: I did not add anything to the line vty 0 4 (it did not allow for it) but I didn’t have to. I was able to telnet from my hostA to Switch A and it asked for username and password; I entered the local username and password and it worked!

To test this I removed the local from the end of the syntax:

username brian password 0 brian
aaa new-model
aaa authentication login default group tacacs+

This time it gave me an error and would not let me in:

Trying … Open
% Authentication failed

% Authentication failed

% Authentication failed

[Connection to closed by foreign host]

I also tested this with “enable” and “line” instead of “local” and it used the enable and the line password and worked fine as well. =)

So it is working as intended; the only difference is I don’t have to add the line VTY 0 4 commands, they don’t exist on my VIRL switch. I don’t know if that’s because the Cisco VIRL is using a newer IOS than the one emulated in the Boson software or something else, but it does seem to be working as I would understand it to.

I love the Boson software for pre-configured labs but not for experimenting; I have to create a Cisco VIRL test lab for that. The reason I like Boson is it’s fast and easy, but in the end it’s not the real stuff so you cannot go deviating much on it.

(Rene Molenaar) #21

Hi Brian,

Good to hear you figured it out. The output of your Boson simulator indeed showed that it was unable to connect, so this didn’t have anything to do with your AAA configuration 🙂 Boson is nice to practice commands but it’s only a simulator so you can’t really test things.

If you don’t add anything to your VTY line(s) then it will use the default AAA group. If you want to use RADIUS / TACACS+ authentication for some things but not for your VTY lines, then you can also create a second group and use that for the VTY lines. Something like this:

SW1(config)#aaa authentication login VTY local

SW1(config)#line vty 0 4
SW1(config-line)#login authentication VTY 

Also, when you are messing around with AAA…I like to enable debug AAA authentication:

SW1#debug aaa authentication 
AAA Authentication debugging is on

It will show you when it’s trying to reach the TACACS+ server and such, it’s pretty useful.
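Brian’s finding that “local” only helps when the server is unreachable, Rene’s remark that a line without its own `login authentication` uses the default list, and the earlier point about separate lists for separate purposes, as an added Python model (not Cisco code or anything posted in this thread): the TACACS+ server is a constructed stand-in, and PASS/FAIL/ERROR are my labels for the three outcomes a method can return.

```python
"""Model of Cisco IOS AAA method-list evaluation, e.g.
'aaa authentication login default group tacacs+ local'.
Added example, not Cisco's code; the TACACS+ server is a constructed
stand-in. IOS only moves to the next method on ERROR (server
unreachable). FAIL (server reached, credentials rejected) is final, so
'local' at the end covers a dead server, not a wrong password.
"""
from dataclasses import dataclass, field
from typing import Dict, List

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Switch:
    local_users: Dict[str, str]         # username X password Y
    method_lists: Dict[str, List[str]]  # aaa authentication login <name> ...
    line_lists: Dict[str, str] = field(default_factory=dict)  # login authentication <name>
    tacacs_reachable: bool = True       # constructed server state
    tacacs_users: Dict[str, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def _local(self, user, pw):
        return PASS if self.local_users.get(user) == pw else FAIL

    def _group_tacacs(self, user, pw):
        if not self.tacacs_reachable:
            return ERROR                # no reply from any server: method unavailable
        return PASS if self.tacacs_users.get(user) == pw else FAIL

    def login(self, line, user, pw):
        """Authenticate on 'line'; a line with no explicit list uses 'default'."""
        list_name = self.line_lists.get(line, "default")
        handlers = {"local": self._local, "group tacacs+": self._group_tacacs}
        for method in self.method_lists.get(list_name, []):
            result = handlers[method](user, pw)
            self.log.append(f"{line}/{list_name}: {method} -> {result}")
            if result != ERROR:
                return result == PASS   # PASS or FAIL ends the list
        return False                    # every method errored: access denied


def brian_lab(with_local, server_up, pw="brian"):
    """The thread's test: local user 'brian'; the TACACS+ user table is constructed."""
    methods = ["group tacacs+"] + (["local"] if with_local else [])
    sw = Switch(local_users={"brian": "brian"}, method_lists={"default": methods},
                tacacs_reachable=server_up, tacacs_users={"brian": "tacacs-secret"})
    return sw.login("vty 0", "brian", pw)
```

Running `brian_lab(True, True)` with the local password while the server is up returns False after a single method, which is the case a “local” fallback does not cover.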

(Elia L) #22

Hey Rene, you wrote “In a production network you might already have a certificate authority within your network. I don’t care about certificates for this demonstration but we’ll generate them anyway in case you want to play with them sometime in the future.”

How do I use the digital certificates I generated, and not only username and password?


(Rene Molenaar) #23

Hi Elia,

It depends on the EAP type that you use. In this lesson, you can see this checkbox on the RADIUS server:

The RADIUS server generated a certificate and when the client connects, it checks the server certificate to see if it’s talking to the correct server. The client then sends a username/password to authenticate the client.

EAP-TLS allows you to use client certificates which is very safe, but does take time to setup (you need a client certificate for each user or device). I don’t have an example for AAA on a switch but I do have something for Wireless. Take a look at these examples:

I manually imported the client certificate on those devices, that’s great for a lab but a pain for production networks. There are solutions that allow you to generate and auto-enroll client certificates automatically.


(Mitchell M) #24

Is there a serial for Elektron RADIUS software we can use?

(Lazaros Agapides) #25

Hello Mitchell

According to the following download site, Elektron RADIUS software is free to try for 30 days, so if you want to experiment with it, you can do so for several weeks.

I hope this has been helpful!


(Mitchell M) #26

Thanks Laz,

After installing and setting it up, it asks for a 30-day serial key and the site to generate one is out of business from the looks of it…

(Lazaros Agapides) #27

Hello Mitchell

Ah, I see. Not sure what’s happening with that. However, there is the option of Free Radius for Windows, which is FreeRADIUS software compiled for the Windows OS. I haven’t personally tried it, but if you’re willing to work out the installation procedures, it may be worth a try.

I hope this has been helpful!


(Kenneth G) #28

For your example you are using VLAN 1, for other VLAN e.g. VLAN 10 do I just include:

SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10

SW1(config)#dot1x system-auth-control 
SW1(config)#interface fa0/1
SW1(config-if)#dot1x port-control auto

(Lazaros Agapides) #29

Hello Kenneth

The IP address configured on the VLAN1 interface of the switch is actually just used to communicate with the RADIUS server. It has no impact on what VLAN is configured on the port itself. You can make the switch have network connectivity with the RADIUS server via the VLAN10 SVI or the VLAN100 SVI, it doesn’t matter. As long as the switch, via any SVI, has network connectivity to the RADIUS server, the operation will function.

Once connectivity is achieved, you can then assign any VLAN to any interface you like, the system auth control will still work.

I hope this has been helpful!


(Kenneth G) #30

Hi lagapides,

I am referring to the configuration for the interface that is connected to endpoints. In this case it is interface fa0/1. If I need VLAN 10 to be dynamically assigned to port fa0/1, is there any additional configuration needed?

Also, for the same interface fa0/1, can it be done for different computers connected to the same interface (fa0/1), so that one computer gets assigned VLAN 10 while the second computer gets assigned VLAN 20?

(Lazaros Agapides) #31

Hello Kenneth

The AAA configuration of an interface using 802.1X does have a feature that allows the RADIUS server to send VLAN assignment information to the port in question. This feature is enabled by default and does not require any additional configuration from the point of view of the switch port itself. A switch port will keep the VLAN assignment that is found in its configuration unless an authorized VLAN is specified in the RADIUS server database.

Specific platforms and IOS versions support this feature. You can find out more about it here:

I hope this has been helpful!