AAA server failure message

Unanswered Question
Feb 8th, 2007

Hi,

Is there a way to prompt/tell a user that Radius or TACACS authentication has failed i.e. fail as opposed to reject?

I have Radius with local fallback configured but think it would be nice to at least tell the user that Radius is broken and that they should try again with the Local user/password instead.

Without some clue a user has to guess that Radius is broken after several failed attempts, and only then would they 'know' to try the local userID instead.

I realise that the prompts can be changed generally, but I can't see a way of advising a user that an attempted Radius authentication failed because the server is unavailable for some reason.

Cheers,

-phil

darpotter Thu, 02/08/2007 - 08:50

Phil

Generally TACACS will return ERROR if authentication could not be completed. As opposed to FAILED/REJECTED.

RADIUS should not return a result; otherwise the access device will not failover.

With RADIUS this is kind of a limitation of the protocol.
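The ERROR-versus-FAIL distinction above is exactly what drives IOS method-list fallback: a list such as `aaa authentication login default group radius local` moves to the next method only when the current one returns an error (no usable answer), never when it returns a reject. The following is an added model of that walk, written for this thread; it is not Cisco code, and the server names, user databases, and the "authentication failed" prompt text are constructed assumptions. It shows why a wrong RADIUS password never reaches the local account, and why the prompt the user sees is identical whether RADIUS rejected them or RADIUS never answered.

```python
"""Model of an IOS-style AAA login method list (e.g. ``group radius local``).

Added illustration for this thread, not Cisco code. Server names, user
databases and the prompt strings are constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "PASS"    # credentials accepted
    FAIL = "FAIL"    # explicit reject: RADIUS Access-Reject, TACACS+ FAIL
    ERROR = "ERROR"  # no usable answer: RADIUS timeout, TACACS+ ERROR


@dataclass
class AAAServer:
    """A RADIUS/TACACS+ server with a (constructed) user database."""
    name: str
    users: Dict[str, str]
    reachable: bool = True


Method = Callable[[str, str], Result]


def server_group_method(servers: List[AAAServer]) -> Method:
    """Like `group radius`: the first server that answers decides.
    RADIUS has no ERROR reply, so an unreachable server is just a timeout;
    only when every server times out does the group return ERROR."""
    def method(user: str, password: str) -> Result:
        for s in servers:
            if not s.reachable:
                continue  # retransmits exhausted, move to the next server
            return Result.PASS if s.users.get(user) == password else Result.FAIL
        return Result.ERROR
    return method


def local_method(local_users: Dict[str, str]) -> Method:
    """`local`: the box itself always answers, so it never returns ERROR."""
    def method(user: str, password: str) -> Result:
        return Result.PASS if local_users.get(user) == password else Result.FAIL
    return method


def authenticate(method_list: List[Tuple[str, Method]], user: str, password: str
                 ) -> Tuple[Result, Optional[str], List[Tuple[str, Result]]]:
    """Walk the list the way IOS does: advance to the next method only on
    ERROR; a PASS or FAIL from any method ends the attempt.
    Returns (result, name of the deciding method or None, trace of every
    method that was consulted)."""
    trace: List[Tuple[str, Result]] = []
    for name, method in method_list:
        r = method(user, password)
        trace.append((name, r))
        if r is Result.ERROR:
            continue
        return r, name, trace
    return Result.ERROR, None, trace


def user_visible(result: Result) -> str:
    """What the login prompt conveys: pass or fail, never which method
    decided. This is the gap the original poster describes (assumed text)."""
    return "login ok" if result is Result.PASS else "authentication failed"


# Constructed data: the RADIUS account and the local fallback account differ,
# as they usually do in practice.
LOCAL_USERS = {"fallback": "LocalPw!"}


def build_method_list(radius_up: bool) -> List[Tuple[str, Method]]:
    """`aaa authentication login default group radius local`, with the
    single RADIUS server either reachable or down."""
    radius = AAAServer("radius1", {"phil": "RadiusPw!"}, reachable=radius_up)
    return [("group radius", server_group_method([radius])),
            ("local", local_method(LOCAL_USERS))]


def scenarios() -> Dict[str, Tuple[Result, Optional[str], List[Tuple[str, Result]]]]:
    """Four login attempts; each value is (result, deciding method, trace)."""
    return {
        # RADIUS up, wrong password: FAIL stops the list; local is never asked.
        "radius_up_bad_pw": authenticate(build_method_list(True), "phil", "wrong"),
        # RADIUS down, RADIUS credentials: ERROR -> local asked -> FAIL.
        "radius_down_radius_creds": authenticate(build_method_list(False), "phil", "RadiusPw!"),
        # RADIUS down, local credentials: ERROR -> local asked -> PASS.
        "radius_down_local_creds": authenticate(build_method_list(False), "fallback", "LocalPw!"),
        # RADIUS up, local credentials: RADIUS rejects, local is NOT tried.
        "radius_up_local_creds": authenticate(build_method_list(True), "fallback", "LocalPw!"),
    }


if __name__ == "__main__":
    for case, (result, decided_by, trace) in scenarios().items():
        steps = [(n, r.value) for n, r in trace]
        print(f"{case:26} -> {user_visible(result):22} decided by {decided_by}; trace {steps}")
```

The first two scenarios both surface as "authentication failed" to the operator even though the trace differs (RADIUS rejected, versus RADIUS silent and local rejected); the fourth shows the flip side, that while RADIUS is healthy the fallback account is not usable at all, which is the behaviour to expect before assuming the local account is broken.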

pdotchon Thu, 02/08/2007 - 11:37

Hi,

Thanks for the reply.

My question is not really about the protocol or its operation, it's more about how an IOS device (router/switch etc.) behaves when an administrator logs in via Telnet.

If the IOS box is configured to authenticate against a Radius server and is unable to reach the server for some reason, the response to the user is along the lines of "authentication failed" and the 'Username' prompt reappears.

Typically a locally configured fallback user account/password will be different to that configured in Radius server database, but there is no clue from the IOS box as to which authentication method just 'failed'; consequently the user doesn't know whether:

a. they just typed the wrong username or password for Radius and should try again, or

b. Radius is not working and they should instead use the local fallback userid/password.

My point is that the only way an admin will 'know' to use the fallback ID is because their Radius credentials consistently fail to gain access, and trying the fallback ID works! Pretty confusing to someone inexperienced.

I would have expected a way for IOS to advise the person attempting to log in that they just failed to authenticate because Radius is not responding, not because their credentials were rejected. There doesn't seem to be any difference from the user's perspective.

Cheers,

-phil
