AAA authentication failures (local & radius)

Unanswered Question
Aug 3rd, 2007
User Badges:

When we give alternative ways of authentication (local & radius), cisco routers bypass the first method of local & go for radius if the user provided username is not in local database.

(aaa authentication login default local group radius)

But if first method is Radius , & user provides a username not available in radius server it shows as an authentication failure & doesn't check local database (aaa authentication login default group radius local )

Anyone can explain why does it treat as

local failure - username not in local database , if username is not in local database it checks radius

radius failure - radius server not available , username not in radius database is not a reason to bypass the radius & check local

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mohammedmahmoud Fri, 08/03/2007 - 03:41
User Badges:
  • Green, 3000 points or more


This is very logical security wise, as if you tell the router to use RADIUS, then the username must be in RADIUS, or else the router did violate your order, the only use of local in your case, is that it would be use to fall back if RADIUS is not reachable.


Mohammed Mahmoud.

Jagdeep Gambhir Fri, 08/03/2007 - 12:41
User Badges:
  • Red, 2250 points or more


Actually this is due to the way IOS works.

If you have this command

aaa authentication login default local group radius

now run the debugs and try to make an attempt with the user that is not in local db. You will see that IOS returns vlaue " error "

Where in on the other hand if user is not in Radius db , radius returns value "Fail" instead of "error".

That is why it never check local db if users is not in radius.

So to change this behavior we need to make changes in the radius or in IOS.

Hope that helps !



Richard Burts Fri, 08/03/2007 - 12:52
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Jagdeep provides a good discussion of this issue. With AAA authentication there are 3 types of responses (pass, fail, and error). The IOS implementation of AAA authentication is pretty clear (and I believe it to be correct) so that if you receive a response of error the IOS will attempt an alternate method but if IOS receives a response of fail then IOS considers it done and does not attempt other methods.

So then the question becomes what response do we get from Radius and from local if the user name is not in the data base. Jagdeep is quite correct that Radius returns a fail response if the name is not in the data base and that local returns an error response.

I believe that the original problem really involves the inconsistency that the 2 methods return different responses when the user name is not in the data base. I am not sure that there is a good way to resolve this inconsistency. I suspect that we will need to live with this being the way that it works.



mohammedmahmoud Fri, 08/03/2007 - 13:19
User Badges:
  • Green, 3000 points or more

hi Pitigala,

Please do accept my apologies if i got your question wrong, and i totally agree with Rick that Jagdeep has provided a nice answer, the RADIUS response is very logical while the local DB is weired as it should also give failed, maybe this was intended for a specific reason, however Rick is correct in that we need to live with this being the way that it works.


Mohammed Mahmoud.


This Discussion