AAA authentication failures (local & radius)

dimuthurathna
Level 1

When we give alternative ways of authentication (local & RADIUS), Cisco routers bypass the first method, local, and go for RADIUS if the username provided by the user is not in the local database.

(aaa authentication login default local group radius)

But if the first method is RADIUS, and the user provides a username not available on the RADIUS server, it shows as an authentication failure and doesn't check the local database (aaa authentication login default group radius local).

Can anyone explain why it is treated as follows?

local failure - username not in local database; if the username is not in the local database it checks RADIUS

radius failure - RADIUS server not available; username not in the RADIUS database is not a reason to bypass RADIUS & check local

6 Replies

kerek
Level 4

Hi,

I don't know the logic behind it, but maybe if you use RADIUS a central administration is assumed, so every user must be in the db, and only if the RADIUS server is unresponsive is the local database used instead.

Krisztian

mohammedmahmoud
Level 11

Hi,

This is very logical security-wise: if you tell the router to use RADIUS, then the username must be in RADIUS, or else the router would violate your order. The only use of local in your case is that it would be used as a fallback if RADIUS is not reachable.

HTH,

Mohammed Mahmoud.

Dear Mohammed,

You are correct. But my question was different.

Jagdeep Gambhir
Level 10

Hi,

Actually this is due to the way IOS works.

If you have this command

aaa authentication login default local group radius

now run the debugs and try to make an attempt with a user that is not in the local db. You will see that IOS returns the value "error".

Whereas, on the other hand, if the user is not in the RADIUS db, RADIUS returns the value "Fail" instead of "error".

That is why it never checks the local db if the user is not in RADIUS.

So to change this behavior we need to make changes in the radius or in IOS.

Hope that helps !

Regards,

~JG

Jagdeep provides a good discussion of this issue. With AAA authentication there are 3 types of responses (pass, fail, and error). The IOS implementation of AAA authentication is pretty clear (and I believe it to be correct): if it receives a response of error, IOS will attempt an alternate method, but if IOS receives a response of fail, then IOS considers it done and does not attempt other methods.

So then the question becomes what response we get from RADIUS and from local if the username is not in the database. Jagdeep is quite correct that RADIUS returns a fail response if the name is not in the database and that local returns an error response.

I believe that the original problem really involves the inconsistency that the 2 methods return different responses when the username is not in the database. I am not sure that there is a good way to resolve this inconsistency. I suspect that we will need to live with this being the way that it works.

HTH

Rick
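The pass/fail/error walk that Jagdeep and Rick describe, modelled in Python as an added example (this is not IOS code and not code from any poster). It assumes exactly what the thread states: the local method returns error for an unknown user, the RADIUS group returns fail for an unknown user and error only when the server is unreachable, and the method list advances only on error. The user stores, passwords and the `build_method_list`, `authenticate` and `Result` names are constructed for the illustration.

```python
from enum import Enum


class Result(Enum):
    """The three responses an AAA method can return, as described in the thread."""
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


# Constructed sample user stores for the example; not real credentials.
LOCAL_DB = {"admin": "l0cal-pw"}
RADIUS_DB = {"alice": "r4dius-pw"}


def local_method(user, password, db=LOCAL_DB):
    """Local database. Unknown user -> ERROR (the behaviour observed in the
    thread); known user with a wrong password -> FAIL."""
    if user not in db:
        return Result.ERROR
    return Result.PASS if db[user] == password else Result.FAIL


def radius_method(user, password, db=RADIUS_DB, reachable=True):
    """RADIUS server group. Unreachable server -> ERROR; any Access-Reject,
    whether for an unknown user or a wrong password -> FAIL."""
    if not reachable:
        return Result.ERROR
    return Result.PASS if db.get(user) == password else Result.FAIL


def build_method_list(order, radius_reachable=True):
    """Translate the method keywords of 'aaa authentication login default ...'
    into an ordered list of (name, callable) pairs."""
    methods = {
        "local": local_method,
        "group radius": lambda u, p: radius_method(u, p, reachable=radius_reachable),
    }
    return [(keyword, methods[keyword]) for keyword in order]


def authenticate(method_list, user, password):
    """Walk the method list the way the thread describes IOS doing it:
    advance to the next method only on ERROR; PASS or FAIL ends the walk.
    Returns (final_result, trace); trace is the (method, result) sequence."""
    trace = []
    for name, method in method_list:
        result = method(user, password)
        trace.append((name, result))
        if result is not Result.ERROR:
            return result, trace
    # Every configured method errored out: the login is refused.
    return Result.ERROR, trace


if __name__ == "__main__":
    cases = [
        (("local", "group radius"), True, "alice", "r4dius-pw"),  # local ERROR, falls through to RADIUS
        (("group radius", "local"), True, "admin", "l0cal-pw"),   # RADIUS FAIL stops the walk
        (("group radius", "local"), False, "admin", "l0cal-pw"),  # RADIUS down -> ERROR -> local used
    ]
    for order, reachable, user, pw in cases:
        verdict, trace = authenticate(build_method_list(order, reachable), user, pw)
        steps = ", ".join(f"{name}={r.value}" for name, r in trace)
        print(f"{' '.join(order):<20} user={user:<6} -> {verdict.value:<5} [{steps}]")
```

Running it shows the asymmetry from the original question: with `local group radius`, the unknown local user produces error and RADIUS is consulted; with `group radius local`, the RADIUS Access-Reject is a fail and the local entry for `admin` is never reached, while taking the RADIUS server down turns that into an error and local is used as the fallback.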

Hi Pitigala,

Please do accept my apologies if I got your question wrong, and I totally agree with Rick that Jagdeep has provided a nice answer. The RADIUS response is very logical, while the local DB is weird, as it should also give failed; maybe this was intended for a specific reason. However, Rick is correct in that we need to live with this being the way that it works.

HTH,

Mohammed Mahmoud.
