AAA authentication and local user (Radius Server)

Unanswered Question
Dec 18th, 2007

Hi all,

We have a RADIUS server for authentication on a Cisco device. How can we access the device using AAA authentication and a local user/password (on the device) at the same time?

I have heard this can be done; is any reference link available?

Many thanks,

Raj

lgijssel Tue, 12/18/2007 - 02:38

The local database is a fall-back for the RADIUS AAA service. Local authentication will take place only when the latter fails.

You can simulate local authentication by adding the same user accounts to your RADIUS database also. Be aware that I do not recommend this solution, because failing RADIUS authentication is an indicator of network problems. Using the method described creates the possibility that one does not notice this failure.

Below is a sample config like the one we are using for device access control:

username user01 privilege 15 password XXX
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting suppress null-username
aaa accounting update newinfo
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius

regards,

Leo

bvsnarayana03 Tue, 12/18/2007 - 02:50

hi Raj,

Yes, you can configure your device for AAA and still get locally authenticated when the AAA server can't be contacted. Please note that it's a common mistake to get locked out while configuring AAA on the device for the first time.

So before you configure AAA on the device, use this minimum config to be authenticated locally in case something goes wrong.

Minimum AAA config to save you from getting locked out while configuring AAA for TACACS:

aaa new-model
! the method list needs a name; "default" applies to all lines
aaa authentication login default local
username abc password xyz

Any time you are locked out while configuring, you can use the above username and password to gain access.

Please refer to this doc for more details if you're interested:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/7.x/configuration/guide/authent.html#wp1221026

hope that clarifies.

Pls rate all helpful posts.

rishikesh_khedkar Tue, 12/18/2007 - 03:08

Hi Raj,

Is it that you want one user to be authenticated by the local database even when the AAA server is up? In short, do you want an exception rule for a single user?

rkcontrol Tue, 12/18/2007 - 03:10

Ya Rishi,

This is what I am looking for (exception rule).

Can you guide me further on this?

Rgds,

Raj

Richard Burts Tue, 12/18/2007 - 05:00

Raj

I have not seen an exception at the individual user level, but I have done several types of authentication on the same router for different types of connections. So you could certainly do authentication with RADIUS for vty connections and with the local user database for console connections. Or you could configure some vty lines to use telnet and authenticate with the local user database, and configure other vty lines to use SSH and authenticate with RADIUS.

HTH

Rick
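The per-line approach Rick describes, written out as an added example (it is not configuration posted by anyone in this thread): the default method list sends vty logins to RADIUS with the local database as fall-back, while a named list keeps the console on the local database only, so console access never depends on the RADIUS server. The server address, shared secret, username and password are placeholders.

```cisco
! Added example, not from any poster in this thread.
! All addresses, keys and credentials below are placeholders.
aaa new-model
!
! Local account: used by the console list, and by the vty list only as fall-back
username admin privilege 15 secret CHANGE-ME
!
! RADIUS server (placeholder address and shared secret).
! deadtime marks an unresponsive server dead for 10 minutes so later
! logins fall back to "local" without waiting out the timeout each time.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key CHANGE-ME
radius-server timeout 5
radius-server deadtime 10
!
! Default list: RADIUS first, local only when no RADIUS server answers.
! A reject from RADIUS is final; the local database is not tried after it.
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
! Named list for the console: local database only, no RADIUS dependency
aaa authentication login CONSOLE local
!
! Accounting to RADIUS, as in Leo's config above
aaa accounting exec default start-stop group radius
!
line con 0
 login authentication CONSOLE
!
! vty lines use the default list and accept SSH only
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

The point worth checking after applying this is the fall-back semantics: "group radius local" reaches the local database only when every RADIUS server is unreachable, not when RADIUS rejects the credentials, so a user who exists only locally cannot log in over a vty while the server is up. That is also why the local-only list is put on the console rather than on the vty lines: it gives a recovery path that does not weaken the RADIUS policy for remote access, and a login on the console list is itself a useful signal that RADIUS may be down.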
