12-18-2007 01:30 AM - edited 03-05-2019 08:03 PM
Hi all,
We have a RADIUS server for authentication on Cisco devices. How can we access the device using AAA authentication and a local user/password (on the device) at the same time?
I have heard this can be done; is any reference link available?
Many thanks,
Raj
12-18-2007 02:38 AM
The local database is a fall-back for the radius aaa-service. Local authentication will take place only when the latter fails.
You can simulate local authentication by adding the same user accounts to your RADIUS database as well. Be aware that I do not recommend this solution, because failing RADIUS authentication is an indicator of network problems. Using the method described creates the possibility that one does not notice this failure.
Below is a sample config like the one we are using for device access control:
username user01 privilege 15 password XXX
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting suppress null-username
aaa accounting update newinfo
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
regards,
Leo
12-18-2007 02:50 AM
hi Raj,
Yes, you can configure your device for AAA and still get locally authenticated when the AAA server can't be contacted. Please note that it's a common mistake to get locked out while configuring AAA on the device for the first time.
So before you configure AAA on the device, use this minimum config to be authenticated locally in case something goes wrong.
Minimum AAA config to save you from getting locked out while configuring AAA for TACACS:
aaa new-model
aaa authentication login default local
username abc password xyz
Any time you are locked out while configuring, you can use the above username and password to gain access.
Please refer to this doc for more details if you're interested:
hope that clarifies.
Please rate all helpful posts.
12-18-2007 03:08 AM
Hi Raj,
Is it that you want one user to be authenticated by the local database even when the AAA server is up? In short, do you want an exception rule for a single user?
12-18-2007 03:10 AM
Ya Rishi,
This is what I am looking for (exception rule).
Can you guide me further on this?
Rgds,
Raj
12-18-2007 05:00 AM
Raj
I have not seen an exception at the individual user level, but I have done several types of authentication on the same router for different types of connections. So you could certainly do authentication with RADIUS for vty connections and with the local user database for console connections. Or you could configure some vty lines to use telnet and authenticate with the local user database, and configure other vty lines to use SSH and authenticate with RADIUS.
HTH
Rick
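The per-line approach Rick describes, combined with the RADIUS-then-local fallback from Leo's sample config, as an added example written for this thread (it is not config posted by anyone in the thread, and the method-list names, the 192.0.2.10 server address and the placeholder secrets are assumptions chosen for illustration):

```cisco
! Added example: console authenticates against the local database only,
! vty lines try RADIUS first and use local accounts only when no RADIUS
! server answers (an Access-Reject does NOT fall through to local).
aaa new-model
!
! Local account used on the console and as the vty fall-back
username admin privilege 15 secret LOCAL-SECRET-PLACEHOLDER
!
! RADIUS server (address and key are placeholders for this example)
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
aaa group server radius RADIUS-GROUP
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
! Named method lists: one for vty (RADIUS, then local), one for console (local only)
aaa authentication login VTY-AUTH group RADIUS-GROUP local
aaa authentication login CONSOLE-AUTH local
aaa authorization exec VTY-AUTHZ group RADIUS-GROUP local
aaa authorization exec CONSOLE-AUTHZ local
!
! Safety net: anything not bound to a named list still falls back to local
aaa authentication login default group RADIUS-GROUP local
!
! Bind the lists to the lines; a line without "login authentication" uses "default"
line con 0
 login authentication CONSOLE-AUTH
 authorization exec CONSOLE-AUTHZ
!
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 transport input ssh
```

Apply this from a second, already-open session and verify a fresh SSH login and a console login before closing it; the named lists only take effect on a line once `login authentication` is bound there, and `show aaa servers` (or a `test aaa` call) will tell you whether the device is actually reaching the RADIUS server rather than silently landing on the local account.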