Can you have a Authentication Group (radius) configured and a local user?

Aug 5th, 2008

I have a radius group configured: aaa authentication login AUTHENTICATE group radius

If my radius server quits working I can't use the VPN to get in. Is there any way to add a local login in case the radius server isn't available?

richardcalvert Wed, 08/06/2008 - 06:44

How does this work, does the hardware recognize that its aaa server is unavailable and let the local authentication take place?

JORGE RODRIGUEZ Wed, 08/06/2008 - 07:16

The keyword [LOCAL] pertains to the ASA local user database. If you have a RADIUS server configured as the primary server to authenticate remote VPN users, and that RADIUS server is no longer available, the LOCAL ASA user database will be used as a backup to RADIUS for authentication; that is, you must also have those VPN user accounts and passwords created in the ASA local user database.

jasosan22 Wed, 08/06/2008 - 07:36

Sorry, let me clarify. I am configuring Cisco VPN client on a Cisco router. I know that if I am running TACACS I can still configure a local username/password to get into the router if the TACACS server is unavailable. My issue is that I have all of my VPN Clients using Radius to authenticate into the VPN. If the Radius server is not available I cannot get in through VPN. Is it possible to configure a VPN Client to authenticate locally if there is a Radius authentication group configured? Below is my config.

aaa new-model
aaa authentication login default local
aaa authentication login console local
aaa authentication login AUTHENTICATE group radius
aaa authorization network AUTHORIZE local
aaa session-id common
crypto map CRYPTOMAP client authentication list AUTHENTICATE
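An added example, not the poster's configuration, showing the IOS method-list change that produces the behaviour asked about: appending the local method to the AUTHENTICATE list makes the router fall through to its local user database only when no RADIUS server answers. The server address, shared key and user credentials are placeholders.

```text
! Added example, not the poster's running config. The server address,
! key and credentials below are placeholders.
aaa new-model
! Methods are tried left to right. The router moves on to "local" only
! when every server in the radius group fails to respond (timeout);
! an explicit Access-Reject from RADIUS ends the attempt and is NOT
! retried against the local database.
aaa authentication login AUTHENTICATE group radius local
aaa authorization network AUTHORIZE local
aaa session-id common
! Local accounts must mirror the VPN users you want to admit during an
! outage; "secret" stores a hash rather than a reversible password.
username vpnuser1 secret PLACEHOLDER-PASSWORD
! Keep the timeout and retransmit budget small so the fallback is
! reached in seconds instead of stalling the VPN client.
radius-server host 192.0.2.10 key PLACEHOLDER-KEY
radius-server timeout 5
radius-server retransmit 2
crypto map CRYPTOMAP client authentication list AUTHENTICATE
```

Because the fallback is triggered only by an unreachable server, a user rejected by RADIUS is still denied; `debug aaa authentication` shows which method in the list answered a given attempt.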

JORGE RODRIGUEZ Wed, 08/06/2008 - 09:21

Jason, I do apologize for not asking, I thought all along your post was geared towards PIX/ASA instead of IOS.

I'm sorry, I do not have an answer. I'm hoping someone may have additional information on this one. I am sure there should be a solution other than having two TACACS servers as redundant authentication servers; in my experience with aaa in IOS, which goes way back, we used dual TACACS servers, but now your requirement is an addition to RA vpn and a single TACACS radius server. I will have to look it up at some point today; if anyone can comment, that will be great.
