Can you have an Authentication Group (RADIUS) configured and a local user?

jasosan22
Level 1

I have a radius group configured:

aaa authentication login AUTHENTICATE group radius

If my radius server quits working I can't use the VPN to get in. Is there any way to add a local login in case the radius server isn't available?

5 Replies

JORGE RODRIGUEZ
Level 10

You can use LOCAL as a backup:

tunnel-group general-attributes
authentication-server-group (inside) LOCAL

See Step 2:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpngrp.html#wp1133080

Jorge Rodriguez

How does this work? Does the hardware recognize that its AAA server is unavailable and let local authentication take place?

The keyword [LOCAL] pertains to the ASA local user database. If you have a RADIUS server configured as the primary server to authenticate remote VPN users and that RADIUS server is no longer available, the LOCAL ASA user database will be used as a backup to RADIUS for authentication; that is, you must also have those VPN user accounts and passwords created in the ASA local user database.

Jorge Rodriguez

Sorry, let me clarify. I am configuring the Cisco VPN client on a Cisco router. I know that if I am running TACACS I can still configure a local username/password to get into the router if the TACACS server is unavailable. My issue is that I have all of my VPN clients using RADIUS to authenticate into the VPN. If the RADIUS server is not available I cannot get in through VPN. Is it possible to configure a VPN client to authenticate locally if there is a RADIUS authentication group configured? Below is my config.

aaa new-model
!
!
aaa authentication login default local
aaa authentication login console local
aaa authentication login AUTHENTICATE group radius
aaa authorization network AUTHORIZE local
aaa session-id common
crypto map CRYPTOMAP client authentication list AUTHENTICATE

Jason, I do apologize for not asking; I thought all along your post was geared towards PIX/ASA instead of IOS.

I'm sorry, I do not have an answer. I'm hoping someone may have additional information on this one. I am sure there should be a solution other than having two TACACS servers as redundant authentication servers; in my experience with AAA in IOS, which goes way back, we used dual TACACS servers, but now your requirement is an addition to RA VPN and a single TACACS/RADIUS server. I will have to look it up at some point today; if anyone can comment, it will be great.

Jorge Rodriguez
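Added example, not posted by any participant in this thread: Jason's IOS method list with a LOCAL fallback method appended, and the ASA form Jorge points to with the server-group tag that precedes LOCAL. The fallback username, RADIUS host, timers and tunnel-group name are assumptions.

```cisco
! --- IOS (Jason's scenario): RADIUS first, local database as fallback
! Original list has a single method, so an unreachable RADIUS server leaves
! no way to authenticate VPN clients at all:
!   aaa authentication login AUTHENTICATE group radius
! IOS moves to the next method only when the previous one returns an ERROR
! (server unreachable / timeout). A REJECT from RADIUS (wrong password)
! ends the list and does NOT fall through to local, so a reachable RADIUS
! server cannot be bypassed by guessing against local accounts.
aaa new-model
aaa authentication login AUTHENTICATE group radius local
aaa authorization network AUTHORIZE local
!
! The fallback account must exist locally; use 'secret' (hashed), not
! 'password' (account name constructed for this example)
username vpn-fallback secret <strong-secret>
!
! Mark an unresponsive server dead so each login does not wait out the full
! timeout/retransmit cycle before reaching 'local' (values are assumptions)
radius-server host 192.0.2.10 key <radius-shared-secret>
radius-server timeout 3
radius-server retransmit 2
radius-server deadtime 10
!
crypto map CRYPTOMAP client authentication list AUTHENTICATE

! --- ASA equivalent of Jorge's snippet: the RADIUS server-group tag comes
!     before LOCAL (tunnel-group name and group tag are assumptions)
tunnel-group <tunnel-group-name> general-attributes
 authentication-server-group (inside) RADIUS LOCAL
```

During a RADIUS outage, `show aaa servers` on the router shows the server state, and a VPN client presenting a password that RADIUS would reject must still fail once the server is back.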