Fallback: Bypass Radius Server

Unanswered Question
Aug 6th, 2008
User Badges:

Hi guys,

Currently checking zeroshell for radius to centralize my logins. My question is, if the radius server fails, is there a fallback username/password that i can configure just in case?


Thanks.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
yjdabear Thu, 08/07/2008 - 06:20
User Badges:
  • Gold, 750 points or more

You can configure IOS to try multiple RADIUS/AAA servers. It's always a good idea to have more than one.


aaa group server radius authentication-group

server 209.165.200.225 key radkey1

server 209.165.200.226 key radkey2


aaa group server radius accounting-group

server 209.165.200.225 key radkey1

server 209.165.200.226 key radkey2

server 209.165.201.1 key radkey3


Or, if you meant configuring a local user/password on the router, check out

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ft_md5.html


username name secret {[0] password | 5 encrypted-secret}




jeffersoncbriones Thu, 08/07/2008 - 17:38
User Badges:

Hi,

Let say my routers are configured to authenticate tru the radius server. What if that radius server goes down, how can i telnet/ssh into my router then? Thats why im finding a way wherein login should first be authenticated tru the radius server and if no radius server found (radius is down) a backdoor username/password can be used.


Thanks.



Richard Burts Fri, 08/08/2008 - 12:40
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Jefferson


It is a very common requirement to have some backup method of authentication such as local authentication in case the configured server (or multiple servers) is not available. Assuming that you have the radius server configured you would want something like this in your config:

user password

aaa authentication login default group radius local


This will attempt to authenticate with radius and if there is an error in that authentication attempt then it will authenticate with the configured local user ID and password.


HTH


Rick

Actions

This Discussion