AAA authentication.

Unanswered Question
Sep 27th, 2009

Hi all,


Suppose this is configured on a router:

'aaa authentication login default group radius local'.


A user telnets to this router and radius does not respond.


Will the router prompt for a new user/pass to check against the local database, or will it use the user/pass already typed?


Thx.

Paulo Roque


Jatin Katyal (Cisco Employee) Mon, 09/28/2009 - 04:47

Hi Paulo,


If radius is not responding and a user is trying to telnet into it, it will simply prompt for:


username:XXXX

password:XXXX



This is what you see:

=============================

Username: test \tried radius cred...

Password:


% Authentication failed


Username: aaateam \tried local cred...

Password:


Switch>

==============================


The user will never know whether radius is down or not. In this kind of situation the end user needs to try radius credentials first... it would come up as authentication failed, and then he needs to enter local credentials.


HTH


Regards,

JK



pauloroque Mon, 09/28/2009 - 13:42

Hmm... it's not clear yet.

Let's make this question more generic.

If I have 'aaa authentication login default method-1 method-2 ... method-n'

Will the router prompt once for user/pass and try this same credential against all listed methods, or will it ask for a new credential for each method?


Paulo Roque

Jatin Katyal (Cisco Employee) Tue, 09/29/2009 - 04:06

Hi Paulo,


No, it won't ask for user/password for each method. You only need to supply user/pass once. It will check all the defined methods sequentially, like Method1, Method2 ... method-n, for the same user/pass.


You can see this in the debugs.


debug aaa authentication

debug tacacs

term mon


HTH


Regards,

JK
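
A small Python model of how one login attempt is evaluated against a method list such as 'group radius local', added here as an illustration and not posted by anyone in the thread. It assumes the documented IOS behaviour that the next method is consulted only when the current one does not respond, while an explicit reject ends the attempt; the function names and sample accounts are constructed.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method answered and accepted the credentials
    FAIL = "fail"    # method answered and rejected the credentials
    ERROR = "error"  # method did not answer (e.g. RADIUS timeout)

def radius_method(reachable, users):
    """Stand-in for 'group radius'; reachable=False models a server that is down."""
    def check(username, password):
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(username) == password else Result.FAIL
    return check

def local_method(users):
    """Stand-in for the router's local username database (always answers)."""
    def check(username, password):
        return Result.PASS if users.get(username) == password else Result.FAIL
    return check

def authenticate(method_list, username, password):
    """Evaluate ONE credential pair; return (granted, trace of methods consulted)."""
    trace = []
    for name, method in method_list:
        result = method(username, password)
        trace.append((name, result))
        if result is Result.ERROR:
            continue  # no answer: the same credentials go to the next method
        return result is Result.PASS, trace  # PASS or FAIL is final
    return False, trace  # every method failed to respond

# Constructed sample accounts, mirroring the usernames in the transcript above
RADIUS_USERS = {"test": "radius-pw"}
LOCAL_USERS = {"aaateam": "local-pw"}

def build(radius_up):
    """Build the model of 'aaa authentication login default group radius local'."""
    return [("radius", radius_method(radius_up, RADIUS_USERS)),
            ("local", local_method(LOCAL_USERS))]
```

With RADIUS down, the RADIUS-only account is rejected by the local database and the local account is accepted, which matches the transcript earlier in the thread. With RADIUS up, a local-only account is rejected by RADIUS and the local database is never consulted.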
