AAA authentication.

Sep 27th, 2009

Hi all,

Suppose this is configured on a router:

'aaa authentication login default group radius local'.

A user telnets to this router and radius does not respond.

Will the router prompt for a new user/pass to check against the local database, or will it use the user/pass already typed?

Thx.

Paulo Roque

Jatin Katyal Mon, 09/28/2009 - 04:47

Hi Paulo,

If radius is not responding and a user is trying to telnet into it, it will simply prompt for

username:XXXX

password:XXXX

This is what you see:

=============================

Username: test \tried radius cred...

Password:

% Authentication failed

Username: aaateam \tried local cred...

Password:

Switch>

==============================

The user will never know whether radius is down or not. In this kind of situation the end user needs to try radius credentials first... it would come up as authentication failed, and then he needs to enter local credentials.

HTH

Regards,

JK

pauloroque Mon, 09/28/2009 - 13:42

Hmm... it's not clear yet.

Let's make this question more generic.

If I have 'aaa authentication login default method-1 method-2 ... method-n'

Will the router prompt once for user/pass and try this same credential over all listed methods, or will it ask for a new credential for each method?

Paulo Roque

Jatin Katyal Tue, 09/29/2009 - 04:06

Hi Paulo,

No, it won't ask for user/password for each method. You only need to supply user/pass once. It will check all the defined methods sequentially, like Method1, Method2 ... method-n, for the same user/pass.

You can see this in the debugs.

debug aaa authentication

debug tacacs

term mon

HTH

Regards,

JK
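
The method-list fallback discussed in this thread, as an added Python model (not part of the original posts and not Cisco code): one username/password pair is offered to each method in order. It assumes the documented IOS rule that the next method is tried only when the current one gives no response, while a reject ends the attempt; the function names and sample passwords are constructed.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method answered and accepted the credentials
    FAIL = "fail"    # method answered and rejected the credentials
    ERROR = "error"  # method gave no answer (for example, a RADIUS timeout)

def user_db(users):
    """Build a method that answers PASS or FAIL from a username->password dict."""
    def method(username, password):
        return Result.PASS if users.get(username) == password else Result.FAIL
    return method

def unreachable(username, password):
    """Model a server that never responds."""
    return Result.ERROR

def authenticate(method_list, username, password):
    """Offer one credential pair to each (name, method) in order.

    Returns (granted, trace). Only ERROR moves on to the next method.
    """
    trace = []
    for name, method in method_list:
        result = method(username, password)
        trace.append((name, result))
        if result is not Result.ERROR:
            return result is Result.PASS, trace
    return False, trace  # every method errored: access denied

# Constructed sample data: usernames are from the thread, passwords are made up.
RADIUS_USERS = {"test": "radius-pw"}
LOCAL_USERS = {"aaateam": "local-pw"}
LOCAL = ("local", user_db(LOCAL_USERS))
RADIUS_DOWN = [("radius", unreachable), LOCAL]
RADIUS_UP = [("radius", user_db(RADIUS_USERS)), LOCAL]

if __name__ == "__main__":
    for label, methods in (("radius down", RADIUS_DOWN), ("radius up", RADIUS_UP)):
        for user, pw in (("test", "radius-pw"), ("aaateam", "local-pw")):
            granted, trace = authenticate(methods, user, pw)
            steps = ", ".join(f"{name}={res.value}" for name, res in trace)
            print(f"{label}: {user} -> {'granted' if granted else 'denied'} [{steps}]")
```

In this model the local account is consulted only while the RADIUS method errors out; once RADIUS answers with a reject, the list stops there.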
