09-27-2009 05:29 PM - edited 03-10-2019 04:42 PM
Hi all,
Suppose this is configured on a router:
'aaa authentication login default group radius local'.
A user telnets to this router and radius does not respond.
Will the router prompt for a new user/pass to check against the local database, or will it use the user/pass already typed?
Thx.
Paulo Roque
09-28-2009 04:47 AM
Hi Paulo,
If radius is not responding and a user is trying to telnet into it, it will simply prompt for
username:XXXX
password:XXXX
This is what you see:
=============================
Username: test \tried radius cred...
Password:
% Authentication failed
Username: aaateam \tried local cred...
Password:
Switch>
==============================
The user will never know whether radius is down or not. In this kind of situation the end user needs to try radius credentials first... it would come up as authentication failed, and then he needs to enter local credentials.
HTH
Regards,
JK
09-28-2009 01:42 PM
Hmm... it's not clear yet.
Let's make this question more generic.
If I have 'aaa authentication login default method-1 method-2 ... method-n'
Will the router prompt once for user/pass and try this same credential over all listed methods, or will it ask for a new credential for each method?
Paulo Roque
09-29-2009 04:06 AM
Hi Paulo,
No, it won't ask for user/password for each method. You only need to supply user/pass once. It will check all the defined methods sequentially, like Method1, Method2 ... method-n, for the same user/pass.
You can see this in the debugs.
debug aaa authentication
debug tacacs
term mon
HTH
Regards,
JK
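Added example, not part of the thread and not Cisco code: a small Python model of a login method list being walked with one set of credentials. It goes beyond the question to show the documented IOS rule that the next method is consulted only when the previous one gives no response, not when it rejects the login. All function names, usernames and passwords are constructed for illustration.

```python
import hmac
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method answered and accepted the credentials
    FAIL = "fail"    # method answered and rejected the credentials
    ERROR = "error"  # method gave no answer (server unreachable, timeout)

def unreachable(user, password):
    """Models a RADIUS server that never responds."""
    return Result.ERROR

def db_method(db):
    """Models a method that answers from a username -> password table."""
    def check(user, password):
        stored = db.get(user)
        ok = stored is not None and hmac.compare_digest(stored, password)
        return Result.PASS if ok else Result.FAIL
    return check

def authenticate(methods, user, password):
    """Walk the method list in order with ONE set of credentials.
    Returns (final result, names of the methods that were consulted)."""
    consulted = []
    for name, method in methods:
        consulted.append(name)
        result = method(user, password)
        if result is not Result.ERROR:
            return result, consulted  # PASS or FAIL ends the walk
    return Result.ERROR, consulted    # every method was unreachable

# Constructed sample data (not real accounts).
RADIUS_DB = {"test": "radius-pw-example"}
LOCAL_DB = {"aaateam": "local-pw-example"}

# 'aaa authentication login default group radius local'
RADIUS_DOWN = [("radius", unreachable), ("local", db_method(LOCAL_DB))]
RADIUS_UP = [("radius", db_method(RADIUS_DB)), ("local", db_method(LOCAL_DB))]

if __name__ == "__main__":
    for label, methods in (("radius down", RADIUS_DOWN), ("radius up", RADIUS_UP)):
        for user, pw in (("test", "radius-pw-example"), ("aaateam", "local-pw-example")):
            result, consulted = authenticate(methods, user, pw)
            print(f"{label:12} {user:8} -> {result.value:5} via {consulted}")
```

The practical consequence for a defender: while RADIUS is reachable, the local account is not a second way in, and it only becomes usable when the server stops answering.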