
AAA authentication.

pauloroque
Level 1

Hi all,

Suppose this is configured on a router:

'aaa authentication login default group radius local'.

A user telnets to this router and radius does not respond.

Will the router prompt for a new user/pass to check against the local database, or will it use the user/pass already typed?

Thx.

Paulo Roque

3 Replies

Jatin Katyal
Cisco Employee

Hi Paulo,

If RADIUS is not responding and a user is trying to telnet into it, it will simply prompt for

username:XXXX

password:XXXX

This is what you see:

=============================

Username: test \tried radius cred...

Password:

% Authentication failed

Username: aaateam \tried local cred...

Password:

Switch>

==============================

The user will never know whether RADIUS is down or not. In this kind of situation the end user needs to try RADIUS credentials first; it would come up as authentication failed, and then he needs to enter local credentials.

HTH

Regards,

JK

~Jatin

Hmm... it's not clear yet.

Let's make this question more generic.

If I have 'aaa authentication login default method-1 method-2 ... method-n'

Will the router prompt once for user/pass and try this same credential over all listed methods, or will it ask for a new credential for each method?

Paulo Roque

Hi Paulo,

No, it won't ask for user/password for each method. You only need to supply user/pass once. It will check all the defined methods sequentially, like Method1, Method2 ... method-n, for the same user/pass.

You can see this in the debugs.

debug aaa authentication

debug tacacs

term mon

HTH

Regards,

JK

~Jatin
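
Added example (not part of the thread and not Cisco code): a small Python model of how a login method list such as `group radius local` is walked with one set of credentials. It follows the rule in Cisco's AAA documentation that the next method is consulted only when the previous one returns an error (no response), not when it rejects the login. All function names, accounts and passwords are constructed for illustration, and `local` is simplified to a plain accept/reject.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method answered: credentials accepted
    FAIL = "fail"    # method answered: credentials rejected
    ERROR = "error"  # method gave no answer (e.g. server timeout)

def radius(reachable, users):
    """Constructed stand-in for 'group radius'."""
    def check(user, password):
        if not reachable:
            return Result.ERROR          # unreachable server: no verdict
        return Result.PASS if users.get(user) == password else Result.FAIL
    return check

def local(users):
    """Constructed stand-in for the 'local' username database."""
    def check(user, password):
        return Result.PASS if users.get(user) == password else Result.FAIL
    return check

def login(methods, user, password):
    """Walk the method list once with a single user/password pair.

    Returns (accepted, trace); trace lists every method consulted.
    """
    trace = []
    for name, check in methods:
        result = check(user, password)
        trace.append((name, result))
        if result is not Result.ERROR:   # PASS or FAIL is final
            return result is Result.PASS, trace
    return False, trace                  # every method errored: deny

RADIUS_USERS = {"test": "radius-pw"}     # constructed sample accounts
LOCAL_USERS = {"aaateam": "local-pw"}

def method_list(radius_up):
    """Model of 'aaa authentication login default group radius local'."""
    return [("radius", radius(radius_up, RADIUS_USERS)),
            ("local", local(LOCAL_USERS))]

if __name__ == "__main__":
    for up in (False, True):
        for user, pw in (("test", "radius-pw"), ("aaateam", "local-pw")):
            print("radius_up =", up, user, login(method_list(up), user, pw))
```

With RADIUS reachable, the local account is rejected by RADIUS and `local` is never consulted, so local fallback credentials only help when the server is actually unreachable.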