Radius authentication help on router

May 18th, 2010

Hello,


I have managed to get RADIUS authentication (Windows IAS) to work on one of my routers; however, I managed to lock my Windows Active Directory account out, and I then thought: imagine if I had done this remotely! Is there a way that, if AAA authentication doesn't work, it could use the local username and password on the router or the telnet password?


Here is my test config:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c1841
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default group radius
aaa authorization exec default group radius
!
aaa session-id common
clock timezone utc 0
clock summer-time bst recurring last Sun Mar 2:00 last Sun Oct 3:00
ip cef
!
!
!
!
no ip domain lookup
login on-failure log
login on-success log
!
!
username cisco privilege 15 password 0 password
archive
log config
  logging enable
  logging size 200
  notify syslog
  hidekeys
!
interface FastEthernet0/0
ip address 192.168.60.222 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.252
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.60.254
!
ip http server
no ip http secure-server
!
ip radius source-interface FastEthernet0/0
logging trap notifications
logging source-interface FastEthernet0/0
logging 192.168.21.19
radius-server host 192.168.22.6 auth-port 1645 acct-port 1646 key test1
!
control-plane
!
!
line con 0
password password
line aux 0
line vty 0 4
password password
!
scheduler allocate 20000 1000
end

Andy White Tue, 05/18/2010 - 06:55

Thanks. So if the RADIUS server cannot be contacted the router will default to local authentication, and as soon as the RADIUS server is back online RADIUS authentication will resume?

Reza Sharifi Tue, 05/18/2010 - 06:59

That is correct. Once the RADIUS server is online, it will be the primary for authentication.

Andy White Tue, 05/18/2010 - 07:01

I just changed the RADIUS server IP in the config and then attempted to log in via telnet to the router, but it failed:

User Access Verification


Username: cisco
Password:
% Authorization failed.

Connection to host lost.

C:\>

On the router I got:

*May 18 14:06:34.771: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 192.168.90.11] [localport: 23] at 15:06:34 bst Tue May 18 2010


Am I missing something?

Reza Sharifi Tue, 05/18/2010 - 07:08

Did you add this command to your config?

aaa authentication login default group radius local

Andy White Tue, 05/18/2010 - 07:28

Yeah, I have these 2 lines, and I turned off the RADIUS service.

aaa authentication login default group radius local
aaa authorization exec default group radius

Andy White Tue, 05/18/2010 - 08:14

I had to amend the other line as well as the one you mentioned:

aaa authorization exec default group radius local

Reza Sharifi Tue, 05/18/2010 - 08:53

If you have, for example, the wrong RADIUS server configured, you should see something like this in the logs:

*Apr  7 04:52:29.801: %RADIUS-4-RADIUS_DEAD: RADIUS server 1.1.1.30:1645,1646 is not responding.
*Apr  7 04:52:29.801: %RADIUS-4-RADIUS_ALIVE: RADIUS server 1.1.1.30:1645,1646 is being marked alive.
Switch-C#

Here is the config:

aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius local

radius-server host 1.1.1.30 auth-port 1645 acct-port 1646

As soon as I remove "radius-server host 1.1.1.30", I get authenticated locally without waiting for the RADIUS timeout.

Richard Burts Tue, 05/18/2010 - 10:57

Certainly you need to have something in the config for authorization to serve as an alternative in case the authentication server is not available. While this is OK:

aaa authorization exec default group radius local

I would suggest that this is even better:

aaa authorization exec default group radius if-authenticated

HTH


Rick

Andy White Tue, 05/18/2010 - 14:13

Hi,

I thought mine does have an alternative? With "local" at the end, it allows me to use the usernames and passwords if the RADIUS server is unavailable. For my understanding, what does your example do, as I may try it?


Many thanks

Richard Burts Wed, 05/19/2010 - 05:31

Andy


My suggestion is a bit more general and says that if authorization is required and the authentication/authorization server is not available, then assume authorization as long as the user has been successfully authenticated. Your approach is a bit more specific and says that if authorization is required and the authentication/authorization server is not available, then the router should conduct authorization using the local database of user IDs.


Here is a scenario in which our solutions behave differently. Assume that a user has logged on and authenticated via the RADIUS server. Then assume that the server has become unavailable and that the user now needs authorization. In my suggestion the user is successful, since they have been successfully authenticated. In your approach the router needs to authorize using the local database, but the router does not know which record in the local database applies, since the user did not authenticate using the local database.


Also I would like to offer one clarification: in re-reading your original post I notice that part of the original problem was that you locked your AD account. This implies that the router was communicating with the server but that the server was not authenticating (or authorizing). In this case, using the "local" option as the backup method for authentication or authorization would not resolve your problem. If the router sends a request to the server and receives a response of "not authenticated" (or "not authorized"), then the router will not use the local option.


HTH


Rick
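The two points made across this thread (Reza's "group radius local" fallback only kicking in when the server is unreachable, and Rick's explanation of why a locked AD account never reaches the local method and why "if-authenticated" and "local" differ for authorization) come down to one rule of IOS method-list evaluation: the next method is tried only when the previous one returns an error, never when it returns an explicit reject. The following Python model is an added example written for this page, not Cisco code or anything from the thread. The RadiusServer and LocalDb classes and the user names and passwords are constructed; the treatment of an unknown local username as an "error" (so that evaluation continues) is this example's modelling assumption.

```python
"""Model of IOS AAA method-list evaluation: a later method is consulted only
when the earlier one returns an ERROR (server unreachable, no usable record);
an explicit PASS or FAIL from a method ends the evaluation."""
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method granted access
    FAIL = "fail"    # method answered and refused (bad password, locked account)
    ERROR = "error"  # method could not answer (server dead, user unknown locally)


@dataclass
class RadiusServer:
    """Constructed stand-in for the Windows IAS server in the thread."""
    reachable: bool = True
    accounts: dict = field(default_factory=dict)  # user -> (password, locked)

    def authenticate(self, user, password, ctx):
        if not self.reachable:
            return Result.ERROR          # no response: the router moves on
        entry = self.accounts.get(user)
        if entry is None:
            return Result.FAIL           # Access-Reject: evaluation stops here
        pw, locked = entry
        return Result.PASS if (pw == password and not locked) else Result.FAIL

    def authorize(self, user, ctx):
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if user in self.accounts else Result.FAIL


@dataclass
class LocalDb:
    """The router's 'username ... privilege 15 password ...' entries."""
    users: dict = field(default_factory=dict)  # user -> password

    def authenticate(self, user, password, ctx):
        if user not in self.users:
            return Result.ERROR          # assumption: unknown user is an error, not a reject
        return Result.PASS if self.users[user] == password else Result.FAIL

    def authorize(self, user, ctx):
        # No local record means the router has nothing to authorize against.
        return Result.PASS if user in self.users else Result.ERROR


class IfAuthenticated:
    """The 'if-authenticated' authorization method: succeed for any
    session that already passed authentication, whatever method did it."""
    def authorize(self, user, ctx):
        return Result.PASS if ctx.get("authenticated_as") == user else Result.FAIL


def run_list(methods, call):
    """Walk the method list; return (result, method name) of the first
    method that gives a definite answer, or (ERROR, None) if none does."""
    for name, method in methods:
        r = call(method)
        if r is not Result.ERROR:
            return r, name
    return Result.ERROR, None


def login(methods, user, password, ctx):
    r, via = run_list(methods, lambda m: m.authenticate(user, password, ctx))
    if r is Result.PASS:
        ctx["authenticated_as"] = user
    return r, via


def exec_authz(methods, user, ctx):
    return run_list(methods, lambda m: m.authorize(user, ctx))


def scenario_server_down():
    """'group radius local' with RADIUS unreachable: local answers."""
    radius = RadiusServer(reachable=False, accounts={"andy": ("Secret1", False)})
    local = LocalDb({"cisco": "password"})
    return login([("radius", radius), ("local", local)], "cisco", "password", {})


def scenario_locked_ad_account():
    """Server up but the AD account locked: RADIUS rejects, local is never tried."""
    radius = RadiusServer(accounts={"andy": ("Secret1", True)})
    local = LocalDb({"andy": "Secret1"})
    return login([("radius", radius), ("local", local)], "andy", "Secret1", {})


def scenario_authz_after_server_dies():
    """User authenticated via RADIUS, then the server dies before exec
    authorization: 'local' has no record for them, 'if-authenticated' does."""
    radius = RadiusServer(accounts={"andy": ("Secret1", False)})
    local = LocalDb({"cisco": "password"})
    ctx = {}
    login([("radius", radius), ("local", local)], "andy", "Secret1", ctx)
    radius.reachable = False
    with_local = exec_authz([("radius", radius), ("local", local)], "andy", ctx)
    with_ifauth = exec_authz([("radius", radius), ("if-authenticated", IfAuthenticated())], "andy", ctx)
    return with_local, with_ifauth


if __name__ == "__main__":
    print(scenario_server_down(), scenario_locked_ad_account(), scenario_authz_after_server_dies())
```

The locked-account scenario is the one to keep in mind operationally: the "local" fallback is a defence against a dead or unreachable server, not against a server that answers with a reject, so a console login (line con 0) or an out-of-band path is still the safety net for a locked directory account.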
