Multiple AAA methods

Unanswered Question
Jun 11th, 2003

I've set up a router to authenticate using a RADIUS group and authorise exec locally. It all works fine, but I also want local authentication if access to all RADIUS servers fails.


Looking at the docs, it should be as simple as:


aaa group server radius RADIUSGroup
 server 1.1.1.1 auth-port 1645 acct-port 1646
 server 2.2.2.2 auth-port 1645 acct-port 1646
!
! login: try the RADIUS servers first, then the local user database
aaa authentication login default group radius local
! exec authorisation is always done from the local database
aaa authorization exec default local


However, when I disable access to the RADIUS servers (using an ACL) it fails to authenticate locally.


I've set the RADIUS dead timer to 1 minute and can see that the router considers all servers to be dead (using debug radius), but it still doesn't authenticate locally. It looks as though it's not even attempting to.


Am I missing something?


I've tried this on:

2611XM - IOS 12.2(15)T2 firewall

1603R - IOS 12.0(3)T


TIA.

mhoda Wed, 06/11/2003 - 08:32

Hi,


Your configuration looks good. Did you create the local user on router?


config t
username tia password cisco


If you already had the user created then try to see if the following is working:


aaa authentication login default local group radius


The implication is slightly different, but it will do the job for you. Thanks,


Mynul
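The difference between `group radius local` and `local group radius` comes down to how IOS walks a method list: a method that answers PASS or FAIL ends the evaluation, and only a method that returns ERROR (no reachable server, or no usable answer) hands off to the next one. So with RADIUS first, a user the RADIUS server rejects is never checked locally, and the local account is reachable only while every RADIUS server is dead; with local first, a valid local password is accepted without RADIUS ever being consulted. The following Python model is an added example, not code from this thread or from Cisco: the PASS/FAIL/ERROR rule is the documented method-list behaviour, the user databases are constructed sample data, and the choice to have the `local` method return ERROR for a username that is not in the local database (so the next method is tried) is a modeling assumption.

```python
"""Model of IOS AAA method-list fallback (added example, not from the thread)."""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "PASS"    # method authenticated the user: evaluation stops
    FAIL = "FAIL"    # method answered and rejected the user: evaluation stops
    ERROR = "ERROR"  # method could not answer: next method in the list is tried


# Constructed credential stores for the example (not from the thread).
LOCAL_USERS: Dict[str, str] = {"tia": "cisco"}
RADIUS_USERS: Dict[str, str] = {"alice": "radius-secret"}


def local_method(user: str, pw: str, radius_up: bool) -> Result:
    """The 'local' method. Modeling assumption: a username that is not in the
    local database yields ERROR (so the next method runs); a known user with a
    wrong password yields FAIL (login rejected, no further methods)."""
    if user not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[user] == pw else Result.FAIL


def radius_method(user: str, pw: str, radius_up: bool) -> Result:
    """The 'group radius' method. No reachable server -> ERROR;
    an Access-Reject from a reachable server -> FAIL (no fallback)."""
    if not radius_up:
        return Result.ERROR
    return Result.PASS if RADIUS_USERS.get(user) == pw else Result.FAIL


METHODS: Dict[str, Callable[[str, str, bool], Result]] = {
    "group radius": radius_method,
    "local": local_method,
}


def authenticate(method_list: List[str], user: str, pw: str,
                 radius_up: bool) -> Tuple[Result, str]:
    """Walk the method list in order. Only ERROR moves on to the next method;
    PASS and FAIL are final. Returns (decision, method that decided).
    If every method errors, the login fails and no method is credited."""
    for name in method_list:
        res = METHODS[name](user, pw, radius_up)
        if res is not Result.ERROR:
            return res, name
    return Result.ERROR, "none"


# (method list, user, password, RADIUS reachable?) scenarios, constructed.
SCENARIOS = [
    (["group radius", "local"], "alice", "radius-secret", True),
    (["group radius", "local"], "tia", "cisco", True),    # rejected, never local
    (["group radius", "local"], "tia", "cisco", False),   # servers dead: local
    (["group radius", "local"], "tia", "wrong", False),
    (["local", "group radius"], "tia", "cisco", True),    # RADIUS never asked
    (["local", "group radius"], "alice", "radius-secret", True),
    (["group radius"], "tia", "cisco", False),            # no fallback at all
]


def run_scenarios() -> List[Tuple[str, str, bool, str, str]]:
    """Evaluate every scenario and return rows for display or checking."""
    rows = []
    for methods, user, pw, up in SCENARIOS:
        res, by = authenticate(methods, user, pw, up)
        rows.append((" ".join(methods), user, up, res.value, by))
    return rows


if __name__ == "__main__":
    print(f"{'method list':22} {'user':6} {'radius':7} {'result':6} decided by")
    for ml, user, up, res, by in run_scenarios():
        print(f"{ml:22} {user:6} {str(up):7} {res:6} {by}")
```

Running the block prints one row per scenario; the two rows worth comparing are `group radius local` with RADIUS up and a local-only user (FAIL, decided by RADIUS) and `local group radius` with the same user (PASS, decided locally without RADIUS being asked), which is the "slightly different implication" of swapping the order.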


shitching Mon, 06/16/2003 - 02:13

Thanks for the reply.


The local user is there and authenticates OK when I'm not using RADIUS.


The problem with putting local before RADIUS is that I want the local username to be used only as a last resort when there is a comms problem; otherwise I might as well not bother with RADIUS at all.


Cisco's documentation clearly states that each authentication method will be used in turn, but from what I've seen this simply isn't true.


I wonder if anyone has got this to work?

mhoda Thu, 06/19/2003 - 10:03

Hi,


It does fall back unless there is a bug in the code. Please provide us the output of the following debugs:


debug aaa authentication
debug aaa authorization
debug radius


Also, snippet of the AAA portion of most current config. Thanks,


Mynul

shitching Mon, 06/23/2003 - 04:20

Cheers.


I've now got it to work by adding aaa accounting:

aaa authentication login default local
aaa authentication login TelnetAAA group radius local
aaa authorization exec TelnetAAA group radius local
aaa accounting exec default start-stop group radius


I'm still adamant that you're not meant to need it, but it works. Thanks for the help.
