I've set up a router to authenticate using a RADIUS group and authorise exec locally. It all works fine but I also want local authentication if access to all RADIUS servers fails.
Looking at the docs it should be as simple as:
aaa group server radius RADIUSGroup
 server 188.8.131.52 auth-port 1645 acct-port 1646
 server 184.108.40.206 auth-port 1645 acct-port 1646
aaa authentication login default group radius local
aaa authorization exec default local
However, when I disable access to the RADIUS servers (using an ACL) it fails to authenticate locally.
I've set the RADIUS dead timer to 1 minute and can see that the router considers all servers to be dead (using debug radius) but it still doesn't authenticate locally. It looks as though it's not even attempting to.
Am I missing something?
I've tried this on:
2611XM - IOS 12.2(15)T2 firewall
1603R - IOS 12.0(3)T