Multiple AAA methods

shitching
Level 1

I've set up a router to authenticate using a RADIUS group and authorise exec locally. It all works fine, but I also want local authentication if access to all RADIUS servers fails.

Looking at the docs, it should be as simple as:

aaa group server radius RADIUSGroup
 server 1.1.1.1 auth-port 1645 acct-port 1646
 server 2.2.2.2 auth-port 1645 acct-port 1646
aaa authentication login default group radius local
aaa authorization exec default local

However, when I disable access to the RADIUS servers (using an ACL) it fails to authenticate locally.

I've set the RADIUS dead timer to 1 minute and can see that the router considers all servers to be dead (using debug radius), but it still doesn't authenticate locally. It looks as though it's not even attempting to.

Am I missing something?

I've tried this on:

2611XM - IOS 12.2(15)T2 firewall

1603R - IOS 12.0(3)T

TIA.

4 Replies

mhoda
Level 5

Hi,

Your configuration looks good. Did you create the local user on the router?

config t
 username tia pass cisco

If you already had the user created then try to see if the following is working:

aaa authentication login default local group radius

The implication is slightly different, but it will do the job for you. Thanks,

Mynul

Thanks for the reply.

The local user is there and authenticates OK when I'm not using RADIUS.

The problem with putting local before RADIUS is that I want the local username to be used only as a last resort where there is a comms problem; otherwise I might as well not bother with RADIUS at all.

Cisco's documentation clearly states that each authentication method will be used in turn, but from what I've seen this simply isn't true.

I wonder if anyone has got this to work?

Hi,

It does fall back unless there is a bug in the code. Please provide us the output of the following debugs:

debug aaa authe
debug aaa autho
debug radius

Also, a snippet of the AAA portion of the most current config. Thanks,

Mynul

Cheers.

I've now got it to work by adding aaa accounting:

aaa authentication login default local
aaa authentication login TelnetAAA group radius local
aaa authorization exec TelnetAAA group radius local
aaa accounting exec default start-stop group radius

I'm still adamant that you're not meant to need it, but it works. Thanks for the help.
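As an added example (not code from the thread or from Cisco), the Python script below parses the kind of `aaa authentication login` / `aaa authorization exec` method lists discussed above and flags the three orderings the thread touches on: a list with only a server group and no `local` fallback (lockout if every RADIUS server is dead), `local` placed before the group (Mynul's suggestion, which makes the local database the primary method rather than a last resort), and a local-only list (RADIUS not used at all). The sample config is constructed for this example from the lines quoted in the thread plus two hypothetical lists, CONSOLE and VTY, to exercise the other orderings; the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample config for this example: the AAA lines quoted in the thread,
# plus two hypothetical lists (CONSOLE, VTY) to exercise the other orderings.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius RADIUSGroup
 server 1.1.1.1 auth-port 1645 acct-port 1646
 server 2.2.2.2 auth-port 1645 acct-port 1646
aaa authentication login default local
aaa authentication login TelnetAAA group radius local
aaa authentication login CONSOLE group radius
aaa authentication login VTY local group radius
aaa authorization exec TelnetAAA group radius local
aaa accounting exec default start-stop group radius
"""

# Only login authentication and exec authorization lists are audited here.
METHOD_LINE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")

MESSAGES = {
    "no-local-fallback": "only server groups listed: if every server is dead, nobody can log in",
    "local-before-group": "local is consulted first, so RADIUS is never the primary method",
    "local-only": "no server group: RADIUS is not used at all for this list",
}


def parse_method_lists(config: str) -> Dict[str, List[str]]:
    """Map 'kind/listname' -> ordered methods, keeping 'group <name>' as one token."""
    lists: Dict[str, List[str]] = {}
    for raw in config.splitlines():
        m = METHOD_LINE.match(raw.strip())
        if not m:
            continue
        kind, name, rest = m.groups()
        tokens = rest.split()
        methods: List[str] = []
        i = 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append(f"group {tokens[i + 1]}")
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[f"{kind}/{name}"] = methods
    return lists


def audit_method_lists(lists: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (list, finding-code) pairs for lists that do not read 'group ... local'."""
    findings: List[Tuple[str, str]] = []
    for key, methods in lists.items():
        group_positions = [i for i, m in enumerate(methods) if m.startswith("group ")]
        has_local = "local" in methods
        if group_positions and not has_local:
            findings.append((key, "no-local-fallback"))
        elif group_positions and methods.index("local") < group_positions[0]:
            findings.append((key, "local-before-group"))
        elif not group_positions and has_local:
            findings.append((key, "local-only"))
    return findings


if __name__ == "__main__":
    parsed = parse_method_lists(SAMPLE_CONFIG)
    for key, code in audit_method_lists(parsed):
        print(f"{key}: {' '.join(parsed[key])} -> {code}: {MESSAGES[code]}")
```

Run it against the output of `show running-config | include ^aaa` from a real device instead of the constructed sample to confirm that every method list used for remote access ends in `local`. The `local-only` finding is informational: on the OP's final config it fires on the `default` list, which is exactly what was intended there.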
