06-11-2003 03:53 AM - edited 03-10-2019 07:21 AM
I've set up a router to authenticate using a RADIUS group and authorise exec locally. It all works fine but I also want local authentication if access to all RADIUS servers fails.
Looking at the docs it should be as simple as:
aaa group server radius RADIUSGroup
server 1.1.1.1 auth-port 1645 acct-port 1646
server 2.2.2.2 auth-port 1645 acct-port 1646
aaa authentication login default group radius local
aaa authorization exec default local
However, when I disable access to the RADIUS servers (using an ACL) it fails to authenticate locally.
I've set the RADIUS dead timer to 1 minute and can see that the router considers all servers to be dead (using debug radius) but it still doesn't authenticate locally. It looks as though it's not even attempting to.
Am I missing something?
I've tried this on:
2611XM - IOS 12.2(15)T2 firewall
1603R - IOS 12.0(3)T
TIA.
06-11-2003 08:32 AM
Hi,
Your configuration looks good. Did you create the local user on router?
config t
username tia pass cisco
If you already had the user created then try to see if the following is working:
aaa authentication login default local group radius
Implication is slightly different but will do the job for you. Thanks,
Mynul
06-16-2003 02:13 AM
Thanks for the reply.
The local user is there and authenticates OK when I'm not using RADIUS.
The problem with putting local before RADIUS is that I want the local username to be used only as a last resort where there is a comms problem, otherwise I might as well not bother with RADIUS at all.
Cisco's documentation clearly states that each authentication method will be used in turn, but from what I've seen this simply isn't true.
I wonder if anyone has got this to work?
06-19-2003 10:03 AM
Hi,
It does fall back unless there is a bug in the code. Please provide us the output of the following debug:
debug aaa authe
debug aaa autho
debug radius
Also, snippet of the AAA portion of most current config. Thanks,
Mynul
06-23-2003 04:20 AM
Cheers.
I've now got it to work by adding aaa accounting:
aaa authentication login default local
aaa authentication login TelnetAAA group radius local
aaa authorization exec TelnetAAA group radius local
aaa accounting exec default start-stop group radius
I'm still adamant that you're not meant to need it, but it works. Thanks for the help.
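Because the working config above pairs a local-only default list with a named TelnetAAA list, it is worth checking that every login method list ends in a local fallback and that each named list is actually applied to a line (a named list that no line references is never used; the default list applies instead). The script below is an added example, not from this thread or from Cisco; it parses the thread's final AAA lines plus a constructed vty block and reports those two problems. The ConsoleOnly list is a constructed example of a list with no fallback.

```python
"""Audit Cisco IOS 'aaa authentication login' method lists for a local fallback.

Added example (not part of the thread). It checks two things the thread
touches on: a list whose last method still needs a reachable server, and a
named list that no 'line' block applies with 'login authentication <name>'.
"""
import re
from typing import Dict, List, Set, Tuple

# Methods that succeed or fail without any AAA server reachable, so they can
# terminate a fallback chain. 'none' is included only so it is not mis-flagged;
# it is reported separately because it disables authentication entirely.
LOCAL_METHODS = {"local", "local-case", "enable", "line", "none"}

# Constructed sample: the thread's final config plus a vty block that applies
# TelnetAAA, and a ConsoleOnly list (invented here) with no local fallback.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login TelnetAAA group radius local
aaa authentication login ConsoleOnly group radius
aaa authorization exec TelnetAAA group radius local
aaa accounting exec default start-stop group radius
line vty 0 4
 login authentication TelnetAAA
"""

def parse_login_lists(config: str) -> Dict[str, List[str]]:
    """Map each 'aaa authentication login <name> ...' list to its method tokens."""
    lists: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = re.match(r"\s*aaa authentication login (\S+)\s+(.+?)\s*$", line)
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists

def applied_lists(config: str) -> Set[str]:
    """Names applied to a line with an indented 'login authentication <name>'."""
    return set(re.findall(r"^\s+login authentication (\S+)", config, re.M))

def audit(config: str) -> List[Tuple[str, str]]:
    """Return (list name, issue) pairs; an empty list means no findings."""
    findings: List[Tuple[str, str]] = []
    applied = applied_lists(config)
    for name, methods in parse_login_lists(config).items():
        if methods[-1] not in LOCAL_METHODS:   # e.g. ends in 'group radius'
            findings.append((name, "no-local-fallback"))
        if "none" in methods:
            findings.append((name, "none-method-present"))
        if name != "default" and name not in applied:
            findings.append((name, "not-applied-to-any-line"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_CONFIG):
        print(f"{name}: {issue}")
```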