My question is not really about the protocol or it's operation, it's more about how an IOS device (router/switch etc) behaves when an administrator logs-in via Telnet.
If the IOS box is configured to authenticate against a Radius server and is unable to reach the server for some reason, the response to the user is along the lines of "authentication failed" and the 'Username' prompt reappears.
Typically a locally configured fallback user account/password will be different to that configured in Radius server database, but there is no clue from the IOS box as to which authentication method just 'failed'; consequently the user doesn't know whether:
a. they just typed the wrong username or password for Radius and should try again, or
b. Radius is not working and they should instead use the local fallback userid/password.
My point is that the only way an admin will 'know' to use the fallback ID is because their Radius credentials consistently fail to gain access, and trying the fallback ID works! Pretty confusing to someone inexperienced.
I would have expected a way for IOS to advise the person attempting to log-in that they just failed to authenticate because Radius is not responding, not because their credentials were rejected. There doesn't seem to be any difference from the users perspective.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :