I've set up a router to authenticate using a RADIUS group and authorise exec locally. It all works fine but I also want local authentication if access to all RADIUS servers fails.
Looking at the docs it should be as simple as:
aaa group server radius RADIUSGroup
server 22.214.171.124 auth-port 1645 acct-port 1646
server 126.96.36.199 auth-port 1645 acct-port 1646
aaa authentication login default group radius local
aaa authorization exec default local
However, when I disable access to the RADIUS servers (using an ACL) it fails to authenticate locally.
I've set the RADIUS dead timer to 1 minute and can see that the router considers all servers to be dead (using debug radius) but it still doesn't authenticate locally. It looks as though it's not even attempting to.
The local user is there and authenticates OK when I'm not using RADIUS.
The problem with putting local before RADIUS is that I want the local username to be used only as a last resort where there is a comms problem, otherwise I might as well not bother with RADIUS at all.
Cisco's documentation clearly states that each authentication method will be used in turn, but from what I've seen this simply isn't true.
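An added example (not part of the original post, and not Cisco tooling): a small Python audit of the configuration posted above that reports, for each login method list, the order in which methods are tried, whether local is the final fallback, and which server groups are referenced or defined but unused. The names audit_login_lists and BUILTIN_GROUPS are made up for this example; the check reports what the configuration says and does not by itself explain the failure described.

```python
import re

# Configuration as posted above (addresses exactly as they appear on the page).
POSTED_CONFIG = """\
aaa group server radius RADIUSGroup
 server 22.214.171.124 auth-port 1645 acct-port 1646
 server 126.96.36.199 auth-port 1645 acct-port 1646
aaa authentication login default group radius local
aaa authorization exec default local
"""

# Group names IOS predefines; any other name must be declared with "aaa group server".
BUILTIN_GROUPS = {"radius", "tacacs+"}


def audit_login_lists(config):
    """Return (findings, unused_groups) for the 'aaa authentication login' lists."""
    defined = set(re.findall(r"^aaa group server \S+ (\S+)", config, re.M))
    findings, referenced = [], set()
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        tokens = m.group(2).split()
        methods, i = [], 0
        while i < len(tokens):
            # "group <name>" is one method; every other keyword stands alone.
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append(("group", tokens[i + 1]))
                i += 2
            else:
                methods.append((tokens[i], None))
                i += 1
        groups = [g for kind, g in methods if kind == "group"]
        referenced.update(groups)
        findings.append({
            "list": m.group(1),
            "order": [g if kind == "group" else kind for kind, g in methods],
            "local_last": methods[-1][0] in ("local", "local-case"),
            "undefined_groups": [g for g in groups
                                 if g not in defined and g not in BUILTIN_GROUPS],
        })
    # Server groups that are declared but that no login list points at.
    return findings, sorted(defined - referenced)


if __name__ == "__main__":
    results, unused = audit_login_lists(POSTED_CONFIG)
    for r in results:
        print(r)
    print("defined but unreferenced groups:", unused)
```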