Opinions on best CLI IOS authentication model

Anyone care to mention what works well and what doesn't for alternatives to the default enable/exec password scheme in IOS? I've got RADIUS authentication working on an AP1200, and am thinking of using it elsewhere, but I'm concerned about what happens if the RADIUS server goes down. Can I fall back to enable/exec passwords? Does console access still use these?


Re: Opinions on best CLI IOS authentication model

Ben

There are a number of alternatives to the default of using line and enable passwords. Most of these alternatives are configured through aaa in IOS. If you have Radius working in an AP1200 then you should have a head start in understanding what to do in IOS.

The basics of configuring aaa authentication are that you refer to method lists. Line passwords are a method list, enable passwords are a method list, radius is a method list. You can refer to multiple method lists for authentication. When you have multiple method lists for authentication the IOS will try the first one and if it is not available IOS will try the next one. So for example you might configure this:

aaa authentication login default group radius line

This will provide authentication for login (by default this includes console and vty lines, but you can change that in the configuration if you want to) and will first try the Radius server, but if the Radius server is not available the IOS will use the configured line passwords.

To authenticate privilege mode you might configure this:

aaa authentication enable default group radius enable

This configuration authenticates privilege mode by using the Radius server first and if it is not available IOS will fall back to using the configured enable secret (or password).

HTH

Rick
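A fuller version of the fallback model Rick describes, added here as an example and not taken from the original thread; the RADIUS server address, shared key, secrets and the list name CONSOLE are placeholders, and the classic radius-server host syntax is assumed:

```cisco
! Added example (not from the original post). Placeholders: 192.0.2.10,
! REPLACE_WITH_* values and the list name CONSOLE.
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE_WITH_SHARED_KEY
radius-server timeout 3
radius-server deadtime 5
!
! Login: RADIUS first; the line password is used only when no RADIUS
! server answers. A reject from a reachable server does NOT fall through.
aaa authentication login default group radius line
!
! Console gets its own named list so it never depends on RADIUS at all.
aaa authentication login CONSOLE line
!
! Privilege mode: RADIUS first, then the locally configured enable secret.
aaa authentication enable default group radius enable
!
enable secret REPLACE_WITH_ENABLE_SECRET
!
! The line passwords that the "line" method falls back to.
line con 0
 password REPLACE_WITH_CONSOLE_PASSWORD
 login authentication CONSOLE
line vty 0 4
 password REPLACE_WITH_VTY_PASSWORD
 login authentication default
```

With deadtime set, a server that stops responding is skipped for the configured number of minutes, so later logins fall back to the line password without waiting out the timeout each time.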
