Anyone care to mention what works well and what doesn't for alternatives to the default enable/exec password scheme in IOS? I've got RADIUS authentication working on an AP1200, and am thinking of using it elsewhere, but I'm concerned about what happens if the RADIUS server goes down. Can I fall back to enable/exec passwords? Does console access still use these?
There are a number of alternatives to the default of using line and enable passwords. Most of these alternatives are configured through AAA in IOS. If you have RADIUS working on an AP1200, then you should have a head start in understanding what to do in IOS.
The basics of configuring AAA authentication are that you refer to method lists. Line passwords are a method list, enable passwords are a method list, RADIUS is a method list. You can refer to multiple method lists for authentication. When you have multiple method lists for authentication, IOS will try the first one, and if it is not available IOS will try the next one. So, for example, you might configure this:
aaa authentication login default group radius line
This will provide authentication for login (by default this includes console, vty lines, but you can change that in the configuration if you want to) and will first try the RADIUS server, but if the RADIUS server is not available, IOS will use the configured line passwords.
To authenticate privilege mode you might configure this:
aaa authentication enable default group radius enable
This configuration authenticates privilege mode by using the RADIUS server first, and if it is not available IOS will fall back to using the configured enable secret (or password).
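The fallback described above only helps if the fallback credential is actually configured: a `line` method on a line with no password, or an `enable` method with no enable secret, leaves nothing to fall back to. As an added example (not part of the original reply), this Python sketch audits an IOS-style configuration for that condition; the function name `audit_aaa_fallback` and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample running-config for illustration (not from the thread).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius line
aaa authentication enable default group radius enable
enable secret 5 <hash-placeholder>
line con 0
 password 7 <placeholder>
line vty 0 4
 transport input ssh
"""

def audit_aaa_fallback(config):
    """Report default method lists whose fallback would not work (hypothetical helper)."""
    lines = config.splitlines()
    methods = {}  # 'login' / 'enable' -> methods in the order IOS tries them
    for ln in lines:
        m = re.match(r"aaa authentication (login|enable) default (.+)", ln)
        if m:
            methods[m.group(1)] = m.group(2).replace("group ", "group:").split()
    has_enable_pw = any(re.match(r"enable (secret|password) ", ln) for ln in lines)
    line_pw, current = {}, None  # 'line vty 0 4' -> True if a password is set
    for ln in lines:
        if ln.startswith("line "):
            current = ln.strip()
            line_pw[current] = False
        elif ln.startswith(" ") and current:
            if ln.strip().startswith("password "):
                line_pw[current] = True
        else:
            current = None
    findings = []
    for kind, ms in methods.items():
        if len(ms) == 1 and ms[0].startswith("group:"):
            findings.append(f"{kind}: no fallback after {ms[0]}")
        if "line" in ms:
            findings += [f"{kind}: 'line' fallback but no password on '{name}'"
                         for name, has_pw in line_pw.items() if not has_pw]
        if "enable" in ms and not has_enable_pw:
            findings.append(f"{kind}: 'enable' fallback but no enable secret/password")
    return findings

if __name__ == "__main__":
    for finding in audit_aaa_fallback(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the console has a line password but the vty lines do not, so remote logins would have no working fallback while RADIUS is unreachable.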