
Can you have an Authentication Group (radius) configured and a local user?

I have a radius group configured: aaa authentication login AUTHENTICATE group radius

If my radius server quits working I can't use the VPN to get in. Is there any way to add a local login in case the radius server isn't available?

5 REPLIES

Re: Can you have a Authentication Group (radius) configured and

You can use LOCAL as a backup

tunnel-group general-attributes

authentication-server-group (inside) LOCAL

See Step-2

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpngrp.html#wp1133080


Re: Can you have a Authentication Group (radius) configured and

How does this work, does the hardware recognize that its aaa server is unavailable and let the local authentication take place?

Re: Can you have a Authentication Group (radius) configured and

The keyword [LOCAL] pertains to the ASA local user database. If you have a RADIUS server configured as the primary server to authenticate remote VPN users, and that RADIUS server is no longer available, the LOCAL ASA user database will be used as a backup to RADIUS for authentication; that is, you must also have those VPN user accounts and passwords created in the ASA local user database.


Re: Can you have a Authentication Group (radius) configured and

Sorry, let me clarify. I am configuring Cisco VPN client on a Cisco router. I know that if I am running TACACS I can still configure a local username/password to get into the router if the TACACS server is unavailable. My issue is that I have all of my VPN clients using RADIUS to authenticate into the VPN. If the RADIUS server is not available I cannot get in through VPN. Is it possible to configure a VPN client to authenticate locally if there is a RADIUS authentication group configured? Below is my config.

aaa new-model

!

!

aaa authentication login default local

aaa authentication login console local

aaa authentication login AUTHENTICATE group radius

aaa authorization network AUTHORIZE local

aaa session-id common

crypto map CRYPTOMAP client authentication list AUTHENTICATE

Re: Can you have a Authentication Group (radius) configured and

Jason, I do apologize for not asking; I thought all along your post was geared towards PIX/ASA instead of IOS.

I'm sorry, I do not have an answer. I'm hoping someone may have additional information on this one. I am sure there should be a solution other than having two TACACS servers as redundant authentication servers; in my experience with AAA in IOS, which goes way back, we used dual TACACS servers, but now your requirement is an addition to RA VPN and a single TACACS radius server. I will have to look it up at some point today. If anyone can comment, that will be great.
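
Added example, not part of the thread and not Cisco code: a small audit that reads an IOS configuration and flags any login method list referenced by `crypto map ... client authentication list` that names a server group but no `local` or `local-case` method, as the AUTHENTICATE list in the posted config does. It relies on standard IOS method-list behaviour: the next method is tried only when the previous one returns an error (for example, the server does not respond), not when it rejects the user, so a list of the form `group radius local` also needs matching local `username` entries. The function names and the sample string are constructed for this example.

```python
import re

# Constructed sample input: the AAA and crypto map lines from the post above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login console local
aaa authentication login AUTHENTICATE group radius
aaa authorization network AUTHORIZE local
aaa session-id common
crypto map CRYPTOMAP client authentication list AUTHENTICATE
"""

LOGIN_LIST = re.compile(r"^aaa authentication login (\S+) (.+)$")
XAUTH_REF = re.compile(r"^crypto map (\S+) client authentication list (\S+)$")


def parse_methods(spec):
    """Split 'group radius local' into ['group radius', 'local']."""
    tokens, methods, i = spec.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit_vpn_login_lists(config):
    """Return (crypto_map, list_name, problem) for VPN login lists lacking a local method."""
    lists, refs = {}, []
    for line in map(str.strip, config.splitlines()):
        if m := LOGIN_LIST.match(line):
            lists[m.group(1)] = parse_methods(m.group(2))
        elif m := XAUTH_REF.match(line):
            refs.append((m.group(1), m.group(2)))
    findings = []
    for crypto_map, name in refs:
        methods = lists.get(name)
        if methods is None:
            findings.append((crypto_map, name, "method list not defined"))
        elif (any(x.startswith("group ") for x in methods)
              and not any(x in ("local", "local-case") for x in methods)):
            findings.append((crypto_map, name, "no local fallback: " + ", ".join(methods)))
    return findings
```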
