topic AAA authentication preference in Network Access Control https://community.cisco.com/t5/network-access-control/aaa-authentication-preference/m-p/1964917#M186077 <HTML><HEAD></HEAD><BODY><P>With the command "aaa authentication login default local group radius" the local database is checked first and RADIUS is the fallback. But there is a "feature" that is sometimes not expected. If the user is not found in the local database the authentication is not rejected, but passed to the next method which is RADIUS.</P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Fri, 10 Aug 2012 19:09:35 GMT Karsten Iwen 2012-08-10T19:09:35Z AAA authentication preference https://community.cisco.com/t5/network-access-control/aaa-authentication-preference/m-p/1964916#M186065 <P>We have AAA configured as follows</P><P></P><P>aaa new-model</P><P></P><P>aaa authentication login default local group radius</P><P></P><P>aaa authentication enable default enable</P><P></P><P>aaa authorization exec default group radius if-authenticated</P><P></P><P>aaa session-id common</P><P></P><P></P><P>It was expected that switch will check the local username first and then Radius server. But it is not checking local username it's getting authenticated by RADUIS. even though default priority is for "local" and then "Radius group".</P><P></P><P>Please share the experience.</P><P>Thanks,</P><P>-Subodh</P> Mon, 11 Mar 2019 02:24:34 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-preference/m-p/1964916#M186065 bapatsubodh 2019-03-11T02:24:34Z AAA authentication preference https://community.cisco.com/t5/network-access-control/aaa-authentication-preference/m-p/1964917#M186077 <HTML><HEAD></HEAD><BODY><P>With the command "aaa authentication login default local group radius" the local database is checked first and RADIUS is the fallback. But there is a "feature" that is sometimes not expected. If the user is not found in the local database the authentication is not rejected, but passed to the next method which is RADIUS.</P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Fri, 10 Aug 2012 19:09:35 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-preference/m-p/1964917#M186077 Karsten Iwen 2012-08-10T19:09:35Z