topic Radius and Local Authentication in Network Access Control

Radius and Local Authentication

rfurman1161 — Mon, 11 Mar 2019 01:30:21 GMT

Hey everyone,

I'm having a small problem with some routers that I recently setup to authenticate to a new Windows 2008 R2 Radius Server. That part works fine, but it appears now that we cannot access the local usernames that were configured. Is it possible to do both or do I just have something not set up right? This is running on some older 2600 series routers with ssh enabled. Below is our standard config:

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

hostname Csico-R1

boot-start-marker

boot-end-marker

enable password **********************

memory-size iomem 15

aaa new-model

aaa group server radius RADIUS_AUTH

server 192.168.1.100 auth-port 1812 acct-port 1813

aaa authentication login default local

aaa authentication login networkaccess group RADIUS_AUTH enable

aaa authentication enable default enable

aaa authorization exec default group RADIUS_AUTH if-authenticated

aaa session-id common

ip subnet-zero

ip cef

no ip domain lookup

ip audit po max-events 100

username ciscoadmin password 7 ******************

username supercisco password 7 *****************

ip ssh time-out 60

ip ssh authentication-retries 5

ip ssh rsa keypair-name myrsakey

interface FastEthernet0/1

ip address 192.168.1.4 255.255.255.0

duplex auto

speed auto

no ip http server

no ip http secure-server

ip classless

ip radius source-interface FastEthernet0/1

radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key *****************

alias interface show do show

alias configure show do show

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

line vty 0 4

exec-timeout 0 0

privilege level 15

logging synchronous

transport input telnet ssh

line vty 5 15

exec-timeout 0 0

privilege level 15

logging synchronous

transport input telnet ssh

Thanks,

Robert

Radius and Local Authentication

Eduardo Aliaga — Mon, 24 Oct 2011 01:15:14 GMT

When you use a group of AAA server (radius or tacacs) the router will always look for the users within those AAA servers. The router can be configured to use the local database only if the AAA servers fail.

Radius and Local Authentication

Richard Burts — Mon, 24 Oct 2011 03:04:52 GMT

When you configure AAA authentication you can configure a primary authentication method, such as using Radius, and also one or more alternative authentication methods, including using the loal database on the router (or switch) which can be used if the primary method is not available.

Here is what is configured:

aaa authentication login networkaccess group RADIUS_AUTH enable

this says to use Radius as the primary authentication method and to use the enable password as the alternative method of authentication if the Radius server is not available. So in this case you would not use the local user name at all.

If you configured it this way:

aaa authentication login networkaccess group RADIUS_AUTH local

then it would try Radius and if Radius was not available then it would try the local user name.

HTH

Rick