https://community.cisco.com/t5/network-access-control/multiple-aaa-methods/m-p/150205#M436389 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply.</P><P></P><P>The local user is there and authenticates OK when I'm not using RADIUS. </P><P></P><P>The problem with putting local before RADIUS us that I want the local username to be used only as a last resort where there is a comm's problem, otherwise I might as well not bother with RADIUS at all.</P><P></P><P>Cisco's documentation clearly states that each authentication method will be used in turn, but from what I've seen this simply isn't true.</P><P></P><P>I wonder if anyone has got this to work?</P></BODY></HTML> Mon, 16 Jun 2003 09:13:05 GMT shitching 2003-06-16T09:13:05Z https://community.cisco.com/t5/network-access-control/multiple-aaa-methods/m-p/150203#M436387 <P>I've setup a router to authenticate using a RADIUS group and authorise exec locally. It all works fine but I also want local authentication if access to all RADIUS servers fail.</P><P></P><P>Looking at the doc's it should be as simple as:</P><P></P><P>aaa group server radius RADIUSGroup</P><P> server 1.1.1.1 auth-port 1645 acct-port 1646</P><P> server 2.2.2.2 auth-port 1645 acct-port 1646</P><P>aaa authentication login default group radius local</P><P>aaa authorization exec default local</P><P></P><P>However, when I disable access to the RADIUS servers (using an ACL) it fails to authenticate locally.</P><P></P><P>I've set the RADIUS dead timer to 1 minute and can see that the router considers all servers to be dead (using debug radius) but it still doesn't authenticate locally. It looks as though its not even attempting to.</P><P></P><P>Am I missing something?</P><P></P><P>I've tried this on:</P><P>2611XM - IOS 12.2(15)T2 firewall</P><P>1603R - IOS 12.0(3)T</P><P></P><P>TIA.</P> Sun, 10 Mar 2019 14:21:20 GMT https://community.cisco.com/t5/network-access-control/multiple-aaa-methods/m-p/150203#M436387 shitching 2019-03-10T14:21:20Z https://community.cisco.com/t5/network-access-control/multiple-aaa-methods/m-p/150204#M436388 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Your configuration looks good. Did you create the local user on router?</P><P></P><P>config t</P><P>username tia pass cisco</P><P></P><P>If you already had the user created then try to see if the following is working:</P><P></P><P>aaa authentication login default local group radius </P><P></P><P>Implication is slightly different but will do the job for you. Thanks,</P><P></P><P>Mynul </P><P></P></BODY></HTML> Wed, 11 Jun 2003 15:32:50 GMT https://community.cisco.com/t5/network-access-control/multiple-aaa-methods/m-p/150204#M436388 mhoda 2003-06-11T15:32:50Z https://community.cisco.com/t5/network-access-control/multiple-aaa-methods/m-p/150205#M436389 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply.</P><P></P><P>The local user is there and authenticates OK when I'm not using RADIUS. </P><P></P><P>The problem with putting local before RADIUS us that I want the local username to be used only as a last resort where there is a comm's problem, otherwise I might as well not bother with RADIUS at all.</P><P></P><P>Cisco's documentation clearly states that each authentication method will be used in turn, but from what I've seen this simply isn't true.</P><P></P><P>I wonder if anyone has got this to work?</P></BODY></HTML> Mon, 16 Jun 2003 09:13:05 GMT https://community.cisco.com/t5/network-access-control/multiple-aaa-methods/m-p/150205#M436389 shitching 2003-06-16T09:13:05Z https://community.cisco.com/t5/network-access-control/multiple-aaa-methods/m-p/150206#M436390 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>It does fall back unless there is bug in the code. Pl. provide us the output of the following debug:</P><P></P><P>debug aaa authe</P><P>debug aaa autho</P><P>debug radius</P><P></P><P>Also, snippet of the AAA portion of most current config. Thanks,</P><P></P><P>Mynul</P></BODY></HTML> Thu, 19 Jun 2003 17:03:17 GMT https://community.cisco.com/t5/network-access-control/multiple-aaa-methods/m-p/150206#M436390 mhoda 2003-06-19T17:03:17Z https://community.cisco.com/t5/network-access-control/multiple-aaa-methods/m-p/150207#M436391 <HTML><HEAD></HEAD><BODY><P>Cheers.</P><P></P><P>I've now got it to work by adding aaa accounting:</P><P>aaa authentication login default local</P><P>aaa authentication login TelnetAAA group radius local</P><P>aaa authorization exec TelnetAAA group radius local</P><P>aaa accounting exec default start-stop group radius</P><P></P><P>I'm still adamant that you're not meant to need it, but it works. Thanks for the help.</P></BODY></HTML> Mon, 23 Jun 2003 11:20:44 GMT https://community.cisco.com/t5/network-access-control/multiple-aaa-methods/m-p/150207#M436391 shitching 2003-06-23T11:20:44Z