AAA Authentication query
04-08-2004 07:03 AM - edited 03-10-2019 07:44 AM
Hi,
Anybody know if it's possible to have "login" and "network" users authenticating against 2 different RADIUS servers on a router? I.e. sys admins auth against RADIUS server 1 for logging in and PPP/network users auth against RADIUS server 2. How is this achieved?
04-15-2004 06:17 AM
As far as my knowledge goes, this is not possible.
04-30-2004 11:57 AM
If I understand your question correctly, I am doing that on several routers with TACACS, and it looks in the documentation like the same thing would work for RADIUS.
The key concept is server groups in AAA. I define one group for admin login and point it at one server. I define a second group for network/PPP (user) and point it at the other server. In AAA I define a special authentication method for admin and link it to the admin server group. I define the default authentication for login and link it to the user server group. On the vty ports I link them to the admin login method.
Key parts of the config:
aaa group server tacacs+ admin_TAC
 server 192.168.1.1
!
aaa group server tacacs+ user_TAC
 server 192.168.2.1
aaa authentication login default group user_TAC
aaa authentication login admin group admin_TAC line
aaa authentication ppp default if-needed group user_TAC
line vty 0 4
 login authentication admin
Rick
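An added example, not part of the post above and not Cisco tooling: a small Python check that resolves which AAA servers each login line and each PPP method list in a config would contact, given the server-group layout described above. It assumes sub-commands are indented as in `show running-config` output, and the `line con 0` entry in the sample is constructed to show that a line with no `login authentication` command uses the `default` list.

```python
import re

# Constructed sample: the thread's config plus a console line with no explicit list.
SAMPLE = """\
aaa group server tacacs+ admin_TAC
 server 192.168.1.1
!
aaa group server tacacs+ user_TAC
 server 192.168.2.1
aaa authentication login default group user_TAC
aaa authentication login admin group admin_TAC line
aaa authentication ppp default if-needed group user_TAC
line con 0
line vty 0 4
 login authentication admin
"""

def parse(config):
    """Return (server groups, method lists, line -> login list name)."""
    groups, lists, lines, ctx = {}, {}, {}, None
    for raw in config.splitlines():
        s = raw.strip()
        if not s or s.startswith("!"):
            continue
        if not raw[0].isspace():  # a top-level command opens a new context
            ctx = None
            if m := re.match(r"aaa group server \S+ (\S+)$", s):
                ctx = ("group", m[1])
            elif m := re.match(r"aaa authentication (login|ppp) (\S+) (.+)$", s):
                lists[(m[1], m[2])] = m[3].split()
            elif m := re.match(r"line (.+)$", s):
                # Until told otherwise, a line authenticates with the default list.
                ctx, lines[m[1]] = ("line", m[1]), "default"
        elif ctx and ctx[0] == "group" and (m := re.match(r"server (\S+)", s)):
            groups.setdefault(ctx[1], []).append(m[1])
        elif ctx and ctx[0] == "line" and (m := re.match(r"login authentication (\S+)", s)):
            lines[ctx[1]] = m[1]
    return groups, lists, lines

def servers_for(methods, groups):
    """Servers named by the 'group X' entries of one method list, in order."""
    return [ip for a, b in zip(methods, methods[1:]) if a == "group"
            for ip in groups.get(b, [])]

def audit(config):
    """Map each login line and each ppp list to the AAA servers it would use."""
    groups, lists, lines = parse(config)
    result = {f"line {n}": servers_for(lists.get(("login", lst), []), groups)
              for n, lst in lines.items()}
    result.update({f"ppp {n}": servers_for(m, groups)
                   for (k, n), m in lists.items() if k == "ppp"})
    return result
```

Running `audit(SAMPLE)` shows the vty lines resolving to 192.168.1.1 while the console line and PPP resolve to 192.168.2.1, so any line meant for admins needs its own `login authentication admin`.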
