02-24-2016 10:08 AM - edited 03-10-2019 11:31 PM
I would like to start using RADIUS to authenticate users trying to access network equipment through VPNs. Since we will need to access the equipment in the event of a VPN failing, I need to know if the credentials can be cached on the device.
02-24-2016 04:44 PM
No, you can't do that per se.
However, you can set up a second connection profile that uses local credentials as a fallback mechanism.
02-24-2016 09:26 PM
You mean the devices can only be accessed once you have the VPN established. In case of VPN failure, can you even ping the network devices? I am assuming they would be internal resources. In any case, credentials cannot be cached on the device. Let me know if I am missing any piece of your question.
~ Jatin
02-25-2016 09:14 AM
Jatin - Correct, the devices can only be accessed with RADIUS credentials if the VPN is up. If the VPN goes down, we would need to access them via the WAN of the router without RADIUS access.
Marvin - My only option is to have local credentials in the device as a backup if the device can't reach RADIUS?
02-25-2016 10:32 AM
Caching is not possible, as in you won't be logged in automatically when the VPN goes down. However, as Marvin said, a fallback mechanism can be used.
~ Jatin
02-25-2016 07:16 PM
Some other authentication in addition to RADIUS would be needed.
Local credentials would be the most common.
But of course they could be any other supported authentication type - e.g., AD or LDAP.
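The RADIUS-then-local fallback described in this thread, sketched as an added configuration example that is not from any of the posters. It assumes a Cisco IOS router, which the thread does not confirm; the server address, names and secrets are placeholders.

```cisco
! Constructed example; names, addresses and secrets are placeholders.
aaa new-model
!
! Local break-glass account, stored as a hashed secret.
username breakglass privilege 15 algorithm-type scrypt secret LOCAL-SECRET-PLACEHOLDER
!
! RADIUS server that is reachable only through the VPN tunnel.
radius server RAD1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key SHARED-SECRET-PLACEHOLDER
 timeout 3
 retransmit 2
!
aaa group server radius MGMT-RADIUS
 server name RAD1
!
! Methods are tried in order. "local" is consulted only when no server in
! MGMT-RADIUS answers (for example, the tunnel is down). An Access-Reject
! from RADIUS ends the attempt and does not fall through to "local".
aaa authentication login default group MGMT-RADIUS local
aaa authorization exec default group MGMT-RADIUS local
!
line vty 0 4
 login authentication default
 transport input ssh
```

Because the local account works only while RADIUS is unreachable, a login with it is a useful signal to log and alert on.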
02-26-2016 09:50 AM
If the VPN is down, won't AD and LDAP be useless as well?
02-26-2016 10:04 AM
Only if the AD and LDAP traffic is going through the VPN tunnel, and I guess in your case they are located across the tunnel.
~ Jatin
02-26-2016 10:46 AM
We don't want to spend the money for TACACS, so we are stuck using authentication technology that doesn't natively encrypt, which is the reason for the VPN being needed.
02-26-2016 10:53 AM
I could read your thought behind it when you first posted your question :)
~ Jatin