Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1393
Views
0
Helpful
9
Replies

Can I cache RADIUS credentials used to access network equipment?

Go to solution
jasonww04
Level 1
Level 1

‎02-24-2016 10:08 AM - edited ‎03-10-2019 11:31 PM

I would like to start using RADIUS to authenticate users trying to access network equipment through VPNs. Since we will need to access the equipment in the event of a VPN failing, I need to know if the credentials can be cached on the device.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎02-24-2016 09:26 PM

You mean the devices can be only be accessed once you have VPN established. In case of VPN failure, can you even ping the network devices. I am assuming they would be internal resources. In any case, credential can not be cached on the device. Let me know if I am missing any piece in your questions. ~ Jatin

~Jatin

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎02-24-2016 04:44 PM

No you can't do that per se.

However you can setup a second connection profile that uses local credentials as a fallback mechanism.

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎02-24-2016 09:26 PM

You mean the devices can be only be accessed once you have VPN established. In case of VPN failure, can you even ping the network devices. I am assuming they would be internal resources. In any case, credential can not be cached on the device. Let me know if I am missing any piece in your questions. ~ Jatin

~Jatin
0 Helpful

Go to solution
jasonww04
Level 1
Level 1
In response to Jatin Katyal

‎02-25-2016 09:14 AM

Jatin - Correct, the devices can only be accessed with RADIUS credentials if the VPN is up. If the VPN goes down, we would need to access them via the WAN of the router without RADIUS access.

Marvin - My only option is to have local credentials in the device as a backup if the device can't reach RADIUS?

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to jasonww04

‎02-25-2016 10:32 AM

Caching is not possible like you won't be logged in automatically when VPN goes down. However as Marvin said fallback mechanism can be used.

~ Jatin

~Jatin
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to jasonww04

‎02-25-2016 07:16 PM

jasonww04  ,

Some other authentication in addition to RADIUS would be needed.

Local credentials would be the most common.

But of course they could be any other supported authentication type - e.g., AD or LDAP.

0 Helpful

Go to solution
jasonww04
Level 1
Level 1
In response to Marvin Rhoads

‎02-26-2016 09:50 AM

If the VPN is down won't AD and LDAP be useless as well?

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to jasonww04

‎02-26-2016 10:04 AM

only if the AD and LDAP traffic is going through the VPN tunnel and I guess in your case they are located across the tunnel.

~ Jatin

~Jatin
0 Helpful

Go to solution
jasonww04
Level 1
Level 1
In response to Jatin Katyal

‎02-26-2016 10:46 AM

We don't want to spend the money for TACACS so we are stuck using authentication technology that doesn't natively encrypt which is the reason for the VPN being needed.

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to jasonww04

‎02-26-2016 10:53 AM

I could read your thought behind it when you first post your question :)

~ Jatin

~Jatin
0 Helpful
Customers Also Viewed These Support Documents