Can I cache RADIUS credentials used to access network equipment?

jasonww04
Level 1

I would like to start using RADIUS to authenticate users trying to access network equipment through VPNs. Since we will need to access the equipment in the event of a VPN failing, I need to know if the credentials can be cached on the device.

9 Replies

Marvin Rhoads
Hall of Fame

No, you can't do that per se.

However, you can set up a second connection profile that uses local credentials as a fallback mechanism.

Jatin Katyal
Cisco Employee

You mean the devices can only be accessed once you have the VPN established. In case of VPN failure, can you even ping the network devices? I am assuming they would be internal resources. In any case, credentials cannot be cached on the device. Let me know if I am missing any piece in your question. ~ Jatin

Jatin - Correct, the devices can only be accessed with RADIUS credentials if the VPN is up. If the VPN goes down, we would need to access them via the WAN of the router without RADIUS access.

Marvin - My only option is to have local credentials in the device as a backup if the device can't reach RADIUS?

Caching is not possible, meaning you won't be logged in automatically when the VPN goes down. However, as Marvin said, a fallback mechanism can be used.

~ Jatin
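An added example (not from this thread or from any poster) of the fallback Marvin and Jatin describe, assuming the equipment runs Cisco IOS; the server address, names and secrets shown are placeholders:

```text
! Constructed example: RADIUS first, local accounts only when RADIUS is unreachable.
aaa new-model
!
! RADIUS server definition (address and shared secret are placeholders)
radius server MGMT-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
!
! Mark the server dead quickly so the fallback engages instead of a long login hang
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
aaa group server radius MGMT-RADIUS-GRP
 server name MGMT-RADIUS
!
! Method lists: try the RADIUS group, then the local user database.
! "local" is consulted only when no RADIUS server responds; an explicit
! RADIUS reject is final and does NOT fall through to the local accounts.
aaa authentication login MGMT-AUTH group MGMT-RADIUS-GRP local
aaa authorization exec MGMT-AUTHZ group MGMT-RADIUS-GRP local
!
! Break-glass local account, only reachable when RADIUS is down
username breakglass privilege 15 secret <strong-password-placeholder>
!
line vty 0 4
 login authentication MGMT-AUTH
 authorization exec MGMT-AUTHZ
 transport input ssh
```

To confirm the order of methods behaves as intended, test a login while the RADIUS server is reachable and again with it unreachable (or use `test aaa group MGMT-RADIUS-GRP <user> <password> new-code` to check server reachability without touching the VTY lines).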

jasonww04,

Some other authentication in addition to RADIUS would be needed.

Local credentials would be the most common.

But of course they could be any other supported authentication type - e.g., AD or LDAP.

If the VPN is down won't AD and LDAP be useless as well?

Only if the AD and LDAP traffic is going through the VPN tunnel, and I guess in your case they are located across the tunnel.

~ Jatin

We don't want to spend the money for TACACS, so we are stuck using an authentication technology that doesn't natively encrypt, which is the reason the VPN is needed.

I could read your thought behind it when you first posted your question :)

~ Jatin