Radius and Local Authentication

rfurman1161
Level 1

Hey everyone,

I'm having a small problem with some routers that I recently set up to authenticate to a new Windows 2008 R2 RADIUS server. That part works fine, but it appears now that we cannot access the local usernames that were configured. Is it possible to do both, or do I just have something not set up right? This is running on some older 2600 series routers with SSH enabled. Below is our standard config:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Csico-R1
boot-start-marker
boot-end-marker
enable password **********************
memory-size iomem 15
aaa new-model
aaa group server radius RADIUS_AUTH
 server 192.168.1.100 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login networkaccess group RADIUS_AUTH enable
aaa authentication enable default enable
aaa authorization exec default group RADIUS_AUTH if-authenticated
aaa session-id common
ip subnet-zero
ip cef
no ip domain lookup
ip audit po max-events 100
username ciscoadmin password 7 ******************
username supercisco password 7 *****************
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh rsa keypair-name myrsakey
interface FastEthernet0/1
 ip address 192.168.1.4 255.255.255.0
 duplex auto
 speed auto
no ip http server
no ip http secure-server
ip classless
ip radius source-interface FastEthernet0/1
radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key *****************
alias interface show do show
alias configure show do show
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login authentication networkaccess
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login authentication networkaccess
 transport input telnet ssh
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login authentication networkaccess
 transport input telnet ssh

Thanks,

Robert


Eduardo Aliaga
Level 4

When you use a group of AAA servers (RADIUS or TACACS), the router will always look for the users within those AAA servers. The router can be configured to use the local database only if the AAA servers fail.

When you configure AAA authentication, you can configure a primary authentication method, such as using RADIUS, and also one or more alternative authentication methods, including using the local database on the router (or switch), which can be used if the primary method is not available.

Here is what is configured:

aaa authentication login networkaccess group RADIUS_AUTH enable

This says to use RADIUS as the primary authentication method and to use the enable password as the alternative method of authentication if the RADIUS server is not available. So in this case you would not use the local username at all.

If you configured it this way:

aaa authentication login networkaccess group RADIUS_AUTH local

then it would try RADIUS, and if RADIUS was not available, it would try the local username.

HTH

Rick
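As an added illustration of the method-list behaviour described in the reply above (this is not code from the thread or from Cisco), the following Python script pulls the `aaa authentication login` lists out of an IOS-style configuration, reports which `line` sections are bound to a list that never reaches the local user database, and simulates how IOS walks a method list: a later method is only tried when the earlier one returns an error (RADIUS server unreachable), not when RADIUS explicitly rejects the credentials. The configuration text is a constructed excerpt modelled on the original post with passwords removed; the local accounts, the enable password and the RADIUS outcome are assumed inputs to the simulation.

```python
import re

# Constructed excerpt modelled on the config in the original post (passwords replaced).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius RADIUS_AUTH
 server 192.168.1.100 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login networkaccess group RADIUS_AUTH enable
aaa authentication enable default enable
username ciscoadmin password 7 REDACTED
username supercisco password 7 REDACTED
line con 0
 login authentication networkaccess
line aux 0
line vty 0 4
 login authentication networkaccess
 transport input telnet ssh
line vty 5 15
 login authentication networkaccess
 transport input telnet ssh
"""

# Assumed local credentials and enable password used only by the simulation (constructed).
LOCAL_USERS = {"ciscoadmin": "local-pw-1", "supercisco": "local-pw-2"}
ENABLE_PASSWORD = "enable-pw"


def tokenize_methods(text):
    """Split 'group RADIUS_AUTH enable' into ['group RADIUS_AUTH', 'enable']."""
    toks = text.split()
    methods, i = [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            methods.append(f"group {toks[i + 1]}")
            i += 2
        else:
            methods.append(toks[i])
            i += 1
    return methods


def parse_login_lists(config):
    """Return {list_name: [methods]} for every 'aaa authentication login' line."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)$", line.strip())
        if m:
            lists[m.group(1)] = tokenize_methods(m.group(2))
    return lists


def parse_line_bindings(config):
    """Return {line_section: login_list}; a line with no 'login authentication' uses 'default'."""
    bindings, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            bindings[current] = "default"
        elif raw.startswith(" ") and current:
            parts = raw.split()
            if parts[:2] == ["login", "authentication"] and len(parts) == 3:
                bindings[current] = parts[2]
        else:
            current = None  # any other top-level command ends the line section
    return bindings


def audit_local_fallback(config):
    """List every line section whose login method list never consults the local user database."""
    lists = parse_login_lists(config)
    findings = []
    for section, name in parse_line_bindings(config).items():
        methods = lists.get(name, [])
        if "local" not in methods:
            findings.append(f"line {section}: list '{name}' = {methods} has no 'local' method")
    return findings


def evaluate_login(methods, radius_outcome, username, password):
    """Walk a method list the way IOS does.

    radius_outcome is the assumed answer from the RADIUS group: 'pass', 'fail'
    (Access-Reject) or 'error' (server unreachable). Only 'error' moves on to the
    next method; a reject is final, so the local database is not a second chance
    for a password RADIUS has already refused. Local and enable are simplified to
    a final pass/fail on password match.
    """
    for method in methods:
        if method.startswith("group "):
            if radius_outcome == "error":
                continue
            return radius_outcome
        if method == "local":
            return "pass" if LOCAL_USERS.get(username) == password else "fail"
        if method == "enable":
            return "pass" if password == ENABLE_PASSWORD else "fail"
        if method == "none":
            return "pass"
    return "fail"  # every method errored: login is denied


if __name__ == "__main__":
    for finding in audit_local_fallback(SAMPLE_CONFIG):
        print(finding)
    fixed = SAMPLE_CONFIG.replace("group RADIUS_AUTH enable", "group RADIUS_AUTH local")
    print("after fix:", audit_local_fallback(fixed))
    print(evaluate_login(["group RADIUS_AUTH", "local"], "error", "ciscoadmin", "local-pw-1"))
```

Running it against the sample flags `con 0`, `vty 0 4` and `vty 5 15` (all bound to `networkaccess`, whose fallback is `enable`), while `aux 0` is clean because it uses the `default` list, which is `local`. After the one-word change the reply suggests the audit is empty, and the simulation shows that with `group RADIUS_AUTH local` the local account only logs in when the RADIUS outcome is `error`; when RADIUS answers `fail` the session is denied without the local database ever being consulted.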
