08-06-2008 11:57 PM
Hi guys,
Currently checking zeroshell for radius to centralize my logins. My question is, if the radius server fails, is there a fallback username/password that I can configure just in case?
Thanks.
08-07-2008 06:20 AM
You can configure IOS to try multiple RADIUS/AAA servers. It's always a good idea to have more than one.
aaa group server radius authentication-group
 server 209.165.200.225 key radkey1
 server 209.165.200.226 key radkey2
aaa group server radius accounting-group
 server 209.165.200.225 key radkey1
 server 209.165.200.226 key radkey2
 server 209.165.201.1 key radkey3
Or, if you meant configuring a local user/password on the router, check out
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ft_md5.html
username name secret {[0] password | 5 encrypted-secret}
08-07-2008 05:38 PM
Hi,
Let's say my routers are configured to authenticate through the radius server. What if that radius server goes down, how can I telnet/ssh into my router then? That's why I'm finding a way wherein login should first be authenticated through the radius server and if no radius server found (radius is down) a backdoor username/password can be used.
Thanks.
08-08-2008 12:40 PM
Jefferson
It is a very common requirement to have some backup method of authentication such as local authentication in case the configured server (or multiple servers) is not available. Assuming that you have the radius server configured you would want something like this in your config:
user
aaa authentication login default group radius local
This will attempt to authenticate with radius and if there is an error in that authentication attempt then it will authenticate with the configured local user ID and password.
HTH
Rick
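The fallback discussed in this thread, written out as a fuller configuration. This is an added example, not part of the original replies; the server addresses, shared key, and local user name are constructed placeholders. The local method is consulted only when no RADIUS server responds, so a login that RADIUS rejects does not fall through to the local account.

```cisco
! Constructed example: addresses, key and user name are placeholders.
aaa new-model
!
! Local account used only when no RADIUS server answers.
! "secret" stores an MD5 hash rather than a reversible type 7 password.
username fallback-admin privilege 15 secret <LOCAL-SECRET>
!
! Two servers, tried in order. Timeout and retransmit bound how long
! the router waits on each one before moving to the next method.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <RADIUS-KEY>
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key <RADIUS-KEY>
radius-server timeout 5
radius-server retransmit 2
!
! Without a trailing "local", unreachable RADIUS servers lock everyone out:
!   aaa authentication login default group radius
! With it, the router falls back to the username defined above:
aaa authentication login default group radius local
!
! Apply the method list to remote logins.
line vty 0 4
 login authentication default
```

Test the fallback from a second session while an existing session stays open, so a mistake in the method list does not cut off access to the router.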