08-05-2020 02:02 AM
Hi everyone,
I have set up my switches to authenticate via RADIUS as below:
aaa new-model
aaa group server radius ADAAA
 server-private 192.168.xx.xx key xxxxx
aaa authentication login default group ADAAA local
line vty 0 4
 transport input ssh
 login authentication default
My question is, is there a way to configure a fallback account and password that is different from the AD account used when logging in? For example, if I was to try and log in with user 'john', if RADIUS auth failed I would want to fall back on a local user 'admin' with a different password altogether. Will appreciate some pointers.
Regards
08-05-2020 03:48 AM
Hi there,
The only way to fall back to a second user store in an AAA statement is if the primary store (RADIUS in your case) is unreachable. In your case the solution is a little more involved as you would need to create an ACL on your management network to prevent the switch in question from communicating with the RADIUS server; this would cause the AAA to use the local user database.
cheers,
Seb.
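The method-list behaviour described in the reply above, as an added example that is not part of the original thread: a simplified Python model in which only a method that gives no answer hands the login to the next method, while a reject is final. The user names, passwords and function names are constructed for illustration.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method answered: credentials accepted
    FAIL = "fail"    # method answered: credentials rejected
    ERROR = "error"  # method gave no answer (server unreachable / timeout)

def radius_method(users, reachable):
    """Constructed stand-in for 'group ADAAA'."""
    def check(user, password):
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(user) == password else Result.FAIL
    return check

def local_method(users):
    """Constructed stand-in for the switch's local user database."""
    def check(user, password):
        return Result.PASS if users.get(user) == password else Result.FAIL
    return check

def authenticate(method_list, user, password):
    """Walk the method list in order; only ERROR moves on to the next method."""
    for name, method in method_list:
        result = method(user, password)
        if result is not Result.ERROR:
            return name, result   # PASS or FAIL ends the walk
    return None, Result.FAIL      # every method errored: deny

AD_USERS = {"john": "ad-secret"}         # constructed sample data
LOCAL_USERS = {"admin": "local-secret"}  # constructed sample data

def login(user, password, radius_reachable):
    # Mirrors: aaa authentication login default group ADAAA local
    methods = [("ADAAA", radius_method(AD_USERS, radius_reachable)),
               ("local", local_method(LOCAL_USERS))]
    return authenticate(methods, user, password)

if __name__ == "__main__":
    for args in [("john", "wrong", True),
                 ("admin", "local-secret", True),
                 ("admin", "local-secret", False)]:
        print(args, "->", login(*args))
```

With RADIUS reachable, the local 'admin' account is rejected by RADIUS and never checked locally; it only works once RADIUS stops answering, and at that point AD accounts such as 'john' no longer work.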
08-05-2020 05:21 AM