09-06-2012 10:06 AM - edited 03-11-2019 04:51 PM
Hi all,
I have a PIX 515E which does authentication for SSH via the RADIUS protocol and fails over to the local database if the RADIUS server goes offline. But when the RADIUS server comes back online, authentication still takes place through LOCAL and not the RADIUS server. Following are the commands:
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (outside) host 208.86.100.41 vinakom1365 timeout 5
aaa-server LOCAL protocol local
aaa authentication ssh console RADIUS LOCAL
Cisco PIX Firewall Version 6.3(5)
Can anyone let me know what the issue is?
Thanks
Mukundh
09-06-2012 10:24 AM
Hello Mukundh,
I would say it's because of this:
aaa-server RADIUS deadtime 10
"While the command may be configured even without having configured the LOCAL method on any of the three authentication and authorization commands described earlier, it only affects operations when a user has configured two methods. Obviously, at this time, the second method must be LOCAL.
The command specifies the minutes a particular method should be marked unresponsive and skipped. When an AAA server group has been marked unresponsive, the firewall will immediately perform the authentication or authorization against the next method, which will be the local firewall user database. Every server in a group must be marked unresponsive before the entire group will be declared unresponsive.
When you configure the deadtime to "0", the AAA server group is never considered unresponsive and all authentication and authorization requests are always attempted against this AAA server group first before using the next method in the method list (for example, falling back to the local user database).
The [no] form of this command restores the aaa-server command to its default value of 10 minutes.
The deadtime begins as soon as the last server in the AAA server group has been marked DOWN. A server is marked down when the maximum number of attempts defined in max-attempts has been reached without receiving a response. Upon expiration of the deadtime, the AAA server group becomes active and all requests will be submitted once again to the AAA servers in the AAA server group."
So in your case you should be able to use the RADIUS authentication method 10 minutes after the RADIUS server went down.
Please change it to 1 minute, wait and see how it behaves.
Regards,
Julio
Rate all the helpful posts
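Added example, not part of the thread and not Cisco code: a small Python model of the fallback behaviour Julio quotes. It assumes a single RADIUS server, that one login against an unreachable server marks it DOWN (the max-failed-attempts retries are not modelled individually), and that the server comes back at minute 2; it compares deadtime 10, 1 and 0 to show why logins keep landing on LOCAL until the deadtime expires.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ServerGroup:
    """Hypothetical model of a PIX 6.3 'aaa-server' group (constructed example)."""
    name: str
    servers: list
    max_failed_attempts: int = 3   # retries before a server is marked DOWN (not modelled individually)
    deadtime_min: int = 10         # 'aaa-server <tag> deadtime'; 0 = group is never marked dead
    down: dict = field(default_factory=dict)   # server -> True once marked DOWN
    dead_since: Optional[int] = None           # minute at which the last server went DOWN

    def is_dead(self, now: int) -> bool:
        if self.dead_since is None:
            return False
        if self.deadtime_min == 0 or now - self.dead_since >= self.deadtime_min:
            # deadtime 0 never skips the group; otherwise the timer has expired:
            # the group is active again and its servers are retried
            self.dead_since, self.down = None, {}
            return False
        return True

def authenticate(group: ServerGroup, now: int, reachable: dict) -> str:
    """Return the method that answers an SSH login at minute `now`.
    `reachable` maps server address -> bool (constructed state)."""
    if group.is_dead(now):
        return "LOCAL"   # group is skipped for the rest of the deadtime
    for srv in group.servers:
        if group.down.get(srv):
            continue
        if reachable.get(srv, False):
            return group.name
        # no reply after max-failed-attempts retries: this server is DOWN
        group.down[srv] = True
    # every server DOWN -> the whole group is DOWN and the deadtime starts now
    if all(group.down.get(s) for s in group.servers) and group.dead_since is None:
        group.dead_since = now
    return "LOCAL"

def simulate(deadtime_min: int) -> list:
    """RADIUS unreachable at minute 0, back at minute 2; logins at minutes 0, 2, 5, 10."""
    group = ServerGroup("RADIUS", ["208.86.100.41"], deadtime_min=deadtime_min)
    timeline = []
    for minute in (0, 2, 5, 10):
        reachable = {"208.86.100.41": minute >= 2}
        timeline.append((minute, authenticate(group, minute, reachable)))
    return timeline
```

With deadtime 10 the logins at minutes 2 and 5 still go to LOCAL even though the server is back; with deadtime 1 (or 0) the minute-2 login already goes to RADIUS.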
09-06-2012 04:37 PM
Hi Julio,
You are correct. I had to reduce deadtime to resolve the issue.
Thanks for your help
Mukundh
09-06-2012 04:38 PM
Hello Mukundh,
My pleasure
Julio