Radius with AAA Authentication

jobegates · ‎04-13-2005

Having an issue with this and was hoping someone could help me out. We setup Radius with the AAA Authentication and everything works fine. So I wanted to make sure that we could still login if the IAS server goes down. Here's my config.

aaa new-model

aaa authentication login default group radius local

aaa authentication login if_needed local

aaa authorization exec default group radius if-authenticated

line vty 0 4

login authentication default

andrew.butterworth · ‎04-13-2005

I have the same setup (Microsoft IAS & AAA IOS clients). I just tried this and it works for me. My config is:

aaa new-model

aaa group server radius Radius-Servers

server 10.1.1.1 auth-port 1812 acct-port 1813

!

aaa authentication login default group Radius-Servers local

aaa authentication enable default group Radius-Servers enable

aaa authentication dot1x default group Radius-Servers

aaa authorization exec default group Radius-Servers if-authenticated

aaa authorization network default group Radius-Servers

aaa accounting dot1x default start-stop group Radius-Servers

aaa accounting exec default start-stop group Radius-Servers

!

radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key rad-key

!

I also have a user in global config and the enable secret set:

username fallback password cisco

!

It takes a few seconds for the server to time out before it uses the fallback account. Also the enable password prompt is presented twice: once as it tried the Radius server and then again after the timeout.

Andy