Auth Radius fallback to Local?

Hi,

How do I configure aaa model so that if a local user is defined, the Radius server is not checked or fails auth and reverts to the local user?

For example, if I have

aaa new-model
aaa group server radius RADIUS_AUTH
  server 10.10.10.10 auth-port 1812 acct-port 1813
aaa authentication login LocalAuth local

How do I configure line vty 0 4 to do as I described?

Thanks.

Accepted Solutions
Re: Auth Radius fallback to Local?

If you're wanting to allow local users to telnet/ssh into the device but not checked against RADIUS, you can use the following under your vty lines:

line vty 0 4
  login authentication <Method>

Method could be:

aaa authentication login TELNET local
line vty 0 4
  login authentication TELNET

That won't check the RADIUS server ever. You can also do a couple of other things. One would be for it to check your local first, and then fail over to radius:

aaa authentication login TELNET local group radius

Then if the local account doesn't exist, it can fail over to the radius server before failing authentication altogether...

HTH,
John

*** Please rate all useful posts ***

Re: Auth Radius fallback to Local?

If you still want to check the RADIUS when a local user is not found, then you need the following config:

aaa authentication login LOC_RAD local group RADIUS_AUTH
line vty 0 4
  login authentication LOC_RAD

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Auth Radius fallback to Local?

Thanks much. I'll test that.
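
The method lists discussed in this thread, modelled as an added Python example (not code from the thread or from Cisco). It assumes IOS treats an unreachable RADIUS server, or a username missing from the local database, as an error that falls through to the next method, while an explicit rejection ends the attempt. The user names, passwords and the `group RADIUS_AUTH local` ordering are constructed for illustration and do not appear in the posts above.

```python
# Simplified model of IOS login method-list evaluation (added example).
# Assumption: a method that cannot answer (RADIUS unreachable, or a username
# absent from the local database) yields ERROR and the next method is tried;
# an explicit rejection yields FAIL and evaluation stops there.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

LOCAL_USERS = {"admin": "L0cal-pw"}                               # constructed
RADIUS_USERS = {"alice": "R4dius-pw", "admin": "R4dius-admin"}    # constructed

def local(user, password):
    if user not in LOCAL_USERS:
        return ERROR                  # no such local account: fall through
    return PASS if LOCAL_USERS[user] == password else FAIL

def make_radius(reachable):
    def radius(user, password):
        if not reachable:
            return ERROR              # timeout: no reply from the server
        return PASS if RADIUS_USERS.get(user) == password else FAIL
    return radius

def authenticate(method_list, user, password):
    """Walk the list in order; return (result, name of the deciding method)."""
    for name, method in method_list:
        result = method(user, password)
        if result != ERROR:
            return result, name
    return FAIL, None                 # every method errored out: access denied

def lists(radius_up):
    rad = ("group RADIUS_AUTH", make_radius(radius_up))
    loc = ("local", local)
    return {
        "local": [loc],                          # TELNET list, first answer
        "local group RADIUS_AUTH": [loc, rad],   # LOC_RAD list, second answer
        "group RADIUS_AUTH local": [rad, loc],   # hypothetical reverse order
    }

if __name__ == "__main__":
    cases = [("admin", "L0cal-pw"), ("admin", "R4dius-admin"), ("alice", "R4dius-pw")]
    for up in (True, False):
        for label, ml in lists(up).items():
            for user, pw in cases:
                print(f"radius_up={up!s:5} {label:24} {user:5} -> {authenticate(ml, user, pw)}")
```

With `local` listed first, a name that exists in both databases is always decided by the local password. With RADIUS listed first, the local account is consulted only while the server does not answer.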
