Auth Radius fallback to Local?

lcaruso
Level 6

Hi,

How do I configure aaa model so that if a local user is defined, the Radius server is not checked or fails auth and reverts to the local user?

For example, if I have

aaa new-model
aaa group server radius RADIUS_AUTH
 server 10.10.10.10 auth-port 1812 acct-port 1813
aaa authentication login LocalAuth local

How do I configure line vty 0 4 to do as I described?

Thanks.

2 Accepted Solutions

John Blakley
VIP Alumni

If you're wanting to allow local users to telnet/ssh into the device but not have them checked against RADIUS, you can use the following under your vty lines:

line vty 0 4
 login authentication

Method could be:

aaa authentication login TELNET local
line vty 0 4
 login authentication TELNET

That won't check the RADIUS server ever. You can also do a couple of other things. One would be for it to check your local first, and then fail over to radius:

aaa authentication login TELNET local group radius

Then if the local account doesn't exist, it can fail over to the radius server before failing authentication altogether...

HTH,
John

*** Please rate all useful posts ***


If you still want to check the RADIUS when a local user is not found, then you need the following config:

aaa authentication login LOC_RAD local group RADIUS_AUTH
line vty 0 4
 login authentication LOC_RAD

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
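To make the ordering in both answers concrete, here is an added Python model (not code from the thread or from Cisco) of how IOS walks a login method list: a method returns PASS, FAIL or ERROR, and IOS only tries the next method on ERROR (no RADIUS server answering, or the user missing from the local database), while a FAIL ends the attempt. The user names, passwords and the reachable/unreachable RADIUS group are constructed sample data.

```python
"""Constructed model (not from the thread or Cisco) of how IOS walks an
AAA login method list: a method returns PASS, FAIL or ERROR, and IOS
tries the next method only on ERROR (no RADIUS server answered, or the
user is absent from the local database); FAIL ends the attempt."""
from typing import Callable, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
Method = Callable[[str, str], str]

# Constructed sample credentials standing in for the router's local user
# database and for the RADIUS group RADIUS_AUTH from the question.
LOCAL_USERS = {"admin": "Loc4l!pw"}
RADIUS_USERS = {"alice": "R4dius!pw", "admin": "Centr4l!pw"}

def local(user: str, pw: str) -> str:
    """The 'local' method: unknown user -> ERROR, wrong password -> FAIL."""
    if user not in LOCAL_USERS:
        return ERROR
    return PASS if LOCAL_USERS[user] == pw else FAIL

def group_radius(reachable: bool) -> Method:
    """'group RADIUS_AUTH': no server reachable -> ERROR, Access-Reject -> FAIL."""
    def radius(user: str, pw: str) -> str:
        if not reachable:
            return ERROR
        return PASS if RADIUS_USERS.get(user) == pw else FAIL
    return radius

def run_method_list(methods: List[Method], user: str, pw: str) -> Tuple[str, Optional[int]]:
    """Return (result, index of the method that decided it); index None if all errored."""
    for i, method in enumerate(methods):
        result = method(user, pw)
        if result != ERROR:  # PASS or FAIL is final; only ERROR falls through
            return result, i
    return FAIL, None  # every method returned ERROR: login refused

# The two orderings discussed in the thread.
LOC_RAD = [local, group_radius(True)]             # local group RADIUS_AUTH
RAD_LOC_DOWN = [group_radius(False), local]       # group RADIUS_AUTH local, servers down

if __name__ == "__main__":
    print(run_method_list(LOC_RAD, "admin", "Loc4l!pw"))      # ('PASS', 0)
    print(run_method_list(LOC_RAD, "admin", "Centr4l!pw"))    # ('FAIL', 0): RADIUS never asked
    print(run_method_list(LOC_RAD, "alice", "R4dius!pw"))     # ('PASS', 1): fell through to RADIUS
    print(run_method_list(RAD_LOC_DOWN, "admin", "Loc4l!pw")) # ('PASS', 1): local as fallback
```

Note that with the local-first list a wrong password for a locally defined user is refused without RADIUS ever being consulted, so every locally defined account is exempt from the RADIUS server's policy; putting the group first keeps local accounts as a fallback only while the servers are unreachable.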


3 Replies


Thanks much. I'll test that.
