01-14-2013 11:50 AM - edited 03-04-2019 06:42 PM
Hi,
How do I configure the aaa model so that if a local user is defined, the RADIUS server is not checked or fails auth and reverts to the local user?
For example, if I have
aaa new-model
aaa group server radius RADIUS_AUTH
server 10.10.10.10 auth-port 1812 acct-port 1813
aaa authentication login LocalAuth local
How do I configure line vty 0 4 to do as I described?
Thanks.
01-14-2013 11:54 AM
If you're wanting to allow local users to telnet/ssh into the device but not be checked against RADIUS, you can use the following under your vty lines:
line vty 0 4
login authentication
Method could be:
aaa authentication login TELNET local
line vty 0 4
login authentication TELNET
That won't check the RADIUS server ever. You can also do a couple of other things. One would be for it to check your local first, and then fail over to radius:
aaa authentication login TELNET local group radius
Then if the local account doesn't exist, it can fail over to the radius server before failing authentication altogether...
HTH,
John
*** Please rate all useful posts ***
01-14-2013 11:56 AM
If you still want to check the RADIUS when a local user is not found, then you need the following config:
aaa authentication login LOC_RAD local group RADIUS_AUTH
line vty 0 4
login authentication LOC_RAD
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
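Added example, not from any of the posts above: a small Python model of how IOS walks an "aaa authentication login" method list such as the TELNET / LOC_RAD lists the two answers give. The usernames, passwords and the fake RADIUS server are constructed; the model assumes the IOS rule that the next method in the list is only tried when the previous one returns an error (server unreachable, user not in the local database), never when it rejects the credentials.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # credentials rejected: stops the method list
    ERROR = "error"  # method could not answer: IOS tries the next method

# Constructed sample data: a local username database and a fake RADIUS user store.
LOCAL_USERS = {"admin": "L0calPw!"}
RADIUS_USERS = {"alice": "R4diusPw!"}

def local_method(user, password):
    # As described in the thread: a user missing from the local database
    # lets the next method run; a wrong password for a local user is a FAIL.
    if user not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[user] == password else Result.FAIL

def radius_method(user, password, reachable=True):
    # An unreachable server is an ERROR (next method runs);
    # an Access-Reject from a reachable server is a FAIL.
    if not reachable:
        return Result.ERROR
    return Result.PASS if RADIUS_USERS.get(user) == password else Result.FAIL

def authenticate(method_list, user, password, radius_up=True):
    """Walk the method list the way IOS does; return (outcome, methods consulted)."""
    consulted = []
    for method in method_list:
        consulted.append(method)
        if method == "local":
            result = local_method(user, password)
        elif method == "group radius":
            result = radius_method(user, password, radius_up)
        else:
            raise ValueError(f"unknown method: {method}")
        if result is not Result.ERROR:
            return result, consulted          # PASS or FAIL ends the walk
    return Result.FAIL, consulted             # every method errored: no access

if __name__ == "__main__":
    loc_rad = ["local", "group radius"]       # the TELNET / LOC_RAD lists above
    rad_loc = ["group radius", "local"]       # the other common order
    print(authenticate(loc_rad, "admin", "wrong"))               # local FAIL, RADIUS never asked
    print(authenticate(loc_rad, "alice", "R4diusPw!"))           # not local -> RADIUS PASS
    print(authenticate(rad_loc, "admin", "L0calPw!", radius_up=False))  # RADIUS down -> local PASS
    print(authenticate(rad_loc, "admin", "L0calPw!"))            # RADIUS reject -> FAIL, local skipped
```

The last two calls show the point that trips people up with the "group radius local" order: local is only reached when the RADIUS server is unreachable, not when it rejects the login.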
01-14-2013 11:57 AM
Thanks much. I'll test that.