Local account configure for backup if DUO 2FA failed

pltidjon · ‎07-13-2021

Please I need help after I have configured DUO on Cisco Router 4200, my local account is not working

login as: admin1
Keyboard-interactive authentication prompts from server:
| Password:
| Invalid User
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:

R1#conf t

R1(config)#aaa new-model

R1(config)#radius server duoauthproxy

R1(config-radius-server)#address ipv4 10.117.1.51 auth-port 1812 acct-port 1813

R1(config-radius-server)#key GFSUPERSECRETKeY!11!!

R1(config-radius-server)#timeout 60

R1(config-radius-server)#exit

R1(config)# aaa group server radius duoauthproxy

R1(config-sg-radius)#server name duoauthproxy

R1(config-sg-radius)#end

R1(config)#aaa authentication login radius-dap group duoauthproxy local-case

R1(config)#line vty 0 4

R1(config-line)#login authentication radius-dap

R1(config-line)#end

R1(config)#aaa new-model
R1(config)#aaa authentication login default group radius local
R1(config)#aaa authorization exec default local

pieterh · ‎07-19-2021

what do you means with local account not working?

NB! AAA will only fall back to local if the aaa server is unreachable or throws another error

not if the account does not exist or 2FA fails !

index.html (cisco.com)

! Note: Authentication attempts will NOT continue down a method list if a ‘fail’ response
is received, only if an error is received, e.g. if the server is down.
aaa authentication login <authen-exec-list> group <adminAAAgroup> local-case
!
! Define a AAA authorization method list for exec sessions to a AAA server, with local
fallback in case of loss of communication with the remote AAA servers