08-03-2007 02:58 AM - edited 03-05-2019 05:41 PM
When we give alternative ways of authentication (local & RADIUS), Cisco routers bypass the first method (local) & go to RADIUS if the user-provided username is not in the local database.
(aaa authentication login default local group radius)
But if the first method is RADIUS, & the user provides a username not available on the RADIUS server, it shows as an authentication failure & doesn't check the local database (aaa authentication login default group radius local).
Can anyone explain why it treats it as:
local failure - username not in local database; if the username is not in the local database it checks RADIUS
radius failure - RADIUS server not available; username not in the RADIUS database is not a reason to bypass RADIUS & check local
08-03-2007 03:17 AM
Hi,
I don't know the logic behind it, but maybe if you use RADIUS, central administration is assumed, so every user must be in the DB, and only if the RADIUS server is unresponsive is the local database used instead.
Krisztian
08-03-2007 03:41 AM
Hi,
This is very logical security-wise: if you tell the router to use RADIUS, then the username must be in RADIUS, or else the router would have violated your order. The only use of local in your case is that it would be used as a fallback if RADIUS is not reachable.
HTH,
Mohammed Mahmoud.
08-03-2007 04:31 AM
Dear Mohammed,
You are correct. But my question was different.
08-03-2007 12:41 PM
Hi,
Actually this is due to the way IOS works.
If you have this command
aaa authentication login default local group radius
now run the debugs and try to make an attempt with a user that is not in the local DB. You will see that IOS returns the value "error".
Whereas, on the other hand, if the user is not in the RADIUS DB, RADIUS returns the value "fail" instead of "error".
That is why it never checks the local DB if the user is not in RADIUS.
So to change this behavior we need to make changes in RADIUS or in IOS.
Hope that helps !
Regards,
~JG
08-03-2007 12:52 PM
Jagdeep provides a good discussion of this issue. With AAA authentication there are 3 types of responses (pass, fail, and error). The IOS implementation of AAA authentication is pretty clear (and I believe it to be correct): if it receives a response of error, IOS will attempt an alternate method, but if IOS receives a response of fail, then IOS considers it done and does not attempt other methods.
So then the question becomes what response we get from RADIUS and from local if the username is not in the database. Jagdeep is quite correct that RADIUS returns a fail response if the name is not in the database and that local returns an error response.
I believe that the original problem really involves the inconsistency that the 2 methods return different responses when the username is not in the database. I am not sure that there is a good way to resolve this inconsistency. I suspect that we will need to live with this being the way that it works.
HTH
Rick
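The pass/fail/error method-list behaviour described by Jagdeep and Rick, as an added model that is not part of this thread and not Cisco code: the usernames, passwords and databases are constructed, and `authenticate` walks the method list the way the posts describe IOS doing it (error moves on to the next method, pass or fail is final).

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


# Constructed sample databases; these users and secrets are hypothetical.
LOCAL_DB = {"ops-admin": "local-secret"}
RADIUS_DB = {"alice": "radius-secret"}


def local_method(user, password, radius_up=True):
    """Local database: unknown username -> ERROR, wrong password -> FAIL."""
    if user not in LOCAL_DB:
        return Result.ERROR
    return Result.PASS if LOCAL_DB[user] == password else Result.FAIL


def radius_method(user, password, radius_up=True):
    """RADIUS: unreachable server -> ERROR; unknown user or bad password -> FAIL (Access-Reject)."""
    if not radius_up:
        return Result.ERROR
    if RADIUS_DB.get(user) == password:
        return Result.PASS
    return Result.FAIL


METHODS = {"local": local_method, "group radius": radius_method}


def authenticate(method_list, user, password, radius_up=True):
    """Evaluate an 'aaa authentication login' method list as the thread describes IOS doing it.

    Returns (final_result, trace) where trace lists (method, result) for each method consulted.
    ERROR moves on to the next method; PASS or FAIL ends evaluation immediately.
    """
    trace = []
    for name in method_list:
        result = METHODS[name](user, password, radius_up)
        trace.append((name, result))
        if result is not Result.ERROR:
            return result, trace
    # Every method returned ERROR: no method could decide, so the login is denied.
    return Result.ERROR, trace
```

With `["local", "group radius"]` an unknown local user falls through to RADIUS, while with `["group radius", "local"]` a user missing from RADIUS gets a final FAIL and local is never consulted unless the RADIUS server is unreachable.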
08-03-2007 01:19 PM
hi Pitigala,
Please do accept my apologies if I got your question wrong, and I totally agree with Rick that Jagdeep has provided a nice answer. The RADIUS response is very logical, while the local DB is weird as it should also give fail; maybe this was intended for a specific reason. However, Rick is correct in that we need to live with this being the way that it works.
HTH,
Mohammed Mahmoud.