Radius authentication help on router

Andy White
Level 3

Hello,

I have managed to get radius authentication (Windows IAS) to work on one of my routers, however I managed to lock my Windows Active Directory account out and I then thought imagine I did this remotely!  Is there a way that if aaa authentication doesn't work it could use the local username and password on the router or telnet password?

Here is my test config:


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c1841
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default group radius
aaa authorization exec default group radius
!
aaa session-id common
clock timezone utc 0
clock summer-time bst recurring last Sun Mar 2:00 last Sun Oct 3:00
ip cef
!
!
!
!
no ip domain lookup
login on-failure log
login on-success log
!
!
username cisco privilege 15 password 0 password
archive
 log config
  logging enable
  logging size 200
  notify syslog
  hidekeys
!
interface FastEthernet0/0
 ip address 192.168.60.222 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.252
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.60.254
!
ip http server
no ip http secure-server
!
ip radius source-interface FastEthernet0/0
logging trap notifications
logging source-interface FastEthernet0/0
logging 192.168.21.19
radius-server host 192.168.22.6 auth-port 1645 acct-port 1646 key test1
!
control-plane
!
!
line con 0
 password password
line aux 0
line vty 0 4
 password password
!
scheduler allocate 20000 1000
end

11 Replies

Reza Sharifi
Hall of Fame

Hi Andy,

You need this command in your config to get authenticated locally in case of radius not being available

aaa authentication login default group radius local

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093c81.shtml

HTH

Reza

Thanks, so if the radius server cannot be contacted the router will default to local authentication and as soon as the radius server is back online the radius authentication will resume?

That is correct.  Once the radius server is online then it will be the primary for authentication.

I just changed the radius server ip on the config and then attempted to login via telnet to the router but it failed:

User Access Verification

Username: cisco
Password:
% Authorization failed.


Connection to host lost.

C:\>

on the router I got:

*May 18 14:06:34.771: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 192.168.90.11] [localport: 23] at 15:06:34 bst Tue May 18 2010

Am I missing something?

Did you add this command to your config?

aaa authentication login default group radius local

Yeah I have these 2 lines and I turned off the radius service.

aaa authentication login default group radius local
aaa authorization exec default group radius

I had to amend the other line as well as the one you mentioned:

aaa authorization exec default group radius local

If you have for example the wrong radius server configured, you should see something like this in the logs:

*Apr  7 04:52:29.801: %RADIUS-4-RADIUS_DEAD: RADIUS server 1.1.1.30:1645,1646 is not responding.
*Apr  7 04:52:29.801: %RADIUS-4-RADIUS_ALIVE: RADIUS server 1.1.1.30:1645,1646 is being marked alive.
Switch-C#

Here is the config:

aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius local

radius-server host 1.1.1.30 auth-port 1645 acct-port 1646

As soon as I remove "radius-server host 1.1.1.30" I get authenticated locally without waiting for radius time out
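As an added example (not from this thread and not Cisco code), the Python below walks router syslog lines like the ones quoted above and flags logins that succeeded while the RADIUS server was marked dead. With "local" as the backup method, any session accepted in that window was authenticated against the router's local user database rather than Active Directory, which is the set of logins an operator would want to review afterwards. The sample lines are constructed from the message formats shown in this thread (the "Wed Apr 7 2010" date inside them is an assumption), and the parser only understands the three mnemonics that appear here.

```python
import re

# Constructed sample syslog, modelled on the IOS messages quoted in this thread
# (the 'Wed Apr 7 2010' date is an assumption; the quoted lines carry no year on the left).
SAMPLE_LOG = """\
*Apr  7 04:52:29.801: %RADIUS-4-RADIUS_DEAD: RADIUS server 1.1.1.30:1645,1646 is not responding.
*Apr  7 04:53:10.120: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 192.168.90.11] [localport: 23] at 05:53:10 bst Wed Apr 7 2010
*Apr  7 04:55:29.801: %RADIUS-4-RADIUS_ALIVE: RADIUS server 1.1.1.30:1645,1646 is being marked alive.
*Apr  7 04:58:00.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: awhite] [Source: 192.168.90.11] [localport: 23] at 05:58:00 bst Wed Apr 7 2010
"""

# '*Mon DD hh:mm:ss.mmm: %FACILITY-SEVERITY-MNEMONIC: text', the shape produced by
# 'service timestamps log datetime msec' in the OP's config.
LINE_RE = re.compile(
    r"^\*(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$"
)
SERVER_RE = re.compile(r"RADIUS server (?P<server>\d+\.\d+\.\d+\.\d+):\d+,\d+")
FIELD_RE = re.compile(r"\[(?P<key>[A-Za-z]+): (?P<value>[^\]]*)\]")


def parse_line(raw):
    """Split one syslog line into timestamp, mnemonic and text; None if it is not one."""
    m = LINE_RE.match(raw.strip())
    return m.groupdict() if m else None


def radius_server_in(text):
    """Extract the 'a.b.c.d' from a RADIUS_DEAD / RADIUS_ALIVE message, or None."""
    m = SERVER_RE.search(text)
    return m.group("server") if m else None


def fallback_logins(log_text, servers=None):
    """Return successful logins that happened while RADIUS was dead.

    servers: the configured RADIUS hosts. IOS only moves on to the next method when
    every server in the group is dead, so when the list is given a login is flagged
    only while all of them are marked dead. Without it, any dead server opens the
    window, which is right for a single-server config like the OP's.
    """
    dead = set()
    flagged = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["mnemonic"] == "RADIUS-4-RADIUS_DEAD":
            dead.add(radius_server_in(ev["text"]))
        elif ev["mnemonic"] == "RADIUS-4-RADIUS_ALIVE":
            dead.discard(radius_server_in(ev["text"]))
        elif ev["mnemonic"] == "SEC_LOGIN-5-LOGIN_SUCCESS":
            in_window = dead >= set(servers) if servers else bool(dead)
            if in_window:
                fields = dict(FIELD_RE.findall(ev["text"]))
                flagged.append({
                    "time": ev["ts"],
                    "user": fields.get("user"),
                    "source": fields.get("Source"),
                    "dead_servers": sorted(dead),
                })
    return flagged


if __name__ == "__main__":
    for hit in fallback_logins(SAMPLE_LOG):
        print(f"{hit['time']} local-fallback login: user={hit['user']} from {hit['source']} "
              f"(RADIUS dead: {', '.join(hit['dead_servers'])})")
```

Run against the sample, only the "cisco" login is reported: it landed between the DEAD and ALIVE messages, while the "awhite" login came after the server was marked alive again and so went through RADIUS. The router itself does not log which method in the list answered, so this is a correlation on the DEAD/ALIVE markers, not a direct record of local authentication.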

Certainly you need to have something in the config for authorization to serve as an alternative in case the authentication server is not available. While this is ok:

aaa authorization exec default group radius local

I would suggest that this is even better:

aaa authorization exec default group radius if-authenticated

HTH

Rick

Hi,

I thought mine does have an alternative? With local at the end it allows me to use the usernames and passwords if the radius server is unavailable. For my understanding what does your example do as I may try it?

Many thanks

Andy

My suggestion is a bit more general and says that if authorization is required and the authentication/authorization server is not available then assume authorization as long as the user has been successfully authenticated. Your approach is a bit more specific and says that if authorization is required and the authentication/authorization server is not available then the router should conduct authorization using the local database of user IDs.

Here is a scenario in which our solutions behave differently. Assume that a user has logged on and authenticated via the Radius server. Then assume that the server has become unavailable and that the user now needs authorization. In my suggestion the user is successful since they have been successfully authenticated. In your approach the router needs to authorize using the local database, but the router does not know which record in the local database applies since the user did not authenticate using the local database.

Also I would like to offer one clarification: in re-reading your original post I notice that part of the original problem was that you locked your AD account. This implies that the router was communicating with the server but that the server was not authenticating (or authorizing). In this case using the "local" option as the backup method for authentication or authorization would not resolve your problem. If the router sends a request to the server and receives a response of "not authenticated" (or "not authorized") then the router will not use the local option.

HTH

Rick

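As an added example (not from this thread and not IOS code), here is a small Python model of the method-list behaviour Rick describes: a method list is walked left to right, and the next method is consulted only when the current one cannot answer (server dead or timed out), never when it answers with a reject. It replays the failed telnet test from earlier in the thread, the "local" fix on both lines, Rick's server-dies-between-authentication-and-authorization scenario for a user who exists only in AD, and the locked-account case. The user names, passwords, the toy RADIUS server and the "login denied" text are constructed for the example; the local database mirrors the OP's single "username cisco" line.

```python
from enum import Enum, auto


class Reply(Enum):
    """Outcomes a AAA method can report. IOS moves to the next method in the list
    only on ERROR (no usable answer); PASS and FAIL both end the search."""
    PASS = auto()
    FAIL = auto()    # the server answered and said no (bad password, locked AD account, ...)
    ERROR = auto()   # no answer: server dead or timed out


# Constructed local database, matching the OP's 'username cisco privilege 15 password 0 password'.
LOCAL_USERS = {"cisco": "password"}


class RadiusServer:
    """Toy stand-in for the IAS box; reachable=False makes every request time out."""

    def __init__(self, users, reachable=True):
        self.users = users            # user -> password known on the RADIUS/AD side
        self.reachable = reachable

    def authenticate(self, user, password):
        if not self.reachable:
            return Reply.ERROR
        return Reply.PASS if self.users.get(user) == password else Reply.FAIL

    def authorize(self, user):
        if not self.reachable:
            return Reply.ERROR
        return Reply.PASS if user in self.users else Reply.FAIL


def run_methods(methods, try_method):
    """Walk a method list left to right; stop at the first PASS or FAIL."""
    for method in methods:
        reply = try_method(method)
        if reply is not Reply.ERROR:
            return reply, method
    return Reply.ERROR, None          # every method errored: the request is refused


def login(auth_methods, authz_methods, server, user, password, server_dies_after_auth=False):
    """Model 'aaa authentication login default ...' then 'aaa authorization exec default ...'.
    Returns (outcome, method that authenticated, method that authorized)."""

    def auth(method):
        if method == "group radius":
            return server.authenticate(user, password)
        if method == "local":         # local never ERRORs: an unknown user is a FAIL
            return Reply.PASS if LOCAL_USERS.get(user) == password else Reply.FAIL
        return Reply.ERROR            # method names this model does not implement

    auth_reply, auth_via = run_methods(auth_methods, auth)
    if auth_reply is not Reply.PASS:
        return "login denied", auth_via, None   # message text is the model's own

    if server_dies_after_auth:        # Rick's scenario: server goes away between the two steps
        server.reachable = False

    def authz(method):
        if method == "group radius":
            return server.authorize(user)
        if method == "local":         # needs a matching local record, whoever authenticated
            return Reply.PASS if user in LOCAL_USERS else Reply.FAIL
        if method == "if-authenticated":
            return Reply.PASS         # only reached after a successful authentication
        return Reply.ERROR

    authz_reply, authz_via = run_methods(authz_methods, authz)
    if authz_reply is not Reply.PASS:
        return "% Authorization failed", auth_via, authz_via
    return "exec granted", auth_via, authz_via


def run_scenarios():
    radius_users = {"cisco": "password", "awhite": "ad-secret"}   # constructed
    down = RadiusServer(radius_users, reachable=False)
    return {
        # the earlier telnet test: RADIUS off, 'local' only on the authentication line
        "op_test": login(["group radius", "local"], ["group radius"],
                         down, "cisco", "password"),
        # the fix applied afterwards: 'local' on both lines
        "op_fixed": login(["group radius", "local"], ["group radius", "local"],
                          down, "cisco", "password"),
        # Rick's scenario: AD-only user, server dies after authentication
        "rick_local": login(["group radius", "local"], ["group radius", "local"],
                            RadiusServer(radius_users), "awhite", "ad-secret",
                            server_dies_after_auth=True),
        "rick_ifauth": login(["group radius", "local"], ["group radius", "if-authenticated"],
                             RadiusServer(radius_users), "awhite", "ad-secret",
                             server_dies_after_auth=True),
        # Rick's clarification: the server answers (locked account => reject), so no fallback
        "locked_account": login(["group radius", "local"], ["group radius", "local"],
                                RadiusServer(radius_users), "awhite", "wrong-password"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:15s} -> {result}")
```

The "op_test" case reproduces what the telnet session showed: authentication passes through "local" (hence the LOGIN_SUCCESS on the router) and then exec authorization errors out because "group radius" was the only method, so the session is dropped with "% Authorization failed". The "rick_local" and "rick_ifauth" cases differ only in the last authorization method and show why "if-authenticated" helps for accounts that exist only in AD, while "locked_account" shows that a reject from a reachable server is final and never reaches "local".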