Radius server availability & fallback to local login

Gordon Ross
Level 9

I'm having problems when using radius for IOS authentication and falling back to local credentials. When the IOS device comes up, I just get "% Authentication failed" messages, with no login prompt. Then about three or four minutes after boot, I can finally get a login prompt and I can login using local credentials.

My aaa/radius configuration is:

!
aaa authentication login default group radius local
!
radius-server dead-criteria time 2 tries 3
radius-server deadtime 5
!
radius server FOO1
 address ipv4 192.168.2.1 auth-port 1812 acct-port 1813
 timeout 2
 retransmit 3
 key XXXXX

What am I missing to get IOS to fail back to local credentials sooner?

Thanks,

GTG

Please rate all helpful posts.

Luke Oxley
Level 1
Hey [@gr306@cam.ac.uk],

Thanks for your post. I love the Thomas The Tank Engine avatar...
I'd be happy to help. So from my understanding, you have a RADIUS AAA server that you use for authentication to the IOS device. However when the RADIUS authentication fails it will kill your session as opposed to reverting to the local database for authentication? Please can you negate the following commands as per the below, save the configuration reload and then test again?
no radius-server dead-criteria time 2 tries 3
no radius-server deadtime 5
Please let me know how you get along and if you have any issues. I look forward to hearing back and getting this resolved for you.
Kind regards,
Luke


My initial Radius config didn't have those commands. I'd added them hoping they might help resolve the problem :-(

Gordon.

PS - You do know that avatar picture isn't Thomas... ;-)

Please rate all helpful posts.

[@gr306@cam.ac.uk],

Wow - yesterday must have been a slow day for me, I've only just made the connection that it is Gordon in the avatar and you are called Gordon... anyway, onwards and upwards.
You won't need the deadtime and dead-criteria commands for what you are trying to achieve, although I can see your reasoning. After examining your current configuration and taking into account your requirements, I have a few points to make which I think will sort this for you. Please be warned that as I cannot see your entire environment, I've made some pretty heavy assumptions about your setup. Please review these carefully at the bottom of my post before continuing.
  1. I can see that in your AAA authentication string you've specified a server group named "radius", but have not created a group, instead you have just created a RADIUS node that is not part of a group. In theory, this should work all the same but to keep things tidy I prefer seeing groups made. This is also how I have it working in my lab, so for the sake of my sanity I'm passing you a working configuration that we should at least try.
  2. You have truncated the configuration, so I cannot vouch for what you have included in your terminal lines, but I'm making the assumption you haven't specified the authentication method for VTY, Aux and Console as and where needed. This will need to be done to tell the router what type of authentication to use for each connection type.
Let's move on to getting this sorted for you. On a console connection (so you don't lock yourself out), please complete the following.
Firstly, let's start by negating and removing the configuration you currently have in place with the below commands. Also, any further AAA/RADIUS/login related configuration that I do not have a view of should be removed too.
no aaa authentication login default group radius local
no radius-server dead-criteria time 2 tries 3
no radius-server deadtime 5
no radius server FOO1
no aaa new-model
Now, let us start by enabling AAA new-model and creating an AAA RADIUS server group.
aaa new-model
aaa group server radius RADIUS
 server 192.168.2.1 auth-port 1812 acct-port 1813
Secondly, we need to create an AAA authentication string to tie the server group in with the local user database. I'm naming this "RAD_LOC" to describe clearly that its function is to try RADIUS authentication first and then fall back to the local user database.
aaa authentication login RAD_LOC group RADIUS local
Now, we need to specify the AAA authentication string under the VTY line(s) with the following commands.
line vty 0 15
login authentication RAD_LOC
Lastly, and for good measure, let's save the configuration, reload the device and then begin testing. Remember, after the reload, allow the router a few moments (maybe 30 seconds or so) after it has booted into IOS to ensure all the necessary services and processes have had time to start.
copy run start
reload
Let me know how you get along with my suggestions, hopefully this gets it sorted for you. I look forward to hearing back.

Thanks,
Luke

Assumptions and Caveats
  1. I make the assumption you already have SSH access setup correctly.
  2. I make the assumption that this issue is only occurring when connecting using VTY, i.e. SSH/Telnet, not Console/Aux.
  3. I make the assumption that you have 0-15 VTY lines as opposed to 0-4. This depends on the platform you are using. If not, please amend my configuration above to match.
  4. I make the assumption the RADIUS server you are using is reachable in good time from the router, i.e. not a 1300ms ping response time.
  5. I make the assumption the RADIUS server is set up correctly to receive and service authentication requests and has been proven working with other devices.

I'd just like to clarify the problem: Radius does usually work on the device. The problem is when the device initially boots up and isn't connected to the network (or can't talk to the radius server). It can take 3-4 minutes for the system to failover from radius authentication to local. Both authentication schemes work - it's just taking *way* too long to failover.

e.g. When the device boots, you have to wait through multiple instances of:

switch con0 is now available

Press RETURN to get started.

User Access Verification

% Authentication failed

% Authentication failed

% Authentication failed

before you get a login prompt where local authentication works. If the device is connected to the network and the radius server is working, then you get a login prompt instantly, and you can login fine.

GTG

Please rate all helpful posts.

[@gr306@cam.ac.uk],
Apologies for the late response. This is strange, however I have a few thoughts that I think can get us on the right track.
1. Can you please confirm the version of IOS you are running?
2. Can you please confirm if there is anything in the logs at the time the "% Authentication failed" occurs?
3. Lastly, I see that you originally had a deadtime set of 5 minutes, which means that the server will only be marked as dead after 5 minutes. We should negate this command and add in the following as per the below.
radius-server retransmit 1
radius-server timeout 3
no radius-server deadtime
I'll have a check for bugs in the meantime. If after these suggestions it still fails, please would you be able to provide a full sanitised configuration and I'll spin this up in my lab to test further. We'll get it sorted for you Gordon.
Kind regards,
Luke Oxley

[@gr306@cam.ac.uk],

I hope you're well. As per my last post, did you manage to test this?

Kind regards,

Luke Oxley


Hi Gordon,

Not sure if this is an issue - thread is a little old, but your RADIUS timeout may be a little short, depending on your environment. You can try and set "timeout 10" and if successful drop it to a lower value if required.

Cheers,

Chris

I've made the changes you suggested, and there's no difference.

GTG

Please rate all helpful posts.

Hello

Try decreasing the retries/timeout/dead timings

radius-server retransmit (x)
radius-server timeout (secs)
radius-server deadtime (sec)

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
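Luke's and Paul's posts above both turn on the same arithmetic: for one login attempt IOS tries each RADIUS server once plus `retransmit` more times, waiting `timeout` seconds each time, and only when no server answers does `group radius local` fall through to the local database (an Access-Reject never does). The following added example is my own code, not from this thread or from Cisco: a minimal RFC 2865 Access-Request client in Python with that same timeout/retransmit loop, the User-Password obfuscation and Response Authenticator check, and a `login()` wrapper that consults a local user table only on "unreachable". The loopback address, the unused port, the shared secret `XXXXX`, and the user names and passwords are constructed values; run with no RADIUS server listening it walks the unreachable-then-local path the thread is about.

```python
"""Added example (not from the thread or from Cisco): a minimal RFC 2865 client
with IOS-style timeout/retransmit, and a login() that falls back to a local user
table only when RADIUS is unreachable. All hosts, secrets and users are constructed."""
import hashlib
import hmac
import os
import socket
import struct
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def encode_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-octet multiple, XOR each block with MD5(secret +
    previous block), the first block keyed by the Request Authenticator. This is
    obfuscation, not encryption: the shared secret and the path to the server matter."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def decode_user_password(encoded, secret, authenticator):
    """Server-side inverse; trailing NULs are padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, authenticator, secret, username, password):
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by TLV attributes."""
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username.encode()),
                             (ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """What a server sends back; the Response Authenticator binds it to one request."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs

def response_is_authentic(resp, request_authenticator, secret):
    """RFC 2865 3: check MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    Without it anyone on the path could forge an Access-Accept."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def expected_fallback_seconds(timeout, retransmit, servers=1):
    """Worst case before IOS abandons the RADIUS method for one login attempt: each
    server gets the initial try plus `retransmit` retries of `timeout` seconds.
    deadtime only shortens later attempts by skipping servers already marked dead."""
    return timeout * (retransmit + 1) * servers

def radius_authenticate(server, port, secret, username, password, timeout=2.0, retransmit=3):
    """Returns 'accept', 'reject' or 'unreachable' (no authentic reply in time)."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    request = build_access_request(ident, authenticator, secret, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(retransmit + 1):
            try:
                sock.sendto(request, (server, port))
                data, _ = sock.recvfrom(4096)
            except OSError:  # socket.timeout, or an ICMP unreachable surfaced as an error
                continue
            if not response_is_authentic(data, authenticator, secret) or data[1] != ident:
                continue  # forged, corrupted or stale reply: ignore it and retransmit
            return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(data[0], "reject")
    return "unreachable"

def login(server, port, secret, username, password, local_users, timeout=2.0, retransmit=3):
    """Model of `aaa authentication login ... group radius local`: the local database is
    consulted only when RADIUS gave no answer, never on a reject. Returns (ok, method)."""
    result = radius_authenticate(server, port, secret, username, password, timeout, retransmit)
    if result == "unreachable":
        return hmac.compare_digest(local_users.get(username, "").encode(), password.encode()), "local"
    return result == "accept", "radius"

def unused_udp_port():
    """A loopback port nothing listens on, to simulate the RADIUS server being down."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    start = time.monotonic()  # constructed scenario: freshly booted device, server unreachable
    ok, method = login("127.0.0.1", unused_udp_port(), b"XXXXX", "admin", "local-pw",
                       {"admin": "local-pw"}, timeout=0.2, retransmit=1)
    print(f"authenticated={ok} via {method} after {time.monotonic() - start:.2f}s; "
          f"the thread's timeout 2 / retransmit 3 bounds one attempt at {expected_fallback_seconds(2, 3)}s")
```

With the values from the original post (timeout 2, retransmit 3, one server), `expected_fallback_seconds(2, 3)` is 8 seconds per login attempt, which is the baseline to compare against the minutes Gordon reports; `radius-server deadtime` does not shorten the first attempt at all, it only lets later attempts skip a server already marked dead. Note also that `login()` keeps a reject as a reject: a wrong password against a reachable server must not be retried against the local database, otherwise the fallback path becomes a second, weaker login.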

Luke Oxley
Level 1
[@gr306@cam.ac.uk],

Please follow my configuration example first, as I just want to make sure you have the fundamentals correct, since you are yet to get RADIUS authentication to work.
After this if you have no success, pdriver makes a great point about decreasing the deadtime and timeout values.
Let us know how you get along with the testing.

All the best,
Luke

