Radius versus local user auth. on switch

marce1000
VIP

  I would like to use radius authentication for network managers accessing (IOS based) switches.

  This works, but I wonder whether it is possible to make a local user ALWAYS authenticate as a fall-back mechanism, regardless of the state of the RADIUS servers and/or whether proper radius credentials are used or not?

  The idea is to have a basic fallback login mechanism on the switch.

  I have been playing around with 'aaa authentication...' command sequences, but I can't seem to get this going (if radius=OK, I cannot use the local user, but I want to be able to use the local account, even then).

  How can I realize this?

Tx,

Marc.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
Accepted Solutions

John Blakley
VIP Alumni

Marc,

As far as I know, if you have aaa configured with radius first, it will use that and not roll over to the local database if the radius server is responding. If you have users configured on the device that will not be using the radius server, and you have network managers that will be using the radius server, you can configure the local database as the first option.

Alice - local

Bob - radius

For example, if Bob is a network manager and he will only be listed on the radius server, you could do something like the following:

username Alice secret password

aaa authentication login default local group radius

If Bob tried to log in, the local database would fail and would roll over to the radius server.

HTH,
John

*** Please rate all useful posts ***

cadet alain
VIP Alumni

Hi,

If the authentication is on a line vty, then you could reserve some lines with authentication with the local database only and some other lines with the radius and local as fallback. You can do this by applying a named list on some lines (on others the default list will be used).

As explained by John, the fallback method only gets tried if there is an ERROR message when trying to communicate with the authentication server, not an authentication failure message sent by this server.

Regards.

Alain

Don't forget to rate helpful posts.
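
The split between a default list and a named list described in the reply above, as an added configuration example that is not part of the original thread. The user name, list name LOCAL_ONLY, server name RAD1, the address and the bracketed secrets are placeholders, and the `radius server` block assumes a newer IOS release (older releases use `radius-server host` instead).

```cisco
! Added example; all names, addresses and secrets are placeholders.
aaa new-model
!
! Local fallback account (constructed name, choose your own secret)
username fallback-admin secret <LOCAL-SECRET>
!
! RADIUS server definition (192.0.2.10 is a documentation address)
radius server RAD1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-KEY>
!
! Default list: RADIUS first. "local" is tried only when RADIUS returns
! an ERROR (for example no response), not when it rejects the login.
aaa authentication login default group radius local
!
! Named list: local database only, RADIUS is never consulted.
aaa authentication login LOCAL_ONLY local
!
! Lines 0-3 have no "login authentication" statement,
! so they use the default list.
line vty 0 3
!
! Line 4 is reserved for the local account.
line vty 4
 login authentication LOCAL_ONLY
```

`show aaa method-lists authentication` lists both method lists once they are configured. An incoming session cannot choose its vty and normally lands on the lowest-numbered free line, so with this layout line 4 is reached only while lines 0-3 are in use.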
