Re: Secure ACS 4.0 / local authentication

jackleung · ‎04-24-2006

Hey all,

I'm sure this is a very simple problem but I can't seem to get local authentication done as a second choice on any device if I use radius. It works if I use tacacs+. The lines I have set in AAA are:

aaa authentication login default group cwtest001 local-case

aaa authentication dot1x default group cwtest001 none

aaa authorization config-commands

aaa authorization exec default group cwtest001 local

aaa authorization network default group cwtest001

aaa accounting auth-proxy default start-stop group tacacs+

where cwtest001 has been defined.

This line in question:

aaa authentication login default group cwtest001 local-case

I have tried every variation I can think of (I think). From SecureACS side, the device is set to use Radius IETF as authentication. I can log into the device without a problem using network credentials but in case this server goes down, I want the ability to use a local account on the device as backup.

Any help is appreciated.

Thanks!

s.jankowski · ‎04-28-2006

You have set the authentication to Local. Are you sure, you have the user name and password configured in the local database?. Because, you might have mistakenly missed out that information to be added.

scottmac · ‎04-28-2006

For Cisco APs, set the ACS up for Cisco Wireless.

If you're not GUI-phobic, set up the RADIUS server/local auth according to their preferred order in the WebGUI on the security page.

How many users/userids do you have?

The local RADIUS / user base can only handle ~50 entities (and I think that's a hard-limited count).

Good Luck

Scott