BRPsysadmin
asked on
Configuring cisco switch for local username and password failover when radius is not avialable
I recently changed the configuration on a cisco 2950 to allow radius authentication, which worksw ell, but also what I thought would be failover to a local username and password incase of the radius server being unavailable.
Well I deployed the below configuration however when the switch couldn't talk to the radius server (I shut down the server) I was not allowed into the switch via telnet with either local or domain credentials, which is what I'm looking to happen. I need validate credentials against the radius server if it is available however if it is not available I need it to default to the local username and password. Can someone take a look and see what I missed? I'm only including what I believe to be relevant.
aaa new-model
aaa authentication login default group radius
aaa authentication login console local
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authorization network default group raidus
enable secret 5 *omitted*
!
username admin secret 5 *omitted*
...
...
radius-server host *omitted* auth-port 1812 acct-port 1813 key *omitted*
radius-server retransmit 3
radius-server timeout 4
radius-server deadtime 2
radius-server vsa send authentication
line con 0
login authentication console
line vty 0 4
password 7 *omitted*
length 0
line vty 5 15
!
!
end
Well I deployed the below configuration however when the switch couldn't talk to the radius server (I shut down the server) I was not allowed into the switch via telnet with either local or domain credentials, which is what I'm looking to happen. I need validate credentials against the radius server if it is available however if it is not available I need it to default to the local username and password. Can someone take a look and see what I missed? I'm only including what I believe to be relevant.
aaa new-model
aaa authentication login default group radius
aaa authentication login console local
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authorization network default group raidus
enable secret 5 *omitted*
!
username admin secret 5 *omitted*
...
...
radius-server host *omitted* auth-port 1812 acct-port 1813 key *omitted*
radius-server retransmit 3
radius-server timeout 4
radius-server deadtime 2
radius-server vsa send authentication
line con 0
login authentication console
line vty 0 4
password 7 *omitted*
length 0
line vty 5 15
!
!
end
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Here's a config I use for my routers with TACACS+ that should work the same for you with RADIUS:
aaa authentication login default group tacacs+ local enable
aaa authentication login CONSOLE local group tacacs+ enable
aaa authentication login TELNET group tacacs+ local enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local group tacacs+
aaa authorization commands 0 default local group tacacs+
aaa authorization commands 1 default local group tacacs+
aaa authorization commands 15 default local group tacacs+
If TACACS+ is not available, you'll see the initial login hang for a few seconds longer than normal and then be able to login with the local username/password.
Hope this helps...
Mike
aaa authentication login default group tacacs+ local enable
aaa authentication login CONSOLE local group tacacs+ enable
aaa authentication login TELNET group tacacs+ local enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local group tacacs+
aaa authorization commands 0 default local group tacacs+
aaa authorization commands 1 default local group tacacs+
aaa authorization commands 15 default local group tacacs+
If TACACS+ is not available, you'll see the initial login hang for a few seconds longer than normal and then be able to login with the local username/password.
Hope this helps...
Mike
With the above radius will be checked first and if the radius server does not respond then the local database will be used. but if the radius server denies access then the local access will not be used. This only works when the radius server is down.
ASKER