Cisco Router Radius Failover to Local issues

Posted on 2010-08-27
Last Modified: 2013-11-25
I setup my routers for Radius authentication using a Windows 2008 Network Policy Server. It seems to work successfully as far as authenticating to my active directory accounts. The problem is when I tested user account failover to local access, it fails. If my NPS server is unavailable, I am out of luck and I won't be able to login. Access should try the radius server and then if not available try local. The is the basic config of what I inputted into my router..
Anyone have any ideas of why its not failing over to local access?

aaa new-model
aaa group server radius RADIUS_AUTH
server 10.x.x.x auth-port 1812 acct-port 1813
aaa authentication login networkaccess group RADIUS_AUTH enable
aaa authorization exec default group RADIUS_AUTH if-authenticated
ip radius source-interface FastEthernet0/1.1
radius-server host 10.x.x.x auth-port 1812 acct-port 1813 key
line vty 0 15
exec-timeout 0 0
login authentication networkaccess
Question by:cslack_13
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2

Expert Comment

ID: 33545815

You don't seem to have the "local" command configuration applied to your auth,

IE You would need something like
aaa authorization exec default group RADIUS_AUTH if-authenticated local


Author Comment

ID: 33546198
Hey Erik, thanks for the reply. I added a line like you stated above, shutdown my NPS server and still cannot login with a local router account. Is there some timeout settings somewhere? Maybe need to make some changes to the VTY console? I have some Dell switches that are failing over properly with local Radius, its just the cisco stuff I am having problems with.

Accepted Solution

erik_nodland earned 500 total points
ID: 33546350

There will be a timeout but it should fail over. Did you do a "debug aaa auth" and see what it was trying to do. Did you add the local keyword to the authentication as well?

Try adding

aaa authentication login default group RADIUS_AUTH enable local

Then removing
login authentication networkaccess

from your vty line. If it works you can go back to using named lists.



Author Comment

ID: 33546401
That worked Erik, removing the "login authenticatio networkaccess" line and adding
aaa authentication login default group RADIUS_AUTH enable local

Thanks for the help

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
In this article, you will read about the trends across the human resources departments for the upcoming year. Some of them include improving employee experience, adopting new technologies, using HR software to its full extent, and integrating artifi…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question