Solved

Cisco Router Radius Failover to Local issues

Posted on 2010-08-27
4
1,553 Views
Last Modified: 2013-11-25
I setup my routers for Radius authentication using a Windows 2008 Network Policy Server. It seems to work successfully as far as authenticating to my active directory accounts. The problem is when I tested user account failover to local access, it fails. If my NPS server is unavailable, I am out of luck and I won't be able to login. Access should try the radius server and then if not available try local. The is the basic config of what I inputted into my router..
Anyone have any ideas of why its not failing over to local access?

aaa new-model
aaa group server radius RADIUS_AUTH
server 10.x.x.x auth-port 1812 acct-port 1813
aaa authentication login networkaccess group RADIUS_AUTH enable
aaa authorization exec default group RADIUS_AUTH if-authenticated
ip radius source-interface FastEthernet0/1.1
radius-server host 10.x.x.x auth-port 1812 acct-port 1813 key
line vty 0 15
exec-timeout 0 0
login authentication networkaccess
0
Comment
Question by:cslack_13
  • 2
  • 2
4 Comments
 
LVL 4

Expert Comment

by:erik_nodland
ID: 33545815
Hi

You don't seem to have the "local" command configuration applied to your auth,

IE You would need something like
aaa authorization exec default group RADIUS_AUTH if-authenticated local

cheers
Erik
0
 

Author Comment

by:cslack_13
ID: 33546198
Hey Erik, thanks for the reply. I added a line like you stated above, shutdown my NPS server and still cannot login with a local router account. Is there some timeout settings somewhere? Maybe need to make some changes to the VTY console? I have some Dell switches that are failing over properly with local Radius, its just the cisco stuff I am having problems with.
0
 
LVL 4

Accepted Solution

by:
erik_nodland earned 500 total points
ID: 33546350
Hi

There will be a timeout but it should fail over. Did you do a "debug aaa auth" and see what it was trying to do. Did you add the local keyword to the authentication as well?

Try adding

aaa authentication login default group RADIUS_AUTH enable local

Then removing
login authentication networkaccess

from your vty line. If it works you can go back to using named lists.

thanks
Erik

thanks
Erik
0
 

Author Comment

by:cslack_13
ID: 33546401
That worked Erik, removing the "login authenticatio networkaccess" line and adding
aaa authentication login default group RADIUS_AUTH enable local


Thanks for the help
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
DHCP Failover Relationship caveats 6 95
ASR920 switching 2 26
Managed vs unmanaged switches 8 48
Getting locked out and can't access Cisco via the web 18 35
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now