Solved

Cisco Router Radius Failover to Local issues

Posted on 2010-08-27
Last Modified: 2013-11-25
I set up my routers for RADIUS authentication using a Windows 2008 Network Policy Server. It seems to work successfully as far as authenticating to my Active Directory accounts. The problem is when I tested user account failover to local access, it fails. If my NPS server is unavailable, I am out of luck and I won't be able to log in. Access should try the RADIUS server and then, if not available, try local. This is the basic config of what I inputted into my router.
Anyone have any ideas of why it's not failing over to local access?

aaa new-model
! server group pointing at the NPS box
aaa group server radius RADIUS_AUTH
 server 10.x.x.x auth-port 1812 acct-port 1813
! login list: RADIUS first, then the enable secret; there is no "local"
! method, so the router's local username database is never consulted
aaa authentication login networkaccess group RADIUS_AUTH enable
aaa authorization exec default group RADIUS_AUTH if-authenticated
ip radius source-interface FastEthernet0/1.1
radius-server host 10.x.x.x auth-port 1812 acct-port 1813 key
! the vty lines use the named list above
line vty 0 15
 exec-timeout 0 0
 login authentication networkaccess
Question by:cslack_13
4 Comments
 

Expert Comment

by:erik_nodland
ID: 33545815
Hi

You don't seem to have the "local" command configuration applied to your auth,

i.e. you would need something like
aaa authorization exec default group RADIUS_AUTH if-authenticated local

cheers
Erik
 

Author Comment

by:cslack_13
ID: 33546198
Hey Erik, thanks for the reply. I added a line like you stated above, shut down my NPS server and still cannot log in with a local router account. Is there some timeout setting somewhere? Maybe I need to make some changes to the VTY console? I have some Dell switches that are failing over properly with local RADIUS; it's just the Cisco stuff I am having problems with.
 

Accepted Solution

by:erik_nodland (earned 2000 total points)
ID: 33546350
Hi

There will be a timeout, but it should fail over. Did you do a "debug aaa auth" and see what it was trying to do? Did you add the local keyword to the authentication as well?

Try adding

aaa authentication login default group RADIUS_AUTH enable local

Then removing
login authentication networkaccess

from your vty line. If it works you can go back to using named lists.

thanks
Erik

thanks
Erik
0
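The behaviour behind Erik's fix, as an added illustration that is not part of the original thread and not Cisco code: IOS walks the methods of a login list from left to right, and a method that returns PASS or FAIL ends the evaluation; only a method that returns ERROR (it could not be consulted, e.g. the RADIUS server timed out) lets IOS try the next one. The small Python model below encodes that rule and runs the asker's original list (`group RADIUS_AUTH enable`) and the corrected list (`group RADIUS_AUTH enable local`) against a few constructed scenarios. The user names and passwords, and the exact cases in which `enable` and `local` are treated as ERROR, are assumptions made for the model, not details from the thread.

```python
"""Toy model of Cisco IOS AAA login method-list evaluation.

Added illustration for the thread above; it does not talk to a router.
A method answers PASS, FAIL or ERROR.  PASS/FAIL are final verdicts;
ERROR (method could not be consulted) moves evaluation to the next method.
Credentials and the ERROR cases for `enable`/`local` are assumed.
"""
import hmac
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"    # method reached a verdict: deny and stop
    ERROR = "error"  # method could not decide: try the next one


# Constructed sample credentials (not from the thread).
RADIUS_USERS = {"cslack": "DomainPw1"}  # accounts NPS would accept
LOCAL_USERS = {"admin": "LocalPw1"}     # `username admin secret ...` on the router
ENABLE_SECRET = None                     # no `enable secret` configured


def _match(expected, given):
    """Constant-time compare; a missing expected value never matches."""
    return expected is not None and hmac.compare_digest(expected, given)


def radius_method(user, pw, server_up):
    """`group RADIUS_AUTH`: ERROR when NPS is unreachable, else NPS's verdict."""
    if not server_up:
        return Result.ERROR
    return Result.PASS if _match(RADIUS_USERS.get(user), pw) else Result.FAIL


def enable_method(user, pw, server_up):
    """`enable`: modelled as ERROR when no enable secret exists (assumption)."""
    if ENABLE_SECRET is None:
        return Result.ERROR
    return Result.PASS if _match(ENABLE_SECRET, pw) else Result.FAIL


def local_method(user, pw, server_up):
    """`local`: modelled as ERROR for a user absent from the local database (assumption)."""
    if user not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if _match(LOCAL_USERS[user], pw) else Result.FAIL


def authenticate(method_list, user, pw, server_up):
    """Walk the list in order; return (verdict, name of the deciding method).

    (Result.ERROR, None) means every method errored out: nobody can log in.
    """
    for method in method_list:
        verdict = method(user, pw, server_up)
        if verdict is Result.ERROR:
            continue
        return verdict, method.__name__
    return Result.ERROR, None


# The asker's original list and the accepted answer's corrected list.
ORIGINAL = [radius_method, enable_method]
FIXED = [radius_method, enable_method, local_method]

if __name__ == "__main__":
    cases = [
        (ORIGINAL, "admin", "LocalPw1", False),   # NPS down, original list: locked out
        (FIXED, "admin", "LocalPw1", False),      # NPS down, fixed list: local login works
        (FIXED, "cslack", "DomainPw1", True),     # NPS up: domain account passes
        (FIXED, "cslack", "wrong", True),         # NPS rejects: no fall-through to local
        (FIXED, "admin", "LocalPw1", True),       # NPS up: local-only account is rejected
    ]
    for lst, user, pw, up in cases:
        name = "ORIGINAL" if lst is ORIGINAL else "FIXED"
        print(f"{name:8} user={user:7} nps_up={up!s:5} -> {authenticate(lst, user, pw, up)}")
```

Two points the model makes explicit. With the original list and no enable secret, every method errors out once NPS is down, which matches the lockout the asker saw; appending `local` gives the evaluation somewhere to land. The last two cases show the caveat to keep in mind when relying on this fallback: a RADIUS reject is a final FAIL, so local accounts are only usable while the server is unreachable, and a password typo against a reachable NPS will never be retried against the local database. `debug aaa authentication`, as suggested in the answer, shows which method produced the verdict on a real router.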
 

Author Comment

by:cslack_13
ID: 33546401
That worked, Erik: removing the "login authentication networkaccess" line and adding
aaa authentication login default group RADIUS_AUTH enable local


Thanks for the help