Solved

Cisco Router Radius Failover to Local issues

Posted on 2010-08-27
4
1,548 Views
Last Modified: 2013-11-25
I setup my routers for Radius authentication using a Windows 2008 Network Policy Server. It seems to work successfully as far as authenticating to my active directory accounts. The problem is when I tested user account failover to local access, it fails. If my NPS server is unavailable, I am out of luck and I won't be able to login. Access should try the radius server and then if not available try local. The is the basic config of what I inputted into my router..
Anyone have any ideas of why its not failing over to local access?

aaa new-model
aaa group server radius RADIUS_AUTH
server 10.x.x.x auth-port 1812 acct-port 1813
aaa authentication login networkaccess group RADIUS_AUTH enable
aaa authorization exec default group RADIUS_AUTH if-authenticated
ip radius source-interface FastEthernet0/1.1
radius-server host 10.x.x.x auth-port 1812 acct-port 1813 key
line vty 0 15
exec-timeout 0 0
login authentication networkaccess
0
Comment
Question by:cslack_13
  • 2
  • 2
4 Comments
 
LVL 4

Expert Comment

by:erik_nodland
ID: 33545815
Hi

You don't seem to have the "local" command configuration applied to your auth,

IE You would need something like
aaa authorization exec default group RADIUS_AUTH if-authenticated local

cheers
Erik
0
 

Author Comment

by:cslack_13
ID: 33546198
Hey Erik, thanks for the reply. I added a line like you stated above, shutdown my NPS server and still cannot login with a local router account. Is there some timeout settings somewhere? Maybe need to make some changes to the VTY console? I have some Dell switches that are failing over properly with local Radius, its just the cisco stuff I am having problems with.
0
 
LVL 4

Accepted Solution

by:
erik_nodland earned 500 total points
ID: 33546350
Hi

There will be a timeout but it should fail over. Did you do a "debug aaa auth" and see what it was trying to do. Did you add the local keyword to the authentication as well?

Try adding

aaa authentication login default group RADIUS_AUTH enable local

Then removing
login authentication networkaccess

from your vty line. If it works you can go back to using named lists.

thanks
Erik

thanks
Erik
0
 

Author Comment

by:cslack_13
ID: 33546401
That worked Erik, removing the "login authenticatio networkaccess" line and adding
aaa authentication login default group RADIUS_AUTH enable local


Thanks for the help
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
In Agile (http://en.wikipedia.org/wiki/Agile_software_development), time and again people ask this question "How would you estimate a release for a product?". When it comes from management they want to know the following: Calculate the man hours wh…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now