Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Cisco Router Radius Failover to Local issues

Posted on 2010-08-27
4
Medium Priority
?
1,592 Views
Last Modified: 2013-11-25
I setup my routers for Radius authentication using a Windows 2008 Network Policy Server. It seems to work successfully as far as authenticating to my active directory accounts. The problem is when I tested user account failover to local access, it fails. If my NPS server is unavailable, I am out of luck and I won't be able to login. Access should try the radius server and then if not available try local. The is the basic config of what I inputted into my router..
Anyone have any ideas of why its not failing over to local access?

aaa new-model
aaa group server radius RADIUS_AUTH
server 10.x.x.x auth-port 1812 acct-port 1813
aaa authentication login networkaccess group RADIUS_AUTH enable
aaa authorization exec default group RADIUS_AUTH if-authenticated
ip radius source-interface FastEthernet0/1.1
radius-server host 10.x.x.x auth-port 1812 acct-port 1813 key
line vty 0 15
exec-timeout 0 0
login authentication networkaccess
0
Comment
Question by:cslack_13
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 4

Expert Comment

by:erik_nodland
ID: 33545815
Hi

You don't seem to have the "local" command configuration applied to your auth,

IE You would need something like
aaa authorization exec default group RADIUS_AUTH if-authenticated local

cheers
Erik
0
 

Author Comment

by:cslack_13
ID: 33546198
Hey Erik, thanks for the reply. I added a line like you stated above, shutdown my NPS server and still cannot login with a local router account. Is there some timeout settings somewhere? Maybe need to make some changes to the VTY console? I have some Dell switches that are failing over properly with local Radius, its just the cisco stuff I am having problems with.
0
 
LVL 4

Accepted Solution

by:
erik_nodland earned 2000 total points
ID: 33546350
Hi

There will be a timeout but it should fail over. Did you do a "debug aaa auth" and see what it was trying to do. Did you add the local keyword to the authentication as well?

Try adding

aaa authentication login default group RADIUS_AUTH enable local

Then removing
login authentication networkaccess

from your vty line. If it works you can go back to using named lists.

thanks
Erik

thanks
Erik
0
 

Author Comment

by:cslack_13
ID: 33546401
That worked Erik, removing the "login authenticatio networkaccess" line and adding
aaa authentication login default group RADIUS_AUTH enable local


Thanks for the help
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

"Disruption" is the most feared word for C-level executives these days. They agonize over their industry being disturbed by another player - most likely by startups.
In this article, you will read about the trends across the human resources departments for the upcoming year. Some of them include improving employee experience, adopting new technologies, using HR software to its full extent, and integrating artifi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Progress

662 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question