Solved

2 RADIUS server and Local User failover help

Posted on 2010-08-27
Last Modified: 2012-06-27
Well. Here is what I have. Basically, I'm trying to get it so that when users log in via SSH/HTTPS, the user's authentication will first check the primary, and then the secondary RADIUS server, and if there's no luck there, use the local user database...

This is just my test router, but once I solidify the connections I will be using it on the active network. Reason I'm timid: I typed in aaa new-model and it took down the switch I was working on. So yeah. Timid.... =[

Current configuration : 1092 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname test_rtr
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default group radius
aaa authorization exec default group radius 
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
!
username shaun.local privilege 15 password 7 00150457566A3C472F
!
!
!
interface FastEthernet0/0
 ip address 10.11.8.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.240
 duplex auto
 speed auto
!
interface Serial0/1/0
 no ip address
 shutdown
!
interface BRI0/2/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.11.8.1
!
ip http server
ip http authentication aaa
!
radius-server host 10.11.8.252 auth-port 1812 acct-port 1813 key 7 0833434F0D11001616
!
control-plane
!         
privilege exec level 7 clear line
privilege exec level 7 clear
!
line con 0
line aux 0
line vty 0 4
!
end

Question by: Delszeki
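
The config above is a useful input for a configuration audit. What follows is an added example, not code from this thread: a small Python script that parses the IOS `aaa authentication login` / `aaa authorization exec` method lists and reports any list that consults a server group with nothing to fall back to, the `line` stanzas and HTTP server that inherit such a default list, and `username ... password 7` entries. The "before" sample is the poster's config trimmed to the AAA lines with the type-7 strings replaced by placeholders; the "after" sample is a constructed corrected version (the second server 10.11.8.253, the group name RAD-SERVERS and the list names CREDS/CONSOLE are assumptions). One thing no static check can tell you: IOS moves on to `local` only when no RADIUS server answers; an Access-Reject from a reachable server ends the attempt.

```python
"""Audit an IOS running-config for AAA method lists that lock admins out
when every RADIUS/TACACS+ server is unreachable.

Added example for this thread, not the poster's or the expert's code.
"""
import re
from typing import Dict, List, Tuple

# The poster's config, trimmed to the AAA lines; type-7 strings replaced.
CONFIG_BEFORE = """\
aaa new-model
aaa authentication login default group radius
aaa authorization exec default group radius
username shaun.local privilege 15 password 7 <type7-string>
ip http authentication aaa
line con 0
line vty 0 4
end
"""

# Constructed corrected version (assumptions: second server 10.11.8.253,
# group name RAD-SERVERS, list names CREDS and CONSOLE).
CONFIG_AFTER = """\
aaa new-model
aaa group server radius RAD-SERVERS
 server 10.11.8.252 auth-port 1812 acct-port 1813
 server 10.11.8.253 auth-port 1812 acct-port 1813
aaa authentication login CREDS group RAD-SERVERS local
aaa authentication login CONSOLE local
aaa authorization exec CREDS group RAD-SERVERS local if-authenticated
username shaun.local privilege 15 secret 5 <type5-hash>
ip http authentication aaa login-authentication CREDS
ip http authentication aaa exec-authorization CREDS
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication CREDS
 authorization exec CREDS
end
"""

# Methods that can still succeed when no server is reachable.
FALLBACK = {"local", "local-case", "enable", "line", "none", "if-authenticated"}

AAA_LIST = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")


def parse_methods(tokens: List[str]) -> List[str]:
    """Turn 'group radius local' into ['group radius', 'local']."""
    methods, it = [], iter(tokens)
    for tok in it:
        methods.append("group " + next(it, "?") if tok == "group" else tok)
    return methods


def parse_aaa_lists(config: str) -> Dict[Tuple[str, str], List[str]]:
    """Map (kind, list-name) to its ordered method list."""
    lists = {}
    for line in config.splitlines():
        m = AAA_LIST.match(line.strip())
        if m:
            lists[(m.group(1), m.group(2))] = parse_methods(m.group(3).split())
    return lists


def parse_line_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Collect 'line ...' stanzas with their indented sub-commands."""
    sections, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = (raw.strip(), [])
            sections.append(current)
        elif current is not None and raw.startswith(" "):
            current[1].append(raw.strip())
        else:
            current = None
    return sections


def lockout_risk(methods: List[str]) -> bool:
    """True when the list consults a server group but has no method left
    to try once every server has timed out."""
    return any(m.startswith("group ") for m in methods) and not (set(methods) & FALLBACK)


def audit(config: str) -> List[str]:
    findings, risky = [], set()
    for (kind, name), methods in parse_aaa_lists(config).items():
        if lockout_risk(methods):
            risky.add((kind, name))
            findings.append(f"aaa {kind} list '{name}' ({' '.join(methods)}): "
                            "no fallback when all servers are unreachable")
    if ("authentication login", "default") in risky:
        # Lines without an explicit 'login authentication' inherit the default list.
        for section, body in parse_line_sections(config):
            if not any(b.startswith("login authentication ") for b in body):
                findings.append(f"'{section}' inherits the default login list")
        # 'ip http authentication aaa' on its own also uses the default lists.
        if re.search(r"^ip http authentication aaa\s*$", config, re.M):
            findings.append("'ip http authentication aaa' inherits the default login list; "
                            "name a list with login-authentication")
    for m in re.finditer(r"^username (\S+) .*\bpassword 7\b", config, re.M):
        findings.append(f"username '{m.group(1)}' uses a reversible type-7 password; use 'secret'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run it against `show running-config` output saved to a file to find every device whose `default` list has no `local` behind the server group before a RADIUS outage finds them for you.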
4 Comments
 
Accepted Solution

by: Jan Springer (LVL 28, earned 500 total points)
ID: 33547161
"aaa new-model" should not take any CLI away.  Additionally, it goes into effect on an authentication request.  So, if you're already authenticated, it shouldn't kill your session.

=================================================
note: if you can use "secret" instead of "password" with the username, do so:

username USERNAME priv 15 secret PASSWORD
=================================================

aaa new-model
! named method lists: try the RADIUS group first, then the local database
aaa authentication login CREDS group radius local
aaa authorization exec CREDS group radius local if-authenticated

ip http authentication aaa

! apply the named lists to the vty lines
line vty 0 4
 login authentication CREDS
 authorization exec CREDS
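
The method lists from the accepted solution, extended to the primary-then-secondary RADIUS order the question asks for. This is an added example, not the expert's or the poster's configuration: the second server address 10.11.8.253, the group name RAD-SERVERS, the CONSOLE list and the timer values are assumptions, and the keys and password are placeholders. The `login-authentication` / `exec-authorization` keywords on `ip http authentication aaa` are supported on 12.4 images; confirm with `ip http authentication aaa ?` on yours.

```cisco
! Added example; addresses, names and timers are assumptions (see above).
aaa new-model
!
! Primary and secondary RADIUS servers in one group, tried in this order.
aaa group server radius RAD-SERVERS
 server 10.11.8.252 auth-port 1812 acct-port 1813
 server 10.11.8.253 auth-port 1812 acct-port 1813
!
! Named method lists: the RADIUS group first, the local database only
! when no server in the group answers.
aaa authentication login CREDS group RAD-SERVERS local
aaa authorization exec CREDS group RAD-SERVERS local if-authenticated
! Keep the console on the local database so a RADIUS outage never
! locks out the serial port.
aaa authentication login CONSOLE local
!
! Per-server keys; the timers bound how long a dead primary delays a
! login (timeout x retransmit per server before the group gives up).
radius-server host 10.11.8.252 auth-port 1812 acct-port 1813 key <primary-key>
radius-server host 10.11.8.253 auth-port 1812 acct-port 1813 key <secondary-key>
radius-server timeout 3
radius-server retransmit 2
radius-server deadtime 10
!
! Local fallback account with a type-5 secret, not a reversible type-7 password.
username shaun.local privilege 15 secret <strong-password>
!
! "ip http authentication aaa" on its own uses the default lists; name them.
ip http authentication aaa login-authentication CREDS
ip http authentication aaa exec-authorization CREDS
!
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication CREDS
 authorization exec CREDS
 transport input ssh
```

Three things worth knowing before putting this on a production switch. First, IOS only moves from `group RAD-SERVERS` to `local` when no server in the group answers; an Access-Reject from a reachable server is a final answer, so the local account does not rescue a mistyped RADIUS password, and `if-authenticated` only lets an already authenticated user get an exec shell when the earlier methods return an error rather than a deny. Second, a privilege-15 exec shell via RADIUS needs the server to return Service-Type = Administrative or the `shell:priv-lvl=15` Cisco AV pair; without one of those the user lands at privilege 1. Third, create the local username before entering `aaa new-model`, apply the change from a console session, and verify with a second SSH/HTTPS session before closing the first; `debug aaa authentication` and `test aaa group RAD-SERVERS <user> <pass> new-code` show which method actually answered.
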
Author Comment

by: Delszeki
ID: 33547524
That is what I thought, but I kid you not. aaa new-model and it DROPPED! Brought the whole switch down, and it rebooted. Not a good morning.

If that one system is unstable, is there a safe way to check the system beforehand?

As far as the solution... CREDS means the enable password. I just really want everything to be square before switching things. :-)
Expert Comment

by: Jan Springer (LVL 28)
ID: 33549118
CREDS is just a word used to identify the aaa authen and author lines.  You could have called it SSH and had another pair for HTTP.

The enable password isn't used and the secret password shouldn't be needed with priv 15.

What version of IOS on what device crashed when typing 'aaa new-model'?

I've updated multiple dozens of devices remotely to aaa and never had a problem such as you've mentioned.

Author Closing Comment

by: Delszeki
ID: 33550983
Was actually....  aaa authorization exec CREDS group radius local if-authenticated

But other than that, it works like a champ! Thank you.