
2 RADIUS server and Local User failover help

Posted on 2010-08-27
Last Modified: 2012-06-27
Well.  Here is what I have.  Basically, trying to get it so that when users log in via SSH/HTTPS the user's authentication will first check the primary, and then the secondary RADIUS server, and if no luck there, use the local user database...

This is just my test router, but once I solidify the connections, I will be using it on the active network.  Reason I'm timid: I typed in aaa new-model and it took the switch down that I was working on.  So yeah.  Timid....  =[
Current configuration : 1092 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname test_rtr
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default group radius
aaa authorization exec default group radius 
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
!
username shaun.local privilege 15 password 7 00150457566A3C472F
!
!
!
interface FastEthernet0/0
 ip address 10.11.8.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.240
 duplex auto
 speed auto
!
interface Serial0/1/0
 no ip address
 shutdown
!
interface BRI0/2/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.11.8.1
!
ip http server
ip http authentication aaa
!
radius-server host 10.11.8.252 auth-port 1812 acct-port 1813 key 7 0833434F0D11001616
!
control-plane
!         
privilege exec level 7 clear line
privilege exec level 7 clear
!
line con 0
line aux 0
line vty 0 4
!
end


Question by: Delszeki

Accepted Solution by: Jan Springer
"aaa new-model" should not take any CLI away.  Additionally, it goes into effect on an authentication request.  So, if you're already authenticated, it shouldn't kill your session.

=================================================
note:  if you can use "secret" instead of "password", with the username, do so:

username USERNAME priv 15 secret PASSWORD
=================================================

aaa new-model
! RADIUS is tried first; the local user database is used only if no RADIUS server answers
aaa authentication login CREDS group radius local
aaa authorization exec CREDS group radius local if-authenticated

ip http authentication aaa

line vty 0 4
 login authentication CREDS
 authorization exec CREDS

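The accepted answer shows the two method lists and where to bind them. Below is a fuller version written for this page as an added example; it is not configuration from the thread or from Cisco, and it uses the canonical group radius form that the asker confirmed at the end. It adds what a practitioner would want before pushing AAA to a production box: a reload-in rollback guard against lockout, both RADIUS servers in a named server group with a deadtime so a dead primary is skipped, a local account stored as a secret, a console method list that never depends on RADIUS, and HTTP bound to the same named lists instead of the unnamed default. The secondary server address 10.11.8.253, the group name RAD-SRV, the account name admin.local and all keys and passphrases are placeholders (assumptions), and the config assumes SSH is already enabled on the router.

```cisco
! Added example (not from the thread). Rollback guard first: if the new AAA
! config locks you out, the router reboots to its saved startup-config in
! 10 minutes, as long as you have not yet typed "write memory".
reload in 10

! Local emergency account, stored as a type-5 secret rather than a
! reversible type-7 password. Account name is a placeholder.
username admin.local privilege 15 secret <strong-passphrase>

aaa new-model

! Primary and secondary RADIUS servers. The secondary address and both keys
! are placeholders (assumptions). A server that stops answering is marked
! dead for "deadtime" minutes so later logins fall through quickly.
radius-server host 10.11.8.252 auth-port 1812 acct-port 1813 key <key1>
radius-server host 10.11.8.253 auth-port 1812 acct-port 1813 key <key2>
radius-server timeout 3
radius-server retransmit 2
radius-server deadtime 5
aaa group server radius RAD-SRV
 server 10.11.8.252 auth-port 1812 acct-port 1813
 server 10.11.8.253 auth-port 1812 acct-port 1813

! Named method lists: the RADIUS group first, local database only if no
! server in the group answers. "local" is NOT consulted when a RADIUS server
! explicitly rejects the user; a reject is a final answer, only a timeout or
! dead group moves on to the next method.
aaa authentication login CREDS group RAD-SRV local
aaa authorization exec CREDS group RAD-SRV local if-authenticated

! The console stays local-only so an unreachable RADIUS server can never
! block physical recovery.
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE local

! HTTPS would otherwise use the unnamed "default" lists, which this config
! never defines; point it at the same named lists as the vty lines.
ip http authentication aaa login-authentication CREDS
ip http authentication aaa exec-authorization CREDS

line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
line vty 0 4
 login authentication CREDS
 authorization exec CREDS
 transport input ssh

! Leave the existing session open, SSH in from a second window with a RADIUS
! user, then with the RADIUS servers unreachable try the local account.
! Only when both work:
!   reload cancel
!   write memory
```

The order matters: the local account and aaa new-model are entered before the lines are rebound, and nothing is saved until a second session has proven both the RADIUS path and the local fallback. If the guard fires and the router reloads, the unsaved running config is simply discarded.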
Author Comment by: Delszeki
That is what I thought, but I kid you not.  "aaa new-model" and it DROPPED!  Brought the whole switch down, and rebooted.  Not a good morning.

If that one system is unstable, is there a safe way to check the system before?

As far as the solution...  "CREDS" means the enable password.  I just really want everything to be square before switching things.  :-)
Expert Comment by: Jan Springer
CREDS is just a word used to identify the aaa authen and author lines.  You could have called it SSH and had another pair for HTTP.

The enable password isn't used and the secret password shouldn't be needed with priv 15.

What version of IOS on what device crashed when typing 'aaa new-model'?

I've updated multiple dozens of devices remotely to aaa and never had a problem such as you've mentioned.
Author Closing Comment by: Delszeki
Was actually....  aaa authorization exec CREDS group radius local if-authenticated

But other than that, works like a champ!  Thank you.