
2 RADIUS servers and local user failover help

Posted on 2010-08-27
Last Modified: 2012-06-27
Well.  Here is what I have.  Basically, trying to get it so that when users login via SSH/HTTPS the users authentication will first check primary, and then secondary RADIUS servers, and if no luck there, to use the local user database...

This is just my test router, but once I solidify the connections, I will be using it on the active network.  That's the reason I'm timid.  I typed in aaa new-model and it took the switch down that I was working on.  So yea.  Timid....  =[

Current configuration : 1092 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname test_rtr
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default group radius
aaa authorization exec default group radius 
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
!
username shaun.local privilege 15 password 7 00150457566A3C472F
!
!
!
interface FastEthernet0/0
 ip address 10.11.8.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.240
 duplex auto
 speed auto
!
interface Serial0/1/0
 no ip address
 shutdown
!
interface BRI0/2/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.11.8.1
!
ip http server
ip http authentication aaa
!
radius-server host 10.11.8.252 auth-port 1812 acct-port 1813 key 7 0833434F0D11001616
!
control-plane
!         
privilege exec level 7 clear line
privilege exec level 7 clear
!
line con 0
line aux 0
line vty 0 4
!
end

Question by: Delszeki

Accepted Solution

by: Jan Springer
ID: 33547161
"aaa new-model" should not take any CLI away.  Additionally, it goes into effect on an authentication request.  So, if you're already authenticated, it shouldn't kill your session.

=================================================
note:  if you can use "secret" instead of "password", with the username, do so:

username USERNAME priv 15 secret PASSWORD
=================================================

aaa new-model
aaa authentication login CREDS  radius local
aaa authorization exec CREDS radius local if-authenticated

ip http authentication aaa

line vty 0 4
 login authentication CREDS
 authorization exec CREDS

Author Comment

by: Delszeki
ID: 33547524
That is what I thought, but I kid you not.  'aaa new-model' and it DROPPED!  Brought the whole switch down, and rebooted.  Not a good morning.

If that one system is unstable, is there a safe way to check the system before?

As far as the solution...  'CREDS' means the enable password.  I just really want everything to be square before switching things.  :-)

Expert Comment

by: Jan Springer
ID: 33549118
CREDS is just a word used to identify the aaa authen and author lines.  You could have called it SSH and had another pair for HTTP.

The enable password isn't used and the secret password shouldn't be needed with priv 15.

What version of IOS on what device crashed when typing 'aaa new-model'?

I've updated multiple dozens of devices remotely to aaa and never had a problem such as you've mentioned.

Author Closing Comment

by: Delszeki
ID: 33550983
Was actually....  aaa authorization exec CREDS group radius local if-authenticated

But other than that, works like a champ!  Thank you.
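Added example (editor's, not the original poster's config and not the accepted answer as written): the complete IOS configuration the thread arrives at, merging the accepted answer with the closing correction (`group radius` is required on the authorization line) and adding the pieces a practitioner would want before pushing this to a production switch. The poster's original config sends the `default` login list to RADIUS with no `local` fallback, which is exactly the lockout the thread is trying to avoid. The second RADIUS server 10.11.8.253, the key placeholders, the CONSOLE list name and the timer values are assumptions for illustration; 10.11.8.252, the username and the CREDS list name come from the page.

```cisco
! Added example, not the poster's or answerer's config. Addresses other
! than 10.11.8.252, the keys, and the timers are assumed for illustration.
!
! 1. Create the local fallback account BEFORE entering "aaa new-model".
!    Once aaa new-model is on, every line authenticates through the
!    "default" login list, which is the local database unless you say
!    otherwise. With no local user that means new logins are refused.
!    Existing sessions are not dropped; only new authentications see it.
username shaun.local privilege 15 secret <strong-password>
!
aaa new-model
!
! 2. Two RADIUS servers, tried in the order they are listed. A server that
!    does not answer within timeout x retransmit is skipped and marked
!    dead for "deadtime" minutes, so the next login does not wait on it.
radius-server host 10.11.8.252 auth-port 1812 acct-port 1813 key <primary-key>
radius-server host 10.11.8.253 auth-port 1812 acct-port 1813 key <secondary-key>
radius-server timeout 3
radius-server retransmit 2
radius-server deadtime 5
!
! 3. Named method lists: the "radius" group (primary, then secondary),
!    then the local database. IOS only moves to the next method when the
!    previous one returns an ERROR (no server answered). An Access-Reject
!    is final, so a wrong password never falls through to the local user.
aaa authentication login CREDS group radius local
aaa authorization exec CREDS group radius local if-authenticated
!
! Console stays local-only so a RADIUS outage can never lock out the
! console, and the "default" lists are left untouched on purpose.
aaa authentication login CONSOLE local
!
! 4. Bind the lists. HTTP(S) needs the named lists given explicitly,
!    otherwise it silently uses "default". ip http secure-server requires
!    a crypto image (assumption: one is present, as the poster uses HTTPS).
ip http server
ip http secure-server
ip http authentication aaa login-authentication CREDS
ip http authentication aaa exec-authorization CREDS
!
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication CREDS
 authorization exec CREDS
 transport input ssh
```

Order of operations on the production box: stay logged in on the console (or on a session you do not close), add the `username ... secret` line first, then enter the AAA lines, then bind the lists to the vty lines. Before closing the existing session, confirm RADIUS actually answers with `test aaa group radius shaun.local <password> legacy`, open a second SSH session and check that it lands at privilege 15, then unplug or firewall 10.11.8.252 and log in again to prove the local fallback works. `show radius statistics` and `debug radius` (with `debug aaa authentication`) show whether a failed login was a timeout, which falls through to local, or an Access-Reject, which does not.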