[c-nsp] ios aaa

John Brown john at citylinkfiber.com
Sun Mar 1 13:15:17 EST 2015


That's what I'm experiencing. Hence my query to the list ;)

Certain devices I want to have a local user on so a specific person
can access that specific device.
If I put them into radius then they can access all of our devices, not good.

At the same time, if radius fails the local user should be allowed to
log in to the device.

On Sun, Mar 1, 2015 at 9:54 AM, Clint Wade <jarod.wade at gmail.com> wrote:
> That is an ordered list based on availability and not just whether an
> account resides there, so as long as RADIUS is available it will not step to
> local as far as I know.
>
> On Sun, Mar 1, 2015 at 10:40 AM, John Brown <john at citylinkfiber.com> wrote:
>>
>> Hi Thomas,
>> That's what I have, but it doesn't ever fail over to the local user on
>> the box.  Hence my confusion.
>>
>> On Sun, Mar 1, 2015 at 7:55 AM, Thomas Toquothty <tltoquothty at gmail.com>
>> wrote:
>> > aaa authentication login <NAME> group radius local
>> >
>> > This is how we have ours and it will roll over to local if connectivity
>> > is down or for whatever reason.
>> >
>> > On Sat, Feb 28, 2015 at 9:24 PM John Brown <john at citylinkfiber.com>
>> > wrote:
>> >>
>> >> Hi,
>> >>
>> >> I'm trying to have our cisco boxes use two different methods for
>> >> authentication.
>> >>
>> >> Radius and local.
>> >>
>> >> At present we have Radius working nicely.
>> >>
>> >> What I would like to do is also have local username function.
>> >>
>> >> So that if the user is NOT in radius, but IS on the device locally it
>> >> will authenticate and let that user on.
>> >>
>> >> In addition, if radius is dead, the local username will allow a person
>> >> on.
>> >>
>> >> This would be via serial console, or ssh, or telnet (for those few
>> >> devices we have left that don't support ssh)
>> >>
>> >> I haven't found anything that is clear and makes sense.  I'm hoping
>> >> someone has a cut and paste, or a pointer to a working setup.  If this
>> >> is possible.
>> >>
>> >> thanks
>> >> _______________________________________________
>> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
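
For reference, an added example (not written by any poster in this thread): a minimal IOS configuration that applies the method list quoted above to the console and vty lines. The list name MGMT, the username, the server name and address, and the bracketed secrets are placeholders, and the `radius server` block assumes an IOS release that supports that syntax.

```cisco
! Added example. All names, addresses and secrets below are placeholders.
aaa new-model
!
! Local account that exists on this device only (hypothetical name).
username localadmin privilege 15 secret <LOCAL-SECRET>
!
radius server RAD1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-KEY>
 ! Short timers so the fall-through to "local" is quick when RADIUS is dead.
 timeout 3
 retransmit 2
!
! Ordered method list. IOS moves to the next method only when the
! previous one returns no response (server unreachable or timed out).
! An Access-Reject from a live RADIUS server ends the login attempt;
! it does NOT fall through to the local user database.
aaa authentication login MGMT group radius local
!
line con 0
 login authentication MGMT
line vty 0 4
 login authentication MGMT
 ! Use "transport input ssh telnet" only on devices without SSH support.
 transport input ssh
```

With this list, `localadmin` can log in only while no RADIUS server answers; `debug aaa authentication` shows which method handled a given login.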

