[c-nsp] aaa authentication & authorization for telnet access control

Emanuel Popa emanuel.popa at gmail.com
Thu Oct 19 12:25:41 EDT 2006


hi everybody,

we're trying to implement a centralised authentication & authorization
method for all our equipment (mostly cisco). i'm trying to determine
the best failover scenario for when the radius servers are all
unreachable.

this would be the setup:

---
! fallback credentials, only consulted when no RADIUS server answers
enable secret 5 CENSORED
username admin privilege 15 secret 5 CENSORED

aaa new-model
! RADIUS group: a server that does not answer is skipped for 5 minutes
aaa group server radius nbauth
 server-private A.B.C.D auth-port XXXX acct-port YYYY key 7 CENSORED
 deadtime 5

! method lists: RADIUS first, local database / enable secret as alternate
aaa authentication login nbauth group nbauth local
aaa authentication enable default group nbauth enable
aaa authorization exec nbauth group nbauth local

! one retransmit with a 1 s timeout: about 2 s per server before it is treated as down
radius-server source-ports ZZZZ-TTTT
radius-server retransmit 1
radius-server timeout 1

line vty 0 4
 access-class 2 in
 password 7 CENSORED
 authorization exec nbauth
 login authentication nbauth
 transport input telnet
line vty 5 15
 access-class 2 in
 password 7 CENSORED
 authorization exec nbauth
 login authentication nbauth
 transport input telnet
---

our main problem is that when the radius servers are not available,
there is no warning message and a potential user will have to try
several times until he realises he needs to use the failover username
and password.

with tacacs i found this way: instead of 'local', i configured
'enable' or 'line' as the alternate authentication method, and when the
tacacs servers are unavailable the router goes directly to the
password prompt instead of the username prompt, which is great.

does anybody know a way of doing this with radius aaa?

thanks,
emanuel popa
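The two method-list shapes the post describes, written out as an added illustration that is not part of the original message: the RADIUS list from the post with `enable` substituted for `local` as the alternate method, next to the TACACS+ list the post reports as already giving a direct password prompt. Addresses, ports, keys and the group name `tacauth` are placeholders. In IOS a later method in an `aaa authentication` list is consulted only when the earlier method returns an error (no server answered within the `timeout` and `retransmit` budget), not when a server rejects the credentials, and `deadtime` is what makes the router skip a server that already failed instead of timing out on it again at every login. Exec authorization uses `if-authenticated` here because the `enable` method never collects a username for a `local` lookup to match; that choice is this example's, not the post's.

```cisco
! Added example, not the poster's running config. Addresses, ports and keys are placeholders.
!
! Fallback credentials must work with no AAA server reachable. Keep them as
! type 5 secrets; type 7 strings (password 7 / key 7) are reversible.
enable secret 5 $1$PLACEHOLDER
username admin privilege 15 secret 5 $1$PLACEHOLDER

aaa new-model

! RADIUS group: a server that fails to answer is marked dead and skipped for 5 minutes.
aaa group server radius nbauth
 server-private 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER
 deadtime 5

! TACACS+ group, the variant the post describes as working.
aaa group server tacacs+ tacauth
 server-private 192.0.2.20 key PLACEHOLDER

! RADIUS list: same shape as the post, with 'enable' as the alternate method,
! so only the enable secret is needed once every RADIUS server has errored out.
aaa authentication login nbauth group nbauth enable
aaa authentication enable default group nbauth enable
aaa authorization exec nbauth group nbauth if-authenticated

! TACACS+ list: the configuration the post reports as dropping straight to
! the password prompt when all TACACS+ servers are unreachable.
aaa authentication login tacauth group tacauth enable
aaa authorization exec tacauth group tacauth if-authenticated

! Keep the wait per login short: one retransmit, one-second timeout per server.
radius-server retransmit 1
radius-server timeout 1

! Apply one list to all vty lines. The post uses telnet; SSH keeps the fallback
! credentials off the wire in cleartext.
line vty 0 15
 access-class 2 in
 login authentication nbauth
 authorization exec nbauth
 transport input ssh
```

To compare the two behaviours on one box, point `login authentication` on a spare vty range at `tacauth` instead of `nbauth` and block the servers with an ACL; `debug aaa authentication` shows which method answered and whether the server group returned an error or a reject.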

