[c-nsp] aaa authentication & authorization for telnet access control
Emanuel Popa
emanuel.popa at gmail.com
Thu Oct 19 12:25:41 EDT 2006
Hi everybody,
We're trying to implement a centralised authentication & authorization
method for all our equipment (mostly Cisco). I'm trying to determine
the best failover scenario for when the RADIUS servers are all
unreachable.
This would be the setup:
---
enable secret 5 CENSORED
username admin privilege 15 secret 5 CENSORED
aaa new-model
aaa group server radius nbauth
 server-private A.B.C.D auth-port XXXX acct-port YYYY key 7 CENSORED
 deadtime 5
aaa authentication login nbauth group nbauth local
aaa authentication enable default group nbauth enable
aaa authorization exec nbauth group nbauth local
radius-server source-ports ZZZZ-TTTT
radius-server retransmit 1
radius-server timeout 1
line vty 0 4
 access-class 2 in
 password 7 CENSORED
 authorization exec nbauth
 login authentication nbauth
 transport input telnet
line vty 5 15
 access-class 2 in
 password 7 CENSORED
 authorization exec nbauth
 login authentication nbauth
 transport input telnet
---
Our main problem is that when the RADIUS servers are not available,
there is no warning message, and a potential user will have to try
several times until he realises he needs to use the failover username
and password.
With TACACS I found this way: instead of 'local', I configured
'enable' or 'line' as the alternate authentication method, and when the
TACACS servers are unavailable the router directly displays the
password prompt instead of the username prompt, which is great.
Does anybody know a way of doing this with RADIUS AAA?
Thanks,
Emanuel Popa
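An added illustration, not part of Emanuel's post: a small Python model of how the method list in the configuration above (`group nbauth local`) falls through to `local` when the RADIUS group does not answer, using the `timeout 1`, `retransmit 1` and `deadtime 5` values from the config. It assumes each attempt waits `timeout` seconds and is retried `retransmit` times, and that a server that fails to answer is skipped for `deadtime` minutes; the server names and login timestamps are constructed.

```python
from dataclasses import dataclass


@dataclass
class RadiusServer:
    name: str
    reachable: bool = False   # constructed scenario: RADIUS servers are down
    dead_until: float = 0.0   # time (seconds) until which the server is skipped


@dataclass
class RadiusGroup:
    servers: list
    timeout: int = 1          # radius-server timeout 1   (seconds per attempt)
    retransmit: int = 1       # radius-server retransmit 1 (retries after first try)
    deadtime: int = 5         # deadtime 5 (minutes a silent server is skipped)

    def authenticate(self, now):
        """Return (answered, seconds_waited) for one login attempt at `now`."""
        waited = 0.0
        for srv in self.servers:
            if now < srv.dead_until:          # inside deadtime: skipped, no delay
                continue
            if srv.reachable:
                return True, waited
            # Initial try plus `retransmit` retries, each waiting `timeout` s.
            waited += self.timeout * (self.retransmit + 1)
            # Simplifying assumption: mark the server dead once it stays silent.
            srv.dead_until = now + waited + self.deadtime * 60


        return False, waited


def login(group, methods, now):
    """Walk a method list such as ['group', 'local'] as IOS falls through it."""
    waited = 0.0
    for method in methods:
        if method == "group":
            ok, w = group.authenticate(now)
            waited += w
            if ok:
                return "group", waited
        else:
            # 'local', 'enable' or 'line' always yield a decision, ending the walk.
            return method, waited
    return "none", waited


if __name__ == "__main__":
    grp = RadiusGroup([RadiusServer("A.B.C.D")])
    for t in (0.0, 60.0, 400.0):
        print(t, login(grp, ["group", "local"], t))
```

The first login hangs for 2 s before the local database is consulted; logins within the 5-minute deadtime skip the silent server and reach `local` immediately, which is the delay the poster's users experience without any visible hint.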