[c-nsp] aaa authentication & authorization for telnet access control

Shakeel Ahmad shakeelahmad at gmail.com
Thu Oct 19 15:30:28 EDT 2006


I had the same issue; I preferred to fall back on the line password rather than
the local user database.

But this issue still remains for some of my ASA and PIX units which don't have line
passwords.


SAC


On 10/19/06, Emanuel Popa <emanuel.popa at gmail.com> wrote:
>
> hi everybody,
>
> we're trying to implement a centralised authentication & authorization
> method for all our equipment (mostly cisco). i'm trying to determine
> the best failover scenario when the radius servers are all
> unreachable.
>
> this would be the setup:
>
> ---
> enable secret 5 CENSORED
> username admin privilege 15 secret 5 CENSORED
>
> aaa new-model
> aaa group server radius nbauth
> server-private A.B.C.D auth-port XXXX acct-port YYYY key 7 CENSORED
> deadtime 5
>
> aaa authentication login nbauth group nbauth local
> aaa authentication enable default group nbauth enable
> aaa authorization exec nbauth group nbauth local
>
> radius-server source-ports ZZZZ-TTTT
> radius-server retransmit 1
> radius-server timeout 1
>
> line vty 0 4
> access-class 2 in
> password 7 CENSORED
> authorization exec nbauth
> login authentication nbauth
> transport input telnet
> line vty 5 15
> access-class 2 in
> password 7 CENSORED
> authorization exec nbauth
> login authentication nbauth
> transport input telnet
> ---
>
> our main problem is that when the radius servers are not available,
> there is no warning message and a potential user will have to try
> several times until he realises he needs to use the failover username
> and password.
>
> with tacacs i found this way: instead of 'local', i configured
> 'enable' or 'line' as the alternate authentication method, and when the
> tacacs servers are unavailable the router directly displays the
> password prompt instead of the username prompt, which is great.
>
> does anybody know a way of doing this with radius aaa?
>
> thanks,
> emanuel popa
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
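The failover behaviour discussed in this thread (a `local` fallback that gives the user no cue, a `line` fallback on boxes with no line password, or no fallback at all) is worth auditing across a fleet rather than discovering the next time the RADIUS servers die. The following is an added example, not code from either poster: it parses IOS-style `aaa authentication login` lists and `line` blocks from saved config text and flags each line whose fallback is problematic. The sample config, the method-list name `vtyhigh` and the `PLACEHOLDER` secrets are constructed for the example.

```python
import re
# Constructed sample in the style of the quoted config; not the poster's own config.
SAMPLE_CONFIG = """\
aaa authentication login nbauth group nbauth local
aaa authentication login vtyhigh group nbauth line
line vty 0 4
 password 7 PLACEHOLDER
 login authentication nbauth
line vty 5 15
 login authentication vtyhigh
"""

def parse_aaa(config):
    """Return ({method-list name: tokens}, [line blocks]) from IOS-style text."""
    lists, blocks, cur = {}, [], None
    for raw in config.splitlines():
        ln = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", ln)
        if m:
            lists[m.group(1)] = m.group(2).split()
        elif ln.startswith("line "):
            cur = {"name": ln[5:], "password": False, "auth": "default"}
            blocks.append(cur)
        elif not raw.startswith(" "):
            cur = None  # unindented command: back at global config level
        elif cur and ln.startswith("password "):
            cur["password"] = True
        elif cur and ln.startswith("login authentication "):
            cur["auth"] = ln.split()[-1]
    return lists, blocks

def fallback_methods(methods):
    """Methods tried after every 'group <name>' pair, e.g. ['local'] or ['line']."""
    return [t for i, t in enumerate(methods)
            if t != "group" and (i == 0 or methods[i - 1] != "group")]

def audit(config):
    """Flag lines whose behaviour when all RADIUS servers are dead is a problem."""
    lists, blocks = parse_aaa(config)
    findings = []
    for b in blocks:
        fb = fallback_methods(lists.get(b["auth"], []))
        if not fb:
            findings.append((b["name"], "no fallback: lockout when servers are unreachable"))
        elif "line" in fb and not b["password"]:
            findings.append((b["name"], "line fallback but no line password configured"))
        elif fb == ["local"]:
            findings.append((b["name"], "local fallback: username prompt gives no cue"))
    return findings
```

Run `audit()` over each device's saved configuration; lines referencing an undefined method list fall through to `default`, which the sample does not define and therefore reports as having no fallback.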