[c-nsp] aaa authentication & authorization for telnet access control

Emanuel Popa emanuel.popa at gmail.com
Fri Oct 20 05:18:52 EDT 2006


ok. but are you using radius or tacacs? because with radius, even if
the radius server is down, the router still asks for username when it
should ask directly for the line password. only after the first error does the
router ask for the line password.

regards,
emanuel popa


On 10/19/06, Shakeel Ahmad <shakeelahmad at gmail.com> wrote:
> I had the same issue, i preferred fall back on line password rather than
> local user database.
>
> But this issue still lies for some of my ASA and PIX which don't have line
> passwords.
>
>
> SAC
>
>
> On 10/19/06, Emanuel Popa <emanuel.popa at gmail.com> wrote:
> >
> > hi everybody,
> >
> > we're trying to implement a centralised authentication & authorization
> > method for all our equipment (mostly cisco). i'm trying to determine
> > the best failover scenario when the radius servers are all
> > unreachable.
> >
> > this would be the setup:
> >
> > ---
> > enable secret 5 CENSORED
> > username admin privilege 15 secret 5 CENSORED
> >
> > aaa new-model
> > aaa group server radius nbauth
> > server-private A.B.C.D auth-port XXXX acct-port YYYY key 7 CENSORED
> > deadtime 5
> >
> > aaa authentication login nbauth group nbauth local
> > aaa authentication enable default group nbauth enable
> > aaa authorization exec nbauth group nbauth local
> >
> > radius-server source-ports ZZZZ-TTTT
> > radius-server retransmit 1
> > radius-server timeout 1
> >
> > line vty 0 4
> > access-class 2 in
> > password 7 CENSORED
> > authorization exec nbauth
> > login authentication nbauth
> > transport input telnet
> > line vty 5 15
> > access-class 2 in
> > password 7 CENSORED
> > authorization exec nbauth
> > login authentication nbauth
> > transport input telnet
> > ---
> >
> > our main problem is that when the radius servers are not available,
> > there is no warning message and a potential user will have to try
> > several times until he realises he needs to use the failover username
> > and password.
> >
> > with tacacs i found this way: instead of 'local', i configured
> > 'enable' or 'line' as alternate authentication method and when the
> > tacacs servers are unavailable the router displays directly the
> > password prompt instead of the username prompt which is great.
> >
> > does anybody know a way of doing this with radius aaa?
> >
> > thanks,
> > emanuel popa
> > _______________________________________________
> > cisco-nsp mailing list   cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
>
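The failover checks discussed in this thread, as an added example that is not part of any list post: a small Python audit of an IOS-style config that flags login method lists with no fallback after the server group (a server outage then locks everyone out), vty lines whose fallback is `line` but carry no line password (the situation described for the ASA/PIX boxes), and vty lines without an access-class or with telnet enabled. The config string is constructed for the example; its address, ports, secrets and the extra method lists `strict` and `lineonly` are placeholders, not values from the thread.

```python
import re

# Constructed sample modelled on the config quoted in the thread; the address,
# ports, secrets and the 'strict'/'lineonly' method lists are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius nbauth
 server-private 192.0.2.10 auth-port 1812 acct-port 1813 key 7 PLACEHOLDER
aaa authentication login nbauth group nbauth local
aaa authentication login strict group nbauth
aaa authentication login lineonly group nbauth line
line vty 0 4
 access-class 2 in
 password 7 PLACEHOLDER
 login authentication nbauth
 transport input telnet
line vty 5 15
 login authentication lineonly
 transport input ssh
"""

def fallback_methods(tokens):
    # Drop each 'group <name>' pair; what remains is tried only after the servers fail.
    tokens = list(tokens)
    while "group" in tokens:
        i = tokens.index("group")
        del tokens[i:i + 2]
    return tokens

def audit_aaa(config):
    # Returns human-readable findings; an empty list means nothing was flagged.
    findings, lists = [], {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        name = m.group(1)
        lists[name] = fallback_methods(m.group(2).split())
        if not lists[name]:
            findings.append(f"login list {name}: no fallback; server outage locks out access")
    # Each 'line vty' block is the header plus the indented sub-commands that follow it.
    for m in re.finditer(r"^line (vty \S+ \S+)\n((?: .*\n)*)", config, re.M):
        name, body = m.group(1), m.group(2)
        auth = re.search(r"^ login authentication (\S+)", body, re.M)
        methods = lists.get(auth.group(1), []) if auth else []
        if "line" in methods and " password " not in body:
            findings.append(f"line {name}: 'line' fallback but no line password set")
        if not re.search(r"^ access-class ", body, re.M):
            findings.append(f"line {name}: no access-class limits who can reach the vty")
        if re.search(r"^ transport input .*telnet", body, re.M):
            findings.append(f"line {name}: telnet accepted; credentials cross the wire in clear")
    return findings
```

Running `audit_aaa(SAMPLE_CONFIG)` on the constructed config flags the `strict` list, the telnet transport on vty 0 4, and the missing line password and access-class on vty 5 15.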

