[c-nsp] ios aaa
Jon Lewis
jlewis at lewis.org
Sun Mar 1 12:22:22 EST 2015

Flip the "local" "group radius" order and it'll do what you're looking
for. i.e. check the local db first (allowing non-radius users in) and if
not found in the local db, radius is tried. Keep in mind, there are some
additional config hoops to jump through to get radius auth working for
console logins. So, test your config...don't just assume it'll work and
find out at the worst time that it doesn't quite.

On Sun, 1 Mar 2015, John Brown wrote:
> Hi Thomas,
> That's what I have, but it doesn't ever fail over to the local user on
> the box. Hence my confusion
>
> On Sun, Mar 1, 2015 at 7:55 AM, Thomas Toquothty <tltoquothty at gmail.com> wrote:
>> aaa authentication login <NAME> group radius local
>>
>> This is how we have ours and it will roll over to local if connectivity is
>> down or whatever reason.
>>
>> On Sat, Feb 28, 2015 at 9:24 PM John Brown <john at citylinkfiber.com> wrote:
>>>
>>> Hi,
>>>
>>> I'm trying to have our cisco boxes use two different methods for
>>> authentication.
>>>
>>> Radius and local.
>>>
>>> At present we have Radius working nicely.
>>>
>>> What I would like to do is also have local username function.
>>>
>>> So that if the user is NOT in radius, but IS on the device locally it
>>> will authenticate and let that user on.
>>>
>>> In addition, if radius is dead, the local username will allow a person on.
>>>
>>> This would be via serial console, or ssh, or telnet (for those few
>>> devices we have left that don't support ssh)
>>>
>>> I haven't found anything that is clear and makes sense. I'm hoping
>>> someone has a cut and paste, or a pointer to a working setup. If this
>>> is possible.
>>>
>>> thanks
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
| therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
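
Added example, not part of the thread and not Cisco code: a small Python model of how a login method list is walked, showing why "group radius local" never reaches the local user while RADIUS is answering and why "local group radius" behaves as the reply describes. It assumes IOS moves to the next method only when the current one gives no answer (not when it rejects), and that an unknown local username falls through to the next method, as the reply states; the usernames and passwords are constructed.

```python
"""Toy model of IOS login method-list evaluation (added example)."""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method accepted the credentials
    FAIL = "fail"    # method answered and rejected: evaluation stops here
    ERROR = "error"  # method could not answer: the next method is tried


# Constructed sample data, not taken from the thread.
LOCAL_USERS = {"breakglass": "local-pw"}
RADIUS_USERS = {"alice": "radius-pw"}


def local(user, pw, radius_up):
    if user not in LOCAL_USERS:
        return Result.ERROR  # assumption from the reply: unknown local user falls through
    return Result.PASS if LOCAL_USERS[user] == pw else Result.FAIL


def radius(user, pw, radius_up):
    if not radius_up:
        return Result.ERROR  # server unreachable or timed out
    # A reachable server always answers; a reject is a FAIL, not an ERROR.
    return Result.PASS if RADIUS_USERS.get(user) == pw else Result.FAIL


METHODS = {"local": local, "group radius": radius}

RADIUS_FIRST = ["group radius", "local"]  # aaa authentication login <NAME> group radius local
LOCAL_FIRST = ["local", "group radius"]   # the flipped order suggested in the reply


def login(method_list, user, pw, radius_up=True):
    """Return (granted, methods_consulted) for one login attempt."""
    tried = []
    for name in method_list:
        tried.append(name)
        result = METHODS[name](user, pw, radius_up)
        if result is not Result.ERROR:
            return result is Result.PASS, tried
    return False, tried  # every method errored out


if __name__ == "__main__":
    for order in (RADIUS_FIRST, LOCAL_FIRST):
        for up in (True, False):
            print(order, "radius_up=%s" % up, login(order, "breakglass", "local-pw", up))
```

In this model a wrong password for a name that exists locally is a hard failure under the local-first order, so that name is never checked against RADIUS.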