[c-nsp] ios aaa

Clint Wade jarod.wade at gmail.com
Sun Mar 1 13:11:30 EST 2015


Counter to how I've always understood it, if you put local first it will
never attempt to use RADIUS. It's Sunday morning, and I'm way too lazy to lab
this up. Again, this list is "IF AVAILABLE", not "if-authenticated".

http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html#login_auth

Configuring Authentication

The Cisco IOS software uses the first method listed to authenticate users.
If that method fails to respond (indicated by an ERROR), the Cisco IOS
software selects the next authentication method listed in the method list.
This process continues until there is successful communication with a
listed authentication method, or all methods defined in the method list are
exhausted.

It is important to note that the Cisco IOS software attempts authentication
with the next listed authentication method only when there is no response
from the previous method. If authentication fails at any point in this
cycle, meaning that the AAA server or local username database responds by
denying the user access (indicated by a FAIL), the authentication process
stops and no other authentication methods are attempted.



~ One option you have, assuming this is a shared local account, is to create the
account on the RADIUS server as well as locally. This would only make sense for
shared accounts; depending on your security posture this may not be allowed.


On Sun, Mar 1, 2015 at 11:22 AM, Jon Lewis <jlewis at lewis.org> wrote:

> Flip the "local" "group radius" order and it'll do what you're looking
> for.  i.e. check the local db first (allowing non-radius users in) and if
> not found in the local db, radius is tried.  Keep in mind, there are some
> additional config hoops to jump through to get radius auth working for
> console logins.  So, test your config...don't just assume it'll work and
> find out at the worst time that it doesn't quite.
>
>
> On Sun, 1 Mar 2015, John Brown wrote:
>
>> Hi Thomas,
>> That's what I have, but it doesn't ever fail over to the local user on
>> the box.  Hence my confusion.
>>
>> On Sun, Mar 1, 2015 at 7:55 AM, Thomas Toquothty <tltoquothty at gmail.com>
>> wrote:
>>
>>> aaa authentication login <NAME> group radius local
>>>
>>> This is how we have ours and it will roll over to local if connectivity
>>> is down or whatever reason.
>>>
>>> On Sat, Feb 28, 2015 at 9:24 PM John Brown <john at citylinkfiber.com>
>>> wrote:
>>>
>>>>
>>>> Hi,
>>>>
>>>> I'm trying to have our cisco boxes use two different methods for
>>>> authentication.
>>>>
>>>> Radius and local.
>>>>
>>>> At present we have Radius working nicely.
>>>>
>>>> What I would like to do is also have local username function.
>>>>
>>>> So that if the user is NOT in radius, but IS on the device locally it
>>>> will authenticate and let that user on.
>>>>
>>>> In addition, if radius is dead, the local username will allow a person
>>>> on.
>>>>
>>>> This would be via serial console, or ssh, or telnet (for those few
>>>> devices we have left that don't support ssh).
>>>>
>>>> I haven't found anything that is clear and makes sense.  I'm hoping
>>>> someone has a cut and paste, or a pointer to a working setup.  If this
>>>> is possible.
>>>>
>>>> thanks
>>>> _______________________________________________
>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>
>>
> ----------------------------------------------------------------------
>  Jon Lewis, MCP :)           |  I route
>                              |  therefore you are
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
>
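As an added illustration of the method-list walk described in the quoted Cisco text (not code from anyone in this thread), the following Python model evaluates a list such as `group radius local` and records which methods were consulted. The local and RADIUS "methods" are constructed stand-ins, and what the local method returns for a username it does not know is the exact point the thread disagrees on, so it is left as a parameter rather than asserted.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "PASS"    # the method authenticated the user
    FAIL = "FAIL"    # the method answered and denied the user
    ERROR = "ERROR"  # the method did not respond (server unreachable, etc.)


Method = Callable[[str, str], Result]  # (username, password) -> Result


def local_method(db: Dict[str, str], unknown_user: Result = Result.FAIL) -> Method:
    """Stand-in for 'local'. What it returns for a user it does not know is the
    point the thread disagrees on, so it is a parameter here (an assumption)."""
    def auth(user: str, pw: str) -> Result:
        if user not in db:
            return unknown_user
        return Result.PASS if db[user] == pw else Result.FAIL
    return auth


def radius_method(db: Dict[str, str], reachable: bool = True) -> Method:
    """Stand-in for 'group radius': a dead server never answers (ERROR), a live
    server that does not know the user answers Access-Reject (FAIL)."""
    def auth(user: str, pw: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if db.get(user) == pw else Result.FAIL
    return auth


def evaluate_method_list(methods: List[Tuple[str, Method]], user: str,
                         pw: str) -> Tuple[bool, List[Tuple[str, Result]]]:
    """Walk the list as the quoted Cisco text describes: move to the next
    method only on ERROR, stop on PASS or FAIL. Returns (allowed, trace)."""
    trace: List[Tuple[str, Result]] = []
    for name, method in methods:
        result = method(user, pw)
        trace.append((name, result))
        if result is not Result.ERROR:
            return result is Result.PASS, trace
    return False, trace  # every method errored: list exhausted, access denied


if __name__ == "__main__":
    # Constructed sample data: 'admin' exists only in the box's local database.
    for up in (True, False):
        methods = [("group radius", radius_method({"alice": "radpw"}, up)),
                   ("local", local_method({"admin": "localpw"}))]
        print("radius up" if up else "radius down", evaluate_method_list(methods, "admin", "localpw"))
```

With the RADIUS server up, the trace stops at `group radius` with FAIL and `local` is never consulted; only when the server is unreachable (ERROR) does the walk reach `local`.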
