[c-nsp] ios aaa

Clint Wade jarod.wade at gmail.com
Sun Mar 1 13:31:33 EST 2015


What I'm basically saying is, unless something has changed recently, you are
limited very much by the switch's order of operations, which makes doing
what you want to do something that is more easily implemented on the
authentication server. In your case you're using RADIUS, which is rather
limited on user-level-based permissions. Stepping up to something like tac+
would resolve your issues. There is freeware TACPLUS available; this isn't
something that would require, say, a Cisco ACS/ISE.

On Sun, Mar 1, 2015 at 12:15 PM, John Brown <john at citylinkfiber.com> wrote:

> That's what I'm experiencing.  Hence my query to the list ;)
>
> Certain devices I want to have a local user on so a specific person
> can access that specific device.
> If I put them into radius then they can access all of our devices, not
> good.
>
> At the same time, if radius fails the local user should be allowed to
> log in to the device
>
> On Sun, Mar 1, 2015 at 9:54 AM, Clint Wade <jarod.wade at gmail.com> wrote:
> > That is an ordered list based on availability and not just whether an
> > account resides there, so as long as RADIUS is available it will not
> > step to local as far as I know.
> >
> > On Sun, Mar 1, 2015 at 10:40 AM, John Brown <john at citylinkfiber.com>
> wrote:
> >>
> >> Hi Thomas,
> >> That's what I have, but it doesn't ever fail over to the local user on
> >> the box.  Hence my confusion.
> >>
> >> On Sun, Mar 1, 2015 at 7:55 AM, Thomas Toquothty <tltoquothty at gmail.com>
> >> wrote:
> >> > aaa authentication login <NAME> group radius local
> >> >
> >> > This is how we have ours and it will roll over to local if connectivity
> >> > is down or whatever reason.
> >> >
> >> > On Sat, Feb 28, 2015 at 9:24 PM John Brown <john at citylinkfiber.com>
> >> > wrote:
> >> >>
> >> >> Hi,
> >> >>
> >> >> I'm trying to have our cisco boxes use two different methods for
> >> >> authentication.
> >> >>
> >> >> Radius and local.
> >> >>
> >> >> At present we have Radius working nicely.
> >> >>
> >> >> What I would like to do is also have local username function.
> >> >>
> >> >> So that if the user is NOT in radius, but IS on the device locally it
> >> >> will authenticate and let that user on.
> >> >>
> >> >> In addition, if radius is dead, the local username will allow a person
> >> >> on.
> >> >>
> >> >> This would be via  serial console, or ssh, or telnet (for those few
> >> >> devices we have left that don't support ssh)
> >> >>
> >> >> I haven't found anything that is clear and makes sense.  I'm hoping
> >> >> someone has a cut and paste, or a pointer to a working setup.  If this
> >> >> is possible.
> >> >>
> >> >> thanks
> >> >> _______________________________________________
> >> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
>


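An added example of the pattern the thread converges on, written here as an illustration and not taken from any poster's configuration. It shows a named login method list with RADIUS first and `local` as the fallback, applied to the VTY lines, plus a local-only list for the console. The point the thread makes about fall-through also applies here: IOS moves to the next method only when the current one returns an ERROR (no server in the group answered), whereas an Access-Reject from RADIUS is a FAIL that ends the attempt, so a user who exists only in the local database is still rejected while RADIUS is reachable. Restricting a given person to a single device therefore has to be done on the server side, as Clint says. Server addresses, keys, group and list names and the `rescue` username are placeholders.

```cisco
! Added example, not from the original thread. Placeholders: 192.0.2.10/.11,
! the shared secret, the list/group names and the "rescue" account.
aaa new-model
!
! Local account that is only consulted when every RADIUS server is dead.
! It does NOT let a local-only user in while RADIUS is answering.
username rescue privilege 15 secret CHANGE-ME
!
radius server RADIUS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key CHANGE-ME-SHARED-SECRET
radius server RADIUS-2
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key CHANGE-ME-SHARED-SECRET
!
aaa group server radius MGMT-RADIUS
 server name RADIUS-1
 server name RADIUS-2
!
! Short timers so an unreachable server is marked dead quickly and the
! fallback to local is not delayed by a full retransmit cycle per login.
radius-server timeout 3
radius-server retransmit 2
radius-server deadtime 10
!
! VTY (ssh/telnet): ask RADIUS; "local" is reached only on ERROR, never on
! an Access-Reject (FAIL).
aaa authentication login VTY-AUTH group MGMT-RADIUS local
aaa authorization exec VTY-AUTH group MGMT-RADIUS local if-authenticated
!
! Console: local only, so a broken RADIUS path can never lock out the
! serial port.
aaa authentication login CON-AUTH local
aaa authorization exec CON-AUTH local
!
line con 0
 login authentication CON-AUTH
 authorization exec CON-AUTH
line vty 0 15
 login authentication VTY-AUTH
 authorization exec VTY-AUTH
 transport input ssh
```

Before relying on it, verify the fallback the way the thread describes it: block UDP/1812 to both servers (or shut the uplink) and confirm the `rescue` account can log in over SSH; then restore reachability and confirm that same account is rejected, which is the behaviour John observed and is expected, not a misconfiguration.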