[c-nsp] ios aaa

Thomas Toquothty tltoquothty at gmail.com
Sun Mar 1 13:36:34 EST 2015


Hmmm, when I fire up my laptop next I'll check to see how ours is set up. I
may have misunderstood your initial request. Mine is set to hit RADIUS for
our admins with a local roll over on failure to hit the NPS server.

On Sun, Mar 1, 2015, 1:29 PM John Brown <john at citylinkfiber.com> wrote:

> That's what I'm experiencing.  Hence my query to the list ;)
>
> Certain devices I want to have a local user on so a specific person
> can access that specific device.
> If I put them into radius then they can access all of our devices, not
> good.
>
> At the same time, if radius fails the local user should be allowed to
> log in to the device
>
> On Sun, Mar 1, 2015 at 9:54 AM, Clint Wade <jarod.wade at gmail.com> wrote:
> > That is an ordered list based on availability and not just whether an
> > account resides there, so as long as RADIUS is available it will not
> > step to local as far as I know.
> >
> > On Sun, Mar 1, 2015 at 10:40 AM, John Brown <john at citylinkfiber.com> wrote:
> >>
> >> Hi Thomas,
> >> That's what I have, but it doesn't ever fail over to the local user on
> >> the box.  Hence my confusion
> >>
> >> On Sun, Mar 1, 2015 at 7:55 AM, Thomas Toquothty <tltoquothty at gmail.com> wrote:
> >> > aaa authentication login <NAME> group radius local
> >> >
> >> > This is how we have ours and it will roll over to local if connectivity
> >> > is down or whatever reason.
> >> >
> >> > On Sat, Feb 28, 2015 at 9:24 PM John Brown <john at citylinkfiber.com> wrote:
> >> >>
> >> >> Hi,
> >> >>
> >> >> I'm trying to have our cisco boxes use two different methods for
> >> >> authentication.
> >> >>
> >> >> Radius and local.
> >> >>
> >> >> At present we have Radius working nicely.
> >> >>
> >> >> What I would like to do is also have local username function.
> >> >>
> >> >> So that if the user is NOT in radius, but IS on the device locally it
> >> >> will authenticate and let that user on.
> >> >>
> >> >> In addition, if radius is dead, the local username will allow a
> >> >> person on.
> >> >>
> >> >> This would be via serial console, or ssh, or telnet (for those few
> >> >> devices we have left that don't support ssh)
> >> >>
> >> >> I haven't found anything that is clear and makes sense.  I'm hoping
> >> >> someone has a cut and paste, or a pointer to a working setup.  If
> >> >> this is possible.
> >> >>
> >> >> thanks
> >> >> _______________________________________________
> >> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
>
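
The method-list behaviour discussed in this thread (`group radius local` moves to `local` only when RADIUS does not answer, not when RADIUS rejects the user), as an added Python model that is not part of the original messages or Cisco code. The user names, passwords and the RADIUS stub are constructed, and the model assumes the local method always gives an answer.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method answered: credentials accepted
    FAIL = "fail"    # method answered: credentials rejected
    ERROR = "error"  # method gave no answer (server unreachable or timed out)

# Constructed sample accounts (hypothetical names and passwords).
RADIUS_USERS = {"admin1": "radius-pw"}   # admins known to the RADIUS server
LOCAL_USERS = {"siteuser": "local-pw"}   # per-device local username

def radius_method(reachable):
    """Stub RADIUS group: returns ERROR when the server cannot be reached."""
    def check(user, password):
        if not reachable:
            return Result.ERROR
        return Result.PASS if RADIUS_USERS.get(user) == password else Result.FAIL
    return check

def local_method(user, password):
    """Local username database: assumed to always answer PASS or FAIL."""
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL

def method_list(radius_reachable):
    """Equivalent of: aaa authentication login <NAME> group radius local"""
    return [("radius", radius_method(radius_reachable)), ("local", local_method)]

def authenticate(methods, user, password):
    """Walk the list in order; return (result, name of the deciding method)."""
    for name, method in methods:
        result = method(user, password)
        if result is not Result.ERROR:
            # PASS or FAIL is final: later methods are never consulted.
            return result, name
    return Result.FAIL, None  # every method errored, nobody could decide

if __name__ == "__main__":
    for reachable in (True, False):
        for user, pw in (("admin1", "radius-pw"), ("siteuser", "local-pw")):
            result, decided_by = authenticate(method_list(reachable), user, pw)
            print(f"radius_up={reachable} user={user}: {result.value} via {decided_by}")
```

With RADIUS reachable, the local-only user is rejected by RADIUS and `local` is never tried; with RADIUS unreachable, the same user is accepted by `local`.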

