[c-nsp] ios aaa

Jon Lewis jlewis at lewis.org
Sun Mar 1 13:43:02 EST 2015


Multiple brands document it that way, but the coders weren't listening. 
As mentioned, I encourage anyone doing this to test thoroughly, but on 
Brocade and Cisco, my experience has been that local group radius will 
work contrary to the docs.  I just hope they never fix this glitch...or 
fix it in the docs rather than in the code.

On Sun, 1 Mar 2015, Clint Wade wrote:

> Counter to how I've always understood it, if you put local first it will
> never attempt to use RADIUS. It's Sunday morning I'm way too lazy to lab
> this up. Again this list is "IF AVAILABLE" not "if-authenticated".
>
> http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html#login_auth
>
> Configuring Authentication
>
> The Cisco IOS software uses the first method listed to authenticate users.
> If that method fails to respond (indicated by an ERROR), the Cisco IOS
> software selects the next authentication method listed in the method list.
> This process continues until there is successful communication with a
> listed authentication method, or all methods defined in the method list are
> exhausted.
>
> It is important to note that the Cisco IOS software attempts authentication
> with the next listed authentication method only when there is no response
> from the previous method. If authentication fails at any point in this
> cycle, meaning that the AAA server or local username database responds by
> denying the user access (indicated by a FAIL), the authentication process
> stops and no other authentication methods are attempted
>
>
>
> ~ One option you have, assuming this is a shared local account, is to create the
> account on the RADIUS server as well as locally. This would only make sense for
> shared accounts; depending on your security posture this may not be allowed.
>
>
> On Sun, Mar 1, 2015 at 11:22 AM, Jon Lewis <jlewis at lewis.org> wrote:
>
>> Flip the "local" "group radius" order and it'll do what you're looking
>> for.  i.e. check the local db first (allowing non-radius users in) and if
>> not found in the local db, radius is tried.  Keep in mind, there are some
>> additional config hoops to jump through to get radius auth working for
>> console logins.  So, test your config...don't just assume it'll work and
>> find out at the worst time that it doesn't quite.
>>
>>
>> On Sun, 1 Mar 2015, John Brown wrote:
>>
>>> Hi Thomas,
>>> That's what I have, but it doesn't ever fail over to the local user on
>>> the box.  Hence my confusion
>>>
>>> On Sun, Mar 1, 2015 at 7:55 AM, Thomas Toquothty <tltoquothty at gmail.com>
>>> wrote:
>>>
>>>> aaa authentication login <NAME> group radius local
>>>>
>>>> This is how we have ours and it will roll over to local if connectivity is
>>>> down or whatever reason.
>>>>
>>>> On Sat, Feb 28, 2015 at 9:24 PM John Brown <john at citylinkfiber.com>
>>>> wrote:
>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> I'm trying to have our cisco boxes use two different methods for
>>>>> authentication.
>>>>>
>>>>> Radius and local.
>>>>>
>>>>> At present we have Radius working nicely.
>>>>>
>>>>> What I would like to do is also have local username function.
>>>>>
>>>>> So that if the user is NOT in radius, but IS on the device locally it
>>>>> will authenticate and let that user on.
>>>>>
>>>>> In addition, if radius is dead, the local username will allow a person
>>>>> on.
>>>>>
>>>>> This would be via  serial console, or ssh, or telnet (for those few
>>>>> devices we have left that don't support ssh)
>>>>>
>>>>> I haven't found anything that is clear and makes sense.  I'm hoping
>>>>> someone has a cut and paste, or a pointer to a working setup.  If this
>>>>> is possible.
>>>>>
>>>>> thanks
>>>>> _______________________________________________
>>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>
>>>
>>>
>

----------------------------------------------------------------------
  Jon Lewis, MCP :)           |  I route
                              |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
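A runnable model of the method-list rule Clint quoted from the Cisco documentation, added here as an example; it is not code from the list, from Cisco or from Brocade. The usernames, passwords and the two credential stores are constructed for the model. The `unknown_local_is_error` switch is a modelling assumption that lets you compare the documented reading of `local` (a name missing from the local database is a FAIL that ends the list) with the behaviour Jon reports on real gear (the list moves on to RADIUS):

```python
"""Model of how Cisco IOS walks an 'aaa authentication login' method list.

Added example for the thread above; not code from the list, Cisco or
Brocade.  It encodes the rule in the Cisco text Clint quoted: methods
are tried in order, an ERROR (no answer) moves to the next method, a
FAIL (an explicit deny) ends the list, a PASS grants access.
"""
from enum import Enum
from typing import Dict, List, Tuple


class Result(Enum):
    PASS = "PASS"    # the method authenticated the user
    FAIL = "FAIL"    # the method answered and denied the user
    ERROR = "ERROR"  # the method gave no answer (server down, timeout)


# Constructed credential stores for the model only; real IOS stores
# 'username ... secret' hashes and a RADIUS server never hands back passwords.
LOCAL_USERS: Dict[str, str] = {"breakglass": "local-only-pw"}
RADIUS_USERS: Dict[str, str] = {"jbrown": "radius-pw"}


def method_radius(user: str, pw: str, servers_up: bool, **_) -> Result:
    """'group radius': Access-Accept -> PASS, Access-Reject -> FAIL,
    no reply from any configured server -> ERROR."""
    if not servers_up:
        return Result.ERROR
    return Result.PASS if RADIUS_USERS.get(user) == pw else Result.FAIL


def method_local(user: str, pw: str, unknown_local_is_error: bool, **_) -> Result:
    """'local': the documented reading is that a name missing from the
    local database is a FAIL; the thread reports that real IOS and
    Brocade treat it as an ERROR and move on.  The flag (an assumption
    of this model) selects which behaviour to simulate."""
    if user not in LOCAL_USERS:
        return Result.ERROR if unknown_local_is_error else Result.FAIL
    return Result.PASS if LOCAL_USERS[user] == pw else Result.FAIL


METHODS = {"group radius": method_radius, "local": method_local}

# The two method lists argued over in the thread, as they would appear in IOS:
#   aaa authentication login default group radius local
#   aaa authentication login default local group radius
RADIUS_FIRST = ["group radius", "local"]
LOCAL_FIRST = ["local", "group radius"]


def authenticate(method_list: List[str], user: str, pw: str, *,
                 servers_up: bool = True,
                 unknown_local_is_error: bool = False) -> Tuple[bool, List[str]]:
    """Walk the list as the quoted Cisco text describes.
    Returns (access granted, trace of 'method:result' strings)."""
    trace: List[str] = []
    for name in method_list:
        result = METHODS[name](user, pw, servers_up=servers_up,
                               unknown_local_is_error=unknown_local_is_error)
        trace.append(f"{name}:{result.value}")
        if result is Result.PASS:
            return True, trace
        if result is Result.FAIL:
            return False, trace   # an explicit deny stops the list
        # ERROR: fall through to the next method
    return False, trace           # list exhausted without a PASS


def scenarios() -> Dict[str, bool]:
    """The cases discussed in the thread, keyed by what each one shows."""
    return {
        # What already works for the OP: a RADIUS user with servers reachable.
        "radius-first/radius user": authenticate(RADIUS_FIRST, "jbrown", "radius-pw")[0],
        # The OP's symptom: a local-only user while RADIUS is reachable.  The
        # server answers Access-Reject, that is a FAIL, and local is never asked.
        "radius-first/local-only user": authenticate(RADIUS_FIRST, "breakglass", "local-only-pw")[0],
        # RADIUS dead: ERROR, so the list moves on and local lets the user in.
        "radius-first/servers down": authenticate(RADIUS_FIRST, "breakglass", "local-only-pw",
                                                  servers_up=False)[0],
        # Local first, read literally from the docs: unknown local name is a
        # FAIL and RADIUS is never tried (Clint's point).
        "local-first/doc reading": authenticate(LOCAL_FIRST, "jbrown", "radius-pw")[0],
        # Local first as Jon reports it behaving: unknown local name falls
        # through and RADIUS authenticates the user.
        "local-first/observed": authenticate(LOCAL_FIRST, "jbrown", "radius-pw",
                                             unknown_local_is_error=True)[0],
        # In either reading a wrong password for a known local name is a FAIL;
        # the router does not go on to ask RADIUS about it.
        "local-first/bad local password": authenticate(LOCAL_FIRST, "breakglass", "wrong",
                                                       unknown_local_is_error=True)[0],
    }


if __name__ == "__main__":
    for label, granted in scenarios().items():
        print(f"{label:34} -> {'allowed' if granted else 'denied'}")
```

The second scenario is the one that matches the original question: with `group radius local`, a reachable RADIUS server that does not know the user sends Access-Reject, which the method list treats as a FAIL, so the local database is consulted only when every RADIUS server is unreachable. Whichever order you settle on, remember that a named list (anything other than `default`) only takes effect on a line after `login authentication <NAME>` is configured under `line con 0` or `line vty`, and, as Jon says, verify the console fallback on the actual hardware rather than trusting the model or the docs.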

