From: Mike Louis (louism@gcs.k12.nc.us)
Date: Mon Dec 19 2005 - 20:38:15 GMT-3
My understanding is that the command
aaa authentication login use-radius radius local
means this:
use aaa for authentication, but first use the group use-radius.
If this fails to authenticate the user, then try the second method,
which in this case is local.
It's a backdoor method for when you cannot authenticate against the first group, or second for that matter. I have failed authentication on the radius server many times because of an incorrect password, only to be let in via the local username and password.
Alternatively, if you wanted to, you could forego the local option and force authentication via radius only.
Mike Louis CCNP,CCDA
Network Engineer
Granville County Schools Technology Team
919-693-4613 (office)
919-693-3791(fax)
919-691-0682(mobile)
>>> "Tim" <ccie2be@nyc.rr.com> 12/19/05 12:27 PM >>>
Henk,
The command you're using doesn't look correct but if it is maybe you're
missing other commands such as aaa new-model, aaa host x.x.x.x, etc.
One thing you might try is using debug aaa to see what traffic is being sent
and received from your radius server.
HTH, Tim
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Henk Botha
Sent: Monday, December 19, 2005 11:14 AM
To: ccielab@groupstudy.com
Subject: Radius Authentication
Hi
I am a bit confused about the process of Authentication.
I have a router set up to use Radius first and then local
"aaa authentication login use-radius radius local"
It all works fine. But the bit that confuses me is when I use the local
username to log in it allows me to log in; as far as I understand, this should
only happen if the Radius server is unavailable. With my scenario the Radius
server is always available.
For a test I add a username on the Radius that is exactly the same as the
local with a different password. But using the local still allows me to
log in.
Is this the way it should work?
Regards
Henk
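The two readings of the method list "radius local" that appear in this thread, modelled side by side as an added example (not part of the original messages and not Cisco code): Henk expects local to be tried only when the Radius server gives no answer, while Mike describes local being tried after a Radius reject as well. The account data, passwords and function names are constructed for illustration.

```python
from enum import Enum

class Reply(Enum):
    ACCEPT = "accept"  # method answered: credentials valid
    REJECT = "reject"  # method answered: credentials invalid
    ERROR = "error"    # method gave no answer (e.g. server unreachable)

def check(db, reachable, user, password):
    """Reply of one method for a username/password pair."""
    if not reachable:
        return Reply.ERROR
    return Reply.ACCEPT if db.get(user) == password else Reply.REJECT

def login(methods, user, password, fall_through_on_reject):
    """Walk the method list in order; return (allowed, deciding method)."""
    for name, db, reachable in methods:
        reply = check(db, reachable, user, password)
        if reply is Reply.ACCEPT:
            return True, name
        if reply is Reply.REJECT and not fall_through_on_reject:
            return False, name  # a reject is final under this reading
        # ERROR (or REJECT under the fall-through reading): try next method
    return False, None  # list exhausted, no method accepted

# Constructed sample data mirroring Henk's test: same username, different passwords.
RADIUS_DB = {"henk": "radius-pw"}
LOCAL_DB = {"henk": "local-pw"}

def henk_test(fall_through_on_reject, radius_up=True, with_local=True):
    """Log in with the LOCAL password against the list 'radius [local]'."""
    methods = [("radius", RADIUS_DB, radius_up)]
    if with_local:
        methods.append(("local", LOCAL_DB, True))
    return login(methods, "henk", "local-pw", fall_through_on_reject)

if __name__ == "__main__":
    for label, ft in (("fallback on no answer only", False),
                      ("fallback on reject too", True)):
        print(label)
        print("  radius up, local listed   :", henk_test(ft))
        print("  radius down, local listed :", henk_test(ft, radius_up=False))
        print("  radius down, radius only  :", henk_test(ft, radius_up=False, with_local=False))
```

Running Henk's own test (same username, different passwords, server reachable) against a device shows which of the two rows it follows. Whenever "local" is the deciding method, the local account is a standing second credential and needs the same password and audit controls as the Radius accounts.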
This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:51 GMT-3