Re: Radius Authentication

From: Mike Louis (louism@gcs.k12.nc.us)
Date: Tue Dec 20 2005 - 00:02:51 GMT-3


Sean,

Here are the lines from my configuration.

aaa new-model

aaa group server radius RadiusServers
 server x.x.x.x auth-port 1812 acct-port 1813

aaa authentication login RadiusServers group RadiusServers local

radius host x.x.x.x auth-port 1812 acct-port 1813

(this defines the host specified in the group statement)

radius key 7 XXXXXXXXXXXX

(this defines the default key if none is specified in the group statement)

line vty 0 15
login authentication RadiusServers

(this defines the authentication type to be used on the line)

I have an ACS server listening on x.x.x.x on ports 1812 and 1813. My group is RadiusServers. The authentication will proceed at login as follows:

user telnets to device
prompted for Radius username/password challenge
username/password fails challenge from the radius server at x.x.x.x
IOS checks local username and password
if this passes then user gains priv level 1 access
must enable to gain level 15

This is how I understand that it is working.

Am I incorrect?

Mike Louis CCNP,CCDA
Network Engineer
Granville County Schools Technology Team
919-693-4613 (office)
919-693-3791(fax)
919-691-0682(mobile)
>>> "Sean C." <Upp_and_Upp@hotmail.com> 12/19/05 10:46 PM >>>
Mike,

It may help if you post the entire relevant configs. For example - we
can only assume you have the radius host configured.

But don't you need to use the word 'group' in your config:
aaa authentication login use-radius GROUP radius local

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfrad.htm#1001359
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_a1g.htm#wp1071170

Sorry, maybe I'm misunderstanding what you're attempting to do,
Sean
----- Original Message -----
From: "Mike Louis" <louism@gcs.k12.nc.us>
To: <ccielab@groupstudy.com>
Sent: Monday, December 19, 2005 3:38 PM
Subject: RE: Radius Authentication

My understanding is that the command

aaa authentication login use-radius radius local

means this

use aaa for authentication but first use the group use-radius

if this fails to authenticate the user then try the second method

which in this case is local

It's a backdoor method for when you cannot authenticate against the first
group or second for that matter. I have failed authentication on the radius
server many times because of an incorrect password only to be let in via the
local username and password.

Alternatively, if you wanted to you could forego the local option and force
authentication via radius only.

Mike Louis CCNP,CCDA
Network Engineer
Granville County Schools Technology Team
919-693-4613 (office)
919-693-3791(fax)
919-691-0682(mobile)
>>> "Tim" <ccie2be@nyc.rr.com> 12/19/05 12:27 PM >>>
Henk,

The command you're using doesn't look correct but if it is maybe you're
missing other commands such as aaa new-model, aaa host x.x.x.x, etc.

One thing you might try is using debug aaa to see what traffic is being sent
and received from your radius server.

HTH, Tim

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Henk
Botha
Sent: Monday, December 19, 2005 11:14 AM
To: ccielab@groupstudy.com
Subject: Radius Authentication

Hi

I am a bit confused about the process of Authentication.

I have a router setup to use Radius first and then local
"aaa authentication login use-radius radius local"

It all works fine. But the bit that confuses me is when I use the local
username to log in it allows me to log in, as far as I understand this should
only happen if the Radius server is unavailable. With my scenario the Radius
server is always available.

For a test I added a username on the Radius that is exactly the same as the
local with a different password. But using the local still allows me to
log in.

Is this the way it should work?

Regards

Henk

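As an added illustration, not part of this thread, here is a small Python model of how Cisco documents a login method list being walked: a method that answers with a reject (FAIL) ends the list, and only a method that cannot answer at all (ERROR, such as no RADIUS reply before the timeout) hands off to the next method, so with 'group radius local' the local password is consulted only while the RADIUS server is not responding. The user names, passwords and function names below are constructed for the example.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method accepted the credentials
    FAIL = "fail"    # method answered and rejected them: the list stops here
    ERROR = "error"  # method could not answer (no server reply): try the next method

# Constructed stand-ins for the two credential stores discussed in the thread.
RADIUS_USERS = {"henk": "radius-secret"}  # what the RADIUS server would accept
LOCAL_USERS = {"henk": "local-secret"}    # 'username henk password ...' on the router

def group_radius(user, password, server_reachable=True):
    """'group radius': an Access-Reject is FAIL; no reply before timeout is ERROR."""
    if not server_reachable:
        return Result.ERROR
    return Result.PASS if RADIUS_USERS.get(user) == password else Result.FAIL

def local(user, password, server_reachable=True):
    """'local': the router's own username database; an empty database is ERROR."""
    if not LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL

# 'aaa authentication login use-radius group radius local'
USE_RADIUS = [group_radius, local]

def authenticate(method_list, user, password, server_reachable=True):
    """Walk a login method list as IOS does: move to the next method only on ERROR.
    Returns (final result, names of the methods that were actually consulted)."""
    consulted = []
    for method in method_list:
        consulted.append(method.__name__)
        result = method(user, password, server_reachable)
        if result is not Result.ERROR:
            return result, consulted
    return Result.FAIL, consulted  # every method errored out and none was 'none'

if __name__ == "__main__":
    # RADIUS answers and rejects the local-only password: local is never consulted.
    print(authenticate(USE_RADIUS, "henk", "local-secret"))
    # RADIUS does not answer: the same password is now checked, and accepted, locally.
    print(authenticate(USE_RADIUS, "henk", "local-secret", server_reachable=False))
```

If a local-only password is being accepted while the server is believed to be up, the check worth making is the debug output Tim mentions (debug aaa authentication, debug radius) to confirm whether the router is receiving any valid reply at all.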


This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:51 GMT-3