From: Henk Botha (henkbotha@hotmail.com)
Date: Tue Dec 20 2005 - 06:50:36 GMT-3
Hi
Thank you all for the responses
With fail I mean the Radius does not recognise the user. All the documents I
saw say exactly the same as you. The authentication should stop there and
not carry on to local, but it seems it depends on how you use the aaa
authentication command.
aaa authentication login use-radius group radius local
Explained to me by a group study member means radius or Local
I will test the following command today to see if it makes a difference.
aaa authentication login default radius local
Regards
Henk
>From: "Schulz, Dave" <DSchulz@dpsciences.com>
>Reply-To: "Schulz, Dave" <DSchulz@dpsciences.com>
>To: "Mike Louis " <louism@gcs.k12.nc.us>, <nobody@groupstudy.com>,
><ccielab@groupstudy.com>
>Subject: RE: Radius Authentication
>Date: Mon, 19 Dec 2005 22:28:11 -0500
>
>On the first method....we have to qualify the definition of "fails".
>Meaning, if the radius returns a fail, because the password or username was
>incorrect is different if the radius server is unavailable and does not
>return any response. On the first scenario, the authentication will end at
>the radius method and not continue on to the local method. However, in the
>second scenario (radius is unavailable), then the authentication will then
>proceed to the second method (local). Hope this helps.
>
>Dave
>
>-----Original Message-----
>From: nobody@groupstudy.com
>To: ccielab@groupstudy.com
>Sent: 12/19/2005 6:38 PM
>Subject: RE: Radius Authentication
>
>My understanding is that the command
>
>aaa authentication login use-radius radius local
>
>means this
>
>use aaa for authentication but first use the group use-radius
>
>if this fails to authenticate the user then try the second method
>
>which in this case is local
>
>it's a backdoor method for when you cannot authenticate against the first
>group or second for that matter. I have failed authentication on the
>radius server many times because of an incorrect password only to be let
>in via the local username and password.
>
>Alternatively, if you wanted to you could forego the local option and
>force authentication via radius only.
>
>Mike Louis CCNP,CCDA
>Network Engineer
>Granville County Schools Technology Team
>919-693-4613 (office)
>919-693-3791(fax)
>919-691-0682(mobile)
> >>> "Tim" <ccie2be@nyc.rr.com> 12/19/05 12:27 PM >>>
>Henk,
>
>The command you're using doesn't look correct but if it is maybe you're
>missing other commands such as aaa new-model, aaa host x.x.x.x, etc.
>
>One thing you might try is using debug aaa to see what traffic is being
>sent and received from your radius server.
>
>HTH, Tim
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Henk Botha
>Sent: Monday, December 19, 2005 11:14 AM
>To: ccielab@groupstudy.com
>Subject: Radius Authentication
>
>Hi
>
>I am a bit confused about the process of Authentication.
>
>I have a router setup to use Radius first and then local
>"aaa authentication login use-radius radius local"
>
>It all works fine. But the bit that confuses me is when I use the local
>username to login it allows me to log in, as far as I understand this
>should only happen if the Radius server is unavailable. With my scenario
>the Radius server is always available.
>
>For a test I add a username on the Radius that is exactly the same as
>the local with a different password. But using the local still allows me
>to login.
>
>Is this the way it should work?
>
>Regards
>
>Henk
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
>
This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:51 GMT-3
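
The fallback rule Dave Schulz describes in the thread (a reject from RADIUS ends authentication, and only a missing response moves on to local), modelled as an added Python example that is not part of the original messages. The user name, passwords and function names are constructed for illustration; this is a model of the method-list logic, not router code.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method answered and accepted the credentials
    FAIL = "fail"    # method answered and rejected them (e.g. RADIUS reject)
    ERROR = "error"  # method gave no answer (server unreachable or timed out)

def radius_method(server_up, radius_users):
    """Build a RADIUS method; server_up=False models an unreachable server."""
    def check(user, password):
        if not server_up:
            return Result.ERROR
        return Result.PASS if radius_users.get(user) == password else Result.FAIL
    return check

def local_method(local_users):
    """Build a method backed by the device's local username database."""
    def check(user, password):
        return Result.PASS if local_users.get(user) == password else Result.FAIL
    return check

def authenticate(method_list, user, password):
    """Walk the list in order; only ERROR moves on to the next method."""
    for name, method in method_list:
        result = method(user, password)
        if result is not Result.ERROR:
            # A definite answer (PASS or FAIL) is final; later methods are skipped.
            return result is Result.PASS, name
    return False, None  # every method errored: deny

# Constructed sample data mirroring the test in the original question:
# the same username exists on RADIUS and locally, with different passwords.
RADIUS_USERS = {"henk": "radius-pw"}
LOCAL_USERS = {"henk": "local-pw"}

def scenario(server_up, password):
    """Return (allowed, deciding_method) for the list 'group radius local'."""
    methods = [("radius", radius_method(server_up, RADIUS_USERS)),
               ("local", local_method(LOCAL_USERS))]
    return authenticate(methods, "henk", password)

if __name__ == "__main__":
    for up in (True, False):
        for pw in ("radius-pw", "local-pw"):
            ok, decided_by = scenario(up, pw)
            print(f"server_up={up} password={pw}: allowed={ok} decided_by={decided_by}")
```

Under this rule the local password is accepted only while the RADIUS server is not answering, so a local login that succeeds with the server reachable means the session was not evaluated against this list.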