Re: AAA trouble....

Darby,
you missed the point of the Q.
He was wondering about why the LOCAL priviledge was not being honoured...
AAA ? yes Radius ? no.

-Carlos

Darby Weaver @ 23/04/2009 23:44 -0200 dixit:
> Do you have a Radius Server and is it defined? I did not see this in the
> config snippet.
>
> If you do not then it will look - refer to the debug output. If it fails to
> find an auth server, then and only then will it fall back to the next
> defined authententication method (in this case local).
>
> So...
>
> 1. If the Auth Server exists it will:
>
> A. Authenticate the use if the u/p is correct. or...
> B. Fail if non-exist or incorrect.
>
> And that is it.
>
> 2. If the Auth Server does not exist (not defined in the config, is not
> reachable, etc.)...
>
> A. The device will then proceed to the fallback auth mechanism if one if
> configured and exists properly i.e. local database in the case presented.
>
> Now this is normal and expected behavior.
>
> I've read about people taking their labs and defining say VTY and not
> defining an existing Auth Server or worse... not defining one at all... and
> guess what else they do?
>
> They do not define a secondary authentication mechaism... or do not define a
> local database with a u/p...
>
> Me -
>
> I like to verify things and I telnet/ssh to the device from the device and
> verify what I will happen. I also perform a reload in 5 and just turn it
> off if I don't need it.
>
> Hey I've had to set up whole networks with 500-1000+ devices at a time to
> "take control" and when you have to do this kind of task you really don't
> have time to lock yourself out of the box.
>
> Live and Learn.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>

-- 
Carlos G Mendioroz  <tron_at_huapi.ba.ar>  LW7 EQI  Argentina
Blogs and organic groups at http://www.ccie.net