From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Tue Dec 20 2005 - 00:28:11 GMT-3
On the first method... we have to qualify the definition of "fails". Meaning,
if the RADIUS server returns a fail because the password or username was
incorrect, that is different from when the RADIUS server is unavailable and
does not return any response. In the first scenario, the authentication will
end at the radius method and not continue on to the local method. However, in
the second scenario (RADIUS is unavailable), the authentication will proceed
to the second method (local). Hope this helps.
Dave
-----Original Message-----
From: nobody@groupstudy.com
To: ccielab@groupstudy.com
Sent: 12/19/2005 6:38 PM
Subject: RE: Radius Authentication
My understanding is that the command
aaa authentication login use-radius radius local
means this:
use aaa for authentication, but first use the group use-radius;
if this fails to authenticate the user, then try the second method,
which in this case is local.
It's a backdoor method for when you cannot authenticate against the first
group, or second for that matter. I have failed authentication on the
radius server many times because of an incorrect password only to be let
in via the local username and password.
Alternatively, if you wanted to you could forego the local option and
force authentication via radius only.
Mike Louis CCNP,CCDA
Network Engineer
Granville County Schools Technology Team
919-693-4613 (office)
919-693-3791(fax)
919-691-0682(mobile)
>>> "Tim" <ccie2be@nyc.rr.com> 12/19/05 12:27 PM >>>
Henk,
The command you're using doesn't look correct but if it is maybe you're
missing other commands such as aaa new-model, aaa host x.x.x.x, etc.
One thing you might try is using debug aaa to see what traffic is being sent
and received from your radius server.
HTH, Tim
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Henk Botha
Sent: Monday, December 19, 2005 11:14 AM
To: ccielab@groupstudy.com
Subject: Radius Authentication
Hi
I am a bit confused about the process of Authentication.
I have a router set up to use Radius first and then local:
"aaa authentication login use-radius radius local"
It all works fine. But the bit that confuses me is that when I use the local
username to log in, it allows me to log in; as far as I understand, this should
only happen if the Radius server is unavailable. With my scenario the Radius
server is always available.
For a test I added a username on the Radius that is exactly the same as the
local with a different password. But using the local still allows me to log in.
Is this the way it should work?
Regards
Henk
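
The fall-through rule described in Dave's reply at the top of this thread, modelled in Python as an added example; it is not part of any message in the thread and not Cisco's implementation. The names `Result`, `authenticate` and `scenario` and the sample credentials are constructed for illustration, mirroring Henk's test of one username with two different passwords.

```python
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"  # the method answered: credentials are good
    REJECT = "reject"  # the method answered: credentials are bad
    ERROR = "error"    # the method gave no answer (server unreachable)

def radius_method(server_db, reachable):
    """Model of a RADIUS method backed by a user -> password table."""
    def check(user, password):
        if not reachable:
            return Result.ERROR  # timeout: no response at all
        ok = server_db.get(user) == password
        return Result.ACCEPT if ok else Result.REJECT
    return check

def local_method(local_db):
    """Model of the router's local username database; it always answers."""
    def check(user, password):
        ok = local_db.get(user) == password
        return Result.ACCEPT if ok else Result.REJECT
    return check

def authenticate(method_list, user, password):
    """Walk the list in order; only ERROR falls through to the next method."""
    for name, method in method_list:
        result = method(user, password)
        if result is not Result.ERROR:
            return name, result  # an ACCEPT or a REJECT is final
    return None, Result.REJECT   # no method responded: access denied

# Constructed sample data: same username, different password on each side.
RADIUS_DB = {"henk": "radius-pw"}
LOCAL_DB = {"henk": "local-pw"}

def scenario(reachable, password, with_local=True):
    """Run one login attempt for user 'henk' against a 'radius [local]' list."""
    methods = [("radius", radius_method(RADIUS_DB, reachable))]
    if with_local:
        methods.append(("local", local_method(LOCAL_DB)))
    return authenticate(methods, "henk", password)

if __name__ == "__main__":
    for reachable in (True, False):
        for pw in ("radius-pw", "local-pw"):
            print(f"reachable={reachable} password={pw}: {scenario(reachable, pw)}")
    print("radius only, server down:", scenario(False, "radius-pw", with_local=False))
```

In this model the local password is only ever consulted when the RADIUS method returns no response, and a list without `local` denies every login while the server is down.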
This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:51 GMT-3