I have the following configuration on a switch that I am testing for RADIUS authentication:

aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
enable secret 5 XXXXXXXXX
!
username admin secret 5 XXXXXXXXX
!
ip radius source-interface FastEthernet0/1
radius-server host XXX.XXX.XXX.XXX auth-port 1812 acct-port 1813 key XXXXXXXXX
radius-server retransmit 3
!
line con 0
line vty 5 15

RADIUS authentication is working just fine, but if the server is not available I cannot log into the router with the ADMIN account.

What's wrong there?

Thanks!

Zypher
3D1L

2 Answers

Seems correct to me. From Cisco site:

Example 1: Exec Access using Radius then Local
aaa authentication login default group radius local

In the command above:
* the named list is the default one (default).
* there are two authentication methods (group radius and local).

All users are authenticated using the Radius server (the first method).
If the Radius server doesn't respond, then the router's local database
is used (the second method).

Maybe you have some kind of

login authentication <NAME>

under your line vty 0 X ?

In that case you should add a line:

aaa authentication login <NAME> group radius local

or simply delete the

login authentication <NAME>

line from your conf.

Daniele Santi
  • MrShunz thanks, but there is no login line except for the one that I already listed: aaa authentication login default group radius local – Mar 19 '10 at 19:38
  • Well, you can then try adding under line vty 0 X "login authentication " and "aaa authentication login local" to see if it works – Daniele Santi Mar 20 '10 at 17:08
The problem is that when you specify a TACACS or RADIUS server first in your login method (in your case the default method), it will never try the local username unless TACACS or RADIUS is unreachable. So if you want to test your local login, do one of the following:
1. remove your device from RADIUS (not good for production devices)
2. shut off the port that RADIUS messages are received on
3. create another login method and test it on one of your other interfaces, like your console port

For example:

aaa authentication login <some_name> local
line con 0
login authentication <some_name>

BE77Y
user286335
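The method-list behaviour this answer describes, and the per-line "login authentication <NAME>" case from the first answer, as an added Python model that is not from the original thread and is not IOS code: a method list moves to the next method only when the previous one cannot answer (server unreachable), so a RADIUS reject never falls through to the local database, while an unreachable server does. The function names, the sample users and the 5 s per-attempt timeout default are assumptions.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # credentials rejected by the method
    ERROR = "error"  # the method could not answer (RADIUS server unreachable)

def radius_method(reachable, users):
    """RADIUS: ERROR when the server is unreachable, otherwise PASS/FAIL."""
    def check(user, password):
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(user) == password else Result.FAIL
    return check

def local_method(users):
    """The switch's own 'username ... secret' database."""
    return lambda user, password: Result.PASS if users.get(user) == password else Result.FAIL

def authenticate(method_list, user, password):
    """IOS rule: the next method is consulted only on ERROR; PASS and FAIL are final."""
    for name, method in method_list:
        result = method(user, password)
        if result is not Result.ERROR:
            return result, name
    return Result.FAIL, None  # every method errored out: the login is refused

def list_for_line(line_cfg, lists):
    """A line with 'login authentication <NAME>' uses that list, else 'default'."""
    return lists[line_cfg.get("login authentication", "default")]

def fallback_wait_seconds(retransmit=3, timeout=5):
    """Worst-case wait before the server is declared dead: first try + retransmits,
    each waiting 'timeout' seconds (5 s is the IOS default; assumed here)."""
    return (retransmit + 1) * timeout

def scenario(radius_reachable):
    # Constructed sample data: 'alice' exists only on RADIUS, 'admin' only locally.
    radius = radius_method(radius_reachable, {"alice": "R4dius!"})
    local = local_method({"admin": "L0cal!"})
    lists = {"default": [("group radius", radius), ("local", local)],  # asker's list
             "NOLOCAL": [("group radius", radius)]}  # a named list with no local fallback
    con = list_for_line({}, lists)  # no 'login authentication' on the line -> default
    vty = list_for_line({"login authentication": "NOLOCAL"}, lists)
    return {"alice_con": authenticate(con, "alice", "R4dius!"),
            "admin_con": authenticate(con, "admin", "L0cal!"),
            "admin_vty": authenticate(vty, "admin", "L0cal!")}
```

With "radius-server retransmit 3" and the default timeout, a login attempt waits about 20 s before the switch gives up on the server and consults the local database, which can look like a failed local login if you do not wait it out.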