Order of authentication.

I've already posted a question like this, but I was not able to find that post.

How do I tell a router to ask a RADIUS server first, then the local database?

thanks,

Alex.

Reply to
AM

I have not set this up on a router before, but I use the following on wireless access points to check a remote RADIUS server first and, if that cannot be contacted, to revert to local authentication.

Ports 1645 and 1646 are for the remote RADIUS box; 1812 and 1813 are for the local database.

aaa new-model
!
!
aaa group server radius localauth
 server 10.13.66.1 auth-port 1645 acct-port 1646
 server 10.13.66.80 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group localauth

radius-server local
 nas 10.13.66.80 key 7 011B03085704
 user chris nthash 7 XXXXXXXXXXXXXXXXXXXXXXXX
!
radius-server host 10.13.66.1 auth-port 1645 acct-port 1646 key 7 XXXXXXXXXX
radius-server host 10.13.66.80 auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXX
radius-server deadtime 1
bridge 1 route ip

Drop the ZZZ to reply

Cheers ...

Reply to
Chris_D

Whatever you have configured on the router is absolutely fine. You can say group radius local; this will ensure that if your RADIUS is dead, it will send the request to the local database. But if you get any reply from RADIUS, it will never fall back to the local database.

Reply to
rave
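The fallback rule described in the reply above, as an added example that is not part of any post in this thread: a simplified Python model of an ordered method list in which only "no response" moves on to the next method, while any answer (accept or reject) is final. All function names, usernames and passwords are constructed for illustration; this is not router code.

```python
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no response"  # timeout or server marked dead

def source(users, reachable=True):
    """Simulated credential source (RADIUS server or local database)."""
    def ask(user, password):
        if not reachable:
            return Result.NO_RESPONSE
        return Result.ACCEPT if users.get(user) == password else Result.REJECT
    return ask

def authenticate(methods, user, password):
    """Walk an ordered method list; return (result, deciding method name)."""
    for name, ask in methods:
        result = ask(user, password)
        if result is not Result.NO_RESPONSE:
            return result, name  # any answer, accept or reject, is final
    return Result.REJECT, None  # assumption in this model: nothing answered, so deny

# Constructed sample data (not from the thread)
RADIUS_USERS = {"alex": "radius-pw"}
LOCAL_USERS = {"admin": "local-pw"}

def method_list(radius_up):
    """Model of 'group radius local': RADIUS first, then the local database."""
    return [("radius", source(RADIUS_USERS, reachable=radius_up)),
            ("local", source(LOCAL_USERS))]

if __name__ == "__main__":
    for up in (True, False):
        for user, pw in (("alex", "radius-pw"), ("admin", "local-pw")):
            result, by = authenticate(method_list(up), user, pw)
            print(f"radius_up={up!s:5} user={user:5} -> {result.value} (decided by {by})")
```

With RADIUS reachable, the local-only account is rejected by RADIUS and the local database is never consulted; it only works while RADIUS is not answering.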
