Hello Raghu
Thanks for your feedback, it’s much appreciated! I will let @ReneMolenaar know of your request and he’ll get back to you.
Thanks again!
Laz
Hi
I found this question in the OCG book.
Your router is configured as follows:
R1#show run | i aaa|username
aaa new-model
username ENARSI password 0 EXAM
R1# show run | s vty
line vty 0 4
password cisco
transport input all
R1#
Based on the configuration, what will occur when someone uses Telnet to reach the router?
- Authentication will fail because there is no AAA method list
- The user will be required to use line password cisco.
- The user will be required to use the username ENARSI with the password EXAM
- Something else…
The answer is the number 3.
Can you explain to me why 2 is not correct? (Telnet does not require a username, as far as I know.)
Thanks
Hello Giovanni
It all has to do with the behavior of the device with and without the aaa new-model command.
Without aaa new-model, the VTY will behave as follows:
The login command is used to instruct the VTY to ask for credentials when an attempt to log in is made. If the command is simply login, then it uses the password configured with the password command under the VTY configuration. If the command is login local, then it asks for a username and password based on the local user database, regardless of whether or not the password command was used. Note that if login is used and no password is set, it will still prompt for a password, but access will never be granted.
The following configuration will ask for a password whenever connectivity via Telnet is attempted, using the password cisco.
line vty 0 4
password cisco
login
transport input all
The following configuration will give Telnet access immediately without asking for any credentials, even though a password is configured.
line vty 0 4
password cisco
transport input all
The following configuration will ask for a username and password whenever connectivity via Telnet is attempted. The password cisco is completely ignored, and the local database is used for authentication, using username and password.
line vty 0 4
password cisco
login local
transport input all
With aaa new-model enabled, the VTY will behave as follows:
The VTY will always use the local database as the authentication source by default. The password configured within the VTY configuration is ignored. The login and login local commands are disabled and replaced with a login authentication command, which specifies an authentication list (a list of acceptable sources for credentials).
So to answer your question, when you enable aaa new-model, the VTY will always use the local database as the source of credentials, thus it will use the username and password created using the username command in global configuration mode.
Note that Telnet can be configured to not require a password, but the aaa new-model mode of configuration does not allow this.
I hope this has been helpful!
Laz
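As an added example (not part of the reply above, and not a Cisco tool), the following Python script applies the rules just described to a pasted running-config and reports how each line vty section will actually authenticate a remote login, plus a couple of warnings a reviewer would want. It understands only the commands discussed in this thread, accepts sub-commands either indented (as show run prints them) or flattened (as they are often pasted into a post), and the sample configs embedded in it are constructed from the question and the reply.

```python
"""
Determine the effective authentication source of every 'line vty' block in
a Cisco IOS running-config, following the rules in the reply above:
  aaa new-model present  -> AAA login list ('default' = local database when
                            no list is configured); line password ignored
  login local            -> local username database
  login                  -> line password (nobody can log in if none is set)
  no login command       -> no credentials asked at all
Added example for this thread; not code from the post or from Cisco. The
parser only knows the commands discussed here; sample configs are constructed.
"""

# Line-mode commands that may appear unindented when a config is pasted into
# a forum post; 'show run' itself indents them with a single space.
LINE_SUBCOMMANDS = {"password", "login", "transport", "exec-timeout",
                    "logging", "access-class"}


def _vty_sections(config):
    """Yield (header, [sub-commands]) for every 'line vty ...' block."""
    header, body = None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        is_sub = line.startswith(" ") or (
            header is not None and line.split()[0] in LINE_SUBCOMMANDS)
        if is_sub and header is not None:
            body.append(line.strip())
            continue
        if header is not None:          # a new top-level command closes the block
            yield header, body
        header, body = (line, []) if line.startswith("line vty") else (None, [])
    if header is not None:
        yield header, body


def audit_vty(config):
    """Return {header: {"auth": <mode>, "warnings": [...]}} for each vty block."""
    aaa_new_model = any(l.strip() == "aaa new-model" for l in config.splitlines())
    report = {}
    for header, body in _vty_sections(config):
        has_password = any(c.startswith("password ") for c in body)
        warnings = []
        if aaa_new_model:
            # 'login' / 'login local' are rejected under aaa new-model. The VTY
            # uses the 'default' AAA login list unless another list is named;
            # with no lists configured that default is the local database.
            named = [c.split()[2] for c in body
                     if c.startswith("login authentication ")]
            auth = "aaa-list:" + (named[0] if named else "default")
            if has_password:
                warnings.append("line password is ignored under aaa new-model")
        elif "login local" in body:
            auth = "local-database"
        elif "login" in body:
            auth = "line-password" if has_password else "line-password-unset"
            if not has_password:
                warnings.append("login without a password: nobody can log in")
        else:
            auth = "none"
            warnings.append("no login command: remote access granted without credentials")
        transports = [c for c in body if c.startswith("transport input ")]
        if any(t.split()[2] in ("all", "telnet") for t in transports):
            warnings.append("Telnet permitted: credentials cross the network in cleartext")
        report[header] = {"auth": auth, "warnings": warnings}
    return report


# Constructed samples: the exam question and two of the variants from the reply.
OCG_CONFIG = """\
aaa new-model
username ENARSI password 0 EXAM
line vty 0 4
 password cisco
 transport input all
"""
NO_LOGIN = "line vty 0 4\n password cisco\n transport input all\n"
LOGIN_LOCAL = "line vty 0 4\n password cisco\n login local\n transport input ssh\n"
FLAT_LOGIN = "line vty 0 4\npassword cisco\nlogin\ntransport input all\n"  # pasted style

if __name__ == "__main__":
    for name, cfg in [("exam", OCG_CONFIG), ("no login", NO_LOGIN),
                      ("login local", LOGIN_LOCAL), ("flat login", FLAT_LOGIN)]:
        for header, info in audit_vty(cfg).items():
            print(f"{name:12} {header} -> {info['auth']}; "
                  f"{'; '.join(info['warnings']) or 'no warnings'}")
```

Running it on the exam config reports aaa-list:default, which is why answer 3 is correct: the line password is present but never consulted once aaa new-model is in the config.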
Agree with Raghu. Installation/setup videos or a lesson on topics like FreeRADIUS etc. will be very helpful!
Hello Rahul
Thanks for voicing your opinion about this, it’s always helpful to get such feedback. For a more immediate response from Rene, I suggest you go to the following Member Ideas page and make your suggestion there. You may find that others have made similar suggestions and if so, you can add your voice to theirs.
I hope this has been helpful!
Laz
I configured AAA but I am getting the error below:
Attempting authentication test to server-group tacacs+ using tacacs+
**No authoritative response from any server**.
I am able to reach the TACACS server:
ping 172.16.21.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.102, timeout is 2 seconds:
!!!!!
Hello Pavanc
There are several things that may cause this behavior. One is if the IP address is incorrect, but I’m assuming that you’ve checked this already.
Other issues may have to do with the actual AAA configuration. Take a look at the following Cisco community threads that may have some clues as to how you can proceed:
Also, try using the debug aaa authentication and debug aaa tacacs commands to check the AAA events and communication that takes place from your router. Also, if you can, check to see if your TACACS server actually receives packets when you try to authenticate. All of these should help in your troubleshooting process. Let us know how you get along!
I hope this has been helpful!
Laz
Once I configured “aaa authentication login default group radius local” and saved the config, the local username and password are no longer able to log in. I assume it should fall back to local user authentication if the connection to the RADIUS server is not available. Could you please explain why the local account doesn’t work?
This is my configuration for the local user:
username admin secret 5 $1$ZOZH$FDOAYVEquweBvlape9aL.0
line con 0
exec-timeout 1 0
password 7 0523130D6249561D4903111B08093B29242A
logging synchronous
login local
line vty 0 4
exec-timeout 3 0
password 7 013B1306180E1E1B714A48001A0028060E00
logging synchronous
login local
transport input ssh
line vty 5 15
login
Hello Siwen
Indeed the command aaa authentication login default group radius local will cause the router to fall back on the local user database for authentication if the RADIUS server is unavailable. To be clear, that means that to fall back to the local database, the RADIUS server must fail to respond to the request. If the RADIUS server responds and denies access, the authentication will not fall back to the local database. The user will simply be denied.
If that local username and password are not also configured in the RADIUS server, then the RADIUS server will simply deny access. So the behavior you see is expected. If you want the same credentials to operate when the RADIUS server is up and running, then you can add the same username and password as credentials in the RADIUS server as well.
I hope this has been helpful!
Laz
Hi @ReneMolenaar @lagapidis ,
I have a very simple query.
We are configuring fallback methods with aaa authentication commands. Does this fallback method work when we fail authentication with the primary one, or is it when we lose connectivity to the primary server?
Simply put, suppose our primary method is a RADIUS server and the fallback is the local database.
We have configured the user ‘admin’ in the local database only.
Can we log in to the device with the username ‘admin’ when we have reachability to the RADIUS server?
Hello Nipun
If authentication fails due to incorrect credentials with the primary method, the fallback method will NOT be tried. The fallback mechanism comes into effect only when the primary server is unreachable or unresponsive, not when authentication fails due to incorrect credentials.
This makes sense because if someone tries to log in using brute force and fails, you can consider them an illegitimate user. If you were legitimate, you would know the password. So you don’t want to give an illegitimate user who may continue their brute-force attack a second chance to try to connect again. So when a user provides incorrect credentials for the primary method, the device will return an authentication failure and will not proceed to try the fallback method.
The fallback is mainly intended to provide an alternative way to authenticate users when there’s an issue with the primary authentication server or method, not to give users multiple attempts to authenticate with different methods.
I hope this has been helpful!
Laz
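The two replies above (to Siwen and to Nipun) describe the same rule: a method list such as aaa authentication login default group radius local moves to the next method only when the current one cannot answer, never when it answers with a rejection. As an added example, not code from the forum, from Cisco or from any RADIUS library, here is a small Python model of that decision, with a stand-in RADIUS server and local database whose user records are constructed; the names RadiusServer, LocalDatabase and run_method_list are this example's own.

```python
"""
Model of how a Cisco IOS AAA login method list walks its methods:
  PASS  -> login accepted, stop
  FAIL  -> method answered and rejected the credentials, stop (no fallback)
  ERROR -> method could not be consulted (unreachable / no response), try next
Added example for this thread; not Cisco code, not a RADIUS implementation.
The server, the database and their user records are constructed stand-ins.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"    # credentials rejected by a method that did respond
    ERROR = "error"  # method unreachable or silent; the list moves on


class RadiusServer:
    """Stand-in for 'group radius': silent when unreachable, else answers."""
    def __init__(self, users, reachable=True):
        self.users = users
        self.reachable = reachable

    def authenticate(self, username, password):
        if not self.reachable:
            return Result.ERROR
        # An unknown user and a wrong password look the same: Access-Reject.
        return Result.PASS if self.users.get(username) == password else Result.FAIL


class LocalDatabase:
    """Stand-in for 'local': always reachable, so it never returns ERROR."""
    def __init__(self, users):
        self.users = users

    def authenticate(self, username, password):
        return Result.PASS if self.users.get(username) == password else Result.FAIL


def run_method_list(methods, username, password):
    """Walk (name, method) pairs in order; return (outcome, trace)."""
    trace = []
    for name, method in methods:
        res = method.authenticate(username, password)
        trace.append((name, res))
        if res is not Result.ERROR:
            return res, trace          # PASS or FAIL ends the list
    # Every method errored out: with no 'none' method at the end, the login is refused.
    return Result.ERROR, trace


# Constructed records: 'admin' exists only locally, 'alice' only on RADIUS.
LOCAL_USERS = {"admin": "local-only-pw"}
RADIUS_USERS = {"alice": "alice-pw"}


def login_attempt(username, password, radius_reachable=True):
    """Simulate 'aaa authentication login default group radius local'."""
    methods = [("group radius", RadiusServer(RADIUS_USERS, radius_reachable)),
               ("local", LocalDatabase(LOCAL_USERS))]
    return run_method_list(methods, username, password)


if __name__ == "__main__":
    cases = [("admin", "local-only-pw", True),    # Siwen/Nipun: rejected by RADIUS
             ("admin", "local-only-pw", False),   # RADIUS down: local fallback works
             ("alice", "alice-pw", True),         # normal RADIUS success
             ("alice", "wrong-pw", True)]         # bad password: no second chance
    for user, pw, up in cases:
        outcome, trace = login_attempt(user, pw, radius_reachable=up)
        steps = ", ".join(f"{n}={r.value}" for n, r in trace)
        print(f"{user:6} radius_up={up!s:5} -> {outcome.value:5} [{steps}]")
```

The first case is the one both questions ask about: the RADIUS server is up, does not know 'admin', answers with a rejection, and the local database is never consulted. Only the second case, where the server gives no answer at all, reaches the local method.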
Hi Rene,
Our C9200 uses the mgmt port, and we would like to do TACACS authentication through the management interface, but it does not work.
If we authenticate to TACACS through a VRF, what commands need to be added?
Hello Eric
What kind of error message are you getting? Can you also inform us about the VRF configuration you have?
In general, if you want to add a TACACS server from a particular VRF, you can do the following:
(config)# tacacs server TACACS-SERVER
(config-server-tacacs)# address ipv4 10.0.0.10 vrf MGMT
(config-server-tacacs)# key <shared-secret>
(config-server-tacacs)# exit
Here you can see that the particular VRF on which the server is located can be indicated. Here it is indicated as MGMT.
If you need any more information, please feel free to let us know!
I hope this has been helpful!
Laz
Hello, everyone!
Please, is there any free RADIUS/TACACS+ software that I could use? I am running Windows, on which I couldn’t install FreeRADIUS; the Elektron RADIUS link doesn’t do anything when I click “Download”, and ClearBox felt a little complicated to set up when it came to RADIUS specifically.
Thank you in advance.
Hello David
What was the problem when you tried to install it? If you do a search online for “free radius server for windows” you should find quite a few resources to help you successfully install it.
The truth is that there aren’t that many free options for RADIUS servers for Windows. It’s even more difficult to find a free version of TACACS+ even on Linux. Even so, some RADIUS options that may be worth searching for include:
Indeed Elektron RADIUS seems to be difficult to find these days. I’ll let Rene know to take a look and see if he can revise the content of this particular lesson which includes this software.
Let us know if you get any of the above working!
I hope this has been helpful!
Laz
Hello, everyone!
When it comes to RADIUS, authentication and authorization are combined.
In other words, if I was to access a Cisco device, the moment I would authenticate, I’d also be authorized, right? Basically, RADIUS passes all the authorization parameters the moment we are authenticated (pass on a priv level, and so on).
But why isn’t RADIUS capable of accounting for Cisco CLI commands? That function isn’t combined with the other two As and there is a specific port designated for it - 1813.
Thank you.
David