AAA Order of operation

Hi guys!
I have found the following CLI command:

aaa authentication login default group radius group tacacs+ local

First, I try to break it down into smaller pieces like:

  • authentication list: default (lines vty, console & aux)
  • server-group: tacacs and radius
  • fallback: local username

But in this case, I wanted to know: if RADIUS fails, will the authentication use TACACS+?
Thanks!

Hello Alfredo,

Yes, this will work. You can test this with a single device. I’ll use one router:

R1(config)#aaa authentication login default group radius group tacacs+ local

R1(config)#radius server RADIUS 
R1(config-radius-server)#address ipv4 192.168.1.100
R1(config-radius-server)#key CISCO

R1(config)#tacacs server TACACS
R1(config-server-tacacs)#address ipv4 192.168.1.101
R1(config-server-tacacs)#key CISCO

The RADIUS and TACACS servers are not there. Enable these three debugs:

R1#debug aaa authentication 
R1#debug radius authentication 
R1#debug tacacs authentication 

And telnet to your own IP address:

R1#telnet 1.1.1.1
Trying 1.1.1.1 ... Open


User Access Verification

Username:
Password:
AAA/BIND(00000015): Bind i/f  
AAA/AUTHEN/LOGIN (00000015): Pick method list 'default' 
RADIUS/ENCODE(00000015): ask "Username: "
RADIUS/ENCODE(00000015): send packet; GET_USERADMIN
RADIUS/ENCODE(00000015): ask "Password: "
RADIUS/ENCODE(00000015): send packet; GET_PASSWORD
RADIUS/ENCODE(00000015):Orig. component type = Exec
RADIUS/ENCODE(00000015): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
RADIUS(00000015): Config NAS IP: 0.0.0.0
RADIUS(00000015): Config NAS IPv6: ::
RADIUS/ENCODE(00000015): acct_session_id: 5
RADIUS(00000015): sending
RADIUS/ENCODE: Best Local IP-Address 1.1.1.1 for Radius-Server 192.168.1.100
RADIUS(00000015): Send Access-Request to 192.168.1.100:1645 onvrf(0) id 1645/3, len 71
RADIUS:  authenticator 9B 39 E8 3D 34 2A 30 A5 - 95 63 04 DB 6B E0 C2 0A
RADIUS:  User-Name           [1]   7   "ADMIN"
RADIUS:  User-Password       [2]   18  *
RADIUS:  NAS-Port            [5]   6   578                       
RADIUS:  NAS-Port-Id         [87]  8   "tty578"
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  NAS-IP-Address      [4]   6   1.1.1.1                   
RADIUS(00000015): Sending a IPv4 Radius Packet
RADIUS(00000015): Started 5 sec timeout
RADIUS(00000015): Request timed out! 
RADIUS: Retransmit to (192.168.1.100:1645,1646) for id 1645/3
RADIUS(00000015): Started 5 sec timeout
RADIUS(00000015): Request timed out! 
%RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1645,1646 is not responding.
%RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1645,1646 is being marked alive.
RADIUS: Retransmit to (192.168.1.100:1645,1646) for id 1645/3
RADIUS(00000015): Started 5 sec timeout
RADIUS(00000015): Request timed out! 
RADIUS: Retransmit to (192.168.1.100:1645,1646) for id 1645/3
RADIUS(00000015): Started 5 sec timeout
RADIUS(00000015): Request timed out! 
RADIUS: No response from (192.168.1.100:1645,1646) for id 1645/3
RADIUS/DECODE: No response from radius-server; parse response; FAIL
RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
TPLUS: Queuing AAA Authentication request 21 for processing
TPLUS(00000015) login timer started 1020 sec timeout
TPLUS: processing authentication start request id 21
TPLUS: Authentication start packet created for 21(ADMIN)
TPLUS: Using server 192.168.1.101
TPLUS(00000015)/0: Connect Error No route to host

See how it starts with RADIUS, then attempts TACACS+ and eventually falls back to local?

Rene

So after trying the RADIUS server, if this server fails, the access will be denied. Does it make sense?

Thanks in advance!

Hello Alfredo,

If the RADIUS server is unreachable then it will try the TACACS+ server.

If the RADIUS server is reachable but the user credentials are incorrect/missing, then authentication fails.

Rene

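The rule Rene describes above (an unreachable server hands over to the next method in the list; a reachable server that rejects the credentials ends the attempt, with no fallback to TACACS+ or local) can be seen in a small simulation of how the method list `group radius group tacacs+ local` is walked. This is an added example written for this thread, not IOS code and not something from the original posts; the server names, the reachability flags and the usernames/passwords are constructed for the illustration.

```python
"""Simulate how a Cisco IOS AAA login method list is walked.

Methods are tried in order. A method that returns ERROR (server not
responding, no route to host) hands over to the next method. A method
that returns FAIL (server reached, credentials rejected) ends the attempt
with access denied. PASS grants access. This mirrors:

    aaa authentication login default group radius group tacacs+ local

Added illustration only; server behaviour and credentials are constructed.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # server answered and rejected the credentials
    ERROR = "error"  # no usable answer: timeout, no route, etc.


# A method takes (username, password) and returns a Result.
Method = Callable[[str, str], Result]


def aaa_server(name: str, reachable: bool, users: Dict[str, str]) -> Method:
    """Build a simulated 'group radius' / 'group tacacs+' method (constructed)."""
    def authenticate(username: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR      # like "Request timed out!" / "No route to host"
        if users.get(username) == password:
            return Result.PASS
        return Result.FAIL           # server reached, credentials rejected
    authenticate.__name__ = name
    return authenticate


def local_db(users: Dict[str, str]) -> Method:
    """Build a simulated 'local' method backed by 'username ... secret ...' lines."""
    def authenticate(username: str, password: str) -> Result:
        return Result.PASS if users.get(username) == password else Result.FAIL
    authenticate.__name__ = "local"
    return authenticate


def walk_method_list(methods: List[Method], username: str, password: str) -> Tuple[bool, List[str]]:
    """Walk the list in order; return (access granted, trace of decisions)."""
    trace: List[str] = []
    for method in methods:
        result = method(username, password)
        trace.append(f"{method.__name__}: {result.value}")
        if result is Result.PASS:
            return True, trace
        if result is Result.FAIL:
            trace.append("stop: authoritative reject, no fallback")
            return False, trace
        # ERROR: fall through to the next method in the list
    trace.append("stop: method list exhausted")
    return False, trace


# Constructed credential stores; each backend knows a different password
# so the trace shows which method actually answered.
RADIUS_USERS = {"ADMIN": "radius-pw"}
TACACS_USERS = {"ADMIN": "tacacs-pw"}
LOCAL_USERS = {"ADMIN": "local-pw"}


def scenario(radius_up: bool, tacacs_up: bool, username: str, password: str) -> Tuple[bool, List[str]]:
    """Run one login attempt against the three-method list with the given reachability."""
    methods = [
        aaa_server("group radius", radius_up, RADIUS_USERS),
        aaa_server("group tacacs+", tacacs_up, TACACS_USERS),
        local_db(LOCAL_USERS),
    ]
    return walk_method_list(methods, username, password)


if __name__ == "__main__":
    # Both servers down: falls all the way through to local (Rene's debug case).
    print(scenario(False, False, "ADMIN", "local-pw"))
    # RADIUS down, TACACS+ up: TACACS+ answers.
    print(scenario(False, True, "ADMIN", "tacacs-pw"))
    # RADIUS up but rejects the password: denied, local is never consulted.
    print(scenario(True, True, "ADMIN", "local-pw"))
```

The third scenario is the one that usually surprises people: the local password is correct, but because the RADIUS server was reachable and said no, the method list stops there. Only a method that cannot answer at all moves the router on to the next one.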