OcNOS-SP Key Features: Enhanced Security and Performance
Fall Back Option for RADIUS Authentication
Overview
Previously, Remote Authentication Dial-In User Service (RADIUS) authentication fell back to local authentication only when the RADIUS server was not reachable.
In the current release, this behavior is extended: the authentication request can also be forwarded to local authentication when the RADIUS server rejects the authentication, not only when the server is unreachable.
Feature Characteristics
The RADIUS authentication mechanism is enhanced to fall back to local authentication when:
the user does not exist on the RADIUS server, or
the RADIUS server rejects the authentication.
To enable this behavior, the existing CLI command aaa authentication login default fallback error local non-existent-user vrf management is used. Fallback in these two cases is disabled by default.
Note: If the RADIUS shared secret is invalid, there is no fallback to local authentication.
Console authentication is not supported for RADIUS.
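The three cases described above (unreachable server, rejected or unknown user, invalid shared secret) look different to the device on the wire, and the following added example, written for this page and not taken from OcNOS, shows how. It is a minimal RFC 2865 Access-Request/Access-Reject exchange in Python: the toy server answers Access-Reject for both an unknown user and a wrong password, so the device cannot tell the two apart, while a shared-secret mismatch produces a reply whose Response Authenticator fails to verify and must be discarded rather than treated as a reject. The user database, usernames and passwords, and the outcome mapping in fallback_decision (which encodes the behavior this page describes) are constructed for the example; the key kumar is taken from the page's own transcript.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype, value):
    """Type-Length-Value attribute; Length covers the 2-byte header."""
    return bytes([atype, len(value) + 2]) + value


def encrypt_password(password, secret, req_auth):
    """RFC 2865 section 5.2: pad to 16 octets, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decrypt_password(cipher, secret, req_auth):
    """Inverse of encrypt_password; trailing NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, req_auth, username, password, secret):
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code, ident, req_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def server_handle(req, secret, users):
    """Toy RADIUS server: unknown user and wrong password both yield Access-Reject,
    so the device cannot distinguish the two cases on the wire."""
    _, ident, length = struct.unpack("!BBH", req[:4])
    req_auth, attrs, fields, pos = req[4:20], req[20:length], {}, 0
    while pos + 2 <= len(attrs) and attrs[pos + 1] >= 2:
        fields[attrs[pos]] = attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
    user = fields.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = decrypt_password(fields.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = user in users and hmac.compare_digest(users[user].encode(), pw)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)


def classify_response(resp, ident, req_auth, secret):
    """Device side. None -> 'timeout' (server unreachable). A reply whose Response
    Authenticator does not verify is 'invalid' and is silently discarded per
    RFC 2865 section 3; a wrong shared secret shows up here, not as a reject."""
    if resp is None:
        return "timeout"
    if len(resp) < 20:
        return "invalid"
    code, rid, length = struct.unpack("!BBH", resp[:4])
    if rid != ident or length != len(resp):
        return "invalid"
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")


def fallback_decision(outcome, fallback_on_reject):
    """Who decides, following the behavior this page describes (constructed
    mapping): unreachable -> local always; reject/unknown user -> local only
    when the fallback command is configured; unverifiable reply -> deny."""
    if outcome == "accept":
        return "radius"
    if outcome == "timeout":
        return "local"
    if outcome == "reject":
        return "local" if fallback_on_reject else "deny"
    return "deny"


def demo():
    """Constructed exchange; 'kumar' is the sample key from the page's transcript."""
    nas_secret, users = b"kumar", {"test": "Passw0rd!"}  # constructed user database
    cases = [("known_user_good_pw", "test", "Passw0rd!", b"kumar"),
             ("unknown_user", "ghost", "Passw0rd!", b"kumar"),
             ("known_user_bad_pw", "test", "nope", b"kumar"),
             ("secret_mismatch", "test", "Passw0rd!", b"not-kumar")]
    outcomes = {}
    for label, user, pw, server_secret in cases:
        ident, req_auth = 0x2A, os.urandom(16)
        req = build_access_request(ident, req_auth, user, pw, nas_secret)
        resp = server_handle(req, server_secret, users)
        outcomes[label] = classify_response(resp, ident, req_auth, nas_secret)
    outcomes["server_unreachable"] = classify_response(None, 0x2A, bytes(16), nas_secret)
    return outcomes


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:20} {outcome:8} fallback off: {fallback_decision(outcome, False):6}"
              f" fallback on: {fallback_decision(outcome, True)}")
```

Run the file directly to print each outcome with the fallback disabled and enabled. The secret_mismatch row is the one to note: the server did answer, but the device cannot verify the reply, so it neither counts as a reject nor triggers local fallback.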
Benefits
By default, fallback to local authentication occurs only when the RADIUS server is unreachable. For the other cases (authentication rejected or user not present on the RADIUS server), enable the fallback using the CLI command in the Configuration section.
Configuration
The following existing CLI command enables fallback to local authentication:
aaa authentication login default fallback error local non-existent-user vrf management
Validation
Configure aaa authentication for the console to use RADIUS and verify console authentication:
OcNOS#con t
Enter configuration commands, one per line. End with CNTL/Z.
OcNOS(config)#radius-server login host 1.1.1.2 seq-num 1 key 0 kumar
OcNOS(config)#commit
OcNOS(config)#aaa authentication login console group radius
OcNOS(config)#commit
OcNOS(config)#exit
OcNOS#exit
 
OcNOS#show users
Current user : (*). Lock acquired by user : (#).
CLI user : [C]. Netconf users : [N].
Location : Applicable to CLI users.
Session : Applicable to NETCONF users.
 
Line         User      Idle      Location/Session  PID   TYPE    Role
(*) 0 con 0  [C]ocnos  0d00h00m  ttyS0             5531  Remote  network-admin
 
Enable RADIUS local fallback and verify authentication:
OcNOS(config)#aaa authentication login console group radius local
OcNOS(config)#commit
OcNOS(config)#exit
OcNOS#exit
OcNOS>exit
 
OcNOS>enable
OcNOS#show users
Current user : (*). Lock acquired by user : (#).
CLI user : [C]. Netconf users : [N].
Location : Applicable to CLI users.
Session : Applicable to NETCONF users.
 
Line         User      Idle      Location/Session  PID   TYPE    Role
(*) 0 con 0  [C]test   0d00h00m  ttyS0             5713  Local   network-engineer
    130 vty 0  [C]test   0d00h01m  pts/0             5688  Local   network-engineer
OcNOS#
 
CLI Commands
aaa authentication login default fallback error
Use this command to enable fallback to local authentication for the default login when remote authentication is configured and all AAA servers are unreachable.
Use the no form of this command to disable fallback to local authentication.
Note: If you have specified local (use local authentication) in the aaa authentication login default command, you do not need to use this command to ensure that “fall back to local” occurs.
Command Syntax
aaa authentication login default fallback error local (vrf management|)
no aaa authentication login default fallback error local (vrf management|)
Parameters
management
Management VRF
Default
By default, AAA authentication is local.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#aaa authentication login default fallback error local vrf management
aaa authentication login default
Use this command to set the AAA authentication methods.
Use the no form of this command to set the default AAA authentication method (local).
Command Syntax
aaa authentication login default (vrf management|) ((group LINE) | (local (|none)) | (none))
no aaa authentication login default (vrf management|) ((group) | (local (|none)) | (none))
Parameters
group
Use a server group list for authentication
LINE
A space-separated list of up to 8 configured RADIUS or TACACS+ server group names, followed by local, none, or both local and none. The list can also include:
radius
All configured RADIUS servers
tacacs+
All configured TACACS+ servers
local
Use local authentication
none
No authentication
management
Management VRF
Default
By default, the AAA authentication method is local.
The predefined groups are radius (all configured RADIUS servers) and tacacs+ (all configured TACACS+ servers).
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#aaa authentication login default vrf management group radius
Abbreviations
Acronym  Description
AAA      Authentication, Authorization, and Accounting
RADIUS   Remote Authentication Dial-In User Service