Fall Back Option for RADIUS Authentication

Overview

Currently, Remote Authentication Dial-In User Service (RADIUS) server authentication falls back to the local authentication server only when the RADIUS server is not reachable.

This behavior is modified to forward the authentication request to the local authentication server when RADIUS authentication fails or the RADIUS server is not reachable.

Feature Characteristics

The RADIUS authentication mechanism is enhanced to fall back to the local authentication server when the user

  • is not present on the RADIUS server, or
  • fails authentication on the RADIUS server

To implement the above requirements, the existing CLI command aaa authentication login default fallback error local non-existent-user vrf management is used to enable fallback to the local authentication server. This is disabled by default.

If the shared secret key is invalid, there is no fallback to local authentication. Console authentication is not supported for RADIUS.

Benefits

By default, fallback to local authentication is applied only when the RADIUS server is unreachable. For the other scenarios, enable the fallback using the CLI.

Configuration

Below is the existing CLI command used to enable fallback to the local authentication server.

aaa authentication login default fallback error local non-existent-user vrf management

Refer to Authentication, Authorization and Accounting section in the OcNOS System Management Configuration Guide.

Validation

Configure AAA authentication for the console and verify console authentication:

OcNOS#con t
Enter configuration commands, one per line.  End with CNTL/Z.
OcNOS(config)#radius-server login host 1.1.1.2 seq-num 1 key 0 kumar
OcNOS(config)#commit
OcNOS(config)#aaa authentication login console group radius
OcNOS(config)#commit
OcNOS(config)#exit
OcNOS#exit
 
OcNOS#show users
Current user          : (*).  Lock acquired by user : (#).
CLI user              : [C].  Netconf users         : [N].
Location : Applicable to CLI users.
Session  : Applicable to NETCONF users.
 
Line        User           Idle         Location/Session PID    TYPE   Role
(*) 0 con 0 [C]ocnos       0d00h00m     ttyS0            5531   Remote network-admin

Enable RADIUS local fallback and verify the authentication:

OcNOS(config)#aaa authentication login console group radius local
OcNOS(config)#commit
OcNOS(config)#exit
OcNOS#exit
OcNOS>exit
 
OcNOS>enable
OcNOS#show users
Current user          : (*).  Lock acquired by user : (#).
CLI user              : [C].  Netconf users         : [N].
Location : Applicable to CLI users.
Session  : Applicable to NETCONF users.
 
Line         User          Idle         Location/Session PID   TYPE   Role
(*) 0 con 0  [C]test        0d00h00m     ttyS0           5713  Local  network-engineer
130 vty 0    [C]test        0d00h01m     pts/0           5688  Local  network-engineer
OcNOS#
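The TYPE column of show users is what tells you whether a session was authenticated by RADIUS (Remote) or by the local fallback (Local). The following Python parser is an added example for scripted verification and is not part of OcNOS or this guide; the embedded sample output is the show users output from the validation steps above.

```python
# Sample "show users" output as printed in the Validation section above:
# first after a plain RADIUS login, then after local fallback.
SHOW_USERS_RADIUS = """\
Current user          : (*).  Lock acquired by user : (#).
CLI user              : [C].  Netconf users         : [N].
Location : Applicable to CLI users.
Session  : Applicable to NETCONF users.

Line        User           Idle         Location/Session PID    TYPE   Role
(*) 0 con 0 [C]ocnos       0d00h00m     ttyS0            5531   Remote network-admin
"""
SHOW_USERS_FALLBACK = """\
Line         User          Idle         Location/Session PID   TYPE   Role
(*) 0 con 0  [C]test        0d00h00m     ttyS0           5713  Local  network-engineer
130 vty 0    [C]test        0d00h01m     pts/0           5688  Local  network-engineer
"""


def parse_show_users(output):
    """Return one dict per session row of OcNOS 'show users' output."""
    sessions = []
    for raw in output.splitlines():
        tokens = raw.split()
        # Session rows carry a [C]user / [N]user token followed by idle,
        # location, a numeric PID, TYPE and role; legend/header lines do not.
        idx = next((i for i, t in enumerate(tokens) if t.startswith(("[C]", "[N]"))), None)
        if idx is None or len(tokens) < idx + 6 or not tokens[idx + 3].isdigit():
            continue
        current = tokens[0] == "(*)"          # (*) marks the current session
        line_tokens = tokens[1:idx] if current else tokens[:idx]
        sessions.append({
            "current": current,
            "line": " ".join(line_tokens),
            "kind": tokens[idx][:3],          # "[C]" CLI or "[N]" NETCONF
            "user": tokens[idx][3:],
            "idle": tokens[idx + 1],
            "location": tokens[idx + 2],
            "pid": int(tokens[idx + 3]),
            "type": tokens[idx + 4],          # "Remote" (RADIUS) or "Local"
            "role": tokens[idx + 5],
        })
    return sessions


def current_session_auth(output):
    """Return (user, type) of the session marked (*), or None if absent."""
    for s in parse_show_users(output):
        if s["current"]:
            return s["user"], s["type"]
    return None


def fallback_occurred(output):
    """True when the current session was authenticated by the local server."""
    auth = current_session_auth(output)
    return auth is not None and auth[1] == "Local"
```

A session of type Local for a user that exists on the RADIUS server indicates the fallback path was taken, so this check is also useful for spotting unexpected RADIUS outages.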