Be careful with "allow-fail-through". Depending on your security needs, this may not be the best option. Please also consider using tracking options to detect non-working RADIUS servers. Allow-fail-through will enable a local user to always log in no matter whether RADIUS servers are reachable or not, provided the username does not exist in the central auth system.
If you need a backdoor, I usually configure local auth on the serial console, so you have a fallback available which is more secure than the other option.
Original Message:
Sent: Jan 23, 2025 05:56 AM
From: frmeunier
Subject: ArubaOS-CX RADIUS Server configuration - Use RADIUS then local if RADIUS down
Hello rford1219
Yes, allow-fail-through should give what you expect: if RADIUS authentication fails, for any reason, the second method (local) should be tried.
(If you don't set the fail-through, the doc says "The system only attempts to reach the next server or accounting method if there is an accounting failure due to an unreachable TACACS+ or RADIUS server or a shared key mismatch error between the switch and the server." In this case, if RADIUS is reachable, local will never be solicited.)
------------------------------
Frederic
(kudos welcome)
Original Message:
Sent: Jan 22, 2025 02:39 PM
From: rford1219
Subject: ArubaOS-CX RADIUS Server configuration - Use RADIUS then local if RADIUS down
Was reading the configuration guide and it seems like this is what I need to do if I am reading it right?
radius-server host SERVER_IP vrf default
aaa group server radius rg1
server SERVER_IP vrf default
radius-server key plaintext SECRET_KEY
radius-server auth-type pap
aaa authentication allow-fail-through
aaa authentication login default group rg1 local
aaa authentication login https-server group rg1 local
aaa authentication allow-fail-through
------------------------------
rford1219
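Added example, not part of the thread and not Aruba's code: a small Python check that reads the aaa authentication lines of a switch configuration and reports, per login channel, when the local user database is consulted, following the behaviour described in the replies above. The function name and the report wording are assumptions made for this example; the sample input is the configuration posted in this message.

```python
import re

# Constructed sample: the configuration as posted in the thread, placeholders unchanged.
SAMPLE_CONFIG = """\
radius-server host SERVER_IP vrf default
aaa group server radius rg1
server SERVER_IP vrf default
radius-server key plaintext SECRET_KEY
radius-server auth-type pap
aaa authentication allow-fail-through
aaa authentication login default group rg1 local
aaa authentication login https-server group rg1 local
aaa authentication allow-fail-through
"""

LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
FAIL_THROUGH = "aaa authentication allow-fail-through"

def audit_login_fallback(config_text):
    """Return (fail_through_enabled, {channel: methods and when local is used})."""
    fail_through, channels = False, {}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise indentation and spacing
        if line == FAIL_THROUGH:
            fail_through = True
        elif line == "no " + FAIL_THROUGH:
            fail_through = False
        elif (m := LOGIN_RE.match(line)):
            # "group rg1 local" becomes the ordered method list ["rg1", "local"]
            channels[m.group(1)] = [t for t in m.group(2).split() if t != "group"]
    report = {}
    for channel, methods in channels.items():
        if "local" not in methods:
            when = "never"
        elif methods[0] == "local":
            when = "always (local is first)"
        elif fail_through:
            when = "any failure of an earlier method"
        else:
            when = "earlier server unreachable or shared key mismatch"
        report[channel] = {"methods": methods, "local_used_on": when}
    return fail_through, report

if __name__ == "__main__":
    enabled, report = audit_login_fallback(SAMPLE_CONFIG)
    print("allow-fail-through:", enabled)
    for channel, info in report.items():
        print(channel, "->", info["methods"], "| local used on:", info["local_used_on"])
```

Channels reported with "any failure of an earlier method" are the ones the caution at the top of this thread applies to.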
Original Message:
Sent: Jan 22, 2025 12:43 PM
From: rford1219
Subject: ArubaOS-CX RADIUS Server configuration - Use RADIUS then local if RADIUS down
Hello,
I have a RADIUS Server configured and working with my ArubaOS switches, but I am having trouble with my ArubaOS-CX switches. I am using the following command for the RADIUS Server, but I am not sure how to configure the switch to use the RADIUS Server, but if down, use a local login.
config
radius-server host RADIUS_SERVER_IP key ciphertext MY_SECRET_KEY
aaa authentication login ssh group radius local
The second command is where I am not sure. I am not able to log in with the RADIUS Server, only local. The Server is up. My goal is to use the RADIUS Server, but if it is down, use a local login. Any suggestions would be appreciated.
------------------------------
rford1219
------------------------------