09-22-2014 09:32 AM
I want to turn off the internal Admin Login account if Radius Auth servers respond to Auth requests but have it come back on if they do not, without having to login and enable localauth.
I have looked at allow-fail-through and the default fail-over, and the only option seems to be disabling local auth, but that requires a console connection and a recovery process to turn internal admin auth back on.
Currently have 3 CP cluster members providing RADIUS passthru to Windows AD, but the local / internal admin account is always available for mgmt login.
Here's my config:
aaa server-group "aaa-admin-auth"
aaa server-group "default"
set role condition role value-of
aaa authentication mgmt
09-22-2014 04:13 PM - edited 09-22-2014 04:17 PM
You need to disable "Allow Local Authentication" on the Administration GUI page or run the following command:
This will disable local authentication (for example, "admin") if the RADIUS/TACACS server is responding. If the server does not respond, the local account can be used.
From the CLI Guide:
Disables authentication of management users based on the results returned by the authentication server. To cancel this setting, use the no form of the command:
no mgmt-user localauth-disable
To verify if authentication of local management user accounts is enabled or disabled, use the following command:
show mgmt-user local-authentication-mode
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX
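To make the fail-over semantics discussed in this thread concrete, here is an added Python model of the management-login decision. It is not Aruba's code and not from either poster; it models the two knobs mentioned above (the server group's allow-fail-through option and the mgmt-user localauth-disable setting) under assumed semantics stated in the comments, with constructed server names and results. The point it checks is the one the answer makes: once localauth-disable is set, the internal account is a fallback only when no server answers, and an explicit REJECT from a responding server does not fall through to it.

```python
"""Added example, not Aruba's code: a model of the management-login
decision as the thread describes it, so the fail-over semantics can be
checked. Two knobs are modelled: the server group's allow-fail-through
option and the 'mgmt-user localauth-disable' setting. Server names and
per-server results below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"            # server answered: credentials valid
    REJECT = "reject"            # server answered: credentials invalid
    NO_RESPONSE = "no-response"  # server silent / unreachable


@dataclass
class ServerGroup:
    responses: dict[str, Result]   # server name -> outcome, in configured order (constructed)
    fail_through: bool = False     # models the group's 'allow-fail-through' option


def query_group(group: ServerGroup) -> tuple[Result, list[str]]:
    """Walk the group in order; return the group's overall result and the servers tried.
    Assumed semantics: a silent server is skipped; a REJECT is final unless
    fail-through is enabled, in which case the next server is tried; the group
    counts as NO_RESPONSE only if no server answered at all."""
    tried: list[str] = []
    saw_reject = False
    for name, result in group.responses.items():
        tried.append(name)
        if result is Result.ACCEPT:
            return Result.ACCEPT, tried
        if result is Result.REJECT:
            saw_reject = True
            if not group.fail_through:
                return Result.REJECT, tried
        # NO_RESPONSE (or REJECT with fail-through): move on to the next server
    return (Result.REJECT if saw_reject else Result.NO_RESPONSE), tried


def mgmt_login(group: ServerGroup, local_password_ok: bool,
               localauth_disable: bool) -> tuple[bool, str]:
    """Decide a management login and explain why.
    localauth_disable=False: the internal account is always usable (the default
    the question complains about; modelled here as 'local password checked
    whenever the server group does not accept').
    localauth_disable=True: the internal account is consulted only when the whole
    server group failed to respond; a REJECT does not fall through to it."""
    verdict, tried = query_group(group)
    path = "->".join(tried)
    if verdict is Result.ACCEPT:
        return True, f"accepted by server group via {path}"
    if verdict is Result.REJECT:
        if localauth_disable:
            return False, f"rejected via {path}; local auth disabled while servers respond"
        return local_password_ok, f"rejected via {path}; local account consulted (default)"
    # NO_RESPONSE: the one case where localauth-disable still permits the fallback
    return local_password_ok, f"no server answered ({path}); local account consulted"


def demo() -> dict[str, tuple[bool, str]]:
    """Constructed scenario: three ClearPass members, as in the question."""
    all_down = ServerGroup({"cp1": Result.NO_RESPONSE, "cp2": Result.NO_RESPONSE,
                            "cp3": Result.NO_RESPONSE})
    first_rejects = ServerGroup({"cp1": Result.REJECT, "cp2": Result.ACCEPT,
                                 "cp3": Result.ACCEPT})
    first_rejects_ft = ServerGroup(dict(first_rejects.responses), fail_through=True)
    return {
        "all down, localauth-disable": mgmt_login(all_down, True, localauth_disable=True),
        "reject, localauth-disable": mgmt_login(first_rejects, True, localauth_disable=True),
        "reject, default": mgmt_login(first_rejects, True, localauth_disable=False),
        "reject, fail-through": mgmt_login(first_rejects_ft, False, localauth_disable=True),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:28} -> {'ALLOW' if ok else 'DENY':5} {why}")
```

Running the script prints one line per scenario; the "reject, localauth-disable" case is the one that changes once the setting is applied, while the "all down" case still lets the internal account in, which is exactly the behaviour the question asked for.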