New Contributor

Radius vs Internal Mgmt Authentication

I want to turn off the internal Admin Login account if Radius Auth servers respond to Auth requests but have it come back on if they do not,  without having to login and enable localauth.


I have Looked at allow-fail-through and the default fail-over and the only option seems to be disabling local auth but that requires a console connection and recovery process to turn internal admin auth back on.


Currenly have 3 CP cluster memebrs providing Radius passthru to Windows AD but local / internal Admin acount  is always availabe.for Mgmt login.


Here's my config:


aaa server-group "aaa-admin-auth"
 auth-server CP-RADIUS-01
 auth-server CP-RADIUS-02
 auth-server CP-RADIUS-03


aaa server-group "default"
 auth-server Internal
 set role condition role value-of


aaa authentication mgmt
server-group "aaa-admin-auth"



Re: Radius vs Internal Mgmt Authentication

You need to disable "Allow Local Authentication" on the Administration GUI page or run the following command:


mgmt-user localauth-disable


This will disable local authentication (for example "admin"), if the RADIUS/TACACS server is responding.  If the server does not respond, the local account can be used.


From the CLI Guide:


Disables authentication of management users based on the results returned by the authentication server. To cancel this setting, use the no form of the command:

no mgmt-user localauth-disable

To verify if authentication of local management user accounts is enabled or disabled, use the following command:
show mgmt-user local-authentication-mode


Systems Engineer, Northeast USA

Search Airheads
Showing results for 
Search instead for 
Did you mean: