Also, you can change the priority order for management user authentication to use RADIUS, TACACS and then the local database (Security - Priority Order menu).
On 30 June 2011 16:46, Victor Platov (viplatov) <[email protected]> wrote:
> Hi Leigh,
>
> This doesn't make sense to me because the local user database can be used for the
> following tasks:
>
> 1. Management user authentication: the local db is always asked first,
>    RADIUS or TACACS second;
>
> 2. Network user authentication: there are two options
>
>    a. Web auth: the local db is always asked first
>
>    b. EAP auth: RADIUS is always asked first, then if RADIUS is not
>       online the local db is used
>
> So in my opinion the only case where your correction can make sense is
> APs authorization...
>
> Actually my question was: am I correct that we can not simultaneously
> enable APs AAA authorization and use local EAP on the same controller?
>
> From: Leigh Jewell [mailto:[email protected]]
> Sent: Thursday, June 30, 2011 8:23 AM
> To: Victor Platov (viplatov)
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Wireless] 802.1x Authentication sequence
>
> Hi Victor,
>
> The first paragraph is talking about the local database and the second
> paragraph is talking about local EAP. The key difference here is the local
> database is checked even if the RADIUS server doesn't have an entry for the
> users. With Local EAP, if the RADIUS server responds (regardless of whether the user
> exists or not) then it is *never* checked.
>
> Cheers,
>
> Leigh
>
> On 29 June 2011 23:15, Victor Platov (viplatov) <[email protected]> wrote:
>
> Hi team,
>
> The 4.2 configuration guide says:
>
> "The controller passes client information to the RADIUS authentication
> server first. If the client information does not match a RADIUS database
> entry, the local user database is polled. Clients located in this database
> are granted access to network services if the RADIUS authentication fails or
> does not exist." (page 5-15)
>
> But further on, on page 5-23, we can read different info:
>
> "If any RADIUS servers are configured on the controller, the controller
> tries to authenticate the wireless clients using the RADIUS servers first.
> Local EAP is attempted only if no RADIUS servers are found, either because
> the RADIUS servers timed out or no RADIUS servers were configured."
> (page 5-23)
>
> I've tried it and found out that the second sentence is more accurate: if
> RADIUS authentication returns an Access-Reject, no other actions are performed!
>
> What does that mean?
>
> That means we can not simultaneously use Local EAP authentication for
> wireless clients and authorize APs against AAA! For local EAP we should
> uncheck "network user" in the RADIUS configuration, but for APs authorization
> we should check it!
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com <http://www.platinumplacement.com/>
>
> --
> CCIE Blog - http://leigh-cciewireless.blogspot.com/

--
CCIE Blog - http://leigh-cciewireless.blogspot.com/
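The two configuration-guide passages quoted in the thread describe two different fallback rules, and the disagreement above is easier to follow when the rules are written out as a decision procedure. The Python below is an added model written for this page; it is not Cisco code and not something either list member posted. It encodes only what the thread states: the page 5-15 rule (RADIUS first, local database polled when the RADIUS lookup fails or no server exists), the page 5-23 rule (Local EAP only when no RADIUS server is found, so an Access-Reject ends the attempt), and the assumption, taken from Victor's last paragraph, that a RADIUS server takes part in client authentication and AP authorization only when its "Network User" box is checked. Class and method names, and the credential stores, are the example's own constructions.

```python
"""Model of the WLC client-authentication ordering described in the thread.

Constructed example, not Cisco code. It encodes only what the thread states:
  * local user database (config guide p.5-15): RADIUS is asked first; the
    local database is polled when the RADIUS lookup fails or no RADIUS
    server exists;
  * Local EAP (config guide p.5-23): RADIUS is asked first; Local EAP is
    attempted only when no RADIUS server is found (timed out or none
    configured), so an Access-Reject ends the attempt;
  * assumption from the thread: a RADIUS server participates in client
    authentication and AP authorization only when "Network User" is checked.
Names (RadiusServer, Controller, ...) and all credentials are this example's own.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class RadiusResult(Enum):
    ACCEPT = "access-accept"
    REJECT = "access-reject"
    TIMEOUT = "timeout"           # server configured but not reachable


@dataclass
class RadiusServer:
    name: str
    network_user: bool            # "Network User" checkbox on the server entry
    users: Dict[str, str]         # constructed credential store
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> RadiusResult:
        if not self.reachable:
            return RadiusResult.TIMEOUT
        if self.users.get(user) == password:
            return RadiusResult.ACCEPT
        return RadiusResult.REJECT


@dataclass
class Controller:
    radius: List[RadiusServer]
    local_db: Dict[str, str]      # local user database (also backs Local EAP)
    local_eap: bool = True

    def _network_servers(self) -> List[RadiusServer]:
        # Servers with "Network User" unchecked are invisible to client auth.
        return [s for s in self.radius if s.network_user]

    def web_auth(self, user: str, password: str) -> str:
        """Local-database path (p.5-15): local DB polled if RADIUS auth fails."""
        for s in self._network_servers():
            if s.authenticate(user, password) is RadiusResult.ACCEPT:
                return f"accept:radius:{s.name}"
            # REJECT or TIMEOUT: the local database is still consulted
        if self.local_db.get(user) == password:
            return "accept:local-db"
        return "reject"

    def eap_auth(self, user: str, password: str) -> str:
        """Local-EAP path (p.5-23): Local EAP only if no RADIUS server answers."""
        for s in self._network_servers():
            result = s.authenticate(user, password)
            if result is RadiusResult.ACCEPT:
                return f"accept:radius:{s.name}"
            if result is RadiusResult.REJECT:
                return "reject:radius-access-reject"   # Local EAP never tried
            # TIMEOUT: this server is "not found"; try the next one
        if self.local_eap and self.local_db.get(user) == password:
            return "accept:local-eap"
        return "reject"

    def ap_aaa_authorization_possible(self) -> bool:
        """AP authorization against AAA needs a reachable Network User server."""
        return any(s.reachable for s in self._network_servers())

    def local_eap_ever_used(self) -> bool:
        """Local EAP is reached only if no Network User server would respond."""
        return self.local_eap and not any(s.reachable for s in self._network_servers())


def demo() -> dict:
    """The setup from the thread: one RADIUS server, EAP clients only in local DB."""
    acs = RadiusServer("acs", network_user=True, users={"bob": "pw-bob"})
    wlc = Controller(radius=[acs], local_db={"alice": "pw-alice"})
    both = wlc.ap_aaa_authorization_possible() and wlc.local_eap_ever_used()
    return {
        "web_auth_alice": wlc.web_auth("alice", "pw-alice"),   # local DB reached
        "eap_alice": wlc.eap_auth("alice", "pw-alice"),        # stops at reject
        "ap_aaa_and_local_eap_together": both,                 # never both
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` reproduces the observation in the thread: the same user in the local database is accepted through web auth after a RADIUS reject, but is rejected outright under Local EAP because the server answered; flipping the server's `network_user` flag off (or making it unreachable) lets Local EAP run, and at that moment `ap_aaa_authorization_possible()` becomes false, which is the conflict Victor describes.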
