03-23-2012 09:19 AM
Hello,
So, we currently authenticate administrators to our PAs via Radius (TACACS). Is there a way to configure the PAs so that they will only use the local DB / Administrators if Radius isn't available?
Thanks!
06-13-2021 11:02 AM
I'm curious if anyone has come up with a solution to this, as we have the same requirement.
I'm also thinking: if we create the same credentials on our radius as in the local db, but the radius profile has less privilege (almost no privileges), and the auth sequence is radius1 & radius2 (for redundancy), then as long as both radius servers are available, said local db credentials (superadmin) won't be used, correct? Correct me if I'm understanding it wrong.
07-29-2021 06:53 PM - edited 07-29-2021 07:31 PM
FYI the docs may be wrong on this one, and the solution may work the way that @jseals mentioned. We authenticate VPN users against radius, and only if the radius servers are down should the local user database be used as a fallback. In the Portal -> Authentication config, if the Radius auth is ordered first and the servers are responding, then the local user database is never checked. Similarly, if the Local Database is ordered first, then auth will check the local database, and Radius is never checked (so putting anything after Local Database seems useless). So we placed Radius first and Local Database second.
Not exactly the scenario that was mentioned above in the post, just a data point.