In this blog we will explain how to restrict logons to just RADIUS accounts, while the RADIUS server is operational, and fallback to local authentication when the RADIUS server is not reachable. Its is assumed that RADIUS using Cisco ISE has been configured per our previous blog.
1. Connect to the firewall via SSH (in our lab topology, it is 10.1.18.102)
2. Enter Expert mode.
3. 1. Edit the file /etc/pam.d/system-auth :
[Expert@hostname:0]#vi /etc/pam.d/system-auth
4. replace the following line:
auth [success=done new_authtok_reqd=done auth_err=ignore perm_denied=ignore conv_err=die default=ignore] pam_radius_auth.so
with:
auth [success=done new_authtok_reqd=done auth_err=die perm_denied=die conv_err=die default=ignore] pam_radius_auth.so
Note that 'auth_err' and 'perm_denied' are both changed to 'die'.
5. Save the file and exit.