Where to start configuring RADIUS with Cisco devices

Aug 29th, 2007

Any good hints/links on where to find information on how to start doing authentication with a Microsoft IAS server?

Now we use SSH to connect to our devices, but we need to start using AAA. Our devices are Cisco 3500, 4500 and 6500 series devices. Pictures, configuration examples, anything is needed now.


Thanks

Juha

Jagdeep Gambhir Wed, 08/29/2007 - 07:36

Juha,

Here are the IOS commands for setting up AAA (the local username is the fallback if RADIUS is unreachable):

Router(config)# username [username] password [password]
Router(config)# radius-server host [ip]
Router(config)# radius-server key [key]
Router(config)# aaa new-model
Router(config)# aaa authentication login default group radius local


Guidelines for placing RADIUS in the network:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a0080092567.shtml


Configuring RADIUS:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7ab.html#1000872


Hope that helps.



Regards,

~JG


Please rate helpful posts





u346874_2 Wed, 09/12/2007 - 01:34

Thanks JG


I have set up the router with the commands and I can see from a sniffer that my router sends the Access-Request 4 times to the MS IAS server, but no response comes. My settings are now:

aaa new-model
aaa authentication login default group radius none
radius-server host 10.x.x.x auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key mykey
radius-server vsa send authentication


The MS IAS server is set to communicate with MS AD. I have set up the RADIUS client (Cisco device) and a remote access policy in MS IAS, but no response comes from it when I try to connect via VLAN to my device. I found one piece of advice on how to set up MS IAS, but I am not sure whether that is OK. Any idea where to find advice on what attributes and settings have to be set in the MS IAS server so that I could log in to my device with RADIUS authentication?


thanks

Juha

u346874_2 Thu, 09/13/2007 - 03:22

Thanks.

That was a very good PDF document. Now I can use RADIUS and MS IAS successfully. Only one thing I can't understand: I can only use the PAP protocol. If I try to use any other, authentication fails. Usernames will be sent in the clear. Is it really so that Cisco devices do not support any other authentication protocol? Fortunately the password is not in clear text because of the shared secret.


Juha

Jagdeep Gambhir Thu, 09/13/2007 - 06:15

Juha,

The issue is not with Cisco. Telnet sessions use PAP password authentication. For this reason, IAS authentication works with PAP passwords and fails for other password authentication attempts.


PAP password authentication will send the username in clear text and the password encrypted.


For other sessions like PPP, we can specify password authentication methods such as CHAP or MS-CHAP.


Regards,

~JG

u346874_2 Thu, 09/13/2007 - 20:19

OK


Thanks

Normally we use SSH when connecting to a device. My test device is now configured for Telnet.

Is SSH able to use those more secure methods?


Juha


Jagdeep Gambhir Mon, 09/17/2007 - 14:59

It provides high confidentiality and integrity of data.

u346874_2 Mon, 09/17/2007 - 23:14

Is there any document with an explanation of how that algorithm works (when using that shared secret with PAP)? Our security people are not pleased because of the PAP protocol. I could not find out how that password is encrypted.


Juha

Jagdeep Gambhir Tue, 09/18/2007 - 04:04

Juha,

The password is encrypted using an MD5 hash when passed between the router and RADIUS, and they use the shared secret as part of that hash. The RFCs can explain it a lot better than I can.



http://www.ietf.org/rfc/rfc2865.txt



Hope that helps


Regards,

~JG
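What the answer above describes, written out as an added Python example (it is not code from this thread, from Cisco or from Microsoft): the RFC 2865 section 5.2 User-Password hiding that the router applies before sending a PAP Access-Request, and the reverse that the RADIUS server performs. The shared secret, Request Authenticator and password below are constructed sample values.

```python
import hashlib
import os

# RFC 2865 section 5.2: User-Password is "hidden", not encrypted with a cipher.
# The password is null-padded to a multiple of 16 octets and each chunk is
# XORed with b_i = MD5(shared_secret + previous_chunk), where previous_chunk
# starts as the 16-octet Request Authenticator and then becomes the previous
# ciphertext chunk. The secret's strength and a fresh random Request
# Authenticator per request are all that protects the password on the wire.

def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Return the on-wire User-Password attribute value for a PAP Access-Request."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    pad = (-len(password)) % 16
    if not password:
        pad = 16                      # an empty password still occupies one block
    padded = password + b"\x00" * pad
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        out += chunk
        prev = chunk                  # chaining: next key block depends on this ciphertext
    return bytes(out)

def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password, as performed by the RADIUS server."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, key_block))
        prev = chunk
    # Padding nulls are stripped; a password that itself ends in NUL is ambiguous.
    return bytes(out).rstrip(b"\x00")

if __name__ == "__main__":
    secret = b"mykey"                 # constructed, matches the sample config above
    request_auth = os.urandom(16)     # the NAS must choose a fresh random value per request
    wire = hide_user_password(b"correct horse battery", secret, request_auth)
    print(wire.hex())
    assert reveal_user_password(wire, secret, request_auth) == b"correct horse battery"
```

Because the key stream is MD5 over the secret and a per-request authenticator, a weak or reused shared secret is the practical risk with PAP over RADIUS, which is why the shared secret should be long and random and the RADIUS traffic kept on a management network.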