Configuring IOS authentication with Windows IAS

Unanswered Question
Jan 29th, 2008

I've successfully configured both a test switch (Catalyst 3560) and Windows Server 2003 IAS to allow RADIUS authentication on the switch. The problem I'm having is that the switch will apparently allow anyone who can authenticate through IAS to access the switch. In testing with a non-admin account, I found that IAS is allowing this account to authenticate through a lower ranked policy which is used for generic VPN access. I thought I could control this by using a named list on the switch in the aaa authentication command, but it doesn't seem to be working.

Relevant switch config:

aaa new-model
aaa authentication login NetworkAdmin group radius local

radius-server host auth-port 1645 acct-port 1646 key <key removed>
radius-server source-ports 1645-1646

line vty 0 4
 login authentication NetworkAdmin
line vty 5 15
 login authentication NetworkAdmin

On the IAS server, NetworkAdmin is the name of a policy, which points to a specific AD group.

Am I missing something in the config? I only want to allow this one group logon access to this test switch.
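As an added illustration (not part of the original thread or the poster's own config), a small Python audit of the posted switch config: it maps each vty range to its login and exec-authorization lists, checks that every referenced login list is defined, and flags that no exec authorization list exists, which is why any RADIUS Access-Accept, from whichever IAS policy matched, results in a shell. The RADIUS host address and shared secret below are constructed placeholders.

```python
import re
# Constructed sample based on the switch config in the post; the RADIUS
# server address and shared secret are placeholders, not the poster's values.
SWITCH_CONFIG = """
aaa new-model
aaa authentication login NetworkAdmin group radius local
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key PLACEHOLDER
radius-server source-ports 1645-1646
line vty 0 4
 login authentication NetworkAdmin
line vty 5 15
 login authentication NetworkAdmin
"""

def audit_vty_aaa(config: str) -> dict:
    """Map each vty range to its login/authorization lists and report gaps."""
    login_lists, authz_lists, vty = {}, {}, {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"aaa authorization exec (\S+) (.+)", line)
        if m:
            authz_lists[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"line vty (\d+) (\d+)", line)
        if m:
            current = f"vty {m.group(1)}-{m.group(2)}"
            vty[current] = {"login": "default", "authorization": None}
            continue
        if current and line.startswith("login authentication "):
            vty[current]["login"] = line.split()[-1]
        elif current and line.startswith("authorization exec "):
            vty[current]["authorization"] = line.split()[-1]
    findings = []
    for name, entry in vty.items():
        if entry["login"] != "default" and entry["login"] not in login_lists:
            findings.append(f"{name}: login list {entry['login']} is not defined")
        # Without exec authorization (explicit or default) the switch only asks
        # "did RADIUS accept?", so any policy that accepts the user opens a shell.
        if entry["authorization"] is None and "default" not in authz_lists:
            findings.append(f"{name}: no exec authorization list")
    return {"login_lists": login_lists, "authz_lists": authz_lists,
            "vty": vty, "findings": findings}
```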

jeff.velten Tue, 02/05/2008 - 08:22

Thanks for the reply. This is how I had things set up initially. The problem is that users able to log in under a lower-ranking remote access policy for VPN can gain access to the switch. I only want the NetworkAdmin group to have access. I'd also rather not filter by client IP, as we have several switches across multiple VLANs that I would like to roll this out to once it's working.

