Configuring IOS authentication with Windows IAS

jeff.velten
Level 1

I've successfully configured both a test switch (Catalyst 3560) and Windows Server 2003 IAS to allow RADIUS authentication on the switch. The problem I'm having is that the switch will apparently allow anyone who can authenticate through IAS to access the switch. In testing with a non-admin account, I found that IAS is allowing this account to authenticate through a lower ranked policy which is used for generic VPN access. I thought I could control this by using a named list on the switch in the aaa authentication command, but it doesn't seem to be working.

Relevant switch config:

aaa new-model
aaa authentication login NetworkAdmin group radius local
!
!
radius-server host 172.16.0.42 auth-port 1645 acct-port 1646 key <key removed>
radius-server source-ports 1645-1646
!
line vty 0 4
 login authentication NetworkAdmin
line vty 5 15
 login authentication NetworkAdmin

On the IAS server, NetworkAdmin is the name of a policy, which points to a specific AD group.

Am I missing something in the config? I only want to allow this one group logon access to this test switch.

3 Replies

didyap
Level 6

Change the aaa line to "aaa authentication login default group radius line" and add the "login authentication connect" command under line vty 0 4. The following link may help you:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a0080094501.shtml#windows2000

Thanks for the reply. This is how I had things set up initially. The problem is that users able to log in under a lower-ranking remote access policy for VPN can gain access to the switch. I only want the NetworkAdmin group to have access. I'd also rather not filter by client IP, as we have several switches across multiple VLANs that I would like to roll this out to once it's working.

You can use the NAR; that can solve your need.
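An added example, not part of the thread and not Cisco or Microsoft code: a simplified Python model of ranked remote access policies that reproduces the symptom in the question, where a non-admin account falls through the NetworkAdmin policy and is granted by the lower-ranked VPN policy. It assumes first-match evaluation in rank order, and the "VPN Users" group, the client names (`sw-test-3560`, `vpn-gw`), the `sw-*` naming pattern and the deny policy are all constructed for illustration.

```python
from fnmatch import fnmatch

def in_group(group):
    """Condition: the authenticating user is a member of `group`."""
    return lambda req: group in req["groups"]

def from_client(pattern):
    """Condition: the RADIUS client's name matches `pattern` (assumed naming scheme)."""
    return lambda req: fnmatch(req["client"], pattern)

def evaluate(policies, req):
    """Assumed model: policies are checked in rank order and the first one
    whose conditions all match decides the outcome."""
    for name, grant, conditions in policies:
        if all(cond(req) for cond in conditions):
            return name, grant
    return None, False  # nothing matched: reject

# The request identifies the user and the RADIUS client. The switch's
# method-list name ("NetworkAdmin" in the posted config) is local to the
# switch and does not select a policy on the server.
admin_on_switch = {"groups": {"NetworkAdmin"}, "client": "sw-test-3560"}
vpn_user_on_switch = {"groups": {"VPN Users"}, "client": "sw-test-3560"}
vpn_user_on_vpn = {"groups": {"VPN Users"}, "client": "vpn-gw"}

# Policy order as described in the question (constructed).
as_posted = [
    ("NetworkAdmin", True, [in_group("NetworkAdmin")]),
    ("VPN", True, [in_group("VPN Users")]),
]

# One possible arrangement: scope the admin policy to switch clients and
# follow it with a deny for every other login arriving from a switch.
scoped = [
    ("NetworkAdmin", True, [from_client("sw-*"), in_group("NetworkAdmin")]),
    ("Deny other switch logins", False, [from_client("sw-*")]),
    ("VPN", True, [in_group("VPN Users")]),
]

if __name__ == "__main__":
    for label, policies in (("as posted", as_posted), ("scoped", scoped)):
        for who, req in (("admin@switch", admin_on_switch),
                         ("vpn-user@switch", vpn_user_on_switch),
                         ("vpn-user@vpn", vpn_user_on_vpn)):
            print(label, who, evaluate(policies, req))
```
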
