AAA using RADIUS

Feb 20th, 2008

Good morning all,


I am trying to configure AAA using RADIUS with ACS 4.1 SE and various Cisco devices. I have configured the ACS to perform group mapping for the personnel to whom I want to give access privileges. What I would like to do is give that group privilege level 15 and do away with enable passwords. However, I need local authentication for our console ports with enable privileges. Can this be done? Any help would be appreciated.


Dwane

acharyr123 Fri, 02/22/2008 - 22:34

Hi!!!


I also want to perform similar activities within my network.


I also have ACS 4.1 SE, Cisco 4500, 6500, 2960, 3750, 3560, ASA, CS-MARS, routers etc. in my network. I want to have RADIUS-based authentication for the same.


I want telnet and SSH to be verified by the RADIUS server, and console by local authentication.


Could you please send me the config that is required on the active devices as well as on the ACS!!!!



dpatkins Wed, 02/27/2008 - 09:01

For routers and IOS switches:



aaa new-model
aaa authentication banner *Unauthorized Access Prohibited*
aaa authentication login default group radius
! your ACS device
radius-server host 10.10.10.10
radius-server key cisco123
radius-server configure-nas
username nmg password telnet
aaa authentication ppp dialins group radius local
aaa authentication login nmg local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
aaa processes 16
line 1 16
 ! list name was missing in the post; assumed to be the local "nmg" list defined above
 login authentication nmg


For CatOS switches:


set radius-server 10.10.10.10
show radius
set radius key cisco123
set authentication login radius enable
set authentication enable radius enable
show authentication
set radius timeout 5
set radius retransmit 3
set radius deadtime 3



For Pix Firewalls:

! server group must exist before the authentication commands reference it,
! and the tag in "aaa authentication ... console" must match the group name (radgroup)
aaa-server radgroup protocol RADIUS
 max-failed-attempts 2
 reactivation-mode depletion deadtime 5
exit

(NOTE: This will depend on the location of the PIX firewall.)

aaa-server radgroup (inside) host 10.10.10.10
 key XXXXXXX
exit
aaa-server radgroup (inside) host 10.10.10.10
 key XXXXXX
exit

aaa authentication ssh console radgroup LOCAL
aaa authentication telnet console radgroup LOCAL




This is pretty much what we used for the configurations in our test. It looks like most of your switches are IOS-based, so that will be nice for you.


If you are using local authentication, you can create a group and assign the local addresses to that group. What I did in the RADIUS IETF attributes: ensure that [006] Service-Type is checked, scroll down to Administrative, and click Submit & Restart.


Hope this helps some. I had a lot of help from Cisco TAC on this.


Dwane
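
One way to get exactly what the original question asks for on an IOS router or switch (RADIUS for telnet/SSH logins that land directly at privilege 15 via the ACS Service-Type = Administrative reply, local-only authentication on the console), as an added example that is not from any of the posts above. The method-list names VTY-AUTH, CONSOLE-AUTH, VTY-AUTHZ and CONSOLE-AUTHZ, the username and the passwords are placeholders; the ACS address and key are the ones used in the thread.

```cisco
aaa new-model
! ACS address and shared secret as used in the thread; replace with your own
radius-server host 10.10.10.10 key cisco123
radius-server timeout 5
radius-server retransmit 3
radius-server deadtime 3
!
! Named login lists (names are hypothetical). "local" in a list is only consulted
! when no RADIUS server answers at all, not when ACS actively rejects the user.
aaa authentication login VTY-AUTH group radius local
aaa authentication login CONSOLE-AUTH local
!
! Exec authorization is what turns the ACS reply (Service-Type = Administrative)
! into a privilege-15 exec session, so the vty user never types an enable password.
aaa authorization exec VTY-AUTHZ group radius local
aaa authorization exec CONSOLE-AUTHZ local
! IOS does not apply AAA authorization to the console unless this is set;
! it is needed so the console line can use the local list below.
aaa authorization console
aaa accounting exec default start-stop group radius
!
! Local fallback account: privilege 15 gives a full exec on the console and on
! the vtys when every RADIUS server is dead. Keep enable secret as a last resort.
username admin privilege 15 secret <local-fallback-password>
enable secret <break-glass-password>
!
line con 0
 login authentication CONSOLE-AUTH
 authorization exec CONSOLE-AUTHZ
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 transport input ssh
```

Keep an existing session open while applying this, then confirm from a new SSH login that `show privilege` reports 15 and that the console still accepts the local user when the ACS is unreachable, before relying on it.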
