02-20-2008 07:48 AM - edited 03-10-2019 03:40 PM
GOod morning all,
I am trying to configure AAA using RADIUS with ACS 4.1 SE and various Cisco Devices. I have configured the ACS to perform group mapping on personnel who I want to give access privileges. What I would like to do is give that group privilege level 15 and do away with enable passwords. However, I need local level authentication for our console options with enable privileges. Can this be done? Any help would be appreciated.
Dwane
02-21-2008 01:20 PM
This has been resolved.
02-22-2008 10:34 PM
Hi!!!
I also want to perform similar activities within my network.
I also do have ACS 4.1 SE, Cisco 4500, 6500,2960, 3750, 3560, ASA, CSMARS, routers etc in my network. I want to have radius based authentication for the same.
I want telnet, ssh has to be verified by radius server & console by local authentication.
could u plz send me the config that is required to be done in the active devices as well as ACS!!!!
02-27-2008 09:01 AM
For routers and IOS switches:
aaa new-model
aaa authentication banner *Unauthorized Access Prohibited*
aaa authentication login default group radius
radius-server host 10.10.10.10 (your acs device)
radius-server key cisco123
radius-server configure-nas
username nmg password telnet
aaa authentication ppp dialins group radius local
aaa authentication login nmg local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
aaa processes 16
line 1 16
login authentication
For CatOS switches:
Set radius-server 10.10.10.10
show radius
set radius key cisco123
set authentication login radius enable
set authentication enable radius enable
show authentication
set radius timeout 5
set radius retransmit 3
set radius deadtime 3
For Pix Firewalls:
aaa authentication ssh console radius LOCAL
aaa authentication telnet console radius LOCAL
aaa-server radgroup protocol RADIUS
max-failed-attempts 2
reactivation-mode depletion deadtime 5
exit
(NOTE: This will depending on the location of the pix firewall)
aaa-server radgroup (inside) host 10.10.10.10
key XXXXXXX
exit
aaa-server radgroup(inside) host 10.10.10.10
key XXXXXX
exit
This is pretty much what we used for configurations on our test. It looks like most of your switches are IOS based so that will be nice for you.
If you are using local authentication, you can create a group and assign the local addresses to that group. What I did in the radius IETF attribute, you ensure that [006] Service-Type is checked and scroll down to Administrative and click Submit & Restart.
Hope this helps some. I had alot of help from Cisco TAC on this.
Dwane
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: