cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
533
Views
0
Helpful
3
Replies

AAA using RADIUS

dpatkins
Level 1
Level 1

GOod morning all,

I am trying to configure AAA using RADIUS with ACS 4.1 SE and various Cisco Devices. I have configured the ACS to perform group mapping on personnel who I want to give access privileges. What I would like to do is give that group privilege level 15 and do away with enable passwords. However, I need local level authentication for our console options with enable privileges. Can this be done? Any help would be appreciated.

Dwane

3 Replies 3

dpatkins
Level 1
Level 1

This has been resolved.

acharyr123
Level 3
Level 3

Hi!!!

I also want to perform similar activities within my network.

I also do have ACS 4.1 SE, Cisco 4500, 6500,2960, 3750, 3560, ASA, CSMARS, routers etc in my network. I want to have radius based authentication for the same.

I want telnet, ssh has to be verified by radius server & console by local authentication.

could u plz send me the config that is required to be done in the active devices as well as ACS!!!!

For routers and IOS switches:

aaa new-model

aaa authentication banner *Unauthorized Access Prohibited*

aaa authentication login default group radius

radius-server host 10.10.10.10 (your acs device)

radius-server key cisco123

radius-server configure-nas

username nmg password telnet

aaa authentication ppp dialins group radius local

aaa authentication login nmg local

aaa authorization network default group radius local

aaa accounting network default start-stop group radius

aaa processes 16

line 1 16

login authentication

For CatOS switches:

Set radius-server 10.10.10.10

show radius

set radius key cisco123

set authentication login radius enable

set authentication enable radius enable

show authentication

set radius timeout 5

set radius retransmit 3

set radius deadtime 3

For Pix Firewalls:

aaa authentication ssh console radius LOCAL

aaa authentication telnet console radius LOCAL

aaa-server radgroup protocol RADIUS

max-failed-attempts 2

reactivation-mode depletion deadtime 5

exit

(NOTE: This will depending on the location of the pix firewall)

aaa-server radgroup (inside) host 10.10.10.10

key XXXXXXX

exit

aaa-server radgroup(inside) host 10.10.10.10

key XXXXXX

exit

This is pretty much what we used for configurations on our test. It looks like most of your switches are IOS based so that will be nice for you.

If you are using local authentication, you can create a group and assign the local addresses to that group. What I did in the radius IETF attribute, you ensure that [006] Service-Type is checked and scroll down to Administrative and click Submit & Restart.

Hope this helps some. I had alot of help from Cisco TAC on this.

Dwane

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: