Radius Support for AAA

Mar 12th, 2008

I have a number of 3500XL and 2950 switches in the Enterprise. I was hoping to get away with MS Radius to control Authentication to the switches. I know these switches supported TACACS+. They do not seem to support Radius. Is there a certain revision of IOS required for these devices to support Radius?


If not, can anyone recommend a TACACS platform other than ACS? I think I read on this forum about a shareware version at one time?


Thank you

Richard Burts Wed, 03/12/2008 - 11:56
Randy


I am not sure what the issue is that you face. I have checked on a couple of 2950 switches and Radius is supported on them. I checked the feature navigator on the Cisco web site and it appears to be supported in both SI and EI versions for the 2950. I do not have a 3500XL but would be surprised if Radius were not supported on it also.


Are you saying that you go into config mode and in global config the command radius-server is not there?


HTH


Rick

moorera Thu, 03/13/2008 - 06:36

Thanks for the reply. Sadly I have a ton of 3500XLs still. Hoping in the next 24 months to get rid of them. I'll dig in a little more on the 2950s. Thank you.

Lori St. John Thu, 03/13/2008 - 12:00

Rick,

Hi, I actually work for Randy. Here is what I'm seeing: when I'm in global config mode, there is NO command for radius-server.



kka Thu, 03/13/2008 - 12:51

Looks like you didn't enable "aaa new-model".


Here is a working config example with local "fallback":



aaa new-model
aaa authentication login default group radius local-case
aaa authorization exec default group radius local
aaa accounting update periodic 60
aaa accounting exec default start-stop group radius

username admin password ...

radius-server host 172.17.172.17 auth-port 1812 acct-port 1813 key ...


Lori St. John Thu, 03/13/2008 - 13:09

Got all that; the only problem is the "radius-server" command is still not available.

kka Thu, 03/13/2008 - 13:21

What exact model and IOS version are you using?

kka Wed, 03/12/2008 - 23:23

For the 3500XL use at least 12.0(5)WC11; it's important to supply "Service-Type = Administrative-User" in the Access-Accept (not necessary on routers with IOS >= 12.3).


The following test entries are for FreeRADIUS and work with 3500XL [12.0(5)WC1x] and 3550 [12.2]:


lvl15  Auth-Type := Local, User-Password == 'geheim'
       Service-Type = Administrative-User,
       cisco-avpair = "shell:priv-lvl=15"

lvl1   Auth-Type := Local, User-Password == 'geheim'
       Service-Type = Administrative-User,
       cisco-avpair = "shell:priv-lvl=1"
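To make concrete what the switch actually needs from the RADIUS server (a Service-Type of Administrative-User plus the cisco-avpair priv-lvl in the Access-Accept, and an Accept whose Response Authenticator checks out against the shared secret), here is an added Python example that is not part of this thread and not code from any poster: it builds such an Access-Accept and validates it the way a RADIUS client would. The shared secret, Request Authenticator and packet identifier are constructed values, not anything from the thread.

```python
import hashlib
import struct
# RFC 2865 codes/attribute numbers and the Cisco VSA dictionary (assumed here).
ACCESS_ACCEPT, ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC = 2, 6, 26
ADMINISTRATIVE_USER = 6   # Service-Type value the 3500XL needs in the Accept
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # vendor 9, sub-type 1 = "cisco-avpair"

def encode_attrs(attrs):  # pack (type, value) pairs as RADIUS TLVs
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def cisco_avpair(text):  # Vendor-Specific value carrying one cisco-avpair
    data = text.encode()
    return struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data

def build_access_accept(ident, request_auth, secret, attrs):
    """Server side: Access-Accept with the RFC 2865 Response Authenticator."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_attrs(data):
    """Walk the TLVs, refusing a length that would run past the packet."""
    attrs = []
    while data:
        t, l = struct.unpack("!BB", data[:2])
        if l < 2 or l > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[2:l]))
        data = data[l:]
    return attrs

def check_access_accept(pkt, request_auth, secret):
    """Client side: verify the authenticator, then extract what the switch acts on."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt):
        return None
    body = pkt[20:]
    expected = hashlib.md5(pkt[:4] + request_auth + body + secret).digest()
    if expected != pkt[4:20]:
        return None                 # wrong shared secret or tampered in transit
    result = {"admin": False, "priv_lvl": None}
    for t, v in parse_attrs(body):
        if t == ATTR_SERVICE_TYPE and v == struct.pack("!I", ADMINISTRATIVE_USER):
            result["admin"] = True
        elif t == ATTR_VENDOR_SPECIFIC and v[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            sub_type, sub_len = struct.unpack("!BB", v[4:6])
            text = v[6:4 + sub_len].decode()
            if sub_type == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
                result["priv_lvl"] = int(text.split("=", 1)[1])
    return result
```

An Accept that carries only the priv-lvl avpair comes back with admin set to False, which is the case the 3500XL rejects even though a newer router would accept it.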


Richard Burts Thu, 03/13/2008 - 13:58
This link posted by Herbert does claim that at least some versions of code (specifically 12.0(5)WC4 and 12.0(5)WC5) do support Radius:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2900xl_3500xl/release12.0_5_wc5/swg/swsyst.html#wp1097321


The version of code that they are running (12.0(5)WC3b) pretty clearly does not support Radius.


HTH


Rick

Lori St. John Thu, 03/13/2008 - 14:08

Thanks to all who responded.


Just to reiterate Rick's post, in case someone else finds themselves in the same situation: the version we are running (12.0(5)WC3b) does not support Radius.

