Radius Support for AAA

Unanswered Question
Mar 12th, 2008

I have a number of 3500XL and 2950 switches in the Enterprise. I was hoping to get away with MS Radius to control Authentication to the switches. I know these switches supported TACACS+. They do not seem to support Radius. Is there a certain revision of IOS required for these devices to support Radius?

If not, can anyone recommend a TACAS platform other than ACS? I think I read on this forum a shareware version at one time?

Thank you

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3.7 (3 ratings)
Richard Burts Wed, 03/12/2008 - 11:56


I am not sure what the issue is that you face. I have checked on a couple of 2950 switches and Radius is supported on them. I checked the feature navigator on the Cisco web site and it appears to be supported in both SI and EI versions for the 2950. I do not have a 3500XL but would be surprised if Radius were not supported on it also.

Are you saying that you go into config mode and in global config the command radius-server is not there?



moorera Thu, 03/13/2008 - 06:36

Thanks for the reply. Sadly Ihave a ton of 3500xl's still. Hoping in the next 24 months to get rid of them. I'll dig in a little more on the 2950s. Thank you.

Lori St. John Thu, 03/13/2008 - 12:00


Hi, I actually work for Randy. Here is what I'm seeing, when I'm in global config mode, there is NO command for radius-server.

kka Thu, 03/13/2008 - 12:51

Looks like you didn't enable "aaa new-model".

Here is a working config example with local "fallback":

aaa new-model

aaa authentication login default group radius local-case

aaa authorization exec default group radius local

aaa accounting update periodic 60

aaa accounting exec default start-stop group radius

username admin password ...

radius-server host auth-port 1812 acct-port 1813 key ...

Lori St. John Thu, 03/13/2008 - 13:09

got all that, the only problem is the "radius-server" command is still not available.

kka Thu, 03/13/2008 - 13:21

What exact model and IOS-version are you using?

kka Wed, 03/12/2008 - 23:23

For the 3500XL use at least 12.0(5)WC11, it's important to supply

"Service-Type = Administrative-User" in the Access-Accept (not

necessary on routers with IOS >= 12.3)

The following test entries are for FreeRADIUS and work with

3500XL [12.0(5)WC1x] and 3550 [12.2]:

lvl15 Auth-Type:= Local, User-Password == 'geheim'

Service-Type = Administrative-User,

cisco-avpair = "shell:priv-lvl=15"

lvl1 Auth-Type:= Local, User-Password == 'geheim'

Service-Type = Administrative-User,

cisco-avpair = "shell:priv-lvl=1"

Lori St. John Thu, 03/13/2008 - 14:08

Thanks to all who responded.

Just to reiterate Rick's post, in case someone else finds themself in the same situation, the version we are running (12.0(5)WC3b) does not support Radius.


This Discussion