03-12-2008 07:13 AM - edited 03-10-2019 03:42 PM
I have a number of 3500XL and 2950 switches in the Enterprise. I was hoping to get away with MS Radius to control Authentication to the switches. I know these switches supported TACACS+. They do not seem to support Radius. Is there a certain revision of IOS required for these devices to support Radius?
If not, can anyone recommend a TACACS platform other than ACS? I think I read on this forum a shareware version at one time?
Thank you
03-12-2008 11:56 AM
Randy
I am not sure what the issue is that you face. I have checked on a couple of 2950 switches and Radius is supported on them. I checked the feature navigator on the Cisco web site and it appears to be supported in both SI and EI versions for the 2950. I do not have a 3500XL but would be surprised if Radius were not supported on it also.
Are you saying that you go into config mode and in global config the command radius-server is not there?
HTH
Rick
03-13-2008 06:36 AM
Thanks for the reply. Sadly I have a ton of 3500XLs still. Hoping in the next 24 months to get rid of them. I'll dig in a little more on the 2950s. Thank you.
03-13-2008 12:00 PM
Rick,
Hi, I actually work for Randy. Here is what I'm seeing: when I'm in global config mode, there is NO command for radius-server.
03-13-2008 12:51 PM
Looks like you didn't enable "aaa new-model".
Here is a working config example with local "fallback":
aaa new-model
aaa authentication login default group radius local-case
aaa authorization exec default group radius local
aaa accounting update periodic 60
aaa accounting exec default start-stop group radius
username admin password ...
radius-server host 172.17.172.17 auth-port 1812 acct-port 1813 key ...
03-13-2008 01:09 PM
Got all that, the only problem is the "radius-server" command is still not available.
03-13-2008 01:21 PM
What exact model and IOS-version are you using?
03-12-2008 02:34 PM
Not sure what the minimal software version is (it won't hurt to go to the latest available version anyway), but these switches do support radius.
What made you think they do not?
03-13-2008 06:37 AM
Thanks, I'll have a look!
03-12-2008 11:23 PM
For the 3500XL use at least 12.0(5)WC11. It's important to supply "Service-Type = Administrative-User" in the Access-Accept (not necessary on routers with IOS >= 12.3).
The following test entries are for FreeRADIUS and work with 3500XL [12.0(5)WC1x] and 3550 [12.2]:
lvl15   Auth-Type := Local, User-Password == 'geheim'
        Service-Type = Administrative-User,
        cisco-avpair = "shell:priv-lvl=15"
lvl1    Auth-Type := Local, User-Password == 'geheim'
        Service-Type = Administrative-User,
        cisco-avpair = "shell:priv-lvl=1"
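An added example, not part of the original posts: a small Python linter for FreeRADIUS users-file entries like the ones above. It flags entries whose reply lacks Service-Type = Administrative-User (which the post says the 3500XL needs) and entries that grant priv-lvl 15. The sample entries, the `noadmin` user and all function names are constructed, and it assumes one reply item per line.

```python
import re

# Constructed sample in FreeRADIUS "users" file syntax: an unindented line is
# "name check-items"; the indented lines that follow are reply items.
SAMPLE_USERS = """\
lvl15   Auth-Type := Local, User-Password == 'example'
        Service-Type = Administrative-User,
        cisco-avpair = "shell:priv-lvl=15"

lvl1    Auth-Type := Local, User-Password == 'example'
        Service-Type = Administrative-User,
        cisco-avpair = "shell:priv-lvl=1"

noadmin Auth-Type := Local, User-Password == 'example'
        cisco-avpair = "shell:priv-lvl=15"
"""

PRIV_RE = re.compile(r"shell:priv-lvl=(\d+)")

def parse_users(text):
    """Return {user: {reply attribute (lowercased): [values]}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # skip blanks and comments
        if not raw[0].isspace():              # unindented line starts an entry
            current = entries.setdefault(raw.split()[0], {})
            continue
        if current is None:
            continue                          # reply item with no entry above it
        name, _, value = raw.strip().rstrip(",").partition("=")
        key = name.rstrip(" :+").lower()      # tolerate =, := and += operators
        current.setdefault(key, []).append(value.strip().strip('"'))
    return entries

def audit(text):
    """Return a list of (user, highest priv-lvl or None, findings)."""
    report = []
    for user, reply in parse_users(text).items():
        levels = [int(m.group(1)) for v in reply.get("cisco-avpair", [])
                  for m in PRIV_RE.finditer(v)]
        level = max(levels) if levels else None
        findings = []
        if "Administrative-User" not in reply.get("service-type", []):
            findings.append("no Service-Type = Administrative-User in reply")
        if level == 15:
            findings.append("grants priv-lvl 15")
        report.append((user, level, findings))
    return report
```

Calling `audit()` on the contents of a real users file gives one tuple per entry, so the priv-lvl 15 accounts can be reviewed as a list.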
03-13-2008 01:58 PM
This link posted by Herbert does claim that at least some versions of code (specifically 12.0(5)WC4 and 12.0(5)WC5) do support Radius:
The version of code that they are running (12.0(5)WC3b) pretty clearly does not support Radius.
HTH
Rick
03-13-2008 02:08 PM
Thanks to all who responded.
Just to reiterate Rick's post, in case someone else finds themselves in the same situation, the version we are running (12.0(5)WC3b) does not support Radius.