Radius Support for AAA

moorera
Level 1

I have a number of 3500XL and 2950 switches in the Enterprise. I was hoping to get away with MS Radius to control Authentication to the switches. I know these switches supported TACACS+. They do not seem to support Radius. Is there a certain revision of IOS required for these devices to support Radius?

If not, can anyone recommend a TACACS+ platform other than ACS? I think I read on this forum a shareware version at one time?

Thank you

11 Replies

Richard Burts
Hall of Fame

Randy

I am not sure what the issue is that you face. I have checked on a couple of 2950 switches and Radius is supported on them. I checked the feature navigator on the Cisco web site and it appears to be supported in both SI and EI versions for the 2950. I do not have a 3500XL but would be surprised if Radius were not supported on it also.

Are you saying that you go into config mode and in global config the command radius-server is not there?

HTH

Rick

Thanks for the reply. Sadly I have a ton of 3500xl's still. Hoping in the next 24 months to get rid of them. I'll dig in a little more on the 2950s. Thank you.

Rick,

Hi, I actually work for Randy. Here is what I'm seeing, when I'm in global config mode, there is NO command for radius-server.

Looks like you didn't enable "aaa new-model".

Here is a working config example with local "fallback":

    aaa new-model
    aaa authentication login default group radius local-case
    aaa authorization exec default group radius local
    aaa accounting update periodic 60
    aaa accounting exec default start-stop group radius
    username admin password ...
    radius-server host 172.17.172.17 auth-port 1812 acct-port 1813 key ...

Got all that, the only problem is the "radius-server" command is still not available.

What exact model and IOS-version are you using?

Herbert Baerten
Cisco Employee

Not sure what the minimal software version is (it won't hurt to go to the latest available version anyway), but these switches do support radius.

cfr. http://www.cisco.com/en/US/docs/switches/lan/catalyst2900xl_3500xl/release12.0_5_wc5/swg/swsyst.html#wp1097321

What made you think they do not?

Thanks, I'll have a look!

kka
Level 5

For the 3500XL use at least 12.0(5)WC11, it's important to supply "Service-Type = Administrative-User" in the Access-Accept (not necessary on routers with IOS >= 12.3)

The following test entries are for FreeRADIUS and work with 3500XL [12.0(5)WC1x] and 3550 [12.2]:

    lvl15 Auth-Type := Local, User-Password == 'geheim'
        Service-Type = Administrative-User,
        cisco-avpair = "shell:priv-lvl=15"

    lvl1 Auth-Type := Local, User-Password == 'geheim'
        Service-Type = Administrative-User,
        cisco-avpair = "shell:priv-lvl=1"
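Added example, not part of the thread and not Cisco or FreeRADIUS code: a check that a captured Access-Accept carries both Service-Type = Administrative-User and the cisco-avpair privilege level from the entries above, and that its Response Authenticator matches the shared secret (RFC 2865 layout). The secret, request authenticator, packets and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2                          # RADIUS packet code (RFC 2865)
SERVICE_TYPE, ADMINISTRATIVE = 6, 6        # attribute 6, value 6 = Administrative
VENDOR_SPECIFIC, CISCO, AVPAIR = 26, 9, 1  # attribute 26, vendor id 9, sub-type 1

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value  # type, length, value

def cisco_avpair(text):
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO) + attr(AVPAIR, text))

def build_accept(ident, request_auth, secret, attrs):  # builds constructed input
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def check_accept(packet, request_auth, secret):
    """Return (authenticator_ok, is_admin, priv_lvl) for one Access-Accept."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT \
            or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    # Response Authenticator = MD5(code+id+length+RequestAuth+attributes+secret)
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    auth_ok = hmac.compare_digest(expected, packet[4:20])
    is_admin, priv, pos = False, None, 0
    while pos < len(attrs):
        alen = attrs[pos + 1] if pos + 2 <= len(attrs) else 0
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        atype, value = attrs[pos], attrs[pos + 2:pos + alen]
        if atype == SERVICE_TYPE and len(value) == 4:
            is_admin = struct.unpack("!I", value)[0] == ADMINISTRATIVE
        elif atype == VENDOR_SPECIFIC and len(value) > 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            text = value[6:4 + vlen]       # vlen counts its own 2 header bytes
            if (vendor, vtype) == (CISCO, AVPAIR) and text.startswith(b"shell:priv-lvl="):
                priv = int(text.split(b"=", 1)[1])
        pos += alen
    return auth_ok, is_admin, priv

# Constructed sample values (not from the thread).
SECRET, REQ_AUTH = b"example-secret", bytes(range(16))
GOOD = build_accept(1, REQ_AUTH, SECRET, attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE))
                    + cisco_avpair(b"shell:priv-lvl=15"))
NO_SERVICE_TYPE = build_accept(2, REQ_AUTH, SECRET, cisco_avpair(b"shell:priv-lvl=15"))
if __name__ == "__main__":
    print(check_accept(GOOD, REQ_AUTH, SECRET), check_accept(NO_SERVICE_TYPE, REQ_AUTH, SECRET))
```

A reply that parses as is_admin False with a priv_lvl set is the case the post warns about for 3500XL code.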

This link posted by Herbert does claim that at least some versions of code (specifically 12.0(5)WC4 and 12.0(5)WC5) do support Radius:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2900xl_3500xl/release12.0_5_wc5/swg/swsyst.html#wp1097321

The version of code that they are running (12.0(5)WC3b) pretty clearly does not support Radius.

HTH

Rick

Thanks to all who responded.

Just to reiterate Rick's post, in case someone else finds themself in the same situation, the version we are running (12.0(5)WC3b) does not support Radius.
