Authenticating via RADIUS on IOS

Unanswered Question
Sep 17th, 2008

I have entered the following configs in my Catalyst 3750s but get access denied when I try to authenticate via RADIUS. I need to verify my IOS configs before checking RADIUS.

s1(config)#aaa new-model
s1(config)#aaa authentication login default group radius local
s1(config)#radius-server host auth-port 1645 acct-port 1646 key Password
s1(config)#username localaccount password password123

andrew.butterworth Wed, 09/17/2008 - 06:50

Have you configured the Radius server correctly with the 3750 as a client with the correct key? Is the 3750 routing or just layer-2? If it's routing you should tie the radius requests to a source interface with the command 'ip radius source-interface x/x'.

What you have entered should gain you access as long as the RADIUS server is configured correctly. It might be worth looking in the RADIUS server's logs and turning on some debug on the 3750.



jgorman1977 Wed, 09/17/2008 - 06:56

It is routing, and I will source it from the loopback interface.

Is there a command I need to input for exec authentication?


andrew.butterworth Wed, 09/17/2008 - 07:31

You can enable exec 'authorization' with the command 'aaa authorization exec default group xxxxx'. This then assumes your RADIUS server will send a Cisco AV Pair ('shell:priv-lvl=XX') to set the privilege level of the user. You can still get to a higher privilege level with the 'enable' command; however, another RADIUS login is sent if you do this, with a username of '$enab15$' (for level 15).

My current RADIUS template I use for IOS devices is this:

aaa group server radius Radius-Servers
 server auth-port 1812 acct-port 1813
 server auth-port 1812 acct-port 1813
 ip radius source-interface Loopback0

aaa authentication login default group Radius-Servers local line
aaa authentication enable default group Radius-Servers enable
aaa authentication dot1x default group Radius-Servers
aaa authorization console
aaa authorization exec default group Radius-Servers if-authenticated
aaa authorization network default group Radius-Servers
aaa accounting dot1x default start-stop group Radius-Servers
aaa accounting exec default start-stop group Radius-Servers
aaa accounting network default start-stop group Radius-Servers
aaa accounting system default start-stop group Radius-Servers

radius-server host auth-port 1812 acct-port 1813 key cisco
radius-server host auth-port 1812 acct-port 1813 key cisco


I am using MS IAS for RADIUS and I have various policies defined that check for different attributes depending on the authentication type, i.e. console/terminal access, VPN, wireless 802.1x, wired 802.1x and web proxy authentication.



Please rate useful posts.
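The two things the replies above tell the poster to check, the shared key on both sides and the Cisco AV pair 'shell:priv-lvl=XX' that exec authorization expects in the Access-Accept, can both be exercised offline. The script below is an added example written for this page, not code from the thread or from Cisco: it builds a RADIUS Access-Accept carrying a Cisco-AVPair vendor-specific attribute (RFC 2865 attribute 26, Cisco vendor ID 9, vendor type 1), signs it with the Response Authenticator (MD5 over code, identifier, length, the request's authenticator, the attributes and the shared secret), and on the receiving side verifies that authenticator before extracting the privilege level. A reply signed with a different secret is rejected, which is exactly what an IOS client does silently when the key on the switch and the server disagree. The request authenticator, identifier and secret are constructed test values.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_VENDOR_SPECIFIC = 26     # Vendor-Specific attribute type
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AVPAIR = 1              # vendor type of Cisco-AVPair


def attr(type_, value):
    """Encode one standard attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", type_, len(value) + 2) + value


def cisco_avpair(text):
    """Encode a Cisco-AVPair such as 'shell:priv-lvl=15' inside attribute 26."""
    v = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, len(v) + 2) + v
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: assemble a reply and compute its Response Authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """Client side: recompute the Response Authenticator with our copy of the key."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attrs(attrs):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i + 2 <= len(attrs):
        t, l = attrs[i], attrs[i + 1]
        if l < 2 or i + l > len(attrs):
            raise ValueError("malformed attribute")
        out.append((t, attrs[i + 2:i + l]))
        i += l
    return out


def priv_level(packet, request_auth, secret):
    """Return (accepted, priv-lvl or None); raise if the reply does not verify."""
    if not verify_response(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if packet[0] != ACCESS_ACCEPT:
        return False, None
    for t, v in parse_attrs(packet[20:]):
        if t != ATTR_VENDOR_SPECIFIC or v[:4] != struct.pack("!I", CISCO_VENDOR_ID):
            continue
        j = 4
        while j + 2 <= len(v):
            vt, vl = v[j], v[j + 1]
            if vl < 2 or j + vl > len(v):
                raise ValueError("malformed vendor attribute")
            val = v[j + 2:j + vl]
            if vt == CISCO_AVPAIR and val.startswith(b"shell:priv-lvl="):
                return True, int(val.split(b"=", 1)[1])
            j += vl
    return True, None   # accepted, but no privilege level supplied


if __name__ == "__main__":
    secret = b"cisco"                 # constructed; matches the key in the template above
    request_auth = bytes(range(16))   # constructed; a real client uses 16 random bytes
    accept = build_response(ACCESS_ACCEPT, 7, request_auth,
                            cisco_avpair("shell:priv-lvl=15"), secret)
    print(priv_level(accept, request_auth, secret))   # (True, 15)
    try:
        priv_level(accept, request_auth, b"wrongkey")
    except ValueError as e:
        print("rejected:", e)
```

When the authenticator check fails the reply is dropped rather than trusted, so a key typo on either side looks like "no response from server" in the switch debug, not like a bad password; that is why the first reply above asks about the key before anything else.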

jgorman1977 Wed, 09/17/2008 - 10:05


This is what I posted to the IOS, and I receive authorization failed. I only want to pass to RADIUS on vty 0 4. I have also locked myself out and will reboot tonight.

aaa new-model
radius-server host auth-port 1645 acct-port 1646 key cisco
ip radius source-interface Vlan40
aaa authentication login TRAuthList group radius local

andrew.butterworth Wed, 09/17/2008 - 10:36

You are probably going to have to post a bit more of the config.

After you have rebooted, console or telnet in and set the exec-timeout to 0 so you don't get logged out automatically; you should then be able to debug what is going on by telnetting a second time into the switch.

Are you trying this via telnet or the console? By default the console does not perform authorization automatically (you need to enter 'enable'). This can be overridden with the hidden global command 'aaa authorization console'. I am not sure this is your issue though?
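The poster's situation (a named list 'TRAuthList' that is meant to apply only to vty 0 4, followed by a lockout) is the classic AAA mistake: a named method list does nothing until a 'login authentication <name>' is placed under the matching 'line' stanza, and any list whose only method is a RADIUS group has no fallback once the server is unreachable. The linter below is an added example for this page, not anything from the thread or from Cisco; it reads a running-config excerpt and reports lists that are defined but never applied, lines that reference a list that does not exist, and lists with a remote method and no local/line/enable fallback. The sample configuration is constructed to show each of those findings; the interpretation of 'default' as the list used by lines with no explicit 'login authentication' is standard IOS behaviour, while the exact lockout consequence of each finding is left to the reader's platform.

```python
import re

# Constructed sample, loosely modelled on the thread: one list applied correctly,
# one applied with no fallback, one never applied, and one line naming a missing list.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login TRAuthList group radius local
aaa authentication login RadiusOnly group radius
aaa authentication login Unused local
line con 0
 login authentication RadiusOnly
line vty 0 4
 login authentication TRAuthList
line vty 5 15
 login authentication NoSuchList
"""

FALLBACKS = {"local", "local-case", "line", "enable", "none"}


def collapse(tokens):
    """Join 'group <name>' into a single method token so methods count correctly."""
    out, it = [], iter(tokens)
    for tok in it:
        out.append(f"{tok} {next(it, '?')}" if tok == "group" else tok)
    return out


def parse_aaa(config):
    """Return ({list name: [methods]}, {line stanza: list name applied})."""
    lists, applied, current_line = {}, {}, None
    for raw in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)", raw)
        if m:
            lists[m.group(1)] = collapse(m.group(2).split())
            continue
        m = re.match(r"line (\S+ \S+(?: \S+)?)\s*$", raw)
        if m:
            current_line = m.group(1)
            continue
        m = re.match(r"\s+login authentication (\S+)", raw)
        if m and current_line:
            applied[current_line] = m.group(1)
    return lists, applied


def check_aaa(config):
    """Produce human-readable findings about lockout risk in the login method lists."""
    lists, applied = parse_aaa(config)
    findings = []
    for line, name in applied.items():
        if name not in lists:
            findings.append(f"line {line}: references undefined list {name}")
    for name, methods in lists.items():
        if name != "default" and name not in applied.values():
            findings.append(f"list {name} is defined but not applied to any line")
        remote = [m for m in methods if m.startswith("group")]
        if remote and not any(m in FALLBACKS for m in methods):
            findings.append(f"list {name}: no local/line/enable fallback after {remote[0]}")
    return findings


if __name__ == "__main__":
    for f in check_aaa(SAMPLE_CONFIG):
        print(f)
```

Run against the sample it reports the undefined list on vty 5 15, the missing fallback on 'RadiusOnly' (which is applied to the console, the worst place to lose fallback), and the never-applied 'Unused' list; against a real 'show running-config' it is a quick pre-flight before committing AAA changes from a session that the change itself might cut off.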



