09-17-2008 05:26 AM - edited 03-06-2019 01:26 AM
I have entered the following configs in my Catalyst 3750s but get access denied when I try to authenticate via RADIUS. I need to verify my IOS configs before checking RADIUS.
s1(config)#aaa new-model
s1(config)#aaa authentication login default group radius local
s1(config)#radius-server host 10.1.1.254 auth-port 1645 acct-port 1646 key Password
s1(config)#username localaccount password password123
09-17-2008 06:50 AM
Have you configured the Radius server correctly with the 3750 as a client with the correct key? Is the 3750 routing or just layer-2? If it's routing you should tie the radius requests to a source interface with the command 'ip radius source-interface x/x'.
What you have entered should gain you access as long as the radius server is configured correctly. It might be worth looking in the radius servers logs and turning on some debug on the 3750.
HTH
Andy
09-17-2008 06:56 AM
It is routing, and I will source it from the loopback interface.
Is there a command I need to input for exec authentication?
Thanks
09-17-2008 07:31 AM
You can enable exec 'authorization' with the command 'aaa authorization exec default group xxxxx'. This then assumes your Radius server will send a Cisco AV Pair ('shell:priv-lvl=XX') to set the privilege level of the user. You can still get to a higher privilege level with the 'enable' command; however, another Radius login is sent if you do this, with a username of '$enab15$' (for level 15).
My current Radius Template I use for IOS devices is this:
aaa group server radius Radius-Servers
server 10.10.10.10 auth-port 1812 acct-port 1813
server 10.10.20.10 auth-port 1812 acct-port 1813
ip radius source-interface Loopback0
!
aaa authentication login default group Radius-Servers local line
aaa authentication enable default group Radius-Servers enable
aaa authentication dot1x default group Radius-Servers
aaa authorization console
aaa authorization exec default group Radius-Servers if-authenticated
aaa authorization network default group Radius-Servers
aaa accounting dot1x default start-stop group Radius-Servers
aaa accounting exec default start-stop group Radius-Servers
aaa accounting network default start-stop group Radius-Servers
aaa accounting system default start-stop group Radius-Servers
!
radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key cisco
radius-server host 10.10.20.10 auth-port 1812 acct-port 1813 key cisco
!
I am using MS IAS for Radius and I have various policies defined that check for different attributes depending on the authentication type - i.e. Console/Terminal access, VPN, Wireless 802.1x, Wired 802.1x and WEB Proxy-Authentication.
HTH
Andy
Please rate useful posts.
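The exchange Andy describes above (the switch sends an Access-Request for the login, the server answers with an Access-Accept carrying the Cisco AV pair 'shell:priv-lvl=15', and the switch uses that to set the exec privilege level) as an added, self-contained example; this is not code from the thread or from Cisco. It implements the RFC 2865 packet layout, User-Password hiding and Response Authenticator check with only the Python standard library. The shared secret 'cisco' mirrors the 'key cisco' in the template; the username, password, NAS address, packet identifier and the fixed Request Authenticator are constructed values for the demo.

```python
import hashlib
import hmac
import struct

# Constructed values for this example; 'cisco' mirrors 'key cisco' in the thread.
SHARED_SECRET = b"cisco"
CISCO_VENDOR_ID = 9      # IANA enterprise number carried in Cisco VSAs
CISCO_AVPAIR = 1         # vendor type of the 'cisco-avpair' attribute

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
SERVICE_TYPE_LOGIN = 1


def attr(attr_type, value):
    """Encode one RFC 2865 TLV: type, total length (header included), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific (26) holding vendor id 9 and one cisco-avpair string."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2 User-Password hiding: MD5 keystream chained on ciphertext."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)          # pad to a multiple of 16 bytes
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b"\x00").decode()


def build_access_request(identifier, request_auth, username, password, secret, nas_ip):
    """What the switch (NAS) sends for a vty/console login."""
    attrs = attr(USER_NAME, username.encode())
    attrs += attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    attrs += attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_access_accept(request, secret, priv_lvl):
    """Server reply granting exec access at priv_lvl via shell:priv-lvl."""
    attrs = cisco_avpair(f"shell:priv-lvl={priv_lvl}")
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(data):
    """Return (type, value) pairs; reject a length that could loop or overrun."""
    i, out = 0, []
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def nas_process_response(response, request, secret):
    """Switch side: verify the reply belongs to our request, then read priv-lvl.
    Returns None if the packet is not authentic, else (accepted, priv_lvl)."""
    if len(response) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None        # wrong shared secret, or a forged/tampered reply
    priv_lvl = None
    for t, v in parse_attrs(response[20:]):
        if t != VENDOR_SPECIFIC or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != CISCO_VENDOR_ID:
            continue
        for _, sv in parse_attrs(v[4:]):
            text = sv.decode(errors="replace")
            if text.startswith("shell:priv-lvl="):
                priv_lvl = int(text.split("=", 1)[1])
    return code == ACCESS_ACCEPT, priv_lvl


def demo():
    request_auth = bytes(range(16))   # constructed; a real NAS uses random bytes
    req = build_access_request(7, request_auth, "localaccount", "password123",
                               SHARED_SECRET, "10.0.22.1")
    acc = build_access_accept(req, SHARED_SECRET, 15)
    return nas_process_response(acc, req, SHARED_SECRET)


if __name__ == "__main__":
    print(demo())   # (True, 15)
```

The Response Authenticator check is the part worth noticing for the "access denied" symptom: a reply built with a different shared secret than the one in 'radius-server host ... key' fails that check on the switch, which is why a key mismatch between the 3750 and the server looks like a failed login rather than a transport error.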
09-17-2008 10:05 AM
Andy,
This is what I posted to the IOS, and I receive 'authorization failed'. I only want to pass to RADIUS on vty 0 4. I have also locked myself out and will reboot tonight.
aaa new-model
radius-server host 10.0.22.208 auth-port 1645 acct-port 1646 key cisco
ip radius source-interface Vlan40
aaa authentication login TRAuthList group radius local
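An added configuration check, not part of the thread and not a Cisco tool, that a practitioner can run over an IOS AAA snippet such as the one posted above before touching the RADIUS server. In IOS the 'default' method list applies to every line automatically, but a named list such as TRAuthList only takes effect on a line once that line's section carries 'login authentication <name>'; the checker flags a named list that no 'line' section selects, a list whose methods all depend on a reachable server (the lockout case mentioned in the post), a line that references an undefined list, and 'radius-server host' without 'ip radius source-interface' (the point Andy raised earlier). The sample configs are constructed, modelled on the posted lines; the finding texts and the FIXED_CONFIG variant are this example's own.

```python
import re

# Constructed sample modelled on the lines posted in this thread: a named login
# list exists, but nothing under 'line vty 0 4' selects it.
SAMPLE_CONFIG = """\
aaa new-model
radius-server host 10.0.22.208 auth-port 1645 acct-port 1646 key cisco
ip radius source-interface Vlan40
aaa authentication login TRAuthList group radius local
!
line vty 0 4
 transport input ssh
"""

# Same config with the named list applied to the vty lines (constructed).
FIXED_CONFIG = SAMPLE_CONFIG + " login authentication TRAuthList\n"

# Methods that do not depend on an AAA server being reachable.
NON_SERVER_METHODS = {"local", "local-case", "line", "enable", "none"}


def parse_config(text):
    """Split IOS running-config text into global commands and 'line ...' sections."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())   # sub-command of a line section
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            sections.setdefault(current, [])
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections


def audit_aaa(text):
    """Return a list of findings about login method lists and RADIUS setup."""
    findings = []
    global_cmds, sections = parse_config(text)

    if "aaa new-model" not in global_cmds and any(c.startswith("aaa ") for c in global_cmds):
        findings.append("aaa commands present but 'aaa new-model' is missing")

    # name -> method tokens, e.g. {'TRAuthList': ['group', 'radius', 'local']}
    login_lists = {}
    for cmd in global_cmds:
        m = re.match(r"aaa authentication login (\S+) (.+)$", cmd)
        if m:
            login_lists[m.group(1)] = m.group(2).split()

    # name -> line sections that select it with 'login authentication <name>'
    applied = {}
    for line_name, sub in sections.items():
        for c in sub:
            m = re.match(r"login authentication (\S+)$", c)
            if m:
                applied.setdefault(m.group(1), []).append(line_name)

    for name, methods in login_lists.items():
        # 'default' is used by every line automatically; a named list is inert
        # until a 'line' section selects it.
        if name != "default" and name not in applied:
            findings.append(f"login list '{name}' is defined but not applied under any 'line' section")
        if not NON_SERVER_METHODS & set(methods):
            findings.append(f"login list '{name}' has no non-server fallback method "
                            "(lockout if all servers are unreachable)")

    for name, lines in applied.items():
        if name not in login_lists:
            findings.append(f"'{', '.join(lines)}' references undefined login list '{name}'")

    has_radius = any(c.startswith("radius-server host") for c in global_cmds)
    has_source = any(c.startswith("ip radius source-interface") for c in global_cmds)
    if has_radius and not has_source:
        findings.append("radius-server host configured without 'ip radius source-interface'; "
                        "on a routed switch the NAS address may not match the server's client entry")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_aaa(cfg) or ["no findings"])
```

One caveat the checker cannot see: the 'local' method at the end of a list is only consulted when every RADIUS server is unreachable. An Access-Reject from a reachable server ends the attempt, so a list that ends in 'local' still locks you out when the server rejects the user, which is why a console session with a long exec-timeout is worth keeping open while testing.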
09-17-2008 10:36 AM
You are probably going to have to post a bit more of the config.
After you have rebooted, console or telnet in and set the exec-timeout to 0 so you don't get logged out automatically; you should then be able to debug what is going on by telnetting a second time into the switch.
Are you trying this via telnet or the console? By default the console does not perform authorization automatically (you need to enter 'enable'). This can be overridden with the hidden global command 'aaa authorization console'. I am not sure this is your issue, though.
HTH
Andy