logins via radius

Unanswered Question
Feb 9th, 2009

Hello. I was wondering if anyone had implemented a radius server that would allow for logins to switches and routers to be able to control what level of access a user had. An example might be that if the main network guy wanted full access, he could log in and authenticate through a radius server (something like IAS) and get the level of permissions he needs to administer the switch. And the JR network guy comes along and does the same, but with a smaller set of abilities. Can this be done with radius authentication integrated with AD?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.3 (5 ratings)
andrew.butterworth Mon, 02/09/2009 - 13:54

As Edison says for command authorisation you need TACACS+. However......

I have implemented what I think is a good workaround using MS IAS. What I have is multiple IAS polcies for terminal access, each one representing a privilege level, in the advanced settings for each policy I push down a Cisco AV pair that sets the privilege level (shell:priv-lvl=15). In AD I have the equivalent Security Groups configured and I make users members of the relevant group. I.e. someone who requires full access to the switches and routers has Level-15 access and matches the Level-15 IAS policy. Someone who can only login and get level-0 privilege matches the Level-0 policy and gets the AV pair shell:priv-lvl=0.

You also need to configure your IOS devices to change the privilege level of certain commands, however once you have a template it is pretty easy to apply this to all your IOS devices.

As I said this isn't a replacement for TACACS+ as that allows each command to be authorised, but I think it's a neat workaround. Plus if you use IAS as the Radius Server it's included in the OS.



mikedurbin Tue, 02/10/2009 - 06:39

Ive never used a Tacacs server before. Is there a free version available?

Also, I like the IAS solution andrew, as Im a little more familiar with it. Is there any way you could provide more detail on that?

andrew.butterworth Tue, 02/10/2009 - 07:50

With regards to IAS this is what I have done, however you can make it more or less complex as I only have three privilege levels:

I have created three Global Security Groups in AD - each representing an IOS privilege level - Level-0, Level-1 and Level-15.

I then make the user a member of the appropriate group.

In IAS I then have three separate policies, each representing the Privilege Level (I actually have more but the policy conditions are different - i.e. VPN, dot1x etc).

For admission to each IAS policy I match against 'Windows-Group matches=xxxx' where 'xxxx' represents the AD Global Security group. 'NAS-Port-Type matches=Async (modem) or Virtual (VPN)' & 'Authentication Type matches=PAP'

In the advanced Tab for each policy I have the two RADIUS Standard attributes 'Reply-Message' and 'Service-Type' selected, plus the Cisco-AV-Pair. The Service-Type is set to 'NAS Prompt' and the Reply-Message is set to 'Level X login successful, access time recorded' - this is just text though and is displayed after a user sucessfully logs in and can be anything you wish. The Cisco-AV-Pair is set to 'shell:priv-lvl=X' where 'X' is the privilege level.

On each of the IOS devices I have the configuration:

aaa new-model



aaa group server radius IAS-Servers

server auth-port 1812 acct-port 1813

server auth-port 1812 acct-port 1813

ip radius source-interface Loopback0


aaa authentication login default group IAS-Servers local

aaa authentication enable default group IAS-Servers enable

aaa authorization console

aaa authorization exec default group IAS-Servers if-authenticated


radius-server host auth-port 1812 acct-port 1813 key xxxxxxxxxxxx

radius-server host auth-port 1812 acct-port 1813 key xxxxxxxxxxxx


There are additional commands on some IOS devices for different access (VPN, 802.1x & WEBVPN), however this is the basics and you should be able to work out how to get the other stuff working quite easily.

Additionally I have added some commands to change the privilege level of certain commands using the global configuration command:

privilege level X



hunnetvl01 Thu, 02/19/2009 - 13:02

Andy ,

I have something like you have in the IAS set-up , but I cant get the accounting to work properly. It displays usernaem/workstation , but does not want to log the commands issued on the device.

Any advice?



andrew.butterworth Sat, 02/21/2009 - 04:25

I don't think this is possible with Radius. I just tried adding the command 'aaa accounting commands 15 default start-stop group Radius-Servers' and I get an error telling me the server-group 'Radius-Servers' is not a tacacs+ server group:

091058: Feb 21 12:23:14: %AAAA-4-SERVNOTACPLUS: The server-group "Radius-Servers" is not a tacacs+ server group. Please define "Radius-Servers" as a tacacs+ server group.

This was on a Catalyst 3550 running the latest IOS.


aamercado Sun, 03/08/2009 - 11:42

I can't seem to get my wireless AP1230 to work. All my AP hostname start with "caap" so I have

Remote Access Policy:

Client-Friendly-Name matches "caap*"

Windows-Group is tied to my AD security group

Service-Type is set to Radius Login

Cisco-AV-Pair is set to shell:priv-lvl=15

and "Grant Remote Access permission" is checked

On the AP, I have

aaa authentication login SECURE group radius local enable

aaa authorization exec SECURE group radius local

radius-server host auth-port 1812 acct-port 1813 key xxxxx

radius-server host auth-port 1812 acct-port 1813 key xxxxx

line vty 0 15

authorization exec SECURE

login authentication SECURE

This works for my routers/switches but not for the AP. Any ideas why AP are different?


This Discussion