apply AAA for LAN & L3 switches

Collin Clark Mon, 03/30/2009 - 13:18

The 2950 and 3550 series support RADIUS authentication. Make sure you test it before implementing it. Also telnet/SSH in to the switch, make the change and open a new connection to test RADIUS. That way if it does not work you still have your first connection to fix it.

Hope that helps.

Collin Clark Tue, 03/31/2009 - 07:42

OK. Today you have a password assigned to the VTYs and that is all that is needed to gain access. Once you configure AAA (either locally or with an external AAA server) you need to also provide the username. The password can be removed from the VTY lines because it will no longer be used. It is best practices to add a local username/password for backup in case the AAA server fails. When you configure AAA you will specify the AAA server first and 'local' as second in the authentication list.

Collin Clark Tue, 03/31/2009 - 08:39

You need a little more:

aaa new-model
aaa group server radius RADIUS_AUTH
 server 192.168.1.50 auth-port 1812 acct-port 1813
aaa authentication login DOMAIN_AUTHENTICATION group RADIUS_AUTH enable
radius-server host 192.168.1.50 auth-port 1812 acct-port 1813 key SeCrEtKeY
line vty 0 4
 login authentication DOMAIN_AUTHENTICATION

This is what I've done:

aaa new-model
aaa group server radius RADIUS_AUTH
 server 192.168.200.18 auth-port 1645 acct-port 1646
!
radius-server host 192.168.200.18 auth-port 1645 acct-port 1646 key SeCrEtKeY
aaa authentication login DOMAIN_AUTHENTICATION group RADIUS_AUTH enable

Now the result is a username prompt, BUT it doesn't connect to my RADIUS and, as a result, login fails.

Is there a way to configure the RADIUS and test it before I apply it to the login?

Collin Clark Tue, 03/31/2009 - 09:26

Not that I know of and that's why you should keep the first telnet session open and connected! What are you using for a RADIUS server?

For the record,

From my ASA I can test successfully:

ASA(config)# test aaa-server authentication vpn
Server IP Address or name: 192.168.200.18
Username: username
Password: ********
INFO: Attempting Authentication test to IP address <192.168.200.18> (timeout: 12 seconds)
INFO: Authentication Successful

This is the config:

aaa-server vpn protocol radius
aaa-server vpn host 192.168.200.18
 key ********

Same IAS server, same subnet.

I also tried configuring a new policy on IAS as described here: http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/
