07-29-2010 02:02 AM - edited 03-06-2019 12:14 PM
Hi all
I would like the username and password on my switches to be authenticated by my windows IAS server, are there any docs about this or can anyone tell me the basic commands?
is it also possible to put a backup radius server in ?
many thanks
Carl
Solved! Go to Solution.
07-29-2010 02:11 AM
1) Install IAS
=========================================
Click "Start > Control Panel > Add & Remove Programs"
Click "Add/Remove Windows Components"
Double-Click "Networking Services"
Select "Internet Authentication Service"
Click "Ok"
=========================================
2) Configure IAS
=========================================
Click "Start>Programs>Administrative Tools>Internet Authentication Service"
*** Create Remote access Policy *** (left Pane)
Select "Remote Access Policies"
(right pane) Delete all policies
(right pane) Right-Click and Select "New Remote Access Policy"
Click "Next" Select "Set up a custom policy" and give it a name
Click "Next"
Click "Add"
Select "Windows Groups"
Click "Add" Type "Domain Admins" (or any other group you would like to use)
Click "Ok"
Click "Next"
Select "Grant remote access permission"
Click "Next"
Click "Edit Profile"
Select the "Authentication" tab
Select "Unencrypted Authentication" only
Select the "Advanced" tab
Change the service-type from "framed" to "login"
Delete "Framed-Protocol" Click "Add"
Select "Vendor Specific" Click "Add"
Select "Cisco" from the drop-down box
Select "Yes. It conforms" Click "Configure Attribute"
Change Attribute Number to "1"
Set the Attribute Format to "String"
Type "shell:priv-lvl=15" in the Attribute Value field
Click "Ok"
Click "Ok"
Click "Close"
If you get an error, select yes or no …. it doesn’t matter.
Click "Next"
Click "Finish"
*** Add Radius Clients ***
(Left Pane) Click "RADIUS Clients"
(Right Pane) Right-Click and click "New Radius Client"
Give the client a friendly name and enter the ip address
Click "Next"
Enter a shared secret password
Click "Finish"
=========================================
3) Configure Cisco Device
=========================================
*** IOS Configuration ***
aaa new-model
radius-server host 192.168.10.100 key P@ssw0rd
ip radius source-interface f0/0
aaa authentication login default group radius
local line vty 0 4
login authentication default
*** PIX Configuration ***
username blindhog password Raz0rb4ck
aaa-server RADIUS (inside) host 192.168.10.100 P@ssw0rd
aaa-server LOCAL protocol local
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
Notes:
You may have back IAS server for authentication. you have to add one more statement in the router or switch
radius-server host 192.168.10.101 key P@ssw0rd
Source : http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/
HTH
Hitesh Vinzoda
Pls rate useful posts
07-29-2010 02:11 AM
1) Install IAS
=========================================
Click "Start > Control Panel > Add & Remove Programs"
Click "Add/Remove Windows Components"
Double-Click "Networking Services"
Select "Internet Authentication Service"
Click "Ok"
=========================================
2) Configure IAS
=========================================
Click "Start>Programs>Administrative Tools>Internet Authentication Service"
*** Create Remote access Policy *** (left Pane)
Select "Remote Access Policies"
(right pane) Delete all policies
(right pane) Right-Click and Select "New Remote Access Policy"
Click "Next" Select "Set up a custom policy" and give it a name
Click "Next"
Click "Add"
Select "Windows Groups"
Click "Add" Type "Domain Admins" (or any other group you would like to use)
Click "Ok"
Click "Next"
Select "Grant remote access permission"
Click "Next"
Click "Edit Profile"
Select the "Authentication" tab
Select "Unencrypted Authentication" only
Select the "Advanced" tab
Change the service-type from "framed" to "login"
Delete "Framed-Protocol" Click "Add"
Select "Vendor Specific" Click "Add"
Select "Cisco" from the drop-down box
Select "Yes. It conforms" Click "Configure Attribute"
Change Attribute Number to "1"
Set the Attribute Format to "String"
Type "shell:priv-lvl=15" in the Attribute Value field
Click "Ok"
Click "Ok"
Click "Close"
If you get an error, select yes or no …. it doesn’t matter.
Click "Next"
Click "Finish"
*** Add Radius Clients ***
(Left Pane) Click "RADIUS Clients"
(Right Pane) Right-Click and click "New Radius Client"
Give the client a friendly name and enter the ip address
Click "Next"
Enter a shared secret password
Click "Finish"
=========================================
3) Configure Cisco Device
=========================================
*** IOS Configuration ***
aaa new-model
radius-server host 192.168.10.100 key P@ssw0rd
ip radius source-interface f0/0
aaa authentication login default group radius
local line vty 0 4
login authentication default
*** PIX Configuration ***
username blindhog password Raz0rb4ck
aaa-server RADIUS (inside) host 192.168.10.100 P@ssw0rd
aaa-server LOCAL protocol local
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
Notes:
You may have back IAS server for authentication. you have to add one more statement in the router or switch
radius-server host 192.168.10.101 key P@ssw0rd
Source : http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/
HTH
Hitesh Vinzoda
Pls rate useful posts
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide