New Member

AAA RADIUS Authentication in Catalyst 2924

Hi,

I need to use RADIUS authentication on a Catalyst 2924, but not for all RADIUS-authenticated users, only for a group of users.

With this configuration, all users that have a RADIUS login/password can log in, but the same RADIUS server authenticates many services...

Current RADIUS configuration:

aaa new-model
aaa group server radius radius_tutoia
 server 9.179.123.10
!
aaa authentication login default group radius enable
aaa authentication login radius enable
aaa authentication login local enable
aaa authorization configuration default group radius
.
.
.
.
.
radius-server host *.***.***.** auth-port 1645 acct-port 1646
radius-server key *****************

If my RADIUS server is not online, is the command:

aaa authentication login local enable

a good fallback option?

Regards,

Willian Prando

4 REPLIES
Cisco Employee

Re: AAA RADIUS Authentication in Catalyst 2924

If you just want certain users to be able to login to this box, then you'll have to set up authorization. In the 2924 do:

> aaa authorization exec default group radius none

Then in the user profiles on the Radius server, for those users that you want to be able to telnet into this device, you have to return the Service-Type attribute (Radius IETF attribute number 6), with a value of Nas-Prompt (7).

Anyone without this won't be authorized to get into exec mode on this box. There's a sample config for this here: http://www.cisco.com/warp/public/480/PRIV.html

As for your fallback question, you already have it configured to fallback to the enable password (that's what the "enable" keyword is after the "radius" keyword on your login authentication line). If you want it to fallback to the local username database, then you'd change your current line to look like:

> aaa authentication login default group radius local

> username blah password blah

HTH.
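The reply above relies on two mechanisms: the NAS reading the IETF Service-Type attribute (number 6) out of the RADIUS Access-Accept and granting exec only when it carries NAS-Prompt (7), and the AAA method list falling through from "group radius" to "none", "local" or "enable". The following Python model is an added example, not code from the thread or from Cisco. The attribute numbers are the IETF ones named in the reply; the TLV layout follows the RADIUS attribute format; and the fall-through rule it encodes is the standard IOS one: the next method in a list is consulted only when the previous one returns an error (for example, server unreachable), never when the server answers with a reject. That rule is why "group radius none" grants exec to every authenticated user while the server is down, which is the risk to weigh before choosing it over "local". The usernames, passwords and enable secret are constructed values.

```python
"""Added example, not part of the original thread: models (1) a NAS deciding
exec authorization from the Service-Type attribute in an Access-Accept and
(2) IOS-style AAA method-list fall-through ("group radius none/local/enable").
"""
import struct

SERVICE_TYPE = 6   # IETF RADIUS attribute number for Service-Type (RFC 2865)
NAS_PROMPT = 7     # Service-Type value that lets the user reach exec mode


def encode_attr(attr_type, value):
    """RADIUS attribute TLV: 1-byte type, 1-byte total length, then value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long for a RADIUS TLV")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def service_type_attr(value):
    """Service-Type is a 4-byte big-endian integer attribute."""
    return encode_attr(SERVICE_TYPE, struct.pack("!I", value))


def decode_attrs(blob):
    """Walk the attribute section of a RADIUS packet, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def exec_authorized(access_accept_attrs):
    """True only if the server returned Service-Type = NAS-Prompt (7).

    A user whose profile carries no Service-Type, or a different value such
    as Login (1), is authenticated but not authorized for exec on this box.
    """
    for attr_type, value in decode_attrs(access_accept_attrs):
        if attr_type == SERVICE_TYPE and len(value) == 4:
            return struct.unpack("!I", value)[0] == NAS_PROMPT
    return False


# Constructed stand-ins for 'username blah password blah' and the enable secret.
LOCAL_USERS = {"blah": "blah"}
ENABLE_SECRET = "en-secret"


def run_method_list(methods, radius_outcome, user=None, password=None):
    """Evaluate an IOS-style method list.

    radius_outcome is what 'group radius' would return: "PASS" (accept),
    "FAIL" (reject) or "ERROR" (no server reachable). Only ERROR moves on
    to the next method; a FAIL is final. Returns the overall decision.
    """
    for method in methods:
        if method == "group radius":
            result = radius_outcome
        elif method == "none":
            result = "PASS"                      # no check at all
        elif method == "local":
            result = "PASS" if LOCAL_USERS.get(user) == password else "FAIL"
        elif method == "enable":
            result = "PASS" if password == ENABLE_SECRET else "FAIL"
        else:
            raise ValueError("unknown method: %s" % method)
        if result != "ERROR":
            return result
    return "FAIL"  # every method errored out: deny


if __name__ == "__main__":
    print("NAS-Prompt user  ->", exec_authorized(service_type_attr(NAS_PROMPT)))
    print("no Service-Type  ->", exec_authorized(b""))
    print("radius down, none ->", run_method_list(["group radius", "none"], "ERROR"))
    print("radius down, local ->",
          run_method_list(["group radius", "local"], "ERROR", "blah", "blah"))
    print("radius reject, local ->",
          run_method_list(["group radius", "local"], "FAIL", "blah", "blah"))
```

Running it shows the two points from the reply side by side: only the profile that returns NAS-Prompt is authorized for exec, and with the server reachable a RADIUS reject is final even when the local database would have accepted the same credentials.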

New Member

Re: AAA RADIUS Authentication in Catalyst 2924

First of all, thanks for your help...

OK, in the 2924 I am using the following configuration:

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host "server" auth-port 1645 acct-port 1646
radius-server key "key"

I am using Cisco Secure ACS 3.0, and I can't find the user profile where to set the Service-Type attribute.

Do I need to set the authentication method as Cisco/IOS or IETF in the 2924 profile?

Regards,

Willian

Cisco Employee

Re: AAA RADIUS Authentication in Catalyst 2924

Under Interface Configuration - Radius IETF, check the boxes to make the attributes appear under the User profile rather than just the Groups. Then go back under the user and select the attribute.

The authentication method can be either IETF or Cisco IOS/PIX. All hosts will use the IETF attributes; setting the NAS as something other than IETF simply means there are a few more options for you to choose from. For example, if you use the Cisco IOS/PIX auth method, you can then check any of the IETF attributes AND anything in the Cisco IOS/PIX attribute section.

New Member

Re: AAA RADIUS Authentication in Catalyst 2924

You fix the ACS server in the network configuration and the user group.
