Cisco Support Community

New Member

apply AAA for LAN & L3 switches

I have a RADIUS server that I want to use as a central authentication location

I have a 3560, 3550 & 2950s. I know the 3560 can be configured with AAA, what about the other switches?

What is the best and safe way of applying it?

14 REPLIES

Re: apply AAA for LAN & L3 switches

The 2950 and 3550 series support RADIUS authentication. Make sure you test it before implementing it. Also telnet/SSH into the switch, make the change and open a new connection to test RADIUS. That way if it does not work you still have your first connection to fix it.

Hope that helps.

New Member

Re: apply AAA for LAN & L3 switches

How would it work?

On the 3560 I'm prompted for user\pwd. On both the 3550 & 2950 there is only a pwd prompt...

Re: apply AAA for LAN & L3 switches

It should be prompting for both. Can you post your AAA config?

New Member

Re: apply AAA for LAN & L3 switches

I didn't config it yet, I'm learning the HowTo at the moment.

When I said that I get only the password prompt I referred to the existing IOS built-in telnet login.

Re: apply AAA for LAN & L3 switches

OK. Today you have a password assigned to the VTYs and that is all that is needed to gain access. Once you configure AAA (either locally or with an external AAA server) you need to also provide the username. The password can be removed from the VTY lines because it will no longer be used. It is best practice to add a local username/password for backup in case the AAA server fails. When you configure AAA you will specify the AAA server first and 'local' as second in the authentication list.

New Member

Re: apply AAA for LAN & L3 switches

Yes, currently I'm using the local database for VTY access, which only requires a password, no usernames.

I want to make all VTY connections authenticated via RADIUS.

Are these the correct commands?

aaa new-model
aaa authentication login

Where\how do I configure RADIUS?

Looking at the commands I see TACACS but not RADIUS.

Re: apply AAA for LAN & L3 switches

You need a little more:

aaa new-model
aaa group server radius RADIUS_AUTH
server 192.168.1.50 auth-port 1812 acct-port 1813
aaa authentication login DOMAIN_AUTHENTICATION group RADIUS_AUTH enable
radius-server host 192.168.1.50 auth-port 1812 acct-port 1813 key SeCrEtKeY
line vty 0 4
login authentication DOMAIN_AUTHENTICATION

New Member

Re: apply AAA for LAN & L3 switches

This is what I've done:

aaa new-model
aaa group server radius RADIUS_AUTH
server 192.168.200.18 auth-port 1645 acct-port 1646
!
radius-server host 192.168.200.18 auth-port 1645 acct-port 1646 key SeCrEtKeY
aaa authentication login DOMAIN_AUTHENTICATION group RADIUS_AUTH enable

Now the result is a username prompt, BUT it doesn't connect to my RADIUS and as a result the login fails.

Is there a way to configure the RADIUS and test it before I apply it to the login?

Re: apply AAA for LAN & L3 switches

Not that I know of and that's why you should keep the first telnet session open and connected! What are you using for a RADIUS server?

New Member

Re: apply AAA for LAN & L3 switches

I'm using Microsoft IAS.

It is working with my ASA5505 for the VPN clients.

And don't worry, I did keep the telnet open and tested on a different screen.

Oh, and I'm currently testing this on a 3550.

New Member

Re: apply AAA for LAN & L3 switches

For the record,

from my ASA I can test successfully:

ASA(config)# test aaa-server authentication vpn
Server IP Address or name: 192.168.200.18
Username: username
Password: ********
INFO: Attempting Authentication test to IP address <192.168.200.18> (timeout: 12 seconds)
INFO: Authentication Successful

This is the config:

aaa-server vpn protocol radius
aaa-server vpn host 192.168.200.18
key ********

Same IAS server, same subnet.

I also tried configuring a new policy on IAS as described here: http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/

New Member

Re: apply AAA for LAN & L3 switches

Found a solution :)

Credit to this link: http://briandesmond.com/blog/how-to-authenticate-against-active-directory-from-cisco-ios/

conf t
aaa new-model
radius-server host 192.168.2.18 auth-port 1812 acct-port 1813 key ********
ip radius source-interface vlan200
aaa group server radius RadiusServers
server 192.168.2.18 auth-port 1812 acct-port 1813
exit
aaa authentication login default group RadiusServers local
exit
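The thread asks whether the RADIUS exchange can be checked before it is tied to the login list, and the failing and working configs differ in the auth-port and shared secret. As an added example (not code from the thread or from Cisco), the constructed Python below shows the RFC 2865 PAP Access-Request the switch sends and how a reply's Response Authenticator is verified, so a wrong shared secret or a server answering on a different port shows up as a discarded reply; the server-side build_reply only simulates the IAS end offline.

```python
"""Constructed RADIUS (RFC 2865) PAP client-side helpers: build an Access-Request
and verify a reply's Response Authenticator against the shared secret."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
AUTH_PORT = 1812  # IANA-assigned; 1645 is the legacy port some servers still listen on

def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def encode_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block),
    the first 'previous block' being the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out

def build_access_request(ident, username, password, secret, nas_ip, req_auth=None):
    """Code(1) Identifier(1) Length(2) RequestAuthenticator(16) then attributes."""
    req_auth = req_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_password(password.encode(), secret, req_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code, ident, req_auth, secret, attrs=b""):
    """What the server sends back (used here only to simulate the IAS side offline)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def reply_is_authentic(reply, ident, req_auth, secret):
    """RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A secret mismatch between switch and server fails here; the client silently
    discards the reply, the request times out, and the login list moves on to
    its next method."""
    if len(reply) < 20 or reply[1] != ident:
        return False
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return expected == reply[4:20]
```

Sending the request with a UDP socket to the server's auth-port and feeding the datagram to reply_is_authentic is the same check a NAS performs; the `ip radius source-interface` line in the working config matters because the server validates the secret per client source address.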

Re: apply AAA for LAN & L3 switches

Great, so everything is working correctly?

New Member

Re: apply AAA for LAN & L3 switches

Yes, it does.

Thanks for the help.
