Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Configuring IOS authentication with Windows IAS

I've successfully configured both a test switch (Catalyst 3560) and Windows Server 2003 IAS to allow RADIUS authentication on the switch. The problem I'm having is that the switch will apparently allow anyone who can authenticate through IAS to access the switch. In testing with a non-admin account, I found that IAS is allowing this account to authenticate through a lower ranked policy which is used for generic VPN access. I thought I could control this by using a named list on the switch in the aaa authentication command, but it doesn't seem to be working.

Relevant switch config:

aaa new-model

aaa authentication login NetworkAdmin group radius local

!

!

radius-server host 172.16.0.42 auth-port 1645 acct-port 1646 key <key removed>

radius-server source-ports 1645-1646

!

line vty 0 4

login authentication NetworkAdmin

line vty 5 15

login authentication NetworkAdmin

On the IAS server, NetworkAdmin is the name of a policy, which points to a specific AD group.

Am I missing something in the config? I only want to allow this one group logon access to this test switch.

3 REPLIES
Silver

Re: Configuring IOS authentication with Windows IAS

Change the aaa line to "aaa authentication login default group radius line" and add "login authentication connect" command under line vty 0 4. Following link may help you

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a0080094501.shtml#windows2000

Community Member

Re: Configuring IOS authentication with Windows IAS

Thanks for the reply. This is how I had things set up initially. The problem is that users able to login under a lower-ranking remote access policy for VPN can gain access to the switch. I only want the NetworkAdmin group to have access. I'd also rather not filter by client IP, as we have several switches across multiple VLANs that I would like to roll this out to once it's working.

Community Member

Re: Configuring IOS authentication with Windows IAS

you can use the NAR that can solve your need

202
Views
0
Helpful
3
Replies
CreatePlease to create content