I've successfully configured both a test switch (Catalyst 3560) and Windows Server 2003 IAS to allow RADIUS authentication on the switch. The problem I'm having is that the switch will apparently allow anyone who can authenticate through IAS to access the switch. In testing with a non-admin account, I found that IAS is allowing this account to authenticate through a lower-ranked policy which is used for generic VPN access. I thought I could control this by using a named list on the switch in the aaa authentication command, but it doesn't seem to be working.
Relevant switch config:
aaa authentication login NetworkAdmin group radius local
Re: Configuring IOS authentication with Windows IAS
Thanks for the reply. This is how I had things set up initially. The problem is that users able to log in under a lower-ranking remote access policy for VPN can gain access to the switch. I only want the NetworkAdmin group to have access. I'd also rather not filter by client IP, as we have several switches across multiple VLANs that I would like to roll this out to once it's working.
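The behaviour described in this thread, as an added example that is not part of the original posts or of any Cisco or Microsoft code: a simplified first-match model of ordered remote access policies, showing why a group-only VPN policy also admits switch logins and how a client-name condition changes the outcome. The policy names, the "VPN Users" group, the client names and the `SW-*` pattern are constructed assumptions; only the NetworkAdmin group comes from the thread.

```python
from fnmatch import fnmatch

def in_group(group):
    return lambda req: group in req["groups"]

def client_named(pattern):
    # Stand-in for a Client-Friendly-Name condition; fnmatch globbing is used
    # here for brevity and is not IAS's own pattern syntax.
    return lambda req: fnmatch(req["client"], pattern)

def evaluate(policies, req):
    """Simplified first-match model: the first policy whose conditions all
    match decides the request; if nothing matches, it is rejected."""
    for name, conditions, grant in policies:
        if all(cond(req) for cond in conditions):
            return name, grant
    return None, False

# Policy order as described in the post: the admin policy ranks above a
# generic VPN policy that checks group membership only (group name assumed).
AS_POSTED = [
    ("Switch admins", [in_group("NetworkAdmin")], True),
    ("Generic VPN",   [in_group("VPN Users")],    True),
]

# Scoped variant (assumed): switch requests are recognised by client name and
# denied for non-admins before the VPN policy is ever reached.
SCOPED = [
    ("Switch admins",      [client_named("SW-*"), in_group("NetworkAdmin")], True),
    ("Switch, all others", [client_named("SW-*")],                           False),
    ("Generic VPN",        [in_group("VPN Users")],                          True),
]

# Constructed requests: one non-admin user arriving via a switch and via the
# VPN server, plus an admin arriving via the switch.
vpn_user_on_switch = {"client": "SW-ACCESS-01", "groups": {"VPN Users"}}
vpn_user_on_vpn    = {"client": "VPN-GW",       "groups": {"VPN Users"}}
admin_on_switch    = {"client": "SW-ACCESS-01", "groups": {"NetworkAdmin", "VPN Users"}}

if __name__ == "__main__":
    for label, policies in (("as posted", AS_POSTED), ("scoped", SCOPED)):
        for req in (vpn_user_on_switch, vpn_user_on_vpn, admin_on_switch):
            print(label, req["client"], sorted(req["groups"]), "->", evaluate(policies, req))
```

In `aaa authentication login NetworkAdmin group radius local`, `NetworkAdmin` is the name of a method list on the switch, not a Windows group, so the decision about which users are accepted is made entirely by the policy order on the RADIUS server.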