Cisco Support Community

New Member

Radius Support for AAA

I have a number of 3500XL and 2950 switches in the Enterprise. I was hoping to get away with MS Radius to control Authentication to the switches. I know these switches supported TACACS+. They do not seem to support Radius. Is there a certain revision of IOS required for these devices to support Radius?

If not, can anyone recommend a TACACS platform other than ACS? I think I read on this forum a shareware version at one time?

Thank you

11 REPLIES
Hall of Fame Super Silver

Re: Radius Support for AAA

Randy

I am not sure what the issue is that you face. I have checked on a couple of 2950 switches and Radius is supported on them. I checked the feature navigator on the Cisco web site and it appears to be supported in both SI and EI versions for the 2950. I do not have a 3500XL but would be surprised if Radius were not supported on it also.

Are you saying that you go into config mode and in global config the command radius-server is not there?

HTH

Rick

New Member

Re: Radius Support for AAA

Thanks for the reply. Sadly I have a ton of 3500xl's still. Hoping in the next 24 months to get rid of them. I'll dig in a little more on the 2950s. Thank you.

New Member

Re: Radius Support for AAA

Rick,

Hi, I actually work for Randy. Here is what I'm seeing, when I'm in global config mode, there is NO command for radius-server.

kka
New Member

Re: Radius Support for AAA

Looks like you didn't enable "aaa new-model".

Here is a working config example with local "fallback":

aaa new-model
aaa authentication login default group radius local-case
aaa authorization exec default group radius local
aaa accounting update periodic 60
aaa accounting exec default start-stop group radius
username admin password ...
radius-server host 172.17.172.17 auth-port 1812 acct-port 1813 key ...

New Member

Re: Radius Support for AAA

Got all that, the only problem is the "radius-server" command is still not available.

kka
New Member

Re: Radius Support for AAA

What exact model and IOS-version are you using?

Cisco Employee

Re: Radius Support for AAA

Not sure what the minimal software version is (it won't hurt to go to the latest available version anyway), but these switches do support radius.

cfr. http://www.cisco.com/en/US/docs/switches/lan/catalyst2900xl_3500xl/release12.0_5_wc5/swg/swsyst.html#wp1097321

What made you think they do not?

New Member

Re: Radius Support for AAA

Thanks, I'll have a look!

kka
New Member

Re: Radius Support for AAA

For the 3500XL use at least 12.0(5)WC11. It's important to supply "Service-Type = Administrative-User" in the Access-Accept (not necessary on routers with IOS >= 12.3).

The following test entries are for FreeRADIUS and work with 3500XL [12.0(5)WC1x] and 3550 [12.2]:

lvl15   Auth-Type := Local, User-Password == 'geheim'
        Service-Type = Administrative-User,
        cisco-avpair = "shell:priv-lvl=15"

lvl1    Auth-Type := Local, User-Password == 'geheim'
        Service-Type = Administrative-User,
        cisco-avpair = "shell:priv-lvl=1"
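Added example, not part of the post above and not Cisco or FreeRADIUS code: a Python decoder for a RADIUS Access-Accept that reports whether the reply carries the Service-Type and the cisco-avpair privilege level the post describes, useful for checking what a server actually returns. The helper names and the sample packet built by `build_accept` are constructed for illustration; attribute numbers are from RFC 2865 and Cisco's vendor ID 9.

```python
import struct

ACCESS_ACCEPT = 2                      # RADIUS packet code (RFC 2865)
SERVICE_TYPE, ADMINISTRATIVE = 6, 6    # attribute type 6, value 6 = Administrative
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def build_accept(service_type=None, avpairs=()):
    """Build a constructed Access-Accept (zeroed authenticator, sample data only)."""
    body = b""
    if service_type is not None:
        body += attr(SERVICE_TYPE, struct.pack("!I", service_type))
    for pair in avpairs:
        sub = attr(CISCO_AVPAIR, pair.encode())
        body += attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

def parse_accept(packet):
    """Return (service_type, [cisco-avpair strings]) from an Access-Accept."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    service_type, avpairs, pos = None, [], 20
    while pos < length:
        # Reject truncated headers and lengths that run past the packet.
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and 2 <= vlen <= len(value) - 4:
                avpairs.append(value[6:4 + vlen].decode("ascii", "replace"))
        pos += alen
    return service_type, avpairs

def exec_privilege(packet):
    """Summarise what the reply carries for exec authorization."""
    service_type, avpairs = parse_accept(packet)
    level = None
    for pair in avpairs:
        prefix, _, val = pair.partition("=")
        if prefix == "shell:priv-lvl" and val.isdigit():
            level = int(val)
    return {"administrative": service_type == ADMINISTRATIVE, "priv_lvl": level}
```
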

Hall of Fame Super Silver

Re: Radius Support for AAA

This link posted by Herbert does claim that at least some versions of code (specifically 12.0(5)WC4 and 12.0(5)WC5) do support Radius:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2900xl_3500xl/release12.0_5_wc5/swg/swsyst.html#wp1097321

The version of code that they are running (12.0(5)WC3b) pretty clearly does not support Radius.

HTH

Rick

New Member

Re: Radius Support for AAA

Thanks to all who responded.

Just to reiterate Rick's post, in case someone else finds themself in the same situation, the version we are running (12.0(5)WC3b) does not support Radius.
