
New Member

rsa/ace server radius authentication

Hi ,

I am in the process of setting up Cisco routers/switches to authenticate to an RSA/ACE RADIUS server. Basically I would like it to work as follows.

SSH/Telnet to router/switch. I have the ACE side configured. I have added the necessary users to the authenticate list on the agent host.

Username: joebloggs

Password: (RSA SecurID token here). Do I have to authenticate then using the enable password, or what is best practice here?

router>en

router#

I have the following lines added so far and need some help on the aaa authentication, as there seem to be a lot of options.

aaa new-model
aaa authentication banner # Connection to this device is for authorized users only #
aaa authentication fail-message # You are not authorized to log on to this device #
radius-server host x.x.x.x auth-port 1645 acct-port 1813
radius-server retransmit 3
radius-server key xxxxxx

2 REPLIES
Hall of Fame Super Silver

Re: rsa/ace server radius authentication

francis

If you want users who telnet/SSH to vty ports or who are on the console to authenticate with the RADIUS server you should add something like this to your configuration:

aaa authentication login default group radius line

This will send an authentication request to the configured radius server and if there is an error from the radius server (this is different from a negative response) then the router will authenticate using the configured line password. This will work for both telnet and SSH connections and for login from the console.

You are correct that there are quite a few optional parameters. These are to allow flexibility in what is the primary authentication method and what (if any) fallback methods you wish to use.

From user mode going to enable mode you could configure the router to use the enable password/enable secret or you can configure it to use radius. I believe that best practice is to use radius rather than the local enable password/enable secret.

aaa authentication enable default group radius enable

HTH

Rick

New Member

Re: rsa/ace server radius authentication

Rick, thanks for the reply but I still have a problem. I have the below now on the router. Do I need to add anything on the vty / console lines? I have just myself on the ACE side of things set up for testing.

Some questions.

What is the default authentication list ?

Also I currently have a local database username and password setup on the router with the login local command applied to vty and console lines.

If I just want to authenticate one user, e.g. myself (xxx), can I just put this in instead of 'default'?

aaa new-model
aaa authentication login default group radius line
aaa authentication enable default group radius enable
radius-server host x.x.x.x auth-port 1645 acct-port 1813
radius-server retransmit 3
radius-server key xxxxx

thanks
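Added example, not from either poster: the AAA configuration Rick describes, with the method lists applied to the console and vty lines and the error-versus-reject fallback behaviour spelled out in the comments. The server address, the secrets, the local username and the list name VTY-RADIUS are placeholders.

```cisco
! Added example, not from the thread. 192.0.2.10, the secrets, the local
! username and the list name VTY-RADIUS are placeholders / assumptions.
aaa new-model
!
! "default" is the method list IOS applies to every line that has no
! named list assigned. Methods are tried left to right; the next method
! is consulted only when the RADIUS server does not answer (ERROR),
! never when it returns Access-Reject (FAIL), so a rejected token
! cannot be bypassed by the line password.
aaa authentication login default group radius line
!
! Enable via RADIUS: IOS sends the username $enab15$ for this request,
! so the RADIUS/ACE side needs an entry for it or the request is
! rejected and the local enable secret is never consulted.
aaa authentication enable default group radius enable
!
! A named list lets one set of lines use a different fallback
! (here: the local username database instead of the line password).
! Method lists are applied per line, not per user.
aaa authentication login VTY-RADIUS group radius local
!
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key <shared-secret>
!
! Fallback credentials must exist, or the fallback methods cannot succeed.
enable secret <enable-secret>
username admin secret <local-password>
!
line con 0
 password <line-password>
 login authentication default
line vty 0 4
 login authentication VTY-RADIUS
 transport input ssh
```

Verify with `debug radius` and `test aaa group radius <user> <token> new-code` before relying on the fallback, and confirm that a deliberately wrong token is rejected rather than falling through.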
