rsa/ace server radius authentication

FrancisHoban
Level 1

Hi ,

I am in the process of setting up Cisco routers/switches to authenticate to an RSA/ACE RADIUS server. Basically I would like it to work as follows.

SSH/Telnet to the router/switch. I have the ACE side configured. I have added the necessary users to the authentication list on the agent host.

Username: joebloggs

Password: (RSA SecurID token here)

Do I have to authenticate then using the enable password, or what is best practice here?

router>en

router#

I have the following lines added so far and need some help on the AAA authentication, as there seem to be a lot of options.

aaa new-model
aaa authentication banner # Connection to this device is for authorized users only #
aaa authentication fail-message # You are not authorized to log on to this device #
radius-server host x.x.x.x auth-port 1645 acct-port 1813
radius-server retransmit 3
radius-server key xxxxxx

2 Replies

Richard Burts
Hall of Fame

Francis,

If you want users who telnet/SSH to vty ports or who are on the console to authenticate with the RADIUS server, you should add something like this to your configuration:

aaa authentication login default group radius line

This will send an authentication request to the configured RADIUS server, and if there is an error from the RADIUS server (this is different from a negative response) then the router will authenticate using the configured line password. This will work for both telnet and SSH connections and for login from the console.

You are correct that there are quite a few optional parameters. These are to allow flexibility in what is the primary authentication method and what (if any) fall back methods you wish to use.

From user mode going to enable mode, you could configure the router to use the enable password/enable secret, or you can configure it to use RADIUS. I believe that best practice is to use RADIUS rather than the local enable password/enable secret.

aaa authentication enable default group radius enable

HTH

Rick
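
A complete configuration built from Rick's two method lists, added here as an editor's example and not something posted in the thread. It fills in the line-level pieces Rick's two lines assume: a vty password for the `line` fallback, `login authentication` on the console and vty lines (under `aaa new-model` the plain `login`/`login local` line commands are replaced by `login authentication <list>`), and an `enable secret` for the `enable` fallback. The server address, shared secret and passwords are placeholders, exactly as in the question.

```cisco
! Editor's example, assembled from the two method lists in the reply above.
! x.x.x.x, xxxxxx and the <...> values are placeholders, as in the question.
aaa new-model
!
! Login: ask RADIUS (RSA SecurID passcode) first. The "line" method is only
! consulted when the RADIUS server errors or times out; an Access-Reject from
! the server does NOT fall through to the line password.
aaa authentication login default group radius line
!
! Enable: ask RADIUS first, fall back to "enable secret" only on server error.
! For enable authentication over RADIUS, IOS sends the username $enab15$,
! so that account has to exist on the RADIUS side.
aaa authentication enable default group radius enable
!
radius-server host x.x.x.x auth-port 1645 acct-port 1813
radius-server retransmit 3
radius-server key xxxxxx
!
! Fallback credentials that the two method lists reference.
enable secret <enable-secret>
!
line con 0
 login authentication default
!
line vty 0 4
 password <line-password>
 login authentication default
 transport input ssh
```

Two practical notes. First, keep an existing SSH session open while you apply this and test from a second session; if the method list is wrong you still have a way back in. `test aaa group radius <user> <passcode> new-code` lets you check the RADIUS exchange from the CLI (with `debug radius` if needed) before relying on it for login. Second, the `line` fallback means anyone holding the vty password gets in whenever the RADIUS server is unreachable, so treat that password as carefully as the RADIUS secret; a common alternative with the same fail-open behaviour for an unreachable server is `group radius local` with a `username <name> secret <password>` entry, which at least ties the fallback to a named account.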

Rick, thanks for the reply, but I still have a problem. I have the below now on the router. Do I need to add anything on the vty/console lines? I have just myself set up on the ACE side of things for testing.

Some questions.

What is the default authentication list?

Also, I currently have a local database username and password set up on the router, with the login local command applied to the vty and console lines.

If I just want to authenticate one user, e.g. myself (xxx), can I just put this in instead of 'default'?

aaa new-model
aaa authentication login default group radius line
aaa authentication enable default group radius enable
radius-server host x.x.x.x auth-port 1645 acct-port 1813
radius-server retransmit 3
radius-server key xxxxx

Thanks