Where to start configure radius with cisco devices

u346874_2
Level 1

Any good hints/links to information on how to start doing authentication with a Microsoft IAS server?

Now we use SSH to connect to our devices, but now we need to start using AAA. Our devices are Cisco 3500, 4500 and 6500 series devices. Pictures, configuration examples, anything is needed now.

Thanks

Juha

9 Replies

Jagdeep Gambhir
Level 10

Juha,

Here are the IOS commands for setting up AAA,

Router(config)# username [username] password [password]

radius-server host [ip]

radius-server key [key]

aaa new-model

aaa authentication login default group radius local

Guidelines for Placing Radius in the Network,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a0080092567.shtml

Configuring RADIUS

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7ab.html#1000872

Hope that helps.

Regards,

~JG

Please rate helpful posts

Thanks JG

I have set up the router with the commands and I can see from a sniffer that my router sends an Access-Request 4 times to the MS IAS server, but no response comes back. My settings are now:

aaa new-model

aaa authentication login default group radius none

radius-server host 10.x.x.x auth-port 1645 acct-port 1646

radius-server source-ports 1645-1646

radius-server key mykey

radius-server vsa send authentication

The MS IAS server is set to communicate with MS AD. I have set up the RADIUS client (the Cisco device) and a remote access policy in MS IAS, but no response comes from it when I try to connect via VLAN to my device. I found one piece of advice on how to set up MS IAS, but I am not sure it is OK. Any idea where to find advice on what attributes and settings have to be set in the MS IAS server so that I can log in to my device with RADIUS authentication?

Thanks

Juha

Juha,

This doc will help you.

Regards,

~JG

Thanks.

That was a very good PDF document. Now I can use RADIUS and MS IAS successfully. Only one thing I can't understand: I can only use the PAP protocol. If I try to use any other, authentication fails. Usernames will be sent in the clear. Is it really so that Cisco devices do not support any other authentication protocol? Fortunately the password is not in clear text because of the shared secret.

Juha

Juha,

The issue is not with Cisco. Telnet sessions use PAP password authentication. For this reason, IAS authentication works with a PAP password and fails for other password authentication attempts.

PAP password authentication sends the username in clear text and the password encrypted.

For other sessions like PPP, we can specify password authentication methods such as CHAP or MS-CHAP.

Regards,

~JG

OK

Thanks

Normally we use SSH when connecting to a device. My test device is now configured for Telnet.

Is SSH able to use those more secure methods?

Juha

It provides high confidentiality and integrity of data.

Is there any document explaining how that algorithm works (when using that shared secret with PAP)? Our security people are not pleased because of the PAP protocol. I could not find out how the password is encrypted.

Juha

Juha,

The password is encrypted using an MD5 hash when passed between the router and RADIUS, and they use the shared secret as part of that hash. The RFCs can explain it a lot better than I can.

http://www.ietf.org/rfc/rfc2865.txt

Hope that helps

Regards,

~JG
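The User-Password hiding JG refers to, worked through as an added example (not code from the thread, Cisco or Microsoft): RFC 2865 section 5.2 XORs each 16-octet block of the NUL-padded password with MD5(shared secret + Request Authenticator) for the first block and MD5(shared secret + previous ciphertext block) for the rest. The shared secret "mykey" is taken from Juha's configuration above; the password and authenticator values are constructed.

```python
"""RFC 2865 section 5.2 User-Password hiding (constructed example, not from
the thread). Shows how a RADIUS client hides a PAP password using the shared
secret and the 16-octet Request Authenticator, and how the server reverses it."""
import hashlib
import os

BLOCK = 16  # MD5 digest length; the password is NUL-padded to a multiple of this


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Build the User-Password attribute value for an Access-Request.
    c1 = p1 XOR MD5(S + RequestAuthenticator); c_n = p_n XOR MD5(S + c_{n-1}).
    The hiding is only as strong as the shared secret S and the freshness of
    the Request Authenticator, so both deserve care in a deployment."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * ((-len(password)) % BLOCK)
    out, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        chunk = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out += chunk
        prev = chunk  # next keystream block is keyed by this ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo hide_password and strip the NUL padding."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        chunk = hidden[i:i + BLOCK]
        out += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    secret = b"mykey"                  # the shared secret from the thread's config
    authenticator = os.urandom(BLOCK)  # the client picks a fresh one per request
    hidden = hide_password(b"correct horse battery", secret, authenticator)
    print("User-Password attribute value:", hidden.hex())
    assert reveal_password(hidden, secret, authenticator) == b"correct horse battery"
```

Because the keystream depends only on the secret and the authenticator, a weak or widely shared secret is the real exposure here, not the MD5 step itself; rotate it and keep it unique per client where possible.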