Cisco Support Community
Community Member

Authenticating via RADIUS on IOS

I have entered the following configs in my Catalyst 3750s but get access denied when I try to authenticate via RADIUS. I need to verify my IOS configs before checking RADIUS.

s1(config)#aaa new-model
s1(config)#aaa authentication login default group radius local
s1(config)#radius-server host 10.1.1.254 auth-port 1645 acct-port 1646 key Password
s1(config)#username localaccount password password123

5 REPLIES

Re: Authenticating via RADIUS on IOS

Have you configured the Radius server correctly with the 3750 as a client with the correct key? Is the 3750 routing or just layer-2? If it's routing you should tie the radius requests to a source interface with the command 'ip radius source-interface x/x'.

What you have entered should gain you access as long as the radius server is configured correctly. It might be worth looking in the radius servers logs and turning on some debug on the 3750.

HTH

Andy

Community Member

Re: Authenticating via RADIUS on IOS

It is routing, and I will source it from the loopback interface.

Is there a command I need to input for exec authentication?

Thanks

Re: Authenticating via RADIUS on IOS

You can enable exec 'authorization' with the command 'aaa authorization exec default group xxxxx'. This then assumes your Radius server will send a Cisco AV Pair ('shell:priv-lvl=XX') to set the privilege level of the user. You can still get to a higher privilege level with the 'enable' command; however, another Radius login is sent if you do this, with a username of '$enab15$' (for level 15).

My current Radius Template I use for IOS devices is this:

! server group used by every method list below; requests are sourced from Loopback0
aaa group server radius Radius-Servers
 server 10.10.10.10 auth-port 1812 acct-port 1813
 server 10.10.20.10 auth-port 1812 acct-port 1813
 ip radius source-interface Loopback0
!
! authentication: servers first, then the local fallbacks
aaa authentication login default group Radius-Servers local line
aaa authentication enable default group Radius-Servers enable
aaa authentication dot1x default group Radius-Servers
! authorization: exec level comes from the server's shell:priv-lvl AV pair
aaa authorization console
aaa authorization exec default group Radius-Servers if-authenticated
aaa authorization network default group Radius-Servers
! accounting
aaa accounting dot1x default start-stop group Radius-Servers
aaa accounting exec default start-stop group Radius-Servers
aaa accounting network default start-stop group Radius-Servers
aaa accounting system default start-stop group Radius-Servers
!
! per-server shared keys must match what the RADIUS server has for this client
radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key cisco
radius-server host 10.10.20.10 auth-port 1812 acct-port 1813 key cisco
!

I am using MS IAS for Radius and I have various policies defined that check for different attributes depending on the authentication type - i.e. Console/Terminal access, VPN, Wireless 802.1x, Wired 802.1x and WEB Proxy-Authentication.

HTH

Andy

Please rate useful posts.
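Two of Andy's points above, that the shared key on the 3750 must match what the RADIUS server holds for that client, and that exec authorization expects the server to return a cisco-avpair of the form 'shell:priv-lvl=N', can both be seen in the RFC 2865 packet format itself. The following is an added example written for this page, not code from the thread, from Cisco IOS or from MS IAS; the secret, user name, password and packet identifier are constructed placeholders.

```python
"""RADIUS Access-Request / Access-Accept helpers following the RFC 2865 framing.

Added example, not code from the thread. All values used in demo() are
constructed placeholders.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # cisco-avpair is VSA type 1 under vendor 9


def _attr(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password. With the wrong secret the result is garbage,
    which is how a server ends up rejecting a client whose key does not match."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth=None):
    """Code, Identifier, Length, 16-byte Request Authenticator, then attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret):
    """What the NAS does with an Accept/Reject: recompute the Response Authenticator
    with its own copy of the key and drop the reply if it does not match."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def cisco_avpair(text):
    """Vendor-Specific (26) carrying vendor 9 / type 1, i.e. a cisco-avpair string."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def iter_attributes(payload):
    """Walk the TLV list after the 20-byte header, refusing malformed lengths."""
    pos = 0
    while pos + 2 <= len(payload):
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("malformed attribute")
        yield attr_type, payload[pos + 2:pos + length]
        pos += length


def priv_level(response):
    """Privilege level carried as shell:priv-lvl=N in a cisco-avpair, or None if absent."""
    for attr_type, value in iter_attributes(response[20:]):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        vtype, vlen = value[4], value[5]
        if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
            text = value[6:4 + vlen].decode("ascii", "replace")
            if text.startswith("shell:priv-lvl="):
                return int(text.split("=", 1)[1])
    return None


def demo():
    """Constructed exchange: accept with priv-lvl 15, checked with the right and a wrong key."""
    secret = b"cisco"
    req = build_access_request(7, b"localaccount", b"password123", secret)
    acc = build_response(ACCESS_ACCEPT, req, secret, cisco_avpair(b"shell:priv-lvl=15"))
    return verify_response(acc, req, secret), verify_response(acc, req, b"wrongkey"), priv_level(acc)


if __name__ == "__main__":
    print(demo())
```

The point for troubleshooting: a key mismatch never shows up as a clean error message on the wire. The server decodes a User-Password that matches nothing and sends an Access-Reject (or says nothing), and a reply signed with the wrong key fails verify_response on the switch and is discarded, so the symptom on the 3750 is simply a failed or timed-out login. That is why comparing the client entry on the server with the 'radius-server host ... key' line is the first check.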

Community Member

Re: Authenticating via RADIUS on IOS

Andy,

This is what I posted to the IOS, and I receive authorization failed. I only want to pass to radius on vty 0 4. I have also locked myself out and will reboot tonight.

aaa new-model
radius-server host 10.0.22.208 auth-port 1645 acct-port 1646 key cisco
ip radius source-interface Vlan40
aaa authentication login TRAuthList group radius local

Re: Authenticating via RADIUS on IOS

You are probably going to have to post a bit more of the config....

After you have rebooted, console or telnet in and set the exec-timeout to 0 so you don't get logged out automatically; you should then be able to debug what is going on by telnetting into the switch a second time.

Are you trying this via telnet or the console? By default the console does not perform authorization automatically (you need to enter 'enable'). This can be overridden with the hidden global command 'aaa authorization console'. I am not sure this is your issue, though.

HTH

Andy
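The last two posts turn on how named method lists are defined and applied: a list such as TRAuthList does nothing until a line references it with 'login authentication', a line without that reference uses 'default', and a list whose only method is a server group leaves no way in when the servers are down. The checker below is an added example for this page, not a Cisco tool and not code from the thread; SAMPLE_CONFIG is constructed (it borrows the shape of the poster's snippet and adds invented line blocks), and the finding codes are names chosen here.

```python
"""Lint for IOS AAA login method lists.

Added example, not from the thread. SAMPLE_CONFIG is constructed for the demo.
"""

# Methods that can answer a login without a reachable RADIUS/TACACS+ server.
LOCAL_METHODS = {"local", "local-case", "enable", "line", "none"}

SAMPLE_CONFIG = """\
aaa new-model
radius-server host 10.0.22.208 auth-port 1645 acct-port 1646 key cisco
ip radius source-interface Vlan40
aaa authentication login TRAuthList group radius local
aaa authentication login CONSOLE group radius
!
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication NOSUCHLIST
line vty 5 15
 transport input ssh
"""


def parse_aaa(text):
    """Return (aaa_new_model, {list_name: [methods]}, {line_block: list_name or None})."""
    new_model = False
    lists = {}
    lines = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                       # child of the current 'line' block
            words = raw.split()
            if current is not None and words[:2] == ["login", "authentication"]:
                lines[current] = words[2]
            continue
        current = None                                # back at global config level
        words = raw.split()
        if words == ["aaa", "new-model"]:
            new_model = True
        elif words[:3] == ["aaa", "authentication", "login"] and len(words) > 4:
            lists[words[3]] = words[4:]
        elif words[0] == "line":
            current = " ".join(words[1:])
            lines.setdefault(current, None)           # None = inherits 'default'
    return new_model, lists, lines


def audit(text):
    """Return (code, subject) findings worth settling before the config goes live."""
    new_model, lists, lines = parse_aaa(text)
    findings = []
    if lists and not new_model:
        # IOS does not accept 'aaa authentication' until 'aaa new-model' is set
        findings.append(("no-new-model", "aaa new-model"))
    applied = set(lines.values())
    for name, methods in lists.items():
        if name != "default" and name not in applied:
            findings.append(("unused-list", name))
        if "group" in methods and not LOCAL_METHODS & set(methods):
            findings.append(("no-fallback", name))
    for block, name in lines.items():
        if name is None and "default" not in lists:
            findings.append(("no-default-list", block))
        elif name not in (None, "default") and name not in lists:
            findings.append(("undefined-list", f"{block}:{name}"))
    return findings


if __name__ == "__main__":
    for code, subject in audit(SAMPLE_CONFIG):
        print(f"{code:16} {subject}")
```

On the sample the checker reports TRAuthList as defined but unused, CONSOLE as having no fallback, vty 0 4 as pointing at a list that does not exist, and vty 5 15 as relying on a 'default' list that was never defined. One caveat when reading the 'no-fallback' result: IOS moves to the next method in a list only when the previous one returns an error (no server answered), not when a server returns a reject, so 'group radius local' protects against an unreachable server but not against a wrong key or a policy mismatch on the server.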
