RADIUS authentication question

bryan.lofland
Level 1

Hello all,

I am trying to use my normal Active Directory username to authenticate to my switches. I currently have a RADIUS server setup (Microsoft IAS 2003). I know that it works because my VPN concentrator uses it to authenticate people. I am unable to login to my switch with the following configuration:

aaa new-model
aaa group server radius RADIUS
 server 10.101.64.14 auth-port 1645 acct-port 1646
!
aaa authentication login use-radius group radius local
aaa authentication login localuser local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
...
radius-server host 10.x.64.14 auth-port 1645 acct-port 1646 key xxx
radius-server source-ports 1645-1646

The logs on my server don't even show that a request was attempted, which leads me to believe that I have a misconfiguration somewhere. I can only authenticate using the localuser user account and none from my domain. Is there something I need to change or do on the AD side of things to tell the switch to allow my AD account to authenticate to it? Does my configuration look good? I know the key is correct as well.

Thanks,

Bryan

20 Replies

Bryan

I hope that we can get this resolved. I do not want to be overly picky, but I still am getting some ambiguity about what you want it to do. First you say:

"What I am expecting is the AAA should use RADIUS primarily and if that is unavailable to then use local accounts"

and you say that this is working. But then you say:

"What if I want to use the local account "dharmacon" to login instead of my AD account"

The local account will function as a backup if the router cannot get to the Radius server. But as long as the router can get to the Radius server it will not use the local account.

Perhaps part of the issue is who will determine if it is time to fall back. You do not decide "this time I would like to use my local account" but the router will decide that if it has attempted to authenticate with Radius and the server is not available then it will choose to fall back to the local account.

I have a couple of comments about the AAA in the config that you posted.

As configured the console will authenticate with this line (the default method):

aaa authentication login default group radius local

and the vty lines will authenticate with this line:

aaa authentication login RADIUS group radius local

I do not see anything in the config that uses the line:

aaa authentication login dharmacon local

and I do not see any line for authentication of enable mode.

I am glad to see that you added the if-authenticated to the authorization line.

HTH

Rick

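As an added example (not from the thread or from Cisco), here is a small Python audit that finds the method-list problems Rick walks through above: a named login list that is defined but applied to no line, no default login list (with aaa new-model and no default list, IOS checks only the local user database, so no request ever reaches the RADIUS server), and no enable-mode authentication list. Both configurations are constructed for the example; the address and key are the thread's own placeholders.

```python
import re
from typing import Dict, List, Set

# Constructed sample modelled on the AAA fragment posted in the thread (address and key kept as placeholders).
BROKEN_CONFIG = """\
aaa new-model
aaa group server radius RADIUS
 server 10.101.64.14 auth-port 1645 acct-port 1646
aaa authentication login use-radius group radius local
aaa authentication login localuser local
aaa authorization exec default local
radius-server host 10.x.64.14 auth-port 1645 acct-port 1646 key xxx
line vty 0 4
"""

# Constructed corrected version: RADIUS primary, local fallback, list applied to the vty lines, enable list added.
FIXED_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login RADIUS group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local if-authenticated
radius-server host 10.x.64.14 auth-port 1645 acct-port 1646 key xxx
line vty 0 4
 login authentication RADIUS
"""

def audit_aaa(config: str) -> List[str]:
    """Return findings for AAA login/enable method lists that will never be exercised."""
    login_lists: Dict[str, str] = {}   # list name -> method string
    applied: Set[str] = set()          # names referenced by 'login authentication' under a line
    has_enable_list = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa authentication login (\S+) (.+)$", line):
            login_lists[m.group(1)] = m.group(2)
        elif line.startswith("aaa authentication enable "):
            has_enable_list = True
        elif m := re.match(r"login authentication (\S+)$", line):
            applied.add(m.group(1))
    findings = []
    if "default" not in login_lists:
        # With aaa new-model and no default login list, IOS checks only the local user database.
        findings.append("no default login list: lines without 'login authentication' use local only, RADIUS is never contacted")
    for name, methods in login_lists.items():
        if name != "default" and name not in applied:
            findings.append(f"login list '{name}' ({methods}) is defined but applied to no line")
    if not has_enable_list:
        findings.append("no 'aaa authentication enable' list: enable mode relies on the enable password alone")
    return findings
```

Run `audit_aaa(BROKEN_CONFIG)` to see the four findings that match the thread's diagnosis; the corrected configuration returns none.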

I appreciate your help! I was mistaken about the definition of "falling back". I was thinking that even if the RADIUS server was up I could still use the local login but that is not the case. I have removed the:

aaa authentication login dharmacon local

line because of its lack of use. I haven't added any line about authentication of enable mode because I don't know what that would get me? When I type en at the prompt I am prompted for a password and it lets me in, so I assumed that that was good enough.

So as I understand it and as I have it configured RADIUS is used anytime I login UNLESS it is unavailable and THEN local authentication is used.

Thanks

Bryan

I think that you now have the correct understanding of the fall back logic of AAA and Radius server. It is one OR the other at any point in time and the primary (in our discussion primary is Radius) will be used when it is available.

If you are satisfied to have everyone access enable mode by entering the enable password, then what you have in the configuration works ok. I suggested configuring aaa authentication for enable because I think that it gives you more control. You can configure enable authentication similar to login authentication so that it will go to the Radius server as primary and use the local enable password as a backup. Going to the Radius server means that you can configure at the individual level who should have enable access, gives you an option to periodically force change in passwords, and when someone leaves the organization it is easy to remove their enable access to all routers and switches without having to configure new enable passwords on all devices. It is certainly your choice to do it either way.

HTH

Rick


Thanks for the explanation(s) today. I will consider this a resolved issue as far as the initial issue goes.

What would I need to do to make only certain users have enable access via RADIUS? Is it something that is done on the switch/router or in AD?

Bryan

It has been a good discussion. I am glad that we have helped you achieve a better understanding. Thank you for the ratings and the resolved check mark.

Limiting users' enable access is not something that is done on the switch/router. I have done it using Cisco ACS. I assume that the capability also exists in Radius/AD. But I cannot give you specifics of how to do it there.

HTH

Rick


Thanks! I have no ACS server so if I get ambitious one of these days I might give it a try but until then I think the regular enable password will do! :)
