Radius server question

Hello,

Before I start on a long journey of possibly setting up all our routers and switches to use a Radius server for authentication to a device, I have a couple of questions I hope someone would be kind enough to answer?

1.)   I don't really want to spend money on Radius software, can I use a Windows IAS Radius server?

2.)   If the above answer is yes can I create 2 Active Directory groups (LDAP) one for Priv 15 and one for read only access to routers or switches, is that Priv 5?

3.)   If the routers and switches can't access the Radius server will it fall back to the local username and passwords?

4.)   Is anyone aware of a step-by-step guide on setting this up?  I know how to install the Windows IAS Radius server, but it is the settings on the router/switch and the attributes within IAS.

Thanks

2 REPLIES

Radius server question

Andy,

1.)   I don't really want to spend money on Radius software, can I use a Windows IAS Radius server?

Yes you can...it's been many years since I set it up, but it's possible.

2.)   If the above answer is yes can I create 2 Active Directory groups (LDAP) one for Priv 15 and one for read only access to routers or switches, is that Priv 5?

Yes. You send class attributes back to the router with what priv-level you want like: shell:priv-lvl=5 or shell:priv-lvl=15

3.)   If the routers and switches can't access the Radius server will it fall back to the local username and passwords?

It will if you have it set up that way, but be careful about what you mean by 'access' the radius server. If the radius server responds at all, it won't roll over. The radius server really needs to be down (unreachable) for it to roll over. I've had to remove configurations from a radius server just to get a router to roll over to the next auth method. It will look like this in your router/switch though:

aaa authentication login default radius local

Radius first and then local if the radius server doesn't respond.

4.)   Is anyone aware of a step-by-step guide on setting this up?  I know how to install the Windows IAS Radius server, but it is the settings on the router/switch and the attributes within IAS.

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrdat1.html

HTH,

John


Radius server question

Only two nuggets in addition to John's excellent response:

1) You can also use FreeRADIUS...but if you have a Windows server already with IAS RADIUS then this may offer you no added benefit.  Just another option.

3) Just to further echo what John said here, the terminology on "accessing" the RADIUS server is very strict.  For example, if the router/switch and RADIUS server are accidentally misconfigured with pre-shared keys (if the keys do not match), the router/switch will deny access rather than fall back to a local user.

In short:  Test thoroughly before final deployment. 
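A worked IOS configuration that puts John's fallback ordering and the shared-key point from the second reply into one place. This is an added example, not a configuration from the thread or from Cisco's guide; the server address, loopback, local account name and the shared key are placeholders. It uses the `group radius` form of the method list, which is the current spelling of the `aaa authentication login default radius local` line John quoted.

```cisco
! Added example (not from the thread). Placeholders: 192.0.2.10, Loopback0,
! the local 'admin' account, SHARED-SECRET-PLACEHOLDER, LOCAL-PASSWORD-PLACEHOLDER.
aaa new-model
!
! Local account that is consulted only when no RADIUS server answers at all
username admin privilege 15 secret LOCAL-PASSWORD-PLACEHOLDER
!
! RADIUS server definition; the key here must match the shared secret entered
! for this client in IAS. A mismatched key does not make the server "unreachable":
! the server still responds (with a reject), so there is no fallback to 'local'.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SHARED-SECRET-PLACEHOLDER
radius-server timeout 3
radius-server retransmit 2
radius-server deadtime 5
ip radius source-interface Loopback0
!
! Try RADIUS first; 'local' is used only on timeout (no response from any server)
aaa authentication login default group radius local
!
! Apply the privilege level returned by IAS. On the IAS side this is a
! Vendor-Specific attribute with vendor code 9 (Cisco), vendor-assigned
! attribute number 1 (cisco-avpair), string value shell:priv-lvl=15 for the
! admin group and shell:priv-lvl=5 for the read-only group.
aaa authorization exec default group radius local if-authenticated
!
line vty 0 4
 login authentication default
 transport input ssh
```

Before pointing the vty lines at this method list, `test aaa group radius <user> <password> new-code` exercises the server path and the shared key from the device, and `show aaa servers` shows per-server request, reject and timeout counters, which is where a key mismatch (rejects climbing, timeouts at zero) is distinguishable from an unreachable server (timeouts climbing). Keep a console session logged in while you test so a reject on the vty path cannot lock you out.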
