Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
590
Views
0
Helpful
4
Replies

Restrict users who can telnet/console via radius

rickd12345
Level 1
Level 1

‎05-31-2006 01:27 PM

Hi,

I am in the process of setting up radius authentication on all our routers and switches. I have configured an account on the radius server but I want to restrict access to the router to this one account only. At present any user on the radius server can log on as long as he has the correct credentials. How can I make sure that only this one users credentials allows access to the router ?

Can I do this within the IOS or is there something within AD/IAS (radius) on the authentication server ?

Any suggestions appreciated....

Labels:
0 Helpful
4 Replies 4

vladrac-ccna
Level 5
Level 5

‎06-01-2006 04:21 AM

Hello Rick

I believe you are asking for a using Radius authentication on your line access to your routers.

Could you try AAA:

radius-server host IP-of-the-radius-server

radius-server key myRaDiUSpassWoRd

aaa new-model

aaa authentication default line group radius

line vty 0 4

login authentication default

check a good link:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part05/ch05/schathen.htm#wp1001032

HTH,

if it does, please rate my post,

thanks,

Vlad

0 Helpful

rickd12345
Level 1
Level 1
In response to vladrac-ccna

‎06-01-2006 07:19 AM

Thanks fot the reply,

I do not have a problem with getting radius up and running, it is already working ok. What i want to do is limit the users who can log on (telnet on to the cisco etc )via radius. by this i mean there may be 250 valid dialin users but i only want to let a small number have the ability to log on to the cisco devices. the remainder should just be able to authenticate on to the domain as normal but they cant use their usernames and password to authenticate in to the cisco device itself,

cheers

richard

0 Helpful

vladrac-ccna
Level 5
Level 5
In response to rickd12345

‎06-03-2006 05:00 AM

Hello,

So, maybe what you need is to set the correct authorization?

I believe you can restric user exec shell using this authorizatin.

I never configured the RADIUS server itself, but is there a way to change authorization per user?

Vlad

0 Helpful

thomuff
Level 3
Level 3

‎06-05-2006 11:11 AM

I would say it is a configuration on your AD/IAS radius server because the radius server should be setting the exec level allowing or disallowing acess, etc..

Might have to assign a reserved IP address to the one account and then configure your routers/switches with access-list allowing that IP address

Also, here is a link that might help

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a8.html#30518

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents