05-31-2006 01:27 PM
Hi,
I am in the process of setting up radius authentication on all our routers and switches. I have configured an account on the radius server but I want to restrict access to the router to this one account only. At present any user on the radius server can log on as long as he has the correct credentials. How can I make sure that only this one user's credentials allow access to the router?
Can I do this within the IOS or is there something within AD/IAS (radius) on the authentication server?
Any suggestions appreciated....
06-01-2006 04:21 AM
Hello Rick
I believe you are asking about using Radius authentication on your line access to your routers.
Could you try AAA:
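! RADIUS server address and shared secret
radius-server host IP-of-the-radius-server
radius-server key myRaDiUSpassWoRd
! Enable AAA and define the default login method list
aaa new-model
aaa authentication login default line group radius
! Apply the method list to the VTY lines
line vty 0 4
 login authentication default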
check a good link:
HTH,
if it does, please rate my post,
thanks,
Vlad
06-01-2006 07:19 AM
Thanks for the reply,
I do not have a problem with getting radius up and running, it is already working ok. What I want to do is limit the users who can log on (telnet on to the cisco etc.) via radius. By this I mean there may be 250 valid dialin users but I only want to let a small number have the ability to log on to the cisco devices. The remainder should just be able to authenticate on to the domain as normal but they can't use their usernames and passwords to authenticate in to the cisco device itself,
cheers
richard
06-03-2006 05:00 AM
Hello,
So, maybe what you need is to set the correct authorization?
I believe you can restrict user exec shell using this authorization.
I never configured the RADIUS server itself, but is there a way to change authorization per user?
Vlad
06-05-2006 11:11 AM
I would say it is a configuration on your AD/IAS radius server because the radius server should be setting the exec level allowing or disallowing access, etc..
Might have to assign a reserved IP address to the one account and then configure your routers/switches with access-list allowing that IP address
Also, here is a link that might help
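The IOS side of the approach discussed in this thread, as an added example that is not part of any poster's reply: login authentication plus EXEC authorization, both deferred to RADIUS. It assumes the RADIUS server's policy for requests coming from the routers accepts only the permitted account or group and rejects everyone else; the server address, secrets and the local account name are placeholders.

```cisco
! Added example, not from the thread. 192.0.2.10, <shared-secret>,
! <local-secret> and the account name "fallback" are placeholders.
aaa new-model
!
! Local account, used only when the RADIUS server does not respond.
username fallback privilege 15 secret <local-secret>
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
!
! Authentication: credentials are checked by RADIUS. The local database
! is consulted only if the server is unreachable, not after an
! Access-Reject, so a rejected user cannot fall through to "local".
aaa authentication login default group radius local
!
! Authorization: before an EXEC shell is started, IOS evaluates the
! attributes returned by RADIUS for this user.
! Assumption (server side): the policy matching the routers as RADIUS
! clients accepts only the permitted account or group, returns a
! Service-Type of Login or Administrative, and may also return
! cisco-av-pair "shell:priv-lvl=15" to set the privilege level.
! All other domain users get an Access-Reject for these clients while
! still authenticating normally for dial-in.
aaa authorization exec default group radius local
!
line vty 0 4
 login authentication default
 authorization exec default
```

Keep an existing session open while testing, and confirm that both a permitted and a non-permitted account behave as expected before closing it.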