Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Restrict users who can telnet/console via radius

Hi,

I am in the process of setting up radius authentication on all our routers and switches. I have configured an account on the radius server but I want to restrict access to the router to this one account only. At present any user on the radius server can log on as long as he has the correct credentials. How can I make sure that only this one users credentials allows access to the router ?

Can I do this within the IOS or is there something within AD/IAS (radius) on the authentication server ?

Any suggestions appreciated....

4 REPLIES

Re: Restrict users who can telnet/console via radius

Hello Rick

I believe you are asking for a using Radius authentication on your line access to your routers.

Could you try AAA:

radius-server host IP-of-the-radius-server

radius-server key myRaDiUSpassWoRd

aaa new-model

aaa authentication default line group radius

line vty 0 4

login authentication default

check a good link:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part05/ch05/schathen.htm#wp1001032

HTH,

if it does, please rate my post,

thanks,

Vlad

New Member

Re: Restrict users who can telnet/console via radius

Thanks fot the reply,

I do not have a problem with getting radius up and running, it is already working ok. What i want to do is limit the users who can log on (telnet on to the cisco etc )via radius. by this i mean there may be 250 valid dialin users but i only want to let a small number have the ability to log on to the cisco devices. the remainder should just be able to authenticate on to the domain as normal but they cant use their usernames and password to authenticate in to the cisco device itself,

cheers

richard

Re: Restrict users who can telnet/console via radius

Hello,

So, maybe what you need is to set the correct authorization?

I believe you can restric user exec shell using this authorizatin.

I never configured the RADIUS server itself, but is there a way to change authorization per user?

Vlad

New Member

Re: Restrict users who can telnet/console via radius

I would say it is a configuration on your AD/IAS radius server because the radius server should be setting the exec level allowing or disallowing acess, etc..

Might have to assign a reserved IP address to the one account and then configure your routers/switches with access-list allowing that IP address

Also, here is a link that might help

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a8.html#30518

293
Views
0
Helpful
4
Replies
CreatePlease to create content