Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Radius authentication help

Hello,

I'm am just working out how to set up radius authentication on our LAN to authenticate users.  I have build a Windows radius server based on this short but excellent tutorial:

http://aaronwalrath.wordpress.com/2010/06/22/install-windows-2008-r2-nps-for-radius-authentication-for-cisco-router-logins/

1.) I'm hoping to have 2 groups one for priv 5 and one for priv 15, I guess this is possible?

Anyway I can remotely access the first router I've configure using these settings:

username <usr-name> password <password> privilege 15

aaa new-model

aaa authentication login default group radius local

 

aaa accounting exec default start-stop group radius

aaa accounting system default start-stop group radius

radius-server host <ip-radius> auth-port 1812 acct-port 1813 key <secretkey>

radius-server vsa send accounting

radius-server vsa send authentication

I have a couple of questions:

2.)  I havent configure the line vty 0 4 or con 0 and I turned the Radius server off and I could still logon using that local username and password, how is this possible?

control-plane

!

!

line con 0

line aux 0

line vty 0 4

!

end

3.)  Is the Radius authentication sent in clear text or encrypted?

4.)  In your experience how have you configured Radius on routers and switches, I just want to make sure it is all encrypted and it will fail back to the local authentication should the radius server be offline?

Thanks

2 REPLIES

Radius authentication help

The configuration you posted is for users to login into your router. This is a service called "device administration". On the other hand you mentioned you want the LAN users to authenticate in order to access the LAN. This is a service called "network access".

So, if you want "device administration" it's recommended you use TACACS+. If you want "network access" it's recommended you use Radius. Particularly if you want your LAN users to access your network I will recomend you deploy IEEE 802.1x along with radius.

Now back to your config.

1.) I'm hoping to have 2 groups one for priv 5 and one for priv 15, I guess this is possible?

Yes that's possible but depends on your AAA server

2.)  I havent configure the line vty 0 4 or con 0 and I turned the Radius server off and I could still logon using that local username and password, how is this possible?

If you analyze the command "aaa authentication login default group radius local":

     the word "default" works with the default configuration of "line con" and "line vty"

     the word "radius" tells your router to use all your radius servers in order for a user to login into your router

     the word "local" after "radius" states that if all your radius servers are unavailable then the router will use the local database to authenticate the users. Remember the local database is built with  "username " commands.

So the behavior you mentioned is expected.

3.)  Is the Radius authentication sent in clear text or encrypted?

Radius only encrypts the password.  The remainder of the packet is unencrypted. On the other hand TACACS+ does encrypt all the packet.

4.)  In your experience how have you configured Radius on routers and switches, I just want to make sure it is all encrypted and it will fail back to the local authentication should the radius server be offline?

Your basic config is fine. More advanced config depends on your exact requirements. One detail, if you configure "username" don't use "username password " because it's not secure, you should use "username secret <".

Please rate if it helps. Kind regards.

New Member

Re: Radius authentication help

Hi,

Thanks for the detailed explaination.  I come from a background of only using telnet, SSH so not having to configure line vty or line con really confuses me.

1.) So using a radius server means configuring SSH is no longer required as authentication is done remotely?

2.) We don't currently have budget for a TACACS+ server, so how can I make the authentication and connection encrypted like in SSH?

3.) As I mentioned I am using radius for "device administration", for network access can I just use an access list?  If so how? As I normally add the access list to vty 0 4 for inbound connections?  I still need to only allow certain IP addresses access.

4.) Should I have an enable secret still as I want priv 15 and priv 5 (read only) users to log in?  If I login in with a user in either priv 15 or 5  (controlled on my radius server) I can enter the "enable" command and do what I want which defeats the object, if I remove the secret I get the error:

Test321>en

% Error in authentication.

5.) I thought radius could force you into a certain type of priv?  how do yo do it so you have differnt level's accessing plus need the local database to fail back to?

Thanks

Message was edited by: A. White

423
Views
0
Helpful
2
Replies
CreatePlease to create content