
RADIUS integration 1

Status
Not open for further replies.

debcu

Technical User
Sep 3, 2004
48
PL
Hello,
I'm using a Cisco Router 1721. I would like to use RADIUS for clients to access my network. What should I do (from the router's point of view) to enable RADIUS authentication? The IP of the RADIUS server is 10.39.222.10. Please write the full config for this service (step by step). Thanks a lot.

P.S.
When I try to enable RADIUS (my guide was an e-book) nothing happens, I mean:
when I try to use a dialup connection (I put in a wrong user name and password), the router allows me to enter the LAN (the router should deny access).
 
From Global config, type:

aaa new-model
aaa authentication password-prompt Password:
aaa authentication username-prompt Username:
aaa authentication login default group radius local
aaa authentication login LOCAL local
aaa authentication ppp default group radius local
aaa authentication ppp users group radius
aaa authorization network users group radius
aaa accounting network default start-stop group radius


The above sets all RADIUS authen, author, acct options you should need. Below is how to create a local user on the router in the event that you can't contact the RADIUS server:

username exec privilege 15 password xxxxxxx

Below is the entry for specifying your actual RADIUS server.

radius-server host XXX.XXX.XXX.XXX auth-port 1645 acct-port 1646 non-standard timeout 10 key xxxxxxxxxxxxxxx

Key = a shared key that is set up on your RADIUS server. I'm familiar with Windows IAS, but not so much the UNIX side. What are you using for the RADIUS server?
 
Hello,
thanks for the config, but as I see, you use local authentication on the first lines. I'm using RADIUS on a remote ISA Server. I would like to enable RADIUS but with authentication only from the remote RADIUS server.
Could you write me a new config?
 
The above config will do exactly that. The problem with your suggestion is that if your remote RADIUS server goes down, you cannot log in to your router at all.

The line that has local on it is in order of precedence, so for authentication, it checks RADIUS first, and then goes to LOCAL only if RADIUS fails. Unless you've got multiple RADIUS servers, I'd highly recommend having that local entry in there, along with the "username" command.

If you insist upon not having local enabled, then just go ahead and remove that word. That's the only change. However, I'd highly recommend configuring your console port for local in case you need to get in if your RADIUS server goes down, for example:

line con 0
session-timeout 60
password XXXXXXXXXXXXXXX
login authentication LOCAL
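As an added check that is not part of the thread, the small Python linter below parses an IOS-style config fragment and flags the lockout risks discussed above: a default login list with RADIUS but no local fallback, a local fallback with no privilege-15 user, RADIUS referenced without a radius-server host, and a console line whose method list cannot authenticate locally. The sample config is constructed from the answers' lines; the function names are my own.

```python
import re

# Constructed sample config assembling the answers' AAA, username, radius-server and console lines.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login LOCAL local
username exec privilege 15 password xxxxxxx
radius-server host 10.39.222.10 auth-port 1645 acct-port 1646 key xxxxxxxxxxxxxxx
line con 0
 login authentication LOCAL
"""

def parse_config(text):
    login_lists, radius_hosts = {}, []
    has_local_user, console_list, in_console = False, None, False
    for raw in text.splitlines():
        line = raw.strip()  # line-mode subcommands are indented by one space
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            name, methods = m.groups()
            # 'group radius' is a single method token; the rest are one word each
            login_lists[name] = re.findall(r"group \S+|\S+", methods)
        elif re.match(r"username \S+ privilege 15 ", line):
            has_local_user = True
        elif line.startswith("radius-server host "):
            radius_hosts.append(line.split()[2])
        elif line.startswith("line con "):
            in_console = True
        elif line.startswith("line "):
            in_console = False
        elif in_console and line.startswith("login authentication "):
            console_list = line.split()[2]
    return login_lists, has_local_user, radius_hosts, console_list

def lockout_findings(text):
    """Return the ways this config could lock an admin out when RADIUS is unreachable."""
    login_lists, has_local_user, radius_hosts, console_list = parse_config(text)
    findings, default = [], login_lists.get("default", [])
    if "group radius" in default and "local" not in default:
        findings.append("default login list has no local fallback after RADIUS")
    if any("group radius" in v for v in login_lists.values()) and not radius_hosts:
        findings.append("RADIUS referenced but no radius-server host configured")
    if any("local" in v for v in login_lists.values()) and not has_local_user:
        findings.append("local fallback used but no privilege-15 username exists")
    # With no explicit 'login authentication', the console uses the default list
    if "local" not in login_lists.get(console_list or "default", []):
        findings.append("console line cannot authenticate locally")
    return findings
```

Run it against the output of "show running-config" to confirm that removing the word local, as asked for above, really does leave no path into the router when the RADIUS server is down.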
 