    Design & Configure

    Radius AAA Configuration

    Technology: Management & Monitoring
    Area: AAA
    Title: Logging in to a device via RADIUS / AAA configuration
    Vendor: Cisco
    Software: 12.X , 15.X, IP Base, IP Services, LAN Base, LAN Light
    Platform: Catalyst 2960-X, Catalyst 3560

    To harden the network device itself, you can restrict who may open remote management sessions (VTY: SSH / Telnet) and console sessions by authenticating administrators against a central AAA server. In general there are two options:

    • connect device to Radius Server
    • connect device to TACACS+ server.

    The first method uses the RADIUS protocol to authenticate network administrators. RADIUS bundles authentication and authorization into a single exchange (Access-Request / Access-Accept): the privilege level and any other authorization attributes arrive in the same Access-Accept that confirms the credentials, and there is no separate message with which the device can ask, once the user is logged in, whether a given command is allowed. With RADIUS you therefore cannot authorize each command the administrator types. TACACS+ separates authentication from authorization, so the device can send an authorization request for every command an administrator enters and the server can grant or deny that particular command for that particular administrator. (A second difference worth knowing: RADIUS obfuscates only the User-Password attribute, whereas TACACS+ encrypts the whole packet body; both depend on a shared secret, and neither replaces carrying the traffic over a trusted management network.)

    However, RADIUS is the protocol used for 802.1X and for other applications such as URL redirection, VPN authentication, etc., so it is still the AAA protocol available in most organizations. To configure RADIUS for administrator login and authentication:


    Enable AAA (Authentication, Authorization, Accounting) methods:

    Router(config)# aaa new-model


    Define the RADIUS server group. KEY is a placeholder for the shared secret: type it in clear text with key 0 (IOS stores it as type 7, which is only reversibly obfuscated, so protect copies of the configuration). Pasting a literal key 7 KEY would be rejected, because a type 7 string must be the already-encoded hexadecimal form:

    Router(config)# aaa group server radius RADIUS-SERVERS
    ! two servers, 2 second timeout each before the next one / the next method is tried
    server-private 10.10.10.1 timeout 2 key 0 KEY
    server-private 10.10.10.2 timeout 2 key 0 KEY
    !

    Define the authentication, authorization and accounting method lists. Each list asks the RADIUS group first and falls back to the local user database only when no RADIUS server answers (a reject from a server is final and does not fall through), so a local username with a strong secret must exist for the fallback to be usable:

    ! login method for the console: RADIUS first, local database if no server answers
    aaa authentication login console group RADIUS-SERVERS local
    ! login method for VTY (SSH / Telnet) sessions
    aaa authentication login RADIUS-ADMIN-ACCESS group RADIUS-SERVERS local
    ! enable (privilege 15) password: ask RADIUS, fall back to the local enable secret
    aaa authentication enable default group RADIUS-SERVERS enable
    ! exec authorization: the RADIUS server must return the Cisco AV pair
    ! shell:priv-lvl=15 for an administrator to land directly in privileged mode;
    ! if-authenticated admits an already authenticated user when no server answers
    aaa authorization exec default group RADIUS-SERVERS local if-authenticated
    ! per-command authorization and accounting are accepted by IOS but cannot be
    ! carried by RADIUS (only TACACS+ supports them); they are kept here so the
    ! lists work unchanged if the server group is later switched to TACACS+
    aaa authorization config-commands
    aaa authorization commands 1 default group RADIUS-SERVERS local if-authenticated
    aaa authorization commands 15 default group RADIUS-SERVERS local if-authenticated
    aaa accounting exec default start-stop group RADIUS-SERVERS
    aaa accounting commands 1 default start-stop group RADIUS-SERVERS
    aaa accounting commands 15 default start-stop group RADIUS-SERVERS
    aaa accounting network default start-stop group RADIUS-SERVERS
    aaa accounting connection default start-stop group RADIUS-SERVERS
    aaa accounting system default start-stop group RADIUS-SERVERS
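    The method lists only take effect once they are bound to the console and VTY lines, and the device also needs a local fallback user, an enable secret, a source interface for the RADIUS traffic and SSH instead of Telnet. The following is a complete configuration added here as an example; it is not the original page's configuration. The hostname, domain name, management interface Vlan10, the shared secret, the local user admin and the RADIUS-side test user jdoe are all assumed placeholders.

```cisco
! --- added example: complete RADIUS admin-access configuration for Cisco IOS ---
! Assumed values: management SVI Vlan10, RADIUS servers 10.10.10.1 and 10.10.10.2,
! shared secret R4d1usS3cr3t, local fallback user admin, RADIUS user jdoe.
hostname SW-ACCESS-01
ip domain-name example.internal
!
! local fallback credentials: used only when no RADIUS server answers
username admin privilege 15 secret STRONG-LOCAL-SECRET
enable secret STRONG-ENABLE-SECRET
!
aaa new-model
!
aaa group server radius RADIUS-SERVERS
 server-private 10.10.10.1 timeout 2 key 0 R4d1usS3cr3t
 server-private 10.10.10.2 timeout 2 key 0 R4d1usS3cr3t
 ip radius source-interface Vlan10
!
aaa authentication login console group RADIUS-SERVERS local
aaa authentication login RADIUS-ADMIN-ACCESS group RADIUS-SERVERS local
aaa authentication enable default group RADIUS-SERVERS enable
aaa authorization exec default group RADIUS-SERVERS local if-authenticated
aaa accounting exec default start-stop group RADIUS-SERVERS
aaa accounting system default start-stop group RADIUS-SERVERS
!
! weak setting: no named list bound (the default list, i.e. local only, applies)
! and Telnet accepted, so credentials cross the network in clear text
! line vty 0 15
!  transport input telnet ssh
!
! corrected: bind the named lists, allow SSH only, time out idle sessions
line con 0
 login authentication console
 exec-timeout 10 0
line vty 0 15
 login authentication RADIUS-ADMIN-ACCESS
 transport input ssh
 exec-timeout 10 0
!
crypto key generate rsa modulus 2048
ip ssh version 2
!
! verification from privileged EXEC mode (not configuration mode) with a
! user that exists on the RADIUS server, before closing your current session:
! test aaa group RADIUS-SERVERS jdoe Jd0eP4ss new-code
! debug radius authentication
```

Keep the session you configured from open and verify with `test aaa group` and a second SSH login before disconnecting; if the server does not return `shell:priv-lvl=15` in its Cisco AV pair, the user is authenticated but lands in user EXEC and must still pass the `aaa authentication enable` list to reach privileged mode.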

    Author: Marcin Bialy