Technology: Management & Monitoring
Area: AAA
Title: Logging to device via radius / aaa configuration
Vendor: Cisco
Software: 12.X , 15.X, IP Base, IP Services, LAN Base, LAN Light
Platform: Catalyst 2960-X, Catalyst 3560
For better security of the network device itself, you can restict access for remote management sessions (VTY – SSH / TELNET) and console access. In general there are two options:
The first method uses Radius protocol to authenticate network admins that means every authentication and authorization packet is bundled and therefore there is no way to distinguish between authentication and following consecutive authorization requests whe user is already authenticated. That is with Radius you can not verify each command the admin is typing. This is allowed when TACACS+ is in play. TACACS+ separates authentication and authorization packets that is why you are able to granularly authorize every command admi types into a console of device and based on this grant or deny particular command for particular admin.
Hovever Radius is dedicated protocol for 802.1X mechanisms and other applications like URL redirections, VPN authentication etc. and is still in use in most organizations. To configure Radius to work for admin login and authentication:
Enable AAA (Authentication, Authorization, Accounting) methods:
Router(config)# aaa new-model
Define Radius servers:
Router(config)#aaa group server radius RADIUS-SERVERS
server-private 10.10.10.1 timeout 2 key 7 KEY
server-private 10.10.10.2 timeout 2 key 7 KEY
!
Define Radius servers for console authentication. If there is a communication failure between radius server and device, use local defined user and password:
aaa authentication login console RADIUS-SERVERS local
! authentication method for vty ssh / telnet auth by our radius servers
aaa authentication login RADIUS-ADMIN-ACCESS group RADIUS-SERVERS local
! authentication method for vty ssh / telnet auth by our radius servers
aaa authentication enable default group RADIUS-SERVERS enable
aaa authorization config-commands
aaa authorization exec default group RADIUS-SERVERS local if-authenticated
aaa authorization commands 1 default group RADIUS-SERVERS local if-authenticated
aaa authorization commands 15 default group RADIUS-SERVERS local if-authenticated
aaa accounting exec default start-stop group RADIUS-SERVERS
aaa accounting commands 1 default start-stop group RADIUS-SERVERS
aaa accounting commands 15 default start-stop group RADIUS-SERVERS
aaa accounting network default start-stop group RADIUS-SERVERS
aaa accounting connection default start-stop group RADIUS-SERVERS
aaa accounting system default start-stop group RADIUS-SERVERS