AAA using RADIUS
Good morning all,
I am trying to configure AAA using RADIUS with ACS 4.1 SE and various Cisco Devices. I have configured the ACS to perform group mapping on personnel who I want to give access privileges. What I would like to do is give that group privilege level 15 and do away with enable passwords. However, I need local level authentication for our console options with enable privileges. Can this be done? Any help would be appreciated.
Dwane
For routers and IOS switches:
aaa new-model
aaa authentication banner *Unauthorized Access Prohibited*
aaa authentication login default group radius
radius-server host 10.10.10.10 (your acs device)
radius-server key cisco123
radius-server configure-nas
username nmg password telnet
aaa authentication ppp dialins group radius local
aaa authentication login nmg local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
aaa processes 16
line 1 16
login authentication
For CatOS switches:
set radius server 10.10.10.10
show radius
set radius key cisco123
set authentication login radius enable
set authentication enable radius enable
show authentication
set radius timeout 5
set radius retransmit 3
set radius deadtime 3
For Pix Firewalls:
aaa authentication ssh console radius LOCAL
aaa authentication telnet console radius LOCAL
aaa-server radgroup protocol RADIUS
max-failed-attempts 2
reactivation-mode depletion deadtime 5
exit
(NOTE: This will depend on the location of the PIX firewall)
aaa-server radgroup (inside) host 10.10.10.10
key XXXXXXX
exit
aaa-server radgroup (inside) host 10.10.10.10
key XXXXXX
exit
This is pretty much what we used for configurations on our test. It looks like most of your switches are IOS based so that will be nice for you.
If you are using local authentication, you can create a group and assign the local addresses to that group. What I did in the RADIUS IETF attributes: ensure that [006] Service-Type is checked, scroll down to Administrative and click Submit & Restart.
Hope this helps some. I had a lot of help from Cisco TAC on this.
Dwane
-
AAA using Radius with 802.1x
Hello there,
We're going to be implementing 802.1x on our network of some really old switches (6509 CatOS with MSFC 2). We use RADIUS for AAA authentication and I've been reading that .1x uses RADIUS. How is that going to work? Do I just add another RADIUS server in my radius server command and, more importantly, will .1x work on CatOS running 8.2.1? I've been trawling the forums and I can't seem to find anyone who's actually running .1x on the old CatOS switches to see what kind of gotchas I can expect to run into.
Any advice or assistance would be greatly appreciated!
Thanks
Kiley
Salodh,
Thanks but that document is for a 2950 and we have a 6509 but, the good thing is I just found out our Tier 3 engineers will not be adding dot1x to the 6509 since it has only trunks - no access ports. Thanks very much for your reply! -
Using RADIUS without enabling AAA
Is there any way I can use a RADIUS server without enabling/using AAA?
Is there any command "ip auth radius ..."?
Couldn't find anything on Cisco as such.
Swapnendu
Am I correct in assuming that you are talking about on IOS based routers or catOS switches? If so I believe that the only way to use Radius is to use AAA.
HTH
Rick -
802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment
Could someone please provide me with the simplest set of configuration steps to fire up RADIUS in ACS and 802.1X for dynamic VLAN assignment? The objective is to roll out NAC L2 OOB using the 802.1X method for dynamic VLAN assignments.
If possible show:
1. ACS/Radius Configurations.
2. End User Switch Configurations
Variables:
Switch A
MAC Address aaaa.bbbb.cccc Vlan 10
bbbb.cccc.dddd Vlan 20
Also, it would help if someone posted the pros and cons of using Radius/ACS/802.1X for dynamic VLAN assignments, and other technology sets that can be used for dynamic VLAN assignment, except the deprecated/obsolete VMPS.
Thanks in advance.
Hi Guys,
Hmmm, well if you're just looking for MAC-based authentication, the good news is that it is very easy. Just create your RADIUS server (ACS, FreeRadius, Steel-Belted Radius, etc.). Then create a user with the name of the MAC address; in other words, if the MAC address is 0012.0021.1122 then the name would be 001200211122 and the password would be the MAC address. Then you set the VLAN and tunnel stuff, like so: Tunnel-Type would be VLAN, Tunnel-Medium-Type would be 802 and Tunnel-Private-Group-ID is the name of the VLAN (not the VLAN number).
So for the Cisco ACS 4.x you would create a user as specified above, fill in all the password boxes with MAC address, I believe the mac has to be all lower case in the name and the password. Then check the Separate(Chap/MS-Chap/ARAP) box. Then you pick the group the machine belongs to, the group is the part that defines what vlan it is on.
Before you create the user, create the group with info I wrote above and in addition specify the Service-Type as Authenticate Only.
Freeradius is a bit harder to configure the specifics and I am just now testing a freeradius server so I do not know the process for Machine authentication.
If, however, you are trying to authenticate a user that gets a bit trickier and is not so straight forward. -
FlexConnect & ISE ACLs - AAA Overide/RADIUS NAC
Hi Chaps,
I have 3 ACLs configured on a WLC for CWA, Corp and Guest users. On local mode APs, these are called up using the Airespace fields in the ISE policies, depending on what rule is hit.
ACL-WEBAUTH-REDIRECT
ACL-PERMIT-CORP-TRAFFIC
ACL-PERMIT-GUEST-TRAFFIC
Will FlexConnect APs call up the ACLs in the same way as local mode, as the WLAN will be AAA Override/RADIUS NAC, or will FlexConnect ACLs be required?
Cheers,
N
I believe you need to create Flex ACLs on the WLC. These Flex ACLs can be called the same as regular ACLs, so in ISE you wouldn't have to change the auth profile.
-
Local Webauth WLC using radius database
Hi all,
I was implementing local WebAuth on the WLC not using local auth; I use a RADIUS database.
At least I tried to add on my WLAN:
layer 3 web auth authentication
layer 2 security is WPA/WPA2 PSK
adding aaa radius server
aaa radius "network user" check list enabled
web auth priority order
radius
LDAP
After I test the WLAN, I can't log in using the RADIUS database.
But if I implement the security method WPA/WPA2 dot1x, I can log in using the RADIUS database.
Is there anything missing in my config for implementing the webauth method?
Thanks
ridho
Are you trying to use LDAP or RADIUS to authenticate the webauth users? Since you have 802.1x working, I don't see why you would use LDAP. What RADIUS server are you using also? Typically if you're using Microsoft IAS or NPS, you have to change the device type to Login to get webauth with RADIUS to work. Here is an example of 3 ways to authenticate webauth users. You should be able to find others out there also.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
Sent from Cisco Technical Support iPhone App -
Assigning privilege level using Radius
I'm trying to assign a privilege level on a Cisco router via RADIUS. I'm using Cisco Secure ACS (Windows 2K).
I have set the privilege level to 15. But when I telnet to the router, I always get the router> prompt instead of the router# prompt.
How can I configure the RADIUS server/router so that when I get successfully authenticated, the router# prompt is shown?
I've configured the router as below:
aaa authentication login vtymethod group radius enable
aaa authorization exec vtymethod group radius local
radius-server host 202.x.x.195 auth-port 1645 acct-port 1646 key cisco
line vty 0 4
authorization exec vtymethod
login authentication vtymethod
On the Radius, I've configured as below:
In the group settings for IETF Radius attributes, the Service-Type is set to Nas Prompt.
Also in the group settings, I've checked the Cisco-av-pair with the following configured: shell:priv-lvl=15.
Is there something I'm missing?
Appreciate the help.
Thanks.
sweeann
Hi
I'm curious... what is the perceived benefit of using RADIUS instead of TACACS+?
Given that ACS supports both and that T+ is a superior protocol for device admin.
I once heard someone mutter that T+ was proprietary... but all they were doing was sending (effectively) T+ av-pairs via Cisco RADIUS VSAs. Not significantly different, one could argue! -
Hey Everyone,
I am configuring AAA with RADIUS on our remote ASA firewalls. This is pretty straight forward, but I have some firewalls that this is not working on. I have upgraded the IOS image on the ASA 5510 to ASA804-K8.BIN on all of them. The strange part is some of them are working and some of them are not working.
Just wondering if anyone else has come across this before and what info do you need to give me an assist.
Thanks in advance,
Kimberly
Hi Kimberly,
just curious: why 8.0.4 and not 8.0.5 ?
What are you using radius for ? What is the radius server? Did you configure all the ASAs on the radius server(s) ? Did you use the correct shared secret?
Is there anything different between the working ASAs and the failing ones? Configuration, location in the network, etc?
If the above doesn't help please post the config of a failing ASA (or at least the relevant parts, and make sure to remove any sensitive data) and the output of:
debug radius
debug aaa authen
debug aaa common 254
You can test just the radius part with the cli command "test aaa-server authentication ..."
hth
Herbert -
Ise 1.1 ActivatedGuest not able to authenticate using radius pap
Hi,
I want to create guest accounts using the sponsor portal and use radius to authenticate with these accounts; Afaik this is supported as from 1.1mr1 (Show Version output : 1.1.1.268)
When we create an account with the ActivatedGuest Identity group, in the sponsor portal the account is marked as active.
Username Status First Name Last Name Email Address
aazeaze1 ACTIVE azea azeaze
However, in ISE, using RADIUS, we receive an Access-Reject:
24210 Looking up User in Internal Users IDStore - aazeaze1
24206 User disabled
After logging in successfully to the guest portal with this account, the RADIUS request also succeeds.
Questions
1) is this scenario supported?
2) Is there anything else that should be configured?
Regards
Hi,
FYI it works if you don't use the fromlogin time profile , that's only for LWA/CWA.
cheers -
LMS , AAA via Radius and cisco AV pair
We are trying to authenticate users on a Ciscoworks LMS server 2.6 using Radius.
Is there a radius vendor specific attribute that can be used to make the authenticated user part of the admin groups ?
Ex: a Cisco-AV-pair, "LMS":groups="Network Administrator"
I have tried a few, but none seem to work. And I haven't found documentation on this.
No, it is pure authentication that is done.
There is no way to select a role in LMS based on an AV pair.
With tacacs+ something like that is possible.
Cheers,
Michel -
Lobby User using RADIUS Server in the NCS
Hello,
I need to know if I can use RADIUS to classify users such as lobby, and specify for these users the SSID for the guest user and the time for connection, like the local database in the NCS.
Actually i'm using the local database for lobby and i'd like to migrate to RADIUS database all these information.
Thanks.
Hello,
Yes, you could use RADIUS to authenticate lobby ambassador users. But information like the default WLAN and time period can't be passed as RADIUS attributes.
As a work-around, you could create a local lobby admin account with the same username, define the lobby admin defaults locally. The user will be authenticated using RADIUS but the defaults would be picked up based on the definitions set locally in NCS.
Ram. -
Can't auth to Nortels networks devices using RADIUS with ACS 5.1
Hi,
I've got a problem with the ACS 5.1 RADIUS Authentication for Nortel network devices (Baystack 470, ERS 5530 5510, Passport 8606).
After configuring RADIUS on these devices (primary server, secondary server, secret key, port...) and adding them to my ACS servers, I can't manage to log in using RADIUS and I get the following message:
"Permission denied, please try again" or "No response from RADIUS server"(?) (depending on the device type)
But in my ACS View, I can see : "Authentication succeeded."
I've also checked the RADIUS frames, the "Access-Request" and "Access-Accept" are correctly transmitted.
I've got no problems with RADIUS auth using other brands' devices.
Are there any known issues with Nortel devices using Cisco ACS 5.1 with RADIUS authentication?
Regards.
Are you sure that setting up a compound condition will help?
To me, the RADIUS Nortel VSAs are used for authorization, and my problem is about authentication (usually for a simple authentication, we stay within the IETF RADIUS standards, no?)
Also, will setting this condition change the Access-Accept packets sent by the ACS to the device?
Here are my steps in the ACS View:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Users
24210 Looking up User in Internal Users IDStore - radius
24212 Found User in Internal Users IDStore
22037 Authentication Passed
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
So I think the ACS does its job -
I am a member of a team working on a solution to provide VPN connectivity to 2000 remote locations running BSD server. We consulted our Cisco SE about this and received a recommendation to purchase a 7206VXR and use RADIUS to provide the L2L configuration to the router. We are having difficulties getting information on how to complete the build. I am curious if anyone has any experience using a Cisco router and RADIUS to do L2L VPN? Is it possible? Thanks!
Thanks George.
Yes I tried it and it works. But with web-auth it works a bit stupid if you have LDAP or local as backup.
With normal dot1x/EAP with radius if primary server rejects the request it does not try the secondary.
With web auth, if you choose more than one method (local, RADIUS or LDAP), then if the first method rejects the request it will try the next one.
+5 from me to you as well
Sent from Cisco Technical Support iPad App -
Control access using Radius without ACS
I want to log into my IPS using my existing RSA SecurID using RADIUS. Is it possible to use a RADIUS attribute in the RSA to tell the IPS what privilege/role the user is? The idea is I don't create users on the IPS; if a user tries to log on, it authenticates them via RADIUS running on the RSA server and, if the user is allowed to log onto that client IP (the IPS), then it will allow them to log on but also pass a message back to the IPS to say this person has full admin access. Is that possible using an attribute? Any guidance would be great.
Yes, you should be able to specify the user role on the radius server.
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_setup.html#wp1276213
Regards,
Sawan Gupta -
Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS
I have a Nexus 7010 running
Just wondering if you can help me with something. I'm having an issue with command authorization through our AAA config. We don't have a problem authenticating; it's command authorization that is not working. From what I have seen and read, Nexus NX-OS 6.x does not have any commands for AAA authorization unless you are configuring TACACS+. My basic config is below; if you can help it would be much appreciated.
>>ip radius source-interface mgmt 0
>>radius-server key XXXXX
>>radius-server host X.X.X.X key XXXXX authentication accounting
>>radius-server host X.X.X.X key XXXXX authentication accounting
>>aaa authentication login default group Radius_Group
>>aaa authentication login console local
>>aaa group server radius Radius_Group
>>  server X.X.X.X
>>  server X.X.X.X
>>  source-interface mgmt0
Also, does anyone know how to configure Microsoft 2008 NPS as a RADIUS server to work with Nexus? I have read a few posts that suggest changing the
shell:roles="vdc-admin" in the Attribute Value field in the RADIUS server
Does anyone know if this works????
Thanks
I have never done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your RADIUS server:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*"network-admin vdc-admin"
For more information take a look at this link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
Hope this helps
Thank you for rating helpful posts!
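As an added example (not code from any of the threads above, nor from Cisco), this builds the RADIUS Access-Accept a server such as ACS returns for the privilege-15 case discussed earlier (Service-Type=Administrative plus the cisco-av-pair shell:priv-lvl=15; the same VSA carries shell:roles for Nexus), and then performs the Response Authenticator check a NAS does on receipt, which is why a shared-secret mismatch shows up as "no response from RADIUS server" while the server-side log says the authentication succeeded. The request authenticator and identifier are constructed sample values; the secret cisco123 is the one from the router configs on this page.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, SERVICE_TYPE, VENDOR_SPECIFIC = 2, 6, 26    # RFC 2865 code / attribute types
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1                     # VSA: Vendor-Id 9, vendor type 1
SERVICE_ADMINISTRATIVE = 6     # Service-Type for priv 15 (NAS-Prompt is 7, which lands at priv 1)

def avp(attr_type, value):
    """Type-Length-Value; Length counts the 2 header octets, so struct rejects values over 253."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def int_avp(attr_type, value):
    return avp(attr_type, struct.pack("!I", value))

def cisco_av_pair(text):
    """Vendor-Specific(26) -> Vendor-Id 9 -> cisco-av-pair(1), e.g. shell:priv-lvl=15."""
    inner = struct.pack("!BB", CISCO_AV_PAIR, len(text) + 2) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def build_access_accept(identifier, request_auth, secret, attributes):
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    attrs = b"".join(attributes)
    head = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs

def nas_accepts(packet, request_auth, secret):
    """NAS side: recompute with its own copy of the secret.  A mismatch is silently
    discarded, so a wrong key looks like 'no response' while the server logs a pass."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attributes(packet):
    """Decode the TLVs, unwrapping Cisco VSAs, to inspect the returned authorization."""
    out, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + length]
        if attr_type == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            out.append(("cisco-av-pair", value[6:].decode()))
        else:
            out.append((attr_type, value))
        pos += length
    return out

# Constructed sample: the Accept a server returns for the priv-15 admin group described above.
REQUEST_AUTH = bytes(range(16))   # normally random, copied from the matching Access-Request
SECRET = b"cisco123"              # shared secret used in the router configs on this page
ADMIN_ACCEPT = build_access_accept(7, REQUEST_AUTH, SECRET,
    [int_avp(SERVICE_TYPE, SERVICE_ADMINISTRATIVE), cisco_av_pair("shell:priv-lvl=15")])
```

Running nas_accepts with a different secret, a different request authenticator, or a tampered attribute byte returns False, which is the condition a NAS reports as a server that did not respond.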