alkhaleej
asked on
How to use Windows IAS server as a radius server for Cisco Switches

Dear Experts,

I am trying to configure a RADIUS server (Windows 2003 IAS) for AAA services for Cisco 6513, 3560 and 3550 Series switches. I need my network technicians to get authenticated using the IAS server. I did configure the IAS server and did enable AAA in one of my Cisco 3560 switches with the following commands, but unfortunately it seems not to be working:

aaa new-model
aaa group server radius nms-rad

radius-server host 10.0.0.14 auth-port 1812 acct-port 1813 key cisco
radius-server source-ports 1645-1646

Just please let me know where I am going wrong. I need a sample configuration as well.

Thanks a lot
ASKER CERTIFIED SOLUTION
yasirirfan
This solution is only available to members.
Member_2_3654191
Yes, that's a very good article and I used it myself to enable RADIUS with domain authentication on our switches.
Make sure you also have a user for local authentication on the devices to prevent getting locked out in case radius is unavailable.
You need to add the

! "group radius" could also be a named server group, e.g. "group nms-rad"
aaa authentication login <LIST NAME> group radius local enable
aaa authorization exec <LIST NAME> group radius local

then

line console 0
! same name as the authentication list above
 login authentication <LIST NAME>
! same name as the authorization list above
 authorization exec <LIST NAME>

! 0 15 for switches; 0 4 for routers
line vty 0 15
 login authentication <LIST NAME>
 authorization exec <LIST NAME>

You could use default for your list, but I like to name my list just in case I need to come back and make adjustments later, like if I need one set of users to use one radius server or group of radius servers and another group of users to use a different radius server.  

To enable SSH:

! hostname and domain name must both be set before the RSA key can be generated
ip domain-name example.com
crypto key generate rsa
ip ssh version 2

! transport input applies to the VTY lines; the console is a serial port
line vty 0 15
 transport input ssh
I almost forgot.  To enable your users to go straight to enable mode you can add this to your IAS server.  You go to your policy and double-click it.  Click Edit Profile.  Select Advanced.  Click Add.  Select the Cisco AV pair (I think, I am writing this out of my head).  Enter the below in the string field.  You can adjust it as needed to allow the privileges as granularly as necessary.

"shell:priv-lvl=15"

Levels run from 1 to 15.


If you have any questions let me know.  I will be glad to help.
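The exchange the thread is configuring, written out as an added example in Python (not code from the original page, from Cisco or from Microsoft): the switch sends a RADIUS Access-Request with a PAP-hidden User-Password, the server answers with an Access-Accept carrying the Cisco AV pair "shell:priv-lvl=15" as a Vendor-Specific attribute (vendor 9, cisco-avpair type 1), and the switch verifies the Response Authenticator with its own shared key before reading the privilege level. The account, the password and the key "cisco" used here are constructed for the example; only the key value comes from the question.

```python
"""RADIUS (RFC 2865) exchange between a switch and an IAS-style server: an
Access-Request with PAP-hidden User-Password, an Access-Accept carrying the Cisco
AV pair "shell:priv-lvl=15" (vendor 9, attribute 1), and the switch verifying the
Response Authenticator.  Added example; the account and key are constructed."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

def encode_attr(attr_type, value):
    """Type-Length-Value attribute; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def cisco_avpair(text):
    """Vendor-Specific attribute wrapping cisco-avpair, which is what the server
    emits for the Cisco-AV-Pair string configured in the policy profile."""
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vendor_data)

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    raw = password.encode()
    raw = raw.ljust(max(16, -(-len(raw) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(raw), 16):
        prev = bytes(a ^ b for a, b in zip(raw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00").decode(errors="replace")

def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, data[4:20], attrs

def switch_access_request(user, password, secret, ident=1):
    """Switch side: build the request; the Request Authenticator is kept for later."""
    request_auth = os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, user.encode())
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth

def server_respond(request, secret, users, priv_lvl=15):
    """Server side: recover the password with the server's own key, then sign the
    reply: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    _, ident, request_auth, attrs = parse_packet(request)
    fields = dict(attrs)
    user = fields.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = unhide_password(fields.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    if users.get(user) == password:
        code, reply_attrs = ACCESS_ACCEPT, cisco_avpair("shell:priv-lvl=%d" % priv_lvl)
    else:
        code, reply_attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    return header + hashlib.md5(header + request_auth + reply_attrs + secret).digest() + reply_attrs

def switch_check_response(response, request_auth, secret):
    """Switch side: discard a reply whose Response Authenticator fails under the
    switch's key, then read the privilege level from the Cisco VSA (default 1)."""
    code, _, response_auth, attrs = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        raise ValueError("Response Authenticator mismatch: shared key differs from the server's")
    priv_lvl = 1
    for attr_type, value in attrs:
        if attr_type == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            vendor_type, vendor_len = value[4], value[5]
            text = value[6:4 + vendor_len].decode(errors="replace")
            if vendor_type == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
                priv_lvl = int(text.split("=", 1)[1])
    return code, priv_lvl

def login(user, password, switch_key=b"cisco", server_key=b"cisco"):
    """End-to-end: returns (code, priv_lvl); raises ValueError when the two keys differ."""
    users = {"netadmin": "Sw1tchP@ss"}  # constructed sample account, not from the thread
    request, request_auth = switch_access_request(user, password, switch_key)
    response = server_respond(request, server_key, users)
    return switch_check_response(response, request_auth, switch_key)

if __name__ == "__main__":
    print(login("netadmin", "Sw1tchP@ss"))   # (2, 15): Access-Accept, straight to priv 15
    print(login("netadmin", "wrong"))        # (3, 1): Access-Reject
    try:
        login("netadmin", "Sw1tchP@ss", server_key=b"Cisco")
    except ValueError as exc:
        print(exc)                           # key typo on one side: reply is discarded
```

The key-mismatch case is the first thing to check when a setup like the asker's "seems not working": the switch silently discards any reply it cannot verify, so a key that differs by one character makes the server look unreachable and the login falls through to the next method in the list (here local, then enable). The password hiding is only MD5 keyed by that shared secret, so use a long random key rather than "cisco" and keep the switch-to-IAS traffic on a management network.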