Solved

IAS Radius Initial setup

Posted on 2006-06-16
Last Modified: 2013-11-30
I have been trying to set up IAS and a Cisco 2950 for a month now with no luck.  I have tried to follow Cisco's directions with no luck.  Can anyone point me in the right direction?
Thanks
Question by:wrwiii12
15 Comments
 
LVL 4

Expert Comment

by:neoponder
What are you trying to do exactly, 802.1x authentication?
 
LVL 4

Author Comment

by:wrwiii12
I want to set it up so that when someone logs into a Cisco switch it authenticates in a centralized location.  I have set up the switch according to Cisco documents, but when I log in to the switch it hangs, then says % backup authentication
 
LVL 7

Expert Comment

by:Kumar_Jayant123
 
LVL 12

Accepted Solution

by:Freya28
Freya28 earned 168 total points
You have to enter aaa-server RADIUS commands on the Cisco device and point it to your IAS server.  Then your IAS server's config will have you add a host, which will be the IP of the Cisco device.  You then have to create policies within IAS, and you can add your NT accounts so people can authenticate with their domain credentials.  Let me know if you need step-by-step help.
 
LVL 28

Assisted Solution

by:mikebernhardt
mikebernhardt earned 166 total points
Please post the Cisco config (leave out all the port stuff and xxxx out the passwords; they don't matter here).  Once I see that I can tell you what's wrong and/or what you need to do with IAS.
 
LVL 4

Author Comment

by:wrwiii12
Here's a stripped-down version.  It seems to be going to the server OK, but Microsoft has been on the phone for 4 hours trying to fix it in IAS with no luck.  The event log says "The user attempted to use an authentication method that is not enabled on the matching remote access policy."  We even went as far as deleting all policies.  I just want to make sure the switch is right.  It is a 3550 and 2950 (I tried 2 to eliminate problems with it).

sho run
Building configuration...

Current configuration : 2623 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
aaa new-model
aaa group server radius test
 server 192.168.111.100 auth-port 1812 acct-port 1813
!
aaa authentication login default group radius
aaa authorization exec default group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
enable secret 5 $1$iXUo$rssWe1xxsoQyTLPf2VwmH0
enable password cisco1
!
ip subnet-zero
ip address 192.168.111.250 255.255.255.0
ip classless
ip http server
radius-server host 192.168.111.100 auth-port 1812 acct-port 1813 key apple
radius-server retransmit 3
radius-server key apple
radius-server vsa send accounting
radius-server vsa send authentication
 
LVL 28

Expert Comment

by:mikebernhardt
OK... first of all, for your testing purposes dump these 3 lines:
no aaa authorization exec default group radius
no aaa accounting exec default start-stop group radius
no aaa accounting network default start-stop group radius

This doesn't do anything at the moment:
no aaa group server radius test

and just to make sure I always have access, I like to add this to the authentication line:
aaa authentication login default group radius enable
which means that if the radius server doesn't reply for some reason, you will be asked for a password only, which will be the enable password.

Assuming that you've created the client correctly in IAS, you also need to permit PAP authentication in the IAS policy you've created. This is probably why you're getting the message Microsoft seems stumped on.
 

Assisted Solution

by:dodgechargerfan
dodgechargerfan earned 166 total points
Just a guess but I don't see where you've applied the authentication list to the lines that you want to have authenticate against the radius server.

This assumes that I've understood your question correctly. You are trying to control access to the switch management interface (console, telnet, etc.) using RADIUS, correct?

line [console | tty | vty] line-number [ending-line-number]
    Enter line configuration mode, and configure the lines to which you want to apply the authentication list.

login authentication {default | list-name}
    Apply the authentication list to a line or set of lines.
    - If you specify default, use the default list created with the aaa authentication login command.
    - For list-name, specify the list created with the aaa authentication login command.
 
LVL 28

Expert Comment

by:mikebernhardt
By the way, I like to do this for the console port, otherwise radius will be active there too. And if there's a problem with the server then I can't get in without breaking in, which isn't fun when the switch is in production:

aaa authentication login console-auth line

line con 0
login authentication console-auth
password my-password
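Pulling together the points in the last few comments (which lines the authentication list is applied to, a fallback method on the default list, and keeping the console off RADIUS), here is an added Python audit that flags those pitfalls in an IOS config. It is not code from the thread; the sample config reuses the poster's AAA lines, and the line sections in it are constructed because the post stripped them.

```python
import re

# Constructed sample: the AAA lines from the poster's "sho run" plus line
# sections (stripped from the post) so the checks have something to inspect.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius
aaa authorization exec default group radius
radius-server host 192.168.111.100 auth-port 1812 acct-port 1813 key apple
line con 0
 password my-password
line vty 0 4
 login authentication default
"""

def parse_config(config):
    """Split an IOS config into top-level commands and per-'line' sections."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None
            top.append(raw.strip())
    return top, sections

def audit_aaa(config):
    """Return a list of findings for the AAA pitfalls discussed in the thread."""
    top, sections = parse_config(config)
    findings = []
    login = [c for c in top if c.startswith("aaa authentication login default")]
    if "aaa new-model" not in top:
        findings.append("aaa new-model missing: AAA method lists are not in effect")
    if not login:
        findings.append("no default login authentication list")
    elif not re.search(r"\b(enable|local|line)\b", login[0]):
        findings.append("login list has no fallback method: a RADIUS outage locks you out")
    if any(c.startswith("aaa authorization exec default group radius") for c in top):
        findings.append("exec authorization via RADIUS: remove while testing, as advised above")
    for name, cmds in sections.items():
        lists = [c.split()[-1] for c in cmds if c.startswith("login authentication")]
        if name.startswith("line con") and (not lists or lists[0] == "default"):
            findings.append(f"{name}: RADIUS default list on console; use a line/local list")
        elif name.startswith("line vty") and not lists:
            findings.append(f"{name}: no explicit login authentication list (default applies)")
    return findings
```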
 
LVL 4

Author Comment

by:wrwiii12
OK, maybe I just don't know what I am doing when it comes to this.  I just got off the phone with Microsoft.  What would a config look like from scratch to use RADIUS to a server 192.168.111.100 using the key apple?  I would like to use it for AAA.  Also, where do you set the access level for users?
 
LVL 28

Expert Comment

by:mikebernhardt
Basically your Cisco config was fine.

I suspect the only thing that was actually causing an authentication problem is that you need to have the PAP box checked under the authentication methods in the IAS policy. After you create the policy, open it and make sure that "Grant remote access permission" is checked. Then click on "Edit profile" and go to the Authentication tab. Check the "Unencrypted authentication" checkbox (do NOT check the one below it). Click Apply and then try it.

 
LVL 28

Expert Comment

by:mikebernhardt
RADIUS has very limited support for authorization, which includes access levels. You can set the privilege level as part of the IAS policy in the Advanced tab using the correct syntax. But it will affect anyone matching that policy. Also, the switch would need to have a bunch of privilege levels set for commands that you want to restrict. For example, the default privilege on login is 1. The privilege required to get into enable mode is 0, so anyone can go to enable mode. You can change the level required for enable to, say, 2 with "privilege exec level 2 enable", so unless someone is at level 2 they can't use enable.

Then you create 2 IAS policies: one that matches a Windows group containing people that can use enable, which sets their privilege level to 2 when they log in, and another that does the default. This is really the only authorization that Cisco and RADIUS can do together.
 
LVL 28

Expert Comment

by:mikebernhardt
You can leave your accounting lines in your config. But the authorization line is telling the switch to use radius to determine permissions and it can't do that.

To set the login privilege level to 2 in IAS, go to the Advanced tab, click add, select Cisco AV-Pair and click add. In the attribute box, type in
shell:priv-lvl=2
and click apply, etc.
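To show what the two IAS settings discussed in this thread actually mean on the wire, here is an added Python model (not code from the thread, Cisco or Microsoft) of the RADIUS exchange: the PAP User-Password hiding from RFC 2865 that the "Unencrypted authentication" checkbox enables, and the Cisco AV-pair Vendor-Specific attribute that carries shell:priv-lvl=2 in the Access-Accept. The shared key apple is the thread's; the username, password and fixed Request Authenticator are constructed for reproducibility (a real client picks the authenticator at random).

```python
import hashlib
import struct
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # IANA enterprise 9 = Cisco; sub-type 1 = cisco-avpair

def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    Obfuscation keyed by the shared secret, not encryption: the secret's strength is the protection."""
    padded = password + b"\0" * (-len(password) % 16) if password else b"\0" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def unhide_password(secret, authenticator, hidden):
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def attr(kind, value):  # Type, Length (header included), Value
    return struct.pack("!BB", kind, 2 + len(value)) + value

def cisco_avpair(text):
    """Vendor-Specific (26) attribute carrying one cisco-avpair string."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def packet(code, ident, authenticator, attrs):  # Code, Id, Length, Authenticator, attrs
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def attributes(pkt):  # yield (type, value) pairs from a RADIUS packet
    pos = 20
    while pos < len(pkt):
        kind, length = pkt[pos], pkt[pos + 1]
        yield kind, pkt[pos + 2:pos + length]
        pos += length

def cisco_avpairs(pkt):
    """cisco-avpair strings (e.g. 'shell:priv-lvl=2') carried in a packet."""
    return [v[6:].decode() for k, v in attributes(pkt)
            if k == VENDOR_SPECIFIC and v[:4] == struct.pack("!I", CISCO_VENDOR_ID)]
```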