IAS Radius Initial setup

Posted on 2006-06-16
Last Modified: 2013-11-30
I have been trying to set up IAS and a Cisco 2950 for a month now with no luck.  I have tried to follow Cisco's directions with no luck.  Can anyone point me in the right direction?
Question by:wrwiii12

Expert Comment

ID: 16922078
What are you trying to do exactly, 802.1x authentication?

Author Comment

ID: 16922152
I want to set it up so that when someone logs into a Cisco switch it authenticates in a centralized location.  I have set up the switch according to Cisco documents, but when I log in to the switch it hangs, then says % backup authentication

Expert Comment

ID: 16922189

LVL 12

Accepted Solution

Freya28 earned 168 total points
ID: 16922684
You have to enter aaa-server RADIUS commands on the Cisco device and point it to your IAS server.  Then your IAS server's config will have you add a host, which will be the IP of the Cisco device. You then have to create policies within IAS, and you can add your NT accounts so people can authenticate with their domain credentials.  Let me know if you need step-by-step help.
LVL 28

Assisted Solution

mikebernhardt earned 166 total points
ID: 16923661
Please post the Cisco config (leave out all the port stuff and xxxx out the passwords; they don't matter here). Once I see that I can tell you what's wrong and/or what you need to do with IAS.

Author Comment

ID: 16923868
Here's a stripped-down version.  It seems to be going to the server OK, but Microsoft has been on the phone for 4 hours trying to fix it in IAS with no luck.  The event log says "The user attempted to use an authentication method that is not enabled on the matching remote access policy."  We even went as far as deleting all policies.  I just want to make sure the switch is right.  It is a 3550 and 2950 (I tried 2 to eliminate problems with it).

sho run
Building configuration...

Current configuration : 2623 bytes
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Switch
aaa new-model
aaa group server radius test
 server auth-port 1812 acct-port 1813
aaa authentication login default group radius
aaa authorization exec default group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
enable secret 5 $1$iXUo$rssWe1xxsoQyTLPf2VwmH0
enable password cisco1
ip subnet-zero
ip address
ip classless
ip http server
radius-server host auth-port 1812 acct-port 1813 key apple
radius-server retransmit 3
radius-server key apple
radius-server vsa send accounting
radius-server vsa send authentication
LVL 28

Expert Comment

ID: 16924031
OK... first of all, for your testing purposes dump these 3 lines:
no aaa authorization exec default group radius
no aaa accounting exec default start-stop group radius
no aaa accounting network default start-stop group radius

This doesn't do anything at the moment:
no aaa group server radius test

and just to make sure I always have access, I like to add this to the authentication line:
aaa authentication login default group radius enable
which means that if the radius server doesn't reply for some reason, you will be asked for a password only, which will be the enable password.

Assuming that you've created the client correctly in IAS, you also need to permit PAP authentication in the IAS policy you've created. This is probably why you're getting the message Microsoft seems stumped on.

Assisted Solution

dodgechargerfan earned 166 total points
ID: 16924037
Just a guess but I don't see where you've applied the authentication list to the lines that you want to have authenticate against the radius server.

This assumes that I've understood your question correctly. You are trying to control access to the switch management interface (console, telnet, etc.) using RADIUS, correct?

line [console | tty | vty] line-number [ending-line-number]
    Enter line configuration mode, and configure the lines to which you want to apply the authentication list.

login authentication {default | list-name}
    Apply the authentication list to a line or set of lines.
      • If you specify default, use the default list created with the aaa authentication login command.
      • For list-name, specify the list created with the aaa authentication login command.
LVL 28

Expert Comment

ID: 16924095
By the way, I like to do this for the console port, otherwise radius will be active there too. And if there's a problem with the server then I can't get in without breaking in, which isn't fun when the switch is in production:

aaa authentication login console-auth line

line con 0
login authentication console-auth
password my-password

Author Comment

ID: 16924118
OK, maybe I just don't know what I am doing when it comes to this.  I just got off the phone with Microsoft.  What would a config look like from scratch to use RADIUS to a server using the key apple?  I would like to use it for AAA.  Also, where do you set the access level for users?
LVL 28

Expert Comment

ID: 16924265
Basically your cisco config was fine.

I suspect the only thing that was actually causing an authentication problem is that you need to have the PAP box checked under the authentication methods in the IAS policy. After you create the policy, open it and make sure that "Grant remote access permission" is checked. Then click on "Edit profile" and go to the Authentication tab. Check the "Unencrypted authentication" checkbox (do NOT check the one below it). Click Apply and then try it.

LVL 28

Expert Comment

ID: 16924285
Radius has very limited support for authorization, which includes access levels. You can set the privilege level as part of the IAS policy in the Advanced tab using the correct syntax. But it will affect anyone matching that policy. Also, the switch would need to have a bunch of privilege levels set for commands that you want to restrict. For example, the default privilege on login is 1. The privilege required to get into enable mode is 0, so anyone can go to enable mode. You can change the level required for enable to say, 2 with "privilege exec level 2 enable" so unless someone is at level 2 they can't use enable.

Then you create 2 IAS policies: one that matches a Windows group containing people that can use enable, which sets their privilege level to 2 when they log in, and another that does the default. This is really the only authorization that Cisco and radius can do together.
LVL 28

Expert Comment

ID: 16924321
You can leave your accounting lines in your config. But the authorization line is telling the switch to use radius to determine permissions and it can't do that.

To set the login privilege level to 2 in IAS, go to the Advanced tab, click add, select Cisco AV-Pair and click add. In the attribute box, type in
and click apply, etc.
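Putting the replies in this thread together, the following is an added from-scratch IOS configuration for switch-login AAA against IAS with the shared key apple; it is not a config posted by any participant. The server address and the passwords are placeholders, and the accounting and VSA lines are carried over from the config quoted earlier.

```cisco
! Added example, not a participant's config: management-login AAA via RADIUS (IAS).
! 192.0.2.10 is a placeholder for the IAS server address.
hostname Switch
aaa new-model
!
! Login: ask RADIUS first; if the server does not answer, fall back to the
! enable password so the switch cannot be locked out by a RADIUS outage.
aaa authentication login default group radius enable
! Separate list for the console that uses only the line password, so a
! server problem never blocks console access on a production switch.
aaa authentication login console-auth line
!
! Accounting can stay. "aaa authorization exec default group radius" is left
! out on purpose: the reply above says the switch cannot get its permissions
! from RADIUS that way.
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
!
! Require privilege 2 to enter enable mode; the IAS policy for the "can use
! enable" Windows group raises those users to level 2 at login via the
! Cisco AV-Pair attribute (Advanced tab), and the VSA lines below let the
! switch accept it.
privilege exec level 2 enable
enable secret <enable-password-placeholder>
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key apple
radius-server retransmit 3
radius-server vsa send authentication
radius-server vsa send accounting
!
line con 0
 login authentication console-auth
 password <console-password-placeholder>
line vty 0 15
 login authentication default
```

On the IAS side this still needs the switch added as a RADIUS client with the key apple and "Unencrypted authentication" (PAP) enabled in the policy's profile, as described in the replies above; the switch sends the login password as PAP.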
