IAS Radius Initial setup

wrwiii12 asked:
I have been trying to set up IAS and a Cisco 2950 for a month now with no luck. I have tried to follow Cisco's directions with no luck. Can anyone point me in the right direction?
Thanks
neoponder:

What are you trying to do exactly, 802.1x authentication?
wrwiii12 (asker):

I want to set it up so that when someone logs into a Cisco switch it authenticates in a centralized location. I have set up the switch according to Cisco documents, but when I log in to the switch it hangs and then says "% backup authentication".
ASKER CERTIFIED SOLUTION (Freya28)

Here's a stripped-down version. It seems to be going to the server OK, but Microsoft has been on the phone for 4 hours trying to fix it in IAS with no luck. The event log says "The user attempted to use an authentication method that is not enabled on the matching remote access policy." We even went as far as deleting all policies. I just want to make sure the switch is right. It is a 3550 and a 2950 (I tried two to eliminate problems with the switch).


sho run
Building configuration...

Current configuration : 2623 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
aaa new-model
aaa group server radius test
 server 192.168.111.100 auth-port 1812 acct-port 1813
!
aaa authentication login default group radius
aaa authorization exec default group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
enable secret 5 $1$iXUo$rssWe1xxsoQyTLPf2VwmH0
enable password cisco1
!
ip subnet-zero
ip address 192.168.111.250 255.255.255.0
ip classless
ip http server
radius-server host 192.168.111.100 auth-port 1812 acct-port 1813 key apple
radius-server retransmit 3
radius-server key apple
radius-server vsa send accounting
radius-server vsa send authentication

OK... first of all, for your testing purposes, dump these three lines:
no aaa authorization exec default group radius
no aaa accounting exec default start-stop group radius
no aaa accounting network default start-stop group radius

This doesn't do anything at the moment:
no aaa group server radius test

and just to make sure I always have access, I like to add this to the authentication line:
aaa authentication login default group radius enable
which means that if the radius server doesn't reply for some reason, you will be asked for a password only, which will be the enable password.

Assuming that you've created the client correctly in IAS, you also need to permit PAP authentication in the IAS policy you've created. This is probably why you're getting the message Microsoft seems stumped on.
By the way, I like to do this for the console port, otherwise radius will be active there too. And if there's a problem with the server then I can't get in without breaking in, which isn't fun when the switch is in production:

aaa authentication login console-auth line

line con 0
 login authentication console-auth
 password my-password

OK, maybe I just don't know what I am doing when it comes to this. I just got off the phone with Microsoft. What would a config look like from scratch to use RADIUS to a server 192.168.111.100 using the key apple? I would like to use it for AAA. Also, where do you set the access level for users?

Basically, your Cisco config was fine.

I suspect the only thing that was actually causing an authentication problem is that you need to have the PAP box checked under the authentication methods in the IAS policy. After you create the policy, open it and make sure that "Grant remote access permission" is checked. Then click on "Edit profile" and go to the Authentication tab. Check the "Unencrypted authentication" checkbox (do NOT check the one below it). Click Apply and then try it.

RADIUS has very limited support for authorization, which includes access levels. You can set the privilege level as part of the IAS policy in the Advanced tab using the correct syntax. But it will affect anyone matching that policy. Also, the switch would need to have a bunch of privilege levels set for commands that you want to restrict. For example, the default privilege on login is 1. The privilege required to get into enable mode is 0, so anyone can go to enable mode. You can change the level required for enable to, say, 2 with "privilege exec level 2 enable", so unless someone is at level 2 they can't use enable.

Then you create two IAS policies: one that matches a Windows group containing people that can use enable, which sets their privilege level to 2 when they log in, and another that does the default. This is really the only authorization that Cisco and RADIUS can do together.
You can leave your accounting lines in your config. But the authorization line is telling the switch to use radius to determine permissions and it can't do that.

To set the login privilege level to 2 in IAS, go to the Advanced tab, click add, select Cisco AV-Pair and click add. In the attribute box, type in
shell:priv-lvl=2
and click apply, etc.
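Pulling the thread's advice together, here is a from-scratch IOS AAA/RADIUS configuration for the asker's "what would a config look like from scratch" question. This is an added example written for this page, not a config posted by anyone in the thread; it uses the server address and key from the question, the enable secret and console password are placeholders, and the exec authorization line with if-authenticated is added here because the switch only applies the shell:priv-lvl value from the IAS Cisco AV-Pair when exec authorization is enabled.

```cisco
! Added example, not from the thread: from-scratch IOS AAA/RADIUS config
! for VTY logins against IAS at 192.168.111.100 with shared key "apple".
! Values in angle brackets are placeholders.
aaa new-model
!
radius-server host 192.168.111.100 auth-port 1812 acct-port 1813 key apple
radius-server retransmit 3
!
! Login list: ask RADIUS first; if it does not answer, fall back to the
! enable secret so an unreachable IAS server cannot lock you out.
aaa authentication login default group radius enable
!
! Console gets its own list that never touches RADIUS.
aaa authentication login console-auth line
!
! Exec authorization is what makes the switch honour the shell:priv-lvl
! value returned by IAS; if-authenticated keeps access when RADIUS is
! down. (Caveat added here: the thread removes authorization while
! troubleshooting the login itself, so add this back once login works.)
aaa authorization exec default group radius if-authenticated
!
! Accounting is harmless to keep and gives an audit trail of logins.
aaa accounting exec default start-stop group radius
!
enable secret <strong-enable-secret>
!
! Require privilege 2 to enter enable mode, so only users whose IAS
! policy returns shell:priv-lvl=2 can get there; everyone else stays at 1.
privilege exec level 2 enable
!
line con 0
 login authentication console-auth
 password <console-password>
!
line vty 0 15
 login authentication default
```

Once this is in place, the IAS side still needs PAP ("Unencrypted authentication") enabled on the matching policy, exactly as described above, or the Access-Request will be rejected with the event log message the asker quoted.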