IAS Radius Initial setup

Posted on 2006-06-16
Last Modified: 2013-11-30
I have been trying to set up IAS and a Cisco 2950 for a month now with no luck. I have tried to follow Cisco's directions with no luck. Can anyone point me in the right direction?
Question by:wrwiii12

Expert Comment

ID: 16922078
What are you trying to do exactly, 802.1x authentication?

Author Comment

ID: 16922152
I want to set it up so that when someone logs into a Cisco switch it authenticates in a centralized location. I have set up the switch according to Cisco documents, but when I log in to the switch it hangs and then says % backup authentication

Expert Comment

ID: 16922189

LVL 12

Accepted Solution

Freya28 earned 168 total points
ID: 16922684
You have to enter aaa-server RADIUS commands on the Cisco device and point it to your IAS server. Then your IAS server's config will have you add a host, which will be the IP of the Cisco device. You then have to create policies within IAS, and you can add your NT accounts so people can authenticate with their domain credentials. Let me know if you need step-by-step help.
LVL 28

Assisted Solution

mikebernhardt earned 166 total points
ID: 16923661
Please post the Cisco config (leave out all the port stuff and xxxx out the passwords, they don't matter here). Once I see that I can tell you what's wrong and/or what you need to do with IAS.

Author Comment

ID: 16923868
Here's a stripped-down version. It seems to be going to the server OK, but Microsoft has been on the phone for 4 hours trying to fix it in IAS with no luck. The event log says "The user attempted to use an authentication method that is not enabled on the matching remote access policy." We even went as far as deleting all policies. I just want to make sure the switch is right. It is a 3550 and a 2950 (I tried 2 to eliminate problems with it).

sho run
Building configuration...

Current configuration : 2623 bytes
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Switch
aaa new-model
aaa group server radius test
 server auth-port 1812 acct-port 1813
aaa authentication login default group radius
aaa authorization exec default group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
enable secret 5 $1$iXUo$rssWe1xxsoQyTLPf2VwmH0
enable password cisco1
ip subnet-zero
ip address
ip classless
ip http server
radius-server host auth-port 1812 acct-port 1813 key apple
radius-server retransmit 3
radius-server key apple
radius-server vsa send accounting
radius-server vsa send authentication
LVL 28

Expert Comment

ID: 16924031
OK... first of all, for your testing purposes dump these 3 lines:
no aaa authorization exec default group radius
no aaa accounting exec default start-stop group radius
no aaa accounting network default start-stop group radius

This doesn't do anything at the moment:
no aaa group server radius test

and just to make sure I always have access, I like to add this to the authentication line:
aaa authentication login default group radius enable
which means that if the radius server doesn't reply for some reason, you will be asked for a password only, which will be the enable password.

Assuming that you've created the client correctly in IAS, you also need to permit PAP authentication in the IAS policy you've created. This is probably why you're getting the message Microsoft seems stumped on.

Assisted Solution

dodgechargerfan earned 166 total points
ID: 16924037
Just a guess but I don't see where you've applied the authentication list to the lines that you want to have authenticate against the radius server.

This assumes that I've understood your question correctly. You are trying to control access to the switch management interface (console, telnet, etc.) using RADIUS, correct?

line [console | tty | vty] line-number [ending-line-number]
-----Enter line configuration mode, and configure the lines to which you want to apply the authentication list.

login authentication {default | list-name}
-----Apply the authentication list to a line or set of lines.
-----•If you specify default, use the default list created with the aaa authentication login command.
-----•For list-name, specify the list created with the aaa authentication login command.
LVL 28

Expert Comment

ID: 16924095
By the way, I like to do this for the console port, otherwise radius will be active there too. And if there's a problem with the server then I can't get in without breaking in, which isn't fun when the switch is in production:

aaa authentication login console-auth line

line con 0
login authentication console-auth
password my-password

Author Comment

ID: 16924118
OK, maybe I just don't know what I am doing when it comes to this. I just got off the phone with Microsoft. What would a config look like from scratch to use RADIUS to a server using the key apple? I would like to use it for AAA. Also, where do you set the access level for users?
LVL 28

Expert Comment

ID: 16924265
Basically your cisco config was fine.

I suspect the only thing that was actually causing an authentication problem is that you need to have the PAP box checked under the authentication methods in the IAS policy. After you create the policy, open it and make sure that "Grant remote access permission" is checked. Then click on "Edit profile" and go to the Authentication tab. Check the "Unencrypted authentication" checkbox (do NOT check the one below it). Click Apply and then try it.

LVL 28

Expert Comment

ID: 16924285
Radius has very limited support for authorization, which includes access levels. You can set the privilege level as part of the IAS policy in the Advanced tab using the correct syntax. But it will affect anyone matching that policy. Also, the switch would need to have a bunch of privilege levels set for commands that you want to restrict. For example, the default privilege on login is 1. The privilege required to get into enable mode is 0, so anyone can go to enable mode. You can change the level required for enable to say, 2 with "privilege exec level 2 enable" so unless someone is at level 2 they can't use enable.

Then you create two IAS policies: one that matches a Windows group containing people that can use enable, which sets their privilege level to 2 when they log in, and another that does the default. This is really the only authorization that Cisco and RADIUS can do together.
LVL 28

Expert Comment

ID: 16924321
You can leave your accounting lines in your config. But the authorization line is telling the switch to use radius to determine permissions and it can't do that.

To set the login privilege level to 2 in IAS, go to the Advanced tab, click add, select Cisco AV-Pair and click add. In the attribute box, type in
and click apply, etc.
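Pulling the thread's pieces together (the enable fallback and console-auth list from mikebernhardt's comments, the "login authentication" line application from dodgechargerfan's, and the "privilege exec level 2 enable" idea from the authorization comments), here is a from-scratch IOS AAA configuration for management-login authentication against IAS. It is an added example written by the editor, not a config posted by any participant. 192.0.2.10 is a placeholder for the IAS server's address, and the enable secret and console password are placeholders to replace; the IAS policy must still have "Unencrypted authentication" (PAP) enabled, since that is what IOS login authentication sends.

```cisco
! Added example (not from the thread): IOS 12.1 AAA for switch management logins
! authenticated by an IAS RADIUS server with the shared key "apple".
aaa new-model
!
! vty logins try RADIUS first; if the server does not answer, fall back to the
! enable secret so an IAS outage never locks you out of the switch.
aaa authentication login default group radius enable
!
! Console gets its own list using only the line password, so you never need a
! password-recovery break-in on a production switch when RADIUS is down.
aaa authentication login console-auth line
!
! Accounting is harmless and useful for audit; "aaa authorization exec" is
! deliberately left out because RADIUS cannot do per-command authorization here.
aaa accounting exec default start-stop group radius
!
! 192.0.2.10 is a placeholder; the key must match the client entry in IAS.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key apple
radius-server retransmit 3
radius-server vsa send authentication
radius-server vsa send accounting
!
! Require privilege level 2 to run "enable". An IAS policy for the admin group
! returns priv-lvl 2 via Cisco AV-Pair; everyone else lands at level 1 and
! cannot reach enable mode.
privilege exec level 2 enable
enable secret REPLACE-WITH-ENABLE-SECRET
!
line con 0
 login authentication console-auth
 password REPLACE-WITH-CONSOLE-PASSWORD
!
line vty 0 15
 login authentication default
```

Test this from a second session before closing the one you configured it from: with the RADIUS server reachable, a vty login should be accepted or rejected according to the IAS policy, and with the server unreachable the switch should prompt for the enable secret instead of hanging, which is the "% backup authentication" path the original poster hit.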
