IAS Radius Initial setup

I have been trying to set up IAS and a Cisco 2950 for a month now with no luck. I have tried to follow Cisco's directions with no luck. Can anyone point me in the right direction?

Freya28 Commented:
You have to enter aaa-server RADIUS commands on the Cisco device and point it to your IAS server. Then your IAS server's config will have you add a host, which will be the IP of the Cisco device; you then have to create policies within IAS, and you can add your NT accounts so people can authenticate with their domain credentials. Let me know if you need step-by-step help.
What are you trying to do exactly, 802.1x authentication?
wrwiii12 Author Commented:
I want to set it up so that when someone logs into a Cisco switch it authenticates in a centralized location. I have set up the switch according to Cisco documents, but when I log in to the switch it hangs, then says % backup authentication
mikebernhardt Commented:
Please post the Cisco config (leave out all the port stuff and xxxx out the passwords, they don't matter here). Once I see that I can tell you what's wrong and/or what you need to do with IAS.
wrwiii12 Author Commented:
Here's a stripped-down version. It seems to be going to the server OK, but Microsoft has been on the phone for 4 hours trying to fix it in IAS with no luck. The event log says "The user attempted to use an authentication method that is not enabled on the matching remote access policy." We even went as far as deleting all policies. I just want to make sure the switch is right. It is a 3550 and 2950 (I tried 2 to eliminate problems with it).

sho run
Building configuration...

Current configuration : 2623 bytes
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Switch
aaa new-model
aaa group server radius test
 server auth-port 1812 acct-port 1813
aaa authentication login default group radius
aaa authorization exec default group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
enable secret 5 $1$iXUo$rssWe1xxsoQyTLPf2VwmH0
enable password cisco1
ip subnet-zero
ip address
ip classless
ip http server
radius-server host auth-port 1812 acct-port 1813 key apple
radius-server retransmit 3
radius-server key apple
radius-server vsa send accounting
radius-server vsa send authentication
OK... first of all, for your testing purposes dump these 3 lines:
no aaa authorization exec default group radius
no aaa accounting exec default start-stop group radius
no aaa accounting network default start-stop group radius

This doesn't do anything at the moment:
no aaa group server radius test

and just to make sure I always have access, I like to add this to the authentication line:
aaa authentication login default group radius enable
which means that if the radius server doesn't reply for some reason, you will be asked for a password only, which will be the enable password.

Assuming that you've created the client correctly in IAS, you also need to permit PAP authentication in the IAS policy you've created. This is probably why you're getting the message Microsoft seems stumped on.
dodgechargerfan Commented:
Just a guess but I don't see where you've applied the authentication list to the lines that you want to have authenticate against the radius server.

This assumes that I've understood your question correctly. You are trying to control access to the switch management interface (console, telnet, etc.) using RADIUS, correct?

line [console | tty | vty] line-number [ending-line-number]
-----Enter line configuration mode, and configure the lines to which you want to apply the authentication list.

login authentication {default | list-name}
-----Apply the authentication list to a line or set of lines.
-----•If you specify default, use the default list created with the aaa authentication login command.
-----•For list-name, specify the list created with the aaa authentication login command.
By the way, I like to do this for the console port; otherwise RADIUS will be active there too, and if there's a problem with the server then I can't get in without breaking in, which isn't fun when the switch is in production:

aaa authentication login console-auth line

line con 0
 login authentication console-auth
 password my-password
wrwiii12 Author Commented:
OK, maybe I just don't know what I am doing when it comes to this. I just got off the phone with Microsoft. What would a config look like from scratch to use RADIUS to a server using the key apple? I would like to use it for AAA. Also, where do you set the access level for users?
Basically your Cisco config was fine.

I suspect the only thing that was actually causing an authentication problem is that you need to have the PAP box checked under the authentication methods in the IAS policy. After you create the policy, open it and make sure that "Grant remote access permission" is checked. Then click on "Edit profile" and go to the Authentication tab. Check the "Unencrypted authentication" checkbox (do NOT check the one below it). Click Apply and then try it.

RADIUS has very limited support for authorization, which includes access levels. You can set the privilege level as part of the IAS policy in the Advanced tab using the correct syntax, but it will affect anyone matching that policy. Also, the switch would need to have a bunch of privilege levels set for commands that you want to restrict. For example, the default privilege on login is 1. The privilege required to get into enable mode is 0, so anyone can go to enable mode. You can change the level required for enable to, say, 2 with "privilege exec level 2 enable", so unless someone is at level 2 they can't use enable.

Then you create 2 IAS policies: one that matches a Windows group containing people that can use enable, which sets their privilege level to 2 when they log in, and another that does the default. This is really the only authorization that Cisco and RADIUS can do together.
You can leave your accounting lines in your config. But the authorization line is telling the switch to use RADIUS to determine permissions, and it can't do that.

To set the login privilege level to 2 in IAS, go to the Advanced tab, click add, select Cisco AV-Pair and click add. In the attribute box, type in
and click apply, etc.
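As an added example (not code from the thread, Cisco or Microsoft), a small Python audit of the config points raised in the answers above: a fallback method after "group radius" on the default login list, the exec authorization line that RADIUS cannot honour, and whether each line has a login list applied and the console does not depend on RADIUS. The sample config is constructed to mirror the thread's recommendations; the finding texts are the example's own wording.

```python
# Constructed sample, not a real device dump: the thread's stripped-down IOS
# config plus the line and fallback additions the answers recommend.
SAMPLE_CONFIG = """\
aaa authentication login default group radius enable
aaa authentication login console-auth line
aaa authorization exec default group radius
line con 0
 login authentication console-auth
line vty 0 4
 login authentication default
"""

def parse_sections(config):
    """Split an IOS config into {'global': [...], 'line con 0': [...], ...}."""
    sections, current = {"global": []}, "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("line "):        # entering line configuration mode
            current = raw.strip()
            sections[current] = []
            continue
        if not raw.startswith(" "):        # unindented: back to global config
            current = "global"
        sections[current].append(raw.strip())
    return sections

def audit_aaa(config):
    """Return findings for the RADIUS login points raised in the thread."""
    sections = parse_sections(config)
    lists = {}                             # login list name -> method words
    for cmd in sections["global"]:
        p = cmd.split()
        if p[:3] == ["aaa", "authentication", "login"]:
            lists[p[3]] = p[4:]
    findings = []
    default = lists.get("default", [])
    if "radius" in default and default[-1] not in ("enable", "local", "line"):
        findings.append("default login list has no fallback after group radius")
    if "aaa authorization exec default group radius" in sections["global"]:
        findings.append("exec authorization via RADIUS: drop it while testing")
    for name, cmds in sections.items():
        if name == "global":
            continue
        applied = [c.split()[-1] for c in cmds if c.startswith("login authentication ")]
        if not applied:
            findings.append(f"{name}: no login authentication list applied")
        elif name.startswith("line con") and "radius" in lists.get(applied[0], []):
            findings.append(f"{name}: console is locked out if RADIUS is unreachable")
    return findings
```

Running audit_aaa(SAMPLE_CONFIG) leaves only the authorization finding; feeding it the originally posted config (no fallback, no lists applied to lines) reports each of the thread's points.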