Wed 7 Mar 2007
Cisco AAA login authentication with Radius (MS IAS)
Posted by Josh under Cisco, Cisco Routers, Windows
This document gives you the bare minimum needed to provide RADIUS authentication for your Cisco devices using the Microsoft Internet Authentication Service (IAS) RADIUS server. Using RADIUS on your Microsoft server to authenticate Cisco device logins lets you use the same usernames and passwords on your Windows servers and your Cisco devices.
Steps
1) Install IAS
2) Configure IAS
3) Configure Cisco Device
4) Test
=========================================
1) Install IAS
=========================================
Click "Start > Control Panel > Add & Remove Programs"
Click "Add/Remove Windows Components"
Double-Click "Networking Services"
Select "Internet Authentication Service"
Click "Ok"
=========================================
2) Configure IAS
=========================================
Click "Start>Programs>Administrative Tools>Internet Authentication Service"
*** Create Remote Access Policy *** (left pane)
Select "Remote Access Policies"
(right pane) Delete all policies
(right pane) Right-Click and Select "New Remote Access Policy"
Click "Next" Select "Set up a custom policy" and give it a name
Click "Next"
Click "Add"
Select "Windows Groups"
Click "Add" Type "Domain Admins" (or any other group you would like to use)
Click "Ok"
Click "Next"
Select "Grant remote access permission"
Click "Next"
Click "Edit Profile"
Select the "Authentication" tab
Select "Unencrypted Authentication" only
Select the "Advanced" tab
Change the service-type from "framed" to "login"
Delete "Framed-Protocol" Click "Add"
Select "Vendor Specific" Click "Add"
Select "Cisco" from the drop-down box
Select "Yes. It conforms" Click "Configure Attribute"
Change Attribute Number to "1"
Set the Attribute Format to "String"
Type "shell:priv-lvl=15" in the Attribute Value field
Click "Ok"
Click "Ok"
Click "Close"
If you get an error, select Yes or No; it doesn't matter.
Click "Next"
Click "Finish"
*** Add Radius Clients ***
(Left Pane) Click "RADIUS Clients"
(Right Pane) Right-Click and click "New Radius Client"
Give the client a friendly name and enter the IP address of the Cisco device
Click "Next"
Enter a shared secret password
Click "Finish"
=========================================
3) Configure Cisco Device
=========================================
*** IOS Configuration ***
aaa new-model
radius-server host 192.168.10.100 key P@ssw0rd
ip radius source-interface f0/0
aaa authentication login default group radius local
line vty 0 4
login authentication default
*** PIX Configuration ***
username blindhog password Raz0rb4ck
aaa-server RADIUS (inside) host 192.168.10.100 P@ssw0rd
aaa-server LOCAL protocol local
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
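To see concretely what the policy from step 2 hands back to the device configured in step 3, here is an added Python example (not code from the original post) that builds an IAS-style Access-Accept carrying Service-Type=Login and the Cisco-AVPair VSA shell:priv-lvl=15, then does what the router does on receipt: verifies the Response Authenticator against the shared secret from the config above before trusting the privilege level. The Request Authenticator and packet identifier are constructed values; attribute numbers follow RFC 2865 (Service-Type 6, Vendor-Specific 26, Cisco Vendor-Id 9, Cisco-AVPair vendor type 1).

```python
import hashlib
import struct
# Constructed values: the shared secret from the tutorial and a fixed Request
# Authenticator standing in for the random one the NAS put in its Access-Request.
SECRET = b"P@ssw0rd"
REQUEST_AUTH = bytes(range(16))

def vsa_cisco_avpair(value: bytes) -> bytes:
    """Encode Cisco-AVPair (Vendor-Id 9, vendor type 1) as a RADIUS VSA (type 26)."""
    vendor_data = struct.pack("!BB", 1, 2 + len(value)) + value
    body = struct.pack("!I", 9) + vendor_data
    return struct.pack("!BB", 26, 2 + len(body)) + body

def service_type(code: int) -> bytes:
    """Service-Type (attribute 6); the tutorial sets it to Login, which is value 1."""
    return struct.pack("!BBI", 6, 6, code)

def build_access_accept(ident: int, attrs: bytes) -> bytes:
    """Access-Accept (code 2) with the RFC 2865 Response Authenticator."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + REQUEST_AUTH + attrs + SECRET).digest()
    return header + resp_auth + attrs

def parse_attrs(blob: bytes):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(blob):
        t, l = blob[i], blob[i + 1]
        if l < 2 or i + l > len(blob):
            raise ValueError("malformed attribute")
        out.append((t, blob[i + 2:i + l]))
        i += l
    return out

def check_accept(pkt: bytes, request_auth: bytes, secret: bytes):
    """Verify the Response Authenticator, then return (service_type, priv_lvl); None if the reply must be discarded."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 2 or length != len(pkt):
        return None
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    if pkt[4:20] != expected:
        return None
    svc = priv = None
    for t, v in parse_attrs(pkt[20:]):
        if t == 6:
            svc = struct.unpack("!I", v)[0]
        elif t == 26 and struct.unpack("!I", v[:4])[0] == 9:
            vtype, vlen = v[4], v[5]
            if vtype == 1 and v[6:4 + vlen].startswith(b"shell:priv-lvl="):
                priv = int(v[6:4 + vlen].split(b"=", 1)[1])
    return svc, priv
```

A reply that fails the authenticator check (for example because the secret in the RADIUS Client entry and the one on the device differ) returns None, which is why a mismatched shared secret shows up on the device as a silent timeout rather than a rejected login.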
April 13th, 2007 at 5:41 pm
Working great !
April 22nd, 2007 at 4:08 am
Works like a charm! Just a little snag, I don’t get level 15 access after authenticating. Do I need to remove some of the standard login stuff?
April 27th, 2007 at 9:19 am
Thanks for the tip. My issue is a little different requirement. I am trying to configure Easy VPN with Windows IAS (RADIUS). I am running Cisco 3845 router.
– Kang Sun
April 28th, 2007 at 1:36 am
to Bengt Bergholm:
check the Vendor Specific Attribute you return to NAS
must be (Cisco-AVPair = "shell:priv-lvl=15")
April 28th, 2007 at 1:41 am
See also:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml
June 8th, 2007 at 11:21 am
Very useful, I got my remote access users authenticated to AD instead of a local database on my router.
August 6th, 2007 at 10:21 pm
You Rock! This was a huge help! Thank You! I got 7 routers that we used to have to password sweep down to one place to go make a change! You are as cool as JobTraQ!
September 25th, 2007 at 8:31 am
Thanks! Couldn’t find this anywhere!
October 9th, 2007 at 12:33 pm
Thanks!!!
October 14th, 2007 at 10:45 pm
If you are having problems getting IAS to authenticate go check your event viewer, click on system and there will be your failed attempts and the reason why they failed.
NOTE: You must have both the Remote Access Policy defined (stated above) AND you MUST also define a connection request policy. Just define a connection policy based on RADIUS Standards. Hope this helps; if I had known this it would have saved me hours.
October 30th, 2007 at 3:06 pm
@ Deaths Head
Thank you very much for your info. I forgot to set the right RAS permission.
Now it works great!
October 31st, 2007 at 8:08 am
AD integration with Cisco device using AAA
November 28th, 2007 at 10:09 am
Works like a champ. May I also add that I had to add the line "aaa authorization exec default radius" to allow me to go into enable mode.
As a side note, does anybody know how to use this config with some type of encryption (CHAP, MS-CHAP, etc)?
November 29th, 2007 at 8:51 pm
This was the exact step by step configuration that I have been looking for for several weeks.
February 25th, 2008 at 10:36 pm
Great
Thanks Sir!!!!!!!!!!!!!!!!!!!!!!!!!
March 6th, 2008 at 3:14 am
I followed the manual and can successfully logon to my LAN switch using my AD credentials. Nevertheless I am not getting privilege level 15 - even if I have put the shell:priv-lvl=15 AV into the Radius config and I can see the statement going down to the switch using a radius debug. Anything else that has to be considered?
March 8th, 2008 at 11:14 pm
Martin,
I have had this problem before also but was not able to figure it out. I have to do this…
line vty 0 4
privilege level 15
The only problem is that anyone that is authenticated is given privilege level 15 access.
Josh
April 8th, 2008 at 10:07 am
The problem is that this line has been forgotten in the configuration of the switch/router:
aaa authorization exec default group radius
If you enter this, you should be able to get level 15 access.
Regards,
Marc
April 15th, 2008 at 1:49 pm
I tried everything suggested here, but I am not able to get level 15 access. I am using a 2950 switch.
April 15th, 2008 at 2:27 pm
@Marc, Thank you for sharing! - Josh
June 18th, 2008 at 3:50 pm
My authentication is hitting the server but not completing. I keep receiving this in the Event Viewer but can’t seem to correct it.
Reason = The connection attempt failed because remote access permission for the user account was denied. To allow remote access, enable remote access permission for the user account, or, if the user account specifies that access is controlled through the matching remote access policy, enable remote access permission for that remote access policy.
June 18th, 2008 at 8:51 pm
@Bryan,
You might check the user’s profile to make sure the user is allowed ‘dialin access’
Josh
July 11th, 2008 at 11:07 pm
I was able to implement this solution easily, good work. But this screwed up my routing and remote access server on my winbox. Prior to installing IAS, I had my VPN server authenticate via AD, but now I get the following error message whenever a client tries to log in.
“Authentication server did not respond to authentication requests in a timely fashion”
I have tried to use IAS as vpn authentication, but no luck yet. Might have to revert this configuration to get VPN server back up. Thx anyway !
July 19th, 2008 at 8:30 pm
@ R3AP3R,
hmmm… followed the instructions verbatim?
See the part under:
2) Configure IAS
> Select “Remote Access Policies”
> (right pane) Delete all policies
Just thinking out loud…
Perhaps you deleted the default policies as instructed? If so you will want to put these policies back in place for your MS PPTP or L2TP VPN tunnels to authenticate from IAS again.
jk
July 19th, 2008 at 8:41 pm
@ Kang Sun
Have you resolved the IAS / Cisco EasyVPN question yet? I too am working on the exact same thing. Any available information will be appreciated. I’ll work on cracking the nut and post results back here again.
jk
July 25th, 2008 at 6:05 pm
Does anyone know if IAS has to be on a DC? I have tried it on a stand-alone and it worked fine. Also works fine on a DC. But if I try it from a server that is a member of the same domain it does not function properly. I get a Reason-Code-16 error from IAS about an incorrect username or password. Thanks!
Joe
July 28th, 2008 at 7:29 am
Joe,
I am not sure. I have always performed this on a DC. Hopefully someone else will have an answer for us.
Josh
August 3rd, 2008 at 11:32 am
It works fine on a non-DC server; the only thing needed is that the machine must be domain-registered (not in a workgroup). Also, this machine (in my case) is domain-registered on my local root domain, but the users are all from parent domains, so if you have something similar, you must add the machine to the RAS AD group in the parent domains where the remote users belong too.
August 6th, 2008 at 7:55 am
ntex,
Thanks for the contribution. I didn't know. I have always set this up on a DC.
Josh
August 14th, 2008 at 2:06 pm
I would like to connect to the router via telnet over a VPN. What do I need to do? Over a normal link there is no problem.
Thanks
August 14th, 2008 at 9:32 pm
Alexi,
I guess I don’t understand what you are asking.
Josh
August 15th, 2008 at 9:21 am
Josh
I would like to authenticate and authorize access to the router over a VPN; each router has an independent internet connection.
thanks