Cisco AAA login authentication with Radius (MS IAS)
Posted by Josh on Wed 7 Mar 2007Categories: Cisco , Cisco Routers , Windows - [84] Comments
Click to play tutorial:
This document will give you the bare minimum to provide RADIUS authentication to your Cisco Devices using Microsoft Internet Authentication Service (IAS) RADIUS server. Using RADIUS on your Microsoft server to authenticate Cisco devices allows you to use the same usernames and passwords on your Windows servers and Cisco devices.
Steps
1) Install IAS
2) Configure IAS
3) Configure Cisco Device
4) Test
=========================================
1) Install IAS
=========================================
Click "Start > Control Panel > Add & Remove Programs"
Click "Add/Remove Windows Components"
Double-Click "Networking Services"
Select "Internet Authentication Service"
Click "Ok"
=========================================
2) Configure IAS
=========================================
Click "Start>Programs>Administrative Tools>Internet Authentication Service"
*** Create Remote access Policy *** (left Pane)
Select "Remote Access Policies"
(right pane) Delete all policies
(right pane) Right-Click and Select "New Remote Access Policy"
Click "Next" Select "Set up a custom policy" and give it a name
Click "Next"
Click "Add"
Select "Windows Groups"
Click "Add" Type "Domain Admins" (or any other group you would like to use)
Click "Ok"
Click "Next"
Select "Grant remote access permission"
Click "Next"
Click "Edit Profile"
Select the "Authentication" tab
Select "Unencrypted Authentication" only
Select the "Advanced" tab
Change the service-type from "framed" to "login"
Delete "Framed-Protocol" Click "Add"
Select "Vendor Specific" Click "Add"
Select "Cisco" from the drop-down box
Select "Yes. It conforms" Click "Configure Attribute"
Change Attribute Number to "1"
Set the Attribute Format to "String"
Type "shell:priv-lvl=15" in the Attribute Value field
Click "Ok"
Click "Ok"
Click "Close"
If you get an error, select yes or no …. it doesn’t matter.
Click "Next"
Click "Finish"
*** Add Radius Clients ***
(Left Pane) Click "RADIUS Clients"
(Right Pane) Right-Click and click "New Radius Client"
Give the client a friendly name and enter the ip address
Click "Next"
Enter a shared secret password
Click "Finish"
=========================================
3) Configure Cisco Device
=========================================
*** IOS Configuration ***
aaa new-model
radius-server host 192.168.10.100 key P@ssw0rd
ip radius source-interface f0/0
aaa authentication login default group radius
local line vty 0 4
login authentication default
*** PIX Configuration ***
username blindhog password Raz0rb4ck
aaa-server RADIUS (inside) host 192.168.10.100 P@ssw0rd
aaa-server LOCAL protocol local
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
Update: If you are having problems, here are a few holes in my tutorial … sorry – Josh
- Add ‘aaa authorization exec default group radius’ to your router config to get privilege level 15.
- Verify in the test user’s properties in Active Directory that you have ‘Allow Access’ selected under the Dial-in tab.
April 13th, 2007 at 5:41 pm
Working great !
April 22nd, 2007 at 4:08 am
Works like a charm! Just a little snag, I don’t get level 15 access after authenticating. Do I need to remove some of the standard login stuff?
April 27th, 2007 at 9:19 am
Thanks for the tip. My issue is a little different requirement. I am trying to configure Easy VPN with Windows IAS (RADIUS). I am running Cisco 3845 router.
– Kang Sun
April 28th, 2007 at 1:36 am
to Bengt Bergholm:
check the Vendor Specific Attribute you return to NAS
must be (Cisco-AVPair = “shell:priv-lvl=15″)
April 28th, 2007 at 1:41 am
See also:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml
May 27th, 2007 at 7:27 am
[...] Cisco AAA login authentication with Radius (MS IAS) [...]
June 8th, 2007 at 11:21 am
Very useful, I got my remote access users authenticated to AD instead of a local database on my router.
June 20th, 2007 at 11:19 pm
Hello! Good Site! Thanks you! vymbrvpvcqzme
August 6th, 2007 at 10:21 pm
You Rock! This was a huge help! Thank You! I got 7 routers that we used to have to password sweep down to one place to go make a change! You are as cool as JobTraQ!
September 25th, 2007 at 8:31 am
Thanks! Couldn’t find this anywhere!
October 9th, 2007 at 12:33 pm
Hvala!!!
October 14th, 2007 at 10:45 pm
If you are having problems getting IAS to authenticate go check your event viewer, click on system and there will be your failed attempts and the reason why they failed.
NOTE: You must have both the Remote Access Policy defined (stated above) AND you MUST also define a connection request policy. Just define a connection policy based on RADIUS Standards. Hope this helps, if I would have known this it would have saved me hours.
October 30th, 2007 at 3:06 pm
@ Deaths Head
Thank you very much for your info. I forgot to set the right RAS permisson.
Now it works great!
October 31st, 2007 at 8:08 am
AD intigration with Cisco device using AAA
November 28th, 2007 at 10:09 am
Works like a champ. May i also add that I had to add the line “aaa authorization exec default radius” to allow me to go into enable mode.
As a side note, does anybody know how to use this config with some type of encryption (CHAP, MS-CHAP, etc)?
November 29th, 2007 at 8:51 pm
This was the exact step by step configuration that I have been looking for for several weeks.
February 25th, 2008 at 10:36 pm
Great
Thanks Sir!!!!!!!!!!!!!!!!!!!!!!!!!
March 6th, 2008 at 3:14 am
I followed the manual and can successfully logon to my LAN switch using my AD credentials. Nevertheless I am not getting privilege level 15 – even if I have put the shell:priv-lvl=15 AV into the Radius config and I can see the statement going down to the switch using a radius debug. Anything else that has to be considered?
March 8th, 2008 at 11:14 pm
Martin,
I have had this problem before also but was not able to figure it out. I have to do this…
line vty 0 4
privilege level 15
The only problem is that anyone that us authenticated is given privilege level 15 access.
Josh
April 8th, 2008 at 10:07 am
The problem is that this line has been forgotten in the configuration of the switch/router:
aaa authorization exec default group radius
If you enter this, you should be able to get level 15 access.
Regards,
Marc
April 15th, 2008 at 1:49 pm
I tried everything suggested here, but I am not able to get level 15 access. I am using a 2950 switch.
April 15th, 2008 at 2:27 pm
@Marc, Thank you for sharing! – Josh
June 18th, 2008 at 3:50 pm
My authentication is hitting the server but not completing. I keep receiving this in the Event Viewer but can’t seem to correct it.
Reason = The connection attempt failed because remote access permission for the user account was denied. To allow remote access, enable remote access permission for the user account, or, if the user account specifies that access is controlled through the matching remote access policy, enable remote access permission for that remote access policy.
June 18th, 2008 at 8:51 pm
@Bryan,
You might check the user’s profile to make sure the user is allowed ‘dialin access’
Josh
July 11th, 2008 at 11:07 pm
i was able to implement this solution easily, good work. But this screwed up my routing and remote access server on my winbox. Prior to installing IAS, i had my VPN server authenticate via AD, but now i get the following error message whenever a client trys to log in.
“Authentication server did not respond to authentication requests in a timely fashion”
I have tried to use IAS as vpn authentication, but no luck yet. Might have to revert this configuration to get VPN server back up. Thx anyway !
July 19th, 2008 at 8:30 pm
@ R3AP3R,
hmmm… followed the instructions verbatim?
See the part under:
2) Configure IAS
> Select “Remote Access Policies”
> (right pane) Delete all policies
Just thinking out loud…
Perhaps you deleted the default policies as instructed? If so you will want to put these policies back in place for your MS PPTP or L2TP VPN tunnels to authenticate from IAS again.
jk
July 19th, 2008 at 8:41 pm
@ Kang Sun
Have you resolved the IAS / Cisco EasyVPN question yet? I too am working on the exact same thing. Any available information will be appreciated. I’ll work on cracking the nut and post results back here again.
jk
July 25th, 2008 at 6:05 pm
Does anyone know if IAS has to be on a DC? I have tried it on a stand-alone and it worked fine. Also works fine on a DC. But if I try it from a server that is a member of the same domain it does not function properly. I get a Reason-Code-16 error from IAS about an incorrect username or password. Thanks!
Joe
July 28th, 2008 at 7:29 am
Joe,
I am not sure. I have always performed this on a DC. Hopefully someone else will have an answer for us.
Josh
August 1st, 2008 at 3:58 am
[...] blindhog.net » Cisco AAA login authentication with Radius (MS IAS) [...]
August 3rd, 2008 at 11:32 am
It works fine on non-DC server, the only thing need it’s that machine must be domain-registered (not on a workgroup), also this machine (in my case) it’s domain-registered on my local root domain, but the users are all from parent domains, so if you something similar, you must add the machine to RAS AD group in parent domains where remote users belongs too.
August 6th, 2008 at 7:55 am
ntex,
Thanks for the contribution….I didn’t know. I have always set this up on a DC.
Josh
August 14th, 2008 at 2:06 pm
I like to connected the router via telnet over to VPN. What I need to do? Over normal link not have problem.
Thanks
August 14th, 2008 at 9:32 pm
Alexi,
I guess I don’t understand what you are asking.
Josh
August 15th, 2008 at 9:21 am
Josh
I Like authenticate and authorizate the access to the router over a VPN, each router have an independent internet connection.
thanks
November 12th, 2008 at 8:00 am
I followed the instructions line by line and I am still unable to set lower priviledge levels and suggestions
November 17th, 2008 at 11:36 am
James,
Check out comments 18, 19 and 20.
Mainly 20.
Josh
November 28th, 2008 at 3:51 am
Thanks for this great video! Would just like to add a couple of things.
If there’s a firewall in between the IAS server & the Cisco device, you’ll have to permit RADIUS traffic eg.
access-list name_of_access_list extended permit udp host ip_add_of_cisco_device host ip_add_of_ias_server eq radius
As “Deaths Head” mentioned (comment 12), you MUST have a “Connection request policy”.
For mine, I simply put 1 policy condition:
Client-Vendor matches “Cisco”
December 9th, 2008 at 8:16 am
Hey guys,I’m getting the error below,any suggestions on what I’m doing wrong?
User brianx was denied access.
Fully-Qualified-User-Name = mydoman\brianx
NAS-IP-Address = 172.16.2.1
NAS-Identifier =
Called-Station-Identifier =
Calling-Station-Identifier = 172.16.2.103
Client-Friendly-Name = local-ROUTER
Client-IP-Address = 172.16.2.1
NAS-Port-Type = Virtual
NAS-Port = 194
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = PAP
EAP-Type =
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
January 9th, 2009 at 7:50 am
Works fine for me…I have started implementing this on all my routers…excellent document
January 15th, 2009 at 9:49 am
bcx-lab#
*Mar 1 02:41:05.063: AAA/BIND(00000013): Bind i/f
*Mar 1 02:41:17.523: AAA/AUTHOR (0×13): Pick method list ‘default’ – FAIL
*Mar 1 02:41:17.531: AAA/AUTHOR/EXEC(00000013): Authorization FAILED
This is the message I’m getting,I’m finally managing to do authentication,I had to change the “dial-in” in the user profile properties
January 15th, 2009 at 11:28 am
finally i have finished this,I think I wasn’t paying attention to small things.I just want to see the posibility of using multiple groups with different privileges now.
February 10th, 2009 at 10:18 am
The authentication is working fine for me, but the “shell:priv-lvl=x” is not. No matter what priv level I replace the x with, I end up in exec mode. Then once I enter privileged mode, a show privilege gives me 15.
How exactly can I limit the priv level that a user can elevate to?
thanks,
Will
March 20th, 2009 at 11:53 am
Every time i come here I am not dissapointed, nice post
April 4th, 2009 at 1:54 am
I’m having the same issue as Bibo. Has anyone else encountered this problem? Any suggestions?
Thanks!
April 4th, 2009 at 2:00 am
After reading further, I see Bibo’s AAA debug. Here is mine and it is a little different than Bibo’s.
000161: Apr 4 01:58:24.111 MDT: AAA/BIND(00000050): Bind i/f
000162: Apr 4 01:58:24.115 MDT: AAA/AUTHEN/LOGIN (00000050): Pick method list ‘
access’ radius_decrypt: null length
radius_decrypt: null length
radius_decrypt: null length
radius_decrypt: null length
000163: Apr 4 01:58:50.216 MDT: AAA/AUTHEN/LOGIN (00000050): Pick method list ‘
access’
April 4th, 2009 at 2:55 pm
My problem is resolved now. I wiped out all AAA configs in the router and redid them. It’s all good now. Thanks for this post!!
April 19th, 2009 at 8:19 am
Brian,
Glad you were able to get it fixed!
Josh
April 20th, 2009 at 11:15 pm
It says Authentication Failed when I try to telnet the router . I have also tried changing the IOS but the problem remains the same . I think the problem is with the IAS
April 21st, 2009 at 7:45 am
Mate, you’re a star, there’s always someone who has a reality walkthrough rather than the hard reading docs!
April 21st, 2009 at 10:13 pm
@Mistabe
I am not able to get the client authenticated , the Router says
*Mar 1 02:30:54.967: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.16.1.243:1812,1813 is not responding.
*Mar 1 02:30:54.971: AAA/MEMORY: free_user (0x64CA07A8) user=’Administrator’ ruser=’NULL’ port=” rem_addr=’NULL’ authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
*Mar 1 02:30:54.971: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.16.1.243:1812,1813 is being marked alive.
When I telnet into the router it asks for username and then password then after few seconds it says that Authentication failed , When i am checking the event manager it shows a Sucess of Radius in Security Audit
April 22nd, 2009 at 1:41 am
THanks……
Working fine… I reinstalled Windows Server , the GPO crashed.
Now its working fine
April 29th, 2009 at 8:24 am
This is great but I am looking to set this up for WLAN access through Cisco Wireless Controllers. Any thoughts on the procedure?
May 20th, 2009 at 2:50 am
i cant work with this
where my server ip 192.168.7.20
device ip 192.168.0.241
cient pc ip from where i access 192.168.0.241 is 192.168.0.35
here i give the logging message at the time of login.
can u help me pls
*May 20 08:42:42.659: RADIUS/ENCODE(0000000B): ask “Username: ”
*May 20 08:42:42.659: RADIUS/ENCODE(0000000B): send packet; GET_USER
*May 20 08:42:51.939: RADIUS/ENCODE(0000000B): ask “Password: ”
*May 20 08:42:51.939: RADIUS/ENCODE(0000000B): send packet; GET_PASSWORD
*May 20 08:43:02.799: RADIUS/ENCODE(0000000B):Orig. component type = EXEC
*May 20 08:43:02.799: RADIUS: AAA Unsupported Attr: interface [158] 6
*May 20 08:43:02.799: RADIUS: 74 74 79 31
[tty1]
*May 20 08:43:02.799: RADIUS/ENCODE(0000000B): dropping service type, “radius-se
rver attribute 6 on-for-login-auth” is off
*May 20 08:43:02.799: RADIUS(0000000B): Config NAS IP: 192.168.0.241
*May 20 08:43:02.799: RADIUS/ENCODE(0000000B): acct_session_id: 6
*May 20 08:43:02.799: RADIUS(0000000B): sending
*May 20 08:43:02.799: RADIUS(0000000B): Send Access-Request to 192.168.7.20:1812
id 1645/9, len 83
*May 20 08:43:02.799: RADIUS: authenticator 2C B1 C9 37 C8 ED 41 96 – FB C4 A7
F0 0A 64 86 21
*May 20 08:43:02.799: RADIUS: User-Name [1] 5 “csm”
*May 20 08:43:02.799: RADIUS: User-Password [2] 18 *
*May 20 08:43:02.799: RADIUS: NAS-Port [5] 6 195
*May 20 08:43:02.799: RADIUS: NAS-Port-Id [87] 8 “tty195″
*May 20 08:43:02.799: RADIUS: NAS-Port-Type [61] 6 Virtual
[5]
*May 20 08:43:02.803: RADIUS: Calling-Station-Id [31] 14 “192.168.0.35″
*May 20 08:43:02.803: RADIUS: NAS-IP-Address [4] 6 192.168.0.241
*May 20 08:43:02.811: RADIUS: Received from id 1645/9 192.168.7.20:1812, Access-
Reject, len 20
*May 20 08:43:02.811: RADIUS: authenticator 8E 99 88 14 F5 14 1D 7F – 00 6D 4A
4F 53 D0 52 D8
*May 20 08:43:02.811: RADIUS(0000000B): Received from id 1645/9
*May 20 08:43:04.811: RADIUS/ENCODE(0000000B): ask “Username: ”
*May 20 08:43:04.811: RADIUS/ENCODE(0000000B): send packet; GET_USER
June 5th, 2009 at 11:21 pm
The site was really perfact and my cisco devices are working with IAS
June 8th, 2009 at 2:37 pm
I am not able to view the video, it shows error on page. Can you please re-upload it.
Thanks
Sandeep
June 18th, 2009 at 7:55 am
I am using the above on all my routers with no problems. Thanx.
However, on the Catalyst switches running CatOS, the initial connect validates OK, but the user is not in enable. When attempting to enter enable mode, the username is apparently hardcoded to
$enabl15$. I can (and will) create this username on my DC, but I was wondering if anyone had a way to make the shell:priv-lvl=15 take the initial login straight to enable mode.
July 6th, 2009 at 11:40 pm
This is a great post. I have implemented on my network devices and works fine.
Thanks
July 10th, 2009 at 8:43 pm
Great help thanks.
July 16th, 2009 at 2:18 pm
Really helpful post here. I just wanted to add in my information for setting up the privileged 15 access on a router/switch.
Following Marcs post above to allow authorization you need to add
aaa authorization exec default group radius
and then also add
line vty 0 4
authorization exec default.
Then assuming you added the vendor specific attribute string “shell:priv-lvl=15″ it should take specified usernames directly to privileged mode on login.
July 18th, 2009 at 9:49 am
I followed all the steps everything is setup as shown in these posts, but i still can’t authenticate my users,
Whe i try to access with a test account that is a member of the group i authorized, the authentication fails on the switch IAS logs a access-request then an access-reject message and when i open the systems event log it says that the reason was becouse the username or incorrect password was used, after a few tries the account locks in active directory and IAS starts logging that the account is locked.
Please help i might be doing something wrong
July 20th, 2009 at 1:16 pm
In response to Nsilu:
Verify in the test user’s properties in Active Directory that you have ‘Allow Access’ selected under the Dial-in tab.
July 20th, 2009 at 1:35 pm
Thanks John!
August 5th, 2009 at 12:23 am
Thanks for this helpful article!
You dont need dial in access enabled for this to work though.. its working fine here without that setting.
August 13th, 2009 at 3:33 am
Good effort for making the video!
I still encounter problem for authenticating the switch with radius user. It cant telnet! May I know how the switch identify the radius user?
August 19th, 2009 at 12:31 am
I have got it done! thank you!
August 30th, 2009 at 11:42 pm
It works. Thank you very much.
September 19th, 2009 at 11:25 pm
All i can really say is THANK YOU… from dynamips, to vpns, ias etc. Amazing resources
October 6th, 2009 at 10:30 am
Hi,
I’ve followed this guide one by one, but I still cannot authenticate, the cisco debug messages say something about “decrypt fail”
I’ve checked and double checked the shared key on both sides, that’s not the problem.
Also, regarding the update that says
“Verify in the test user’s properties in Active Directory that you have ‘Allow Access’ selected under the Dial-in tab.”
Well, I don’t have that “Dial-In” tab at all!!
One weird thing is that during some tests, I suceeded logging in but the privilege wasn’t set, but this was from a console port, from telnet I coudln’t even log in, isn’t it weird?
October 17th, 2009 at 2:42 pm
Hi,
I’ve been trying to get this working from a couple of Cisco devices authenticating/authorizing against Microsoft SBS 2008.
I got the authentication bit working quite easily but was stuggling with getting EXEC level 15 access.
I tried the suggestions in these comments but found that I had to add the following to the NPS part on SBS.
As well as the shell:priv-lvl=15 I added
Service-Type := Administrative
This made it work for me.
October 19th, 2009 at 11:35 pm
first time doing this i was just wondering what ip address should you put under the “New Radius Client” setup? …pardon the novice question….J Dub
November 6th, 2009 at 2:15 pm
I have the same problem. I have it working on some of my firewalls, routers and switches but when I add the aaa config on new switches I get ‘authentication failed’. I get the message really fast so it seems that I am not communicationg with the RSA Server. Here is my config.
aaa new-model
aaa authentication login group group radius
aaa accounting exec group start-stop group radius
aaa accounting network group start-stop group radius
radius-server host 172.16.1.161 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key (shared key)
Anyone have any ideas????
November 12th, 2009 at 6:58 am
Great walk though and got me up and running for the log in, but I still cant get it to auto logme in at privilage level 15?
do i need a
aaa authorisation mode set up as well?
I really would like to get this working, as I need to be able to get people logging on with mutiply view and if I can intergrate it in to AD this would be great.
I am also looking at 802.1x portbased authentication and this is a nice step in the right direction..
Cheers..
November 12th, 2009 at 7:09 am
having looked at the debug the problem is not haveing an authorisation method set up
aaa authorization exec default group radius local
this then seems to work fine.
whith out this command the debug error was showing
*Mar 1 05:01:40.058: AAA/BIND(00000009): Bind i/f
*Mar 1 05:01:40.058: AAA/AUTHEN/LOGIN (00000009): Pick method list ‘first’
*Mar 1 05:01:40.074: AAA/AUTHOR (00000009): Method list id=0 not configured. Skip author
now it shows
*Mar 1 05:03:26.742: AAA/BIND(0000000A): Bind i/f
*Mar 1 05:03:26.742: AAA/AUTHEN/LOGIN (0000000A): Pick method list ‘first’
*Mar 1 05:03:26.754: AAA/AUTHOR/EXEC(0000000A): processing AV priv-lvl=15
*Mar 1 05:03:26.754: AAA/AUTHOR/EXEC(0000000A): processing AV priv-lvl=15
*Mar 1 05:03:26.754: AAA/AUTHOR/EXEC(0000000A): processing AV service-type=6
*Mar 1 05:03:26.754: AAA/AUTHOR/EXEC(0000000A): Authorization successful
December 12th, 2009 at 10:44 pm
hi,
I have got the authentication right. But i want to set different privelege levels for users depending on their roles. Plz let me know how tis can be done.
I have tried changing the parameters in the shell command for the attribute value.
December 17th, 2009 at 11:21 pm
A very nice write up.
Can you please let me know why Select “Unencrypted Authentication” only is used.
Is it by anyway insecure mechanism while cisco devices send login credentials to IAS server for authentication?
Does CHAP or any other secure encryption be used between cisco devices and IAS radius server?
Thanks
March 17th, 2010 at 8:06 am
Very helpful, thanks.
One question though, if the RADIUS Server fails can I still connect to the device using telnet ?
April 8th, 2010 at 12:59 am
Very helpful, thanks.
One question though, if the RADIUS Server fails can I still connect to the device using telnet ?
=====================
Yes. You need to define a local user database and add a second authentication method which is local authentication.
!
username user password test123
!
enable secret test321
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
!
April 8th, 2010 at 1:45 pm
Thanks for helping out Sam!
June 4th, 2010 at 7:29 am
Do you have any info on authenticating a cisco 1250 wireless access point with an IAS server. Thanks
June 11th, 2010 at 2:30 am
Thnx alot Anthony!!
I had troubles with the authorization part with a 2008 standard radius server.
The Service-Type := Administrative did the trick! Works fine now!
June 20th, 2010 at 12:26 pm
[...] http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/ Categories: Cisco Tags: Cisco Comments (0) Trackbacks (0) Leave a comment Trackback [...]
August 31st, 2010 at 2:21 pm
NOTE: I struggled to get authentication/authorization working. Kept getting decrypt fail errors. Finally found that Cisco doesn’t support some characters (my radius key was built like helloworld#9 and the show run came back as helloworld09). Watch out for special character issues on radius keys!
August 31st, 2010 at 3:40 pm
Joe,
Thanks for the great tip!
Josh