Comments on: Cisco AAA login authentication with Radius (MS IAS)

By: RADIUS Authentication for Cisco Router Logins « Aaron Walrath – Another IT Guy's Meanderings

Sun, 20 Jun 2010 18:26:24 +0000

[...] http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/ Categories: Cisco Tags: Cisco Comments (0) Trackbacks (0) Leave a comment Trackback [...]

By: Frank

Frank — Fri, 11 Jun 2010 08:30:12 +0000

Thnx alot Anthony!!

I had troubles with the authorization part with a 2008 standard radius server.

The Service-Type := Administrative did the trick! Works fine now!

By: Hugh

Hugh — Fri, 04 Jun 2010 13:29:29 +0000

Do you have any info on authenticating a cisco 1250 wireless access point with an IAS server. Thanks

By: Josh

Josh — Thu, 08 Apr 2010 19:45:04 +0000

Thanks for helping out Sam!

By: Sam

Sam — Thu, 08 Apr 2010 06:59:56 +0000

Very helpful, thanks.

One question though, if the RADIUS Server fails can I still connect to the device using telnet ?

=====================

Yes. You need to define a local user database and add a second authentication method which is local authentication.
!
username user password test123
!
enable secret test321
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
!

By: David

David — Wed, 17 Mar 2010 14:06:36 +0000

Very helpful, thanks.

One question though, if the RADIUS Server fails can I still connect to the device using telnet ?

By: Nitya

Nitya — Fri, 18 Dec 2009 05:21:08 +0000

A very nice write up.
Can you please let me know why Select “Unencrypted Authentication” only is used.

Is it by anyway insecure mechanism while cisco devices send login credentials to IAS server for authentication?

Does CHAP or any other secure encryption be used between cisco devices and IAS radius server?

Thanks

By: amit vaity

amit vaity — Sun, 13 Dec 2009 04:44:15 +0000

hi,

I have got the authentication right. But i want to set different privelege levels for users depending on their roles. Plz let me know how tis can be done.

I have tried changing the parameters in the shell command for the attribute value.

By: Aaron

Aaron — Thu, 12 Nov 2009 13:09:05 +0000

having looked at the debug the problem is not haveing an authorisation method set up

aaa authorization exec default group radius local

this then seems to work fine.

whith out this command the debug error was showing

*Mar 1 05:01:40.058: AAA/BIND(00000009): Bind i/f
*Mar 1 05:01:40.058: AAA/AUTHEN/LOGIN (00000009): Pick method list ‘first’
*Mar 1 05:01:40.074: AAA/AUTHOR (00000009): Method list id=0 not configured. Skip author

now it shows

*Mar 1 05:03:26.742: AAA/BIND(0000000A): Bind i/f
*Mar 1 05:03:26.742: AAA/AUTHEN/LOGIN (0000000A): Pick method list ‘first’
*Mar 1 05:03:26.754: AAA/AUTHOR/EXEC(0000000A): processing AV priv-lvl=15
*Mar 1 05:03:26.754: AAA/AUTHOR/EXEC(0000000A): processing AV priv-lvl=15
*Mar 1 05:03:26.754: AAA/AUTHOR/EXEC(0000000A): processing AV service-type=6
*Mar 1 05:03:26.754: AAA/AUTHOR/EXEC(0000000A): Authorization successful

By: Aaron

Aaron — Thu, 12 Nov 2009 12:58:45 +0000

Great walk though and got me up and running for the log in, but I still cant get it to auto logme in at privilage level 15?

do i need a

aaa authorisation mode set up as well?

I really would like to get this working, as I need to be able to get people logging on with mutiply view and if I can intergrate it in to AD this would be great.

I am also looking at 802.1x portbased authentication and this is a nice step in the right direction..

Cheers..