https://community.cisco.com/t5/network-access-control/configuring-ios-authentication-with-windows-ias/m-p/841384#M407823 <P>I've successfully configured both a test switch (Catalyst 3560) and Windows Server 2003 IAS to allow RADIUS authentication on the switch. The problem I'm having is that the switch will apparently allow anyone who can authenticate through IAS to access the switch. In testing with a non-admin account, I found that IAS is allowing this account to authenticate through a lower ranked policy which is used for generic VPN access. I thought I could control this by using a named list on the switch in the aaa authentication command, but it doesn't seem to be working.</P><P>Relevant switch config:</P><P>aaa new-model</P><P>aaa authentication login NetworkAdmin group radius local </P><P>!</P><P>!</P><P>radius-server host 172.16.0.42 auth-port 1645 acct-port 1646 key &lt;key removed&gt;</P><P>radius-server source-ports 1645-1646</P><P>!</P><P>line vty 0 4</P><P> login authentication NetworkAdmin</P><P>line vty 5 15</P><P> login authentication NetworkAdmin</P><P></P><P>On the IAS server, NetworkAdmin is the name of a policy, which points to a specific AD group.</P><P>Am I missing something in the config? I only want to allow this one group logon access to this test switch.</P><P></P><P></P> Sun, 10 Mar 2019 22:37:41 GMT jeff.velten 2019-03-10T22:37:41Z https://community.cisco.com/t5/network-access-control/configuring-ios-authentication-with-windows-ias/m-p/841384#M407823 <P>I've successfully configured both a test switch (Catalyst 3560) and Windows Server 2003 IAS to allow RADIUS authentication on the switch. The problem I'm having is that the switch will apparently allow anyone who can authenticate through IAS to access the switch. In testing with a non-admin account, I found that IAS is allowing this account to authenticate through a lower ranked policy which is used for generic VPN access. I thought I could control this by using a named list on the switch in the aaa authentication command, but it doesn't seem to be working.</P><P>Relevant switch config:</P><P>aaa new-model</P><P>aaa authentication login NetworkAdmin group radius local </P><P>!</P><P>!</P><P>radius-server host 172.16.0.42 auth-port 1645 acct-port 1646 key &lt;key removed&gt;</P><P>radius-server source-ports 1645-1646</P><P>!</P><P>line vty 0 4</P><P> login authentication NetworkAdmin</P><P>line vty 5 15</P><P> login authentication NetworkAdmin</P><P></P><P>On the IAS server, NetworkAdmin is the name of a policy, which points to a specific AD group.</P><P>Am I missing something in the config? I only want to allow this one group logon access to this test switch.</P><P></P><P></P> Sun, 10 Mar 2019 22:37:41 GMT https://community.cisco.com/t5/network-access-control/configuring-ios-authentication-with-windows-ias/m-p/841384#M407823 jeff.velten 2019-03-10T22:37:41Z https://community.cisco.com/t5/network-access-control/configuring-ios-authentication-with-windows-ias/m-p/841385#M407824 <HTML><HEAD></HEAD><BODY><P>Change the aaa line to "aaa authentication login default group radius line" and add "login authentication connect" command under line vty 0 4. Following link may help you</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a0080094501.shtml#windows2000" target="_blank">http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a0080094501.shtml#windows2000</A></P></BODY></HTML> Mon, 04 Feb 2008 19:34:36 GMT https://community.cisco.com/t5/network-access-control/configuring-ios-authentication-with-windows-ias/m-p/841385#M407824 didyap 2008-02-04T19:34:36Z https://community.cisco.com/t5/network-access-control/configuring-ios-authentication-with-windows-ias/m-p/841386#M407825 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply. This is how I had things set up initially. The problem is that users able to login under a lower-ranking remote access policy for VPN can gain access to the switch. I only want the NetworkAdmin group to have access. I'd also rather not filter by client IP, as we have several switches across multiple VLANs that I would like to roll this out to once it's working.</P></BODY></HTML> Tue, 05 Feb 2008 16:22:17 GMT https://community.cisco.com/t5/network-access-control/configuring-ios-authentication-with-windows-ias/m-p/841386#M407825 jeff.velten 2008-02-05T16:22:17Z https://community.cisco.com/t5/network-access-control/configuring-ios-authentication-with-windows-ias/m-p/841387#M407826 <HTML><HEAD></HEAD><BODY><P>you can use the NAR that can solve your need</P></BODY></HTML> Thu, 07 Feb 2008 12:55:19 GMT https://community.cisco.com/t5/network-access-control/configuring-ios-authentication-with-windows-ias/m-p/841387#M407826 datou1984923 2008-02-07T12:55:19Z