topic Re: rsa/ace server radius authentication in Network Access Control

rsa/ace server radius authentication

FrancisHoban — Sun, 10 Mar 2019 21:50:39 GMT

Hi ,

I am in the process of setting up cisco routers/swithces to authenticate to an RSA/ACE radius server. Basically I would like it to work as follows.

SSH/Telnet to router switch.I have ace side configured. I have added the necessary users to authenticate list on agent host.

Username:joebloggs

Password : ( rsa secure id token here ). Do I have to authenticate then using enable password or what is best practice here ??

router>en

router#

I have the following lines added so far and need some help on the aaa authentication as there seems to be a lot of options

aaa new-model

aaa authentication banner # Connection to this device is for authorized users only #

aaa authentication fail-message # You are not authorized to log on to this device #

radius-server host x.x.x.x auth-port 1645 acct-port 1813

radius-server retransmit 3

radius-server key xxxxxx

Re: rsa/ace server radius authentication

Richard Burts — Wed, 15 Nov 2006 17:17:42 GMT

francis

if you want users who telnet/SSH to vty ports or who are on the console to authenticate with the radius server you should add something like this to your configuration:

aaa authentication login default group radius line

This will send an authentication request to the configured radius server and if there is an error from the radius server (this is different from a negative response) then the router will authenticate using the configured line password. This will work for both telnet and SSH connections and for login from the console.

You are correct that there are quite a few optional parameters. These are to allow flexibility in what is the primary authentication method and what (if any) fall back methods you wish to use.

From user mode going to enable mode you could configure the router to use the enable password/enable secret or you can configure it to use radius. I believe that best practice is to use radius rather than the local enable password/enable secret.

aaa authentication enable default group radius enable

HTH

Rick

Re: rsa/ace server radius authentication

FrancisHoban — Thu, 16 Nov 2006 12:14:44 GMT

Rick , Thanks for reply but still have problem.I have below now on router.Do I need to add anything on vty / console lines ? I have just myself on the ace side of things setup for testing.

Some questions.

What is the default authentication list ?

Also I currently have a local database username and password setup on the router with the login local command applied to vty and console lines.

If I just want to authenticate one user eg myself xxx can i just put this in instead of'default'.

aaa new-model

aaa authentication login default group radius line

aaa authentication enable default group radius enable

radius-server host x.x.x.x auth-port 1645 acct-port 1813

radius-server retransmit 3

radius-server key xxxxx

thanks