topic Re: Configuring Radius Authentication/Authorization on a 6509 in Network Access Control

Configuring Radius Authentication/Authorization on a 6509

kimlong — Sun, 10 Mar 2019 21:03:57 GMT

Hello,

I can't seem to find the commands to do what I need. I have a 6509 running 7.5.1 Cat OS. I want the Radius server to authenticate and authorize privilege based on the user database in Radius. Could someone point me to the set commands to do this?

The way it is now, no matter what attributes are given to the user in the Radius db, they are can execute 'enable' and type the password and they are in enable mode.

Thanks,

Kim

Re: Configuring Radius Authentication/Authorization on a 6509

Richard Burts — Fri, 18 Mar 2005 16:14:38 GMT

Would you post the configuration you have for authentication? It sounds to me like you have configured user login to use radius but have not configured enable access to use radius. It would be easier to find your answer if we can see the config.

HTH

Rick

Re: Configuring Radius Authentication/Authorization on a 6509

kimlong — Sat, 19 Mar 2005 14:07:39 GMT

Hi Rick,

Unfortunately, I am unable to post the config. However, it sems like it would only be a one line command to do what you suggest. Can you provide the command line to enter?

Thanks,

Kim

Re: Configuring Radius Authentication/Authorization on a 6509

Tim Glen — Mon, 21 Mar 2005 01:50:34 GMT

Hey

I dont think this can be done with Cat OS. I know if your running IOS and the RADIUS servers sends a Cisco AV Pair of shell:priv-lvl=15 the the IOS box will set you up with Enable Access. However this does not work when it is sent to any of my CatOS boxes. I looked a few months back and wasnt able to find a way to do it.

Timo

Re: Configuring Radius Authentication/Authorization on a 6509

kimlong — Wed, 23 Mar 2005 13:04:55 GMT

Thanks for your help.

Kim

Re: Configuring Radius Authentication/Authorization on a 6509

Richard Burts — Wed, 23 Mar 2005 14:56:07 GMT

Kim

We configure our Catalyst 6500 switches with these commands:

set authentication enable tacacs enable console primary

set authentication enable tacacs enable telnet primary

and it works fine for us. When a user enters the enable command the switch sends an authentication request to the tacacs server and if the user is not configured for enable access in the server then the attmept is denied.

I know this works for us with tacacs. I do not believe that there is any significant difference between tacacs and radius though I am not able to verify the function on radius. I did test this on a switch running 7.6(6) and believe that the functionality should be the same on your switch running 7.5(1).

HTH

Rick

Re: Configuring Radius Authentication/Authorization on a 6509

kimlong — Wed, 30 Mar 2005 13:01:18 GMT

Hi Rick,

The big difference between RADIUS and TACACS is

that RADIUS is 'open source' and TACACS is Cisco

Proprietary 🙂 So, implementing TACACS on Cisco

products is really sweet. Not so much on the RADIUS

side, though. Cat OS is the fly in the ointment.

With IOS commands I found the 'attribute' command which would allow RADIUS to utilize TACACS attributes. At least, that's what it looks like at

first glance. I haven't been able to read through the doc at this time.

Thanks to everyone for your suggestions. I appreciate your time.

Kim