12-05-2002 11:00 AM - edited 03-10-2019 07:04 AM
Hi,
I need to use RADIUS authentication on a Catalyst 2924, but not for all authenticated RADIUS users, only for a group of users.
With this configuration, all users that have a RADIUS login/password can log in, but the same RADIUS server authenticates many services...
Current RADIUS configuration:
aaa new-model
aaa group server radius radius_tutoia
server 9.179.123.10
!
aaa authentication login default group radius enable
aaa authentication login radius enable
aaa authentication login local enable
aaa authorization configuration default group radius
.
.
.
.
.
radius-server host *.***.***.** auth-port 1645 acct-port 1646
radius-server key *****************
If my RADIUS server is not online, is the command:
aaa authentication login local enable
a good fallback option?
Regards,
Willian Prando
12-05-2002 03:12 PM
If you just want certain users to be able to login to this box, then you'll have to set up authorization. In the 2924 do:
> aaa authorization exec default group radius none
Then in the user profiles on the Radius server, for those users that you want to be able to telnet into this device, you have to return the Service-Type attribute (Radius IETF attribute number 6), with a value of Nas-Prompt (7).
Anyone without this won't be authorized to get into exec mode on this box. There's a sample config for this here: http://www.cisco.com/warp/public/480/PRIV.html
As for your fallback question, you already have it configured to fallback to the enable password (that's what the "enable" keyword is after the "radius" keyword on your login authentication line). If you want it to fallback to the local username database, then you'd change your current line to look like:
> aaa authentication login default group radius local
> username blah password blah
HTH.
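To make the two points in this reply concrete, here is an added example (not from the original post or from Cisco) that parses a constructed RADIUS Access-Accept, checks for Service-Type (6) = NAS-Prompt (7) the way exec authorization would, and models how an IOS method list such as "group radius none" or "group radius local" falls through: a later method is consulted only when the earlier one errors (server unreachable), not when it returns an explicit reject. The packet builder and the "local_ok" flag are assumptions used to keep the example self-contained.

```python
import struct

# RADIUS IETF attribute numbers and the value discussed in the reply above.
SERVICE_TYPE = 6        # IETF attribute number 6
NAS_PROMPT = 7          # Service-Type value NAS-Prompt
ACCESS_ACCEPT = 2       # RADIUS packet code

def parse_radius(packet: bytes) -> dict:
    """Parse the 20-byte header and the attribute TLVs that follow it."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}

def exec_authorized(packet: bytes) -> bool:
    """Exec authorization passes only for an Access-Accept that carries
    Service-Type = NAS-Prompt; any other Service-Type (or none) is denied."""
    p = parse_radius(packet)
    if p["code"] != ACCESS_ACCEPT:
        return False
    return any(len(v) == 4 and struct.unpack("!I", v)[0] == NAS_PROMPT
               for v in p["attrs"].get(SERVICE_TYPE, []))

def build_accept(service_type=None) -> bytes:
    """Constructed sample Access-Accept (authenticator zeroed; not a real reply)."""
    body = b"" if service_type is None else struct.pack("!BBI", SERVICE_TYPE, 6, service_type)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

def method_list(methods, radius_result, local_ok=False) -> bool:
    """Model IOS method-list fallback. radius_result is 'accept', 'reject' or
    'error' (no response). Only 'error' moves on to the next method."""
    for m in methods:
        if m == "radius":
            if radius_result == "error":
                continue          # server unreachable: try the next method
            return radius_result == "accept"
        if m == "none":
            return True           # no authorization check at all
        if m == "local":
            return local_ok       # assumed result of the local username lookup
    return False                  # every method errored: request fails
```

Note that "group radius none" therefore does not open the box when the server rejects a user; it only avoids a lockout when the server is unreachable.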
12-06-2002 07:01 AM
First of all thanks for your help...
OK, in the 2924 I am using the following configuration:
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host "server" auth-port 1645 acct-port 1646
radius-server key "key"
I am using Cisco Secure ACS 3.0, and I can't find the user profile where to set the Service-Type attribute.
Do I need to set the authentication method as Cisco/IOS or IETF in the 2924 profile?
Regards,
Willian
12-06-2002 06:58 PM
Under Interface Configuration - Radius IETF, check the boxes to make the attributes appear under the User profile rather than just the Groups. Then go back under the user and select the attribute.
The authentication method can be either IETF or Cisco IOS/PIX. All hosts will use the IETF attributes; setting the NAS as something other than IETF simply means there's a few more options for you to choose from. For example, if you use the Cisco IOS/PIX auth method, you can then check any of the IETF attributes AND anything in the Cisco IOS/PIX attribute section.
12-11-2002 02:50 PM
You fix the ACS server under Network Configuration and the user group.