AAA RADIUS Authentication in Catalyst 2924

willianp
Level 1

Hi,

I need to use RADIUS authentication on a Catalyst 2924, but not for all RADIUS-authenticated users, only for a group of users.

With this configuration, all users that have a RADIUS login/password can log in, but the same RADIUS server authenticates many services...

Current RADIUS configuration:

aaa new-model
aaa group server radius radius_tutoia
 server 9.179.123.10
!
aaa authentication login default group radius enable
aaa authentication login radius enable
aaa authentication login local enable
aaa authorization configuration default group radius
.
.
.
.
.
radius-server host *.***.***.** auth-port 1645 acct-port 1646
radius-server key *****************

If my RADIUS server is not online, is the command

aaa authentication login local enable

a good fallback option?

Regards,

Willian Prando

4 Replies

gfullage
Cisco Employee

If you just want certain users to be able to login to this box, then you'll have to set up authorization. In the 2924 do:

> aaa authorization exec default group radius none

Then in the user profiles on the Radius server, for those users that you want to be able to telnet into this device, you have to return the Service-Type attribute (Radius IETF attribute number 6), with a value of Nas-Prompt (7).

Anyone without this won't be authorized to get into exec mode on this box. There's a sample config for this here: http://www.cisco.com/warp/public/480/PRIV.html

As for your fallback question, you already have it configured to fallback to the enable password (that's what the "enable" keyword is after the "radius" keyword on your login authentication line). If you want it to fallback to the local username database, then you'd change your current line to look like:

> aaa authentication login default group radius local

> username blah password blah

HTH.
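The reply above packs two mechanisms into a few sentences: the switch reads IETF attribute 6 (Service-Type) out of the RADIUS reply and only opens exec mode when it equals NAS-Prompt (7), and the method list falls through to the next keyword ("none", "local" or "enable") only when the RADIUS server does not answer at all. The Python below is an added illustration, not code from this thread, from Cisco IOS or from ACS: it builds RFC 2865 reply packets, verifies the Response Authenticator, extracts Service-Type and walks a method list the way the reply describes. The shared secret, Request Authenticator, usernames and packet contents are all constructed for the demo, and the "local" branch is a simplified username lookup.

```python
"""Added example (not from the thread or from Cisco): a small model of what the
Catalyst does with the RADIUS reply under
    aaa authorization exec default group radius none
It builds RFC 2865 packets, checks the Response Authenticator, reads IETF
attribute 6 (Service-Type) and walks the method list.  Secrets, usernames and
packet contents below are constructed for the demo."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
SERVICE_TYPE = 6        # IETF attribute number 6
NAS_PROMPT = 7          # Service-Type value the reply above says to return

# Constructed demo values; a real NAS uses a random 16-byte Request Authenticator.
REQUEST_AUTH = bytes(range(16))
SHARED_SECRET = b"demo-shared-secret"


def build_reply(code, ident, attrs, request_auth=REQUEST_AUTH, secret=SHARED_SECRET):
    """Serialize a RADIUS response. attrs is a list of (type, value_bytes).
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def reply_is_authentic(packet, request_auth=REQUEST_AUTH, secret=SHARED_SECRET):
    """Recompute the Response Authenticator; a reply that fails this check must
    be dropped before any attribute is trusted."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def parse_attributes(packet):
    """Return (code, {type: [raw values]}) from the attribute section."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS Length field")
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return code, attrs


def service_type(packet):
    """Integer Service-Type from an authentic Access-Accept, else None."""
    if not reply_is_authentic(packet):
        return None
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT or SERVICE_TYPE not in attrs:
        return None
    return struct.unpack("!I", attrs[SERVICE_TYPE][0])[0]


def exec_authorized(methods, radius_reply, local_users, username):
    """Walk an IOS-style method list such as ["radius", "none"].
    radius_reply is the packet from the server, or None when it never answered.
    The walk moves to the next method only when the current one errors (server
    unreachable); a definite accept or deny from a method ends it."""
    for method in methods:
        if method == "radius":
            if radius_reply is None:
                continue                    # ERROR -> try next method
            return service_type(radius_reply) == NAS_PROMPT
        if method == "none":
            return True                     # no authorization performed at all
        if method == "local":
            return username in local_users  # simplified local database check
    return False


# Constructed sample replies used by the demo and the checks.
def sample_accept_with_nas_prompt():
    return build_reply(ACCESS_ACCEPT, 1, [(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT))])


def sample_accept_without_service_type():
    return build_reply(ACCESS_ACCEPT, 2, [])


def sample_forged_accept():
    # Same content as above but computed with the wrong secret: must be ignored.
    return build_reply(ACCESS_ACCEPT, 3, [(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT))],
                       secret=b"wrong-secret")


if __name__ == "__main__":
    local_db = {"admin"}
    for label, reply in [("NAS-Prompt", sample_accept_with_nas_prompt()),
                         ("no Service-Type", sample_accept_without_service_type()),
                         ("forged", sample_forged_accept()),
                         ("server down", None)]:
        print("%-16s radius none -> %-5s  radius local -> %s" % (
            label,
            exec_authorized(["radius", "none"], reply, local_db, "user1"),
            exec_authorized(["radius", "local"], reply, local_db, "user1")))
```

Running it shows the point that matters when you pick the second keyword: with "none", an unreachable server means every authenticated user is let into exec mode, while with "local" only names present in the local username database get in. The authenticity check is there because Service-Type is only worth reading from a reply whose Response Authenticator matches the shared secret.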

First of all thanks for your help...

OK, in the 2924 I am using the following configuration:

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host "server" auth-port 1645 acct-port 1646
radius-server key "key"

I am using Cisco Secure ACS 3.0, and I can't find the user profile where to set the Service-Type attribute.

Do I need to set the authentication method as Cisco/IOS or IETF in the 2924 profile?

Regards,

Willian

Under Interface Configuration - Radius IETF, check the boxes to make the attributes appear under the User profile rather than just the Groups. Then go back under the user and select the attribute.

The authentication method can be either IETF or Cisco IOS/PIX. All hosts will use the IETF attributes; setting the NAS as something other than IETF simply means there are a few more options for you to choose from. For example, if you use the Cisco IOS/PIX auth method, you can then check any of the IETF attributes AND anything in the Cisco IOS/PIX attribute section.

snguyen
Level 1

You fix the ACS server in Network Configuration and the user group.
