Radius Auth for Login and VPN... conflicts

kitkat0981
Level 1

Hi,

I'm trying to configure a 7204 for RADIUS login authentication, although the router is also configured with RADIUS for VPN access. How can I configure it for both using 2 different RADIUS servers? The login via RADIUS is working fine on another router, although that one is not doing VPN access so there's no conflict.

My config:

aaa group server radius RADIUS_AUTH
     server x.x.3.11 auth-port 1645 acct-port 1646

aaa authentication login networkaccess group radius local

aaa authorization exec default group RADIUS_AUTH if-authenticated

radius-server host x.x.3.11 auth-port 1645 acct-port 1646 key xxxxxx

line vty 0 15

     login authentication networkaccess

The lines below are used for the VPN auth:

radius-server host x.x.8.12 auth-port 1812 acct-port 1813 key xxxxxx

aaa authentication ppp default local
aaa authentication ppp vpdn group radius

aaa authorization network default local
aaa authorization network vpdn group radius
aaa authorization auth-proxy default group radius
aaa accounting delay-start
aaa accounting update periodic 5
aaa accounting network default start-stop group radius

For some reason, this does not work. I cannot access the router and authenticate via the x.x.3.11 RADIUS server. I think there's a conflict between the VPN and the login authentication but I'm unsure how to resolve this.

Any help would be greatly appreciated.

3 Replies

Nicolas Darchis
Cisco Employee

I'm no VPN dude, but I think the "aaa authentication ppp" refers to VPN, right? You're pointing it to the default radius group.

For device login it's "aaa authentication login".

You have to define the new radius server first (radius-server host ...) and then define radius groups

aaa group server radius

     server

From there you will be able to separate the 2. For example "aaa authentication login default group "

Hmmm... OK, so how would I put the VPN stuff in its own group?

"aaa authentication ppp vpdn group radius"

"group radius" means "take any radius server from the global list".

Change it to "group mygroup" and boom, you give it a selected subset of radius servers
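
The following is an added example, not part of the original thread. It resolves each AAA method list to the RADIUS servers its requests may be sent to, first for the config as posted and then for one way of applying the accepted answer. The group name RADIUS_VPN and the FIXED config are assumptions. The masked x.x addresses are kept as posted.

```python
import re

# Constructed from the thread's config (masked x.x addresses kept as posted).
ORIGINAL = """\
aaa group server radius RADIUS_AUTH
 server x.x.3.11 auth-port 1645 acct-port 1646
aaa authentication login networkaccess group radius local
aaa authorization exec default group RADIUS_AUTH if-authenticated
aaa authentication ppp vpdn group radius
radius-server host x.x.3.11 auth-port 1645 acct-port 1646 key xxxxxx
radius-server host x.x.8.12 auth-port 1812 acct-port 1813 key xxxxxx
"""

# Assumed fix: every method list names its own group. RADIUS_VPN is a hypothetical name.
FIXED = """\
aaa group server radius RADIUS_AUTH
 server x.x.3.11 auth-port 1645 acct-port 1646
aaa group server radius RADIUS_VPN
 server x.x.8.12 auth-port 1812 acct-port 1813
aaa authentication login networkaccess group RADIUS_AUTH local
aaa authorization exec default group RADIUS_AUTH if-authenticated
aaa authentication ppp vpdn group RADIUS_VPN
radius-server host x.x.3.11 auth-port 1645 acct-port 1646 key xxxxxx
radius-server host x.x.8.12 auth-port 1812 acct-port 1813 key xxxxxx
"""

def resolve_method_lists(config):
    """Map each AAA method list to the RADIUS servers its requests may be sent to."""
    global_pool, groups, lists, current = [], {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa group server radius (\S+)", line):
            current = groups.setdefault(m.group(1), [])   # start of a named group
        elif current is not None and raw[:1] == " " and (m := re.match(r"server (\S+)", line)):
            current.append(m.group(1))                    # member of that group
        else:
            current = None
            if m := re.match(r"radius-server host (\S+)", line):
                global_pool.append(m.group(1))            # joins the built-in "radius" group
            elif m := re.match(r"aaa (authentication|authorization|accounting) (\S+) (\S+) (.*)", line):
                lists[" ".join(m.group(1, 2, 3))] = re.findall(r"group (\S+)", m.group(4))
    # "group radius" resolves to every radius-server host line; a named group to its members
    pool = lambda g: global_pool if g == "radius" else groups.get(g, [])
    return {n: sorted({s for g in refs for s in pool(g)}) for n, refs in lists.items()}

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, resolve_method_lists(cfg))
```

In the original config the login list "networkaccess" resolves to both servers because it uses "group radius"; in the fixed config login resolves only to x.x.3.11 and the vpdn list only to x.x.8.12.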