Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
579
Views
0
Helpful
3
Replies

Radius Auth for Login and VPN... conflicts

Go to solution
kitkat0981
Level 1
Level 1

‎05-16-2011 12:46 PM - edited ‎03-10-2019 06:05 PM

Hi,

Im trying to configure a 7204 for radius login authentication, although the router is also configured with radius for VPN access. How can I configure it for both using 2 different raidus servers? the login via radius is working fine on another router, although that one is not doing VPN access so there's no conflict.

My config:

aaa group server radius RADIUS_AUTH
     server x.x.3.11 auth-port 1645 acct-port 1646

aaa authentication login networkaccess group radius local

aaa authorization exec default group RADIUS_AUTH if-authenticated

radius-server host x.x.3.11 auth-port 1645 acct-port 1646 key xxxxxx

line vty 0 15

     login authentication networkaccess

The bellow line is used for the VPN auth:

radius-server host x.x.8.12 auth-port 1812 acct-port 1813 key xxxxxx

aaa authentication ppp default local
aaa authentication ppp vpdn group radius

aaa authorization network default local
aaa authorization network vpdn group radius
aaa authorization auth-proxy default group radius
aaa accounting delay-start
aaa accounting update periodic 5
aaa accounting network default start-stop group radius

For some reason, this does not work. I cannot access the router and authenticate via x.x.3.11 radius server. I think there's a conflict between the VPN and the login authentication but im unsure how to resolve this.

any help would be greatly appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Nicolas Darchis
Cisco Employee
Cisco Employee
In response to kitkat0981

‎05-17-2011 06:12 AM

"aaa authentication ppp vpdn group radius"

"group radius" means "take any radius server from the global list".

Change it to "group mygroup" and boom, you give it a selected subset of radius servers

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Nicolas Darchis
Cisco Employee
Cisco Employee

‎05-16-2011 11:17 PM

I'm no vpn dude, but I think the "aaa authentication ppp" refers to vpn right ? You're pointing it to the default radius group.

For device login it's "aaa authentication login".

You have to define the new radius server first (radius-server host ...) and then define radius groups

aaa server group radius

     server

from there you will be able to separate the 2. For example "Aaa authentication login default group "

0 Helpful

Go to solution
kitkat0981
Level 1
Level 1
In response to Nicolas Darchis

‎05-17-2011 06:09 AM

hmmm... ok, so how would I put the VPN stuff in it's own group?

0 Helpful

Go to solution
Nicolas Darchis
Cisco Employee
Cisco Employee
In response to kitkat0981

‎05-17-2011 06:12 AM

"aaa authentication ppp vpdn group radius"

"group radius" means "take any radius server from the global list".

Change it to "group mygroup" and boom, you give it a selected subset of radius servers

0 Helpful
Customers Also Viewed These Support Documents