RADIUS Authentication

Greetings,

I want to set up our routers (1700s & 2600s) to use a RADIUS server to authenticate all users telnetting into the router. I have IAS set up on a Win2k server. Also, is there a fallback in case the server goes down or communications are down between a remote site and the site with the IAS server? I've experienced where I would try to get a console connection to a router in a remote location that was set up to use IAS, but I would get prompted to enter my network username/password. The only way I could get in was to restart the router and enter the register config.


4 Replies

Richard Burts

Chris

You certainly can configure the routers to use Radius for authentication for anyone who logs in to the router. The facility on the router which does this is aaa. It is possible (and I would say it is advisable) to configure aaa such that Radius is the primary authentication method and there are other methods as backup to cover situations where there is no access to the server.

Your configuration might look something like this:

radius-server host a.b.c.d
radius-server key
aaa authentication login default group radius line
aaa authentication enable default group radius enable

This configuration sets up the radius server and instructs the router that when someone logs in to the router to use the radius server as primary and to use the line passwords and enable passwords if the radius server does not respond. It is also possible to set up local authentication with local user IDs if you want to go that way.

This configuration would use the same authentication for access through vty ports and through the console. If you wanted a different approach to access through the console it is possible to set that up.

HTH

Rick


Rick,

Thanks for the quick reply.

If the server doesn't respond to the router's username/password request, would I get an enable password prompt? Or would I see the Username prompt again and just enter through that?

Alternately, if I'm local to the router, and wanted to console in, how would I change the configuration to allow for that?

Chris

There are several alternative ways to configure it and what prompt you would get would depend on what you configured.

The bit of config that I gave in my first post is the way that I generally configure routers for my customers. If you do it this way then if the router can communicate with the server you get a prompt for name and then for password and if the router is not communicating with the server you get a prompt just for password.

I am not sure that I understand your question about if you are local and want console access. In particular I am not clear whether you are saying that you would want the console to authenticate with something other than Radius as its primary method of authentication or if you want a different backup method.

In general the console for local access and the vty ports for remote access use the same authentication method(s) (the same primary method and the same backup method). If you want one of them to be different you can define the default method to use on one and define a different method and assign it to the other. So for example, if you want the vty lines to have the Radius server as their primary method with the line password as backup, and want the console to use the line password as primary with no backup method, then the config would look something like this:

aaa authentication login auth_con line
aaa authentication login default group radius line
line con 0
 login authentication auth_con

HTH

Rick

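A fuller version of the configuration sketched in Rick's two replies, as an added example that is not from the thread. It keeps his structure (RADIUS as the primary method for the vty lines, a separate method list for the console) but uses a local user account rather than the line password as the fallback, and adds the `aaa new-model` and timer commands the snippets above leave implicit. The server address 192.0.2.10, the user name `netadmin`, and every value in angle brackets are placeholders; `auth_con` is the method-list name from Rick's reply.

```cisco
! Added example, not from the thread. Placeholders are in <angle brackets>.
!
! aaa new-model must be enabled before any "aaa authentication" command
! is accepted; it also changes the default login method for all lines.
aaa new-model
!
! Local fallback account and enable secret. "secret" stores a hash;
! "password" would store the value reversibly (or in clear text).
username netadmin privilege 15 secret <local-fallback-password>
enable secret <enable-secret>
!
! The IAS server. Older IOS defaults to UDP 1645/1646; set the ports
! explicitly so they match what the server is listening on.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
!
! How long a login waits before the router gives up on RADIUS and moves
! to the next method: timeout (seconds) x retransmit (attempts).
radius-server timeout 3
radius-server retransmit 2
! Skip a server that has stopped answering for this many minutes.
radius-server deadtime 5
!
! Method lists. "local" is consulted only when no RADIUS server responds;
! an Access-Reject from RADIUS is final and does not fall through.
aaa authentication login default group radius local
aaa authentication login auth_con local
aaa authentication enable default group radius enable
!
! Console: local account only, so a reachable RADIUS server never
! prompts a technician at the remote site for network credentials.
line con 0
 login authentication auth_con
 exec-timeout 10 0
!
! Remote access: RADIUS first, local fallback.
line vty 0 4
 login authentication default
 exec-timeout 10 0
 ! Telnet sends the RADIUS-validated password in clear text; use SSH
 ! where the image supports it (crypto/k9 images only on this hardware).
 transport input ssh
```

Two caveats a practitioner should expect. First, the fallback only triggers on a non-responding server, so a user rejected by IAS still cannot log in with the local account; test the fallback by blocking UDP 1812 to the server, not by entering a bad password. Second, `aaa authentication enable default group radius enable` makes the router send the fixed user name `$enab15$` to the RADIUS server for enable authentication, so IAS needs a matching account (or the request will be rejected and you will see the enable secret fallback only when the server is unreachable). With a local fallback user in place, the config-register password recovery described in the original question is no longer needed when the WAN link to the IAS server is down.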

Rick,

That covers it! I'm going to give this a shot and if I have any follow-up questions, I'll drop another line.

Thanks,

Chris