Showing results for 
Search instead for 
Did you mean: 

SSH & RADIUS Authentication

Level 1
Level 1

Hi all,

I need some advice on the authentication of my switches.

I have a network set up where every switch uses telnet only for the transport input method. I need this to change to SSHv2 only.

I also have a RADIUS server backing off to Active Directory that I can use for AAA authentication against users of the switches.

Once I use SSH to login, I am in User EXEC mode. I would like to use RADIUS authentication to authenticate users to enter Privileged EXEC mode.

Is this possible to do?

I have been working on this for a while, now I have got to the point where I have to give in and ask for help.

Thank you.

7 Replies 7

Hi Simon,

Are you using AAA authentication with ACS?

Hi Javier!

No unfortunately I don't have ACS at my disposal; I have only a RADUIS server. I currently have some Wireless LAN Controllers authenticating clients on RADIUS and I was told that it can authenticate users going into Privileged EXEC (Enable) on a switch too. I have tired configuring this many times however I can't seem to get it to work.

Hi Simon,

ACS use TACACS+ for authentication but we have ISE now, which doesn't support TACACS+ instead it use RADIUS to authenticate switches/users.

You can integrate your AD with ISE and then with the proper configuration on switches and ISE, we can restrict user to go to Enable mode.

Gurpreet S Puri

Keep Smiling, Peace :)

(Please Rate Helpful Post)

Regards, Gurpreet S Puri **************************** Keep Smiling, Peace :) **************************** (Please Rate Helpful Post)

@Gurpreet Puri

That's true, but I think Simon does not have an ISE neither.

Simon, are you using NPS, IAS or any other vendor?

If so, we would need to check the vendor's documentation to see how to send the privilege level 15 to the SW.

You can check this one:

Cisco Privilege Level Access with Radius and NPS Server


How-to : Integrating Cisco devices CLI access with Microsoft NPS/RADIUS


Hi all,

Thanks for your feedback. I have Cisco ISE being deployed within the next couple of months so hopefully that will help to solve this problem. I'll wait until then to start configuring it.

Thank you for your replies, this has been very helpful.


You welcome.

Please rate any helpful posts.

Level 3
Level 3

From security perspective, I would still recommend applying an ACL to the VTY lines to prevent DoS on the network device. You can go beyond that and apply control plane policing.

1. The VTY access-list needs to add to all VTY lines (e.g. 0 ~ 15 on a Cisco 3K) to be effective.

2. On a 3560X running IOS 15.0(1)SE3, I added the following line before the SSH client IP address showing up as calling-station-id in RADIUS access requests:

radius-server attribute 31 send nas-port-detail