08-29-2007 03:48 AM - edited 03-10-2019 03:21 PM
Any good hints/links on where to find information on how to start doing authentication with a Microsoft IAS server?
Now we use SSH to connect to our devices, but now we need to start using AAA. Our devices are Cisco 3500, 4500 and 6500 series devices. Pictures, configuration examples, anything is needed now.
Thanks
Juha
08-29-2007 07:36 AM
Juha,
Here are the IOS commands for setting up AAA,
Router(config)# username [username] password [password]
radius-server host [ip]
radius-server key [key]
aaa new-model
aaa authentication login default group radius local
Guidelines for Placing Radius in the Network,
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a0080092567.shtml
Configuring RADIUS
Hope that helps.
Regards,
~JG
Please rate helpful posts
09-12-2007 01:34 AM
Thanks JG
I have set up the router with the commands and I can see from a sniffer that my router sends an Access-Request 4 times to the MS IAS server, but no response comes. My settings are now:
aaa new-model
aaa authentication login default group radius none
radius-server host 10.x.x.x auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key mykey
radius-server vsa send authentication
The MS IAS server is set to communicate with MS AD. I have set the RADIUS client (Cisco device) and a remote access policy in MS IAS, but no response comes from it when I try to connect via VLAN to my device. I found one piece of advice on how to set up MS IAS, but I am not sure it is OK. Any idea where to find advice on what attributes and settings have to be set on the MS IAS server so that I could log in to my device with RADIUS authentication?
Thanks
Juha
09-12-2007 12:29 PM
09-13-2007 03:22 AM
Thanks.
That was a very good PDF document. Now I can use RADIUS and MS IAS successfully. Only one thing I can't understand: I can only use the PAP protocol. If I try to use any other, authentication fails. Usernames will be sent in the clear. Is it really so that Cisco devices do not support any other authentication protocol? Fortunately the password is not in clear text because of the shared secret.
Juha
09-13-2007 06:15 AM
Juha,
The issue is not with Cisco. Telnet sessions use PAP password authentication. Because of this reason, IAS authentication is working with PAP password and fails for other password authentication attempts.
PAP password authentication will send the username in clear text and the password encrypted.
For other sessions like PPP, we can specify password authentication methods such as CHAP or MS-CHAP.
Regards,
~JG
09-13-2007 08:19 PM
OK
Thanks
Normally we use SSH when connecting to a device. My test device is now configured for Telnet.
Is SSH able to use those more secure methods?
Juha
09-17-2007 02:59 PM
It provides high confidentiality and integrity of data.
09-17-2007 11:14 PM
Is there any document that explains how that algorithm works (when using that shared secret with PAP)? Our security people are not pleased because of the PAP protocol. I could not find out how that password is encrypted.
Juha
09-18-2007 04:04 AM
Juha,
The password is encrypted using an MD5 hash when passed between the router and RADIUS, and they use the shared secret as part of that hash. The RFCs can explain it a lot better than I can.
http://www.ietf.org/rfc/rfc2865.txt
Hope that helps
Regards,
~JG
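The User-Password hiding from RFC 2865 section 5.2 that the reply above refers to, worked through as an added example (not code from the thread or from Cisco or Microsoft): the password is padded to 16-byte blocks and XORed with a keystream of MD5(shared secret + Request Authenticator), chained through the previous ciphertext block. The shared secret value and the sample password are constructed for the demo; the `reveal` function shows why this is reversible by anyone holding the shared secret and a captured Access-Request, which is the practical limit of the protection.

```python
import hashlib
import os


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Produce the RADIUS User-Password attribute value (RFC 2865, 5.2).

    password : cleartext PAP password, 1..128 bytes
    secret   : shared secret configured with 'radius-server key'
    req_auth : 16-byte random Request Authenticator from the Access-Request header
    """
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16n bytes
    out = bytearray()
    prev = req_auth                                 # b1 = MD5(S + RA)
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = _xor16(padded[i:i + 16], b)              # c(i) = p(i) XOR b(i)
        out += c
        prev = c                                     # b(i+1) = MD5(S + c(i))
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Undo the hiding. This is what the RADIUS server does, and it only needs the
    shared secret plus the Request Authenticator, which travels in cleartext."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = req_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += _xor16(c, b)
        prev = c
    return bytes(out).rstrip(b"\x00")               # strip NUL padding (passwords have no NULs)


if __name__ == "__main__":
    secret = b"mykey"                               # constructed; same as the thread's example key
    ra = os.urandom(16)                             # the router picks a fresh RA per request
    hidden = hide_user_password(b"s3cret-pw", secret, ra)
    print(hidden.hex())
    print(reveal_user_password(hidden, secret, ra))
```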