cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
307
Views
10
Helpful
6
Replies
Contributor

authenticating a switch through radius?

customer have a radius server and he would like to use it to authenticate access to a switch , i did the below

aaa new-model

radius-server host 1.1.1.1 auth-port 1812 acct-port 1813
radius-server key cisco

aaa authentication login default group radius 

 

what would i need to write under the line vty 0 15? is it "login authentication radius?

do i need this command? ip radius source-interface VlanXX?

am i missing anymore commands?

6 REPLIES 6
Highlighted

Re: authenticating a switch through radius?

Hi,

 

Under the line vty 0 15, you have to add below:

 

Login authentication default

 

radius source-interface VlanXX is required only if you have reachability only from certain vlan SVI or interfaces. With this command, all the radius communication from this switch will be initiated from the selected interface.

 

Your config seems to be good enough to run aaa on the device using radius.

 

Also, you can test your radius server using ' test aaa group .... ' command from exec mode.

 

 

Highlighted
Contributor

Re: authenticating a switch through radius?

i believe i can add "login local" under "line con 0" to assign logging through console link to local users correct?
Highlighted
Enthusiast

Re: authenticating a switch through radius?

Under "aaa new-model" use command "aaa authentication login console local" for console as local login

 

Please rate for helpful post

Highlighted

Re: authenticating a switch through radius?

Hi,

 

Yes you are correct. It will override the default group radius.

 

Actually when you define aaa authentication login default group radius , it will make all the default authentication methods to all vty and console lines as pointed by @Pawan Raut  also.

 

If you want to override the default, you can goto the line and put different authentication method

 

So If you put login local under line con 0, it wi use local database. 

 

Highlighted

Re: authenticating a switch through radius?

Adding to @Pawan Raut there are multiple methods to achieve the same task. Both will work actually

 

Ref: https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html

Highlighted
Enthusiast

Re: authenticating a switch through radius?

Hi, No need to "login authentication radius"  under line vty as you have already defined it under aaa new-model. If your switch has two or more layer3 interface (SVI) then you should define the source interface for radius or it is always good practice to define the source interface.

 

aa new-model

radius-server host 1.1.1.1 auth-port 1812 acct-port 1813
radius-server key cisco

aaa authentication login default group radius 

radius source-interface VlanXX