authenticating a switch through radius?

baselzind
Level 6

The customer has a RADIUS server and he would like to use it to authenticate access to a switch. I did the below:

aaa new-model

radius-server host 1.1.1.1 auth-port 1812 acct-port 1813
radius-server key cisco

aaa authentication login default group radius 

What would I need to write under line vty 0 15? Is it "login authentication radius"?

Do I need this command: ip radius source-interface VlanXX?

Am I missing any more commands?


Muhammad Awais Khan
Cisco Employee

Hi,

Under line vty 0 15, you have to add the below:

login authentication default

radius source-interface VlanXX is required only if you have reachability only from a certain VLAN SVI or interface. With this command, all the RADIUS communication from this switch will be initiated from the selected interface.

Your config seems to be good enough to run AAA on the device using RADIUS.

Also, you can test your RADIUS server using the 'test aaa group ....' command from exec mode.

I believe I can add "login local" under "line con 0" to assign logging in through the console link to local users, correct?

Under "aaa new-model", use the command "aaa authentication login console local" for console as local login.


Hi,

Yes, you are correct. It will override the default group radius.

Actually, when you define aaa authentication login default group radius, it will make that the default authentication method for all vty and console lines, as pointed out by @Pawan Raut also.

If you want to override the default, you can go to the line and put a different authentication method.

So if you put login local under line con 0, it will use the local database.

Adding to @Pawan Raut, there are multiple methods to achieve the same task. Both will work actually.


Ref: https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html

Pawan Raut
Level 4

Hi, no need for "login authentication radius" under line vty as you have already defined it under aaa new-model. If your switch has two or more layer 3 interfaces (SVIs) then you should define the source interface for RADIUS; it is always good practice to define the source interface.

aaa new-model

radius-server host 1.1.1.1 auth-port 1812 acct-port 1813
radius-server key cisco

aaa authentication login default group radius 

ip radius source-interface VlanXX
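A complete configuration that puts the pieces from this thread together, added here as an example and not taken from any of the posts. It keeps the server 1.1.1.1 from the question, assumes Vlan10 is the SVI that can reach that server, and uses placeholders for the secrets; the `local` fallback and the local account are additions so that the console and vty lines still accept a login if the RADIUS server stops answering.

```cisco
! Constructed example for a Cisco IOS switch (not from the original thread)
aaa new-model
!
! Local account used only when no RADIUS server answers (placeholder credentials)
username admin privilege 15 secret <LOCAL_ADMIN_SECRET>
!
! RADIUS server from the question; the shared key is a placeholder
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key <RADIUS_SHARED_SECRET>
!
! Source all RADIUS traffic from the SVI that can reach 1.1.1.1 (assumed Vlan10);
! the RADIUS server must list this SVI address as the client/NAS address
ip radius source-interface Vlan10
!
! Method lists: "default" tries RADIUS first and falls back to the local database
! only when the server group is unreachable (not when a user is rejected);
! "console" uses the local database only, as discussed in the replies
aaa authentication login default group radius local
aaa authentication login console local
!
line con 0
 login authentication console
!
line vty 0 15
 login authentication default
 transport input ssh
!
! Verify from exec mode before closing your current session (placeholder user):
! test aaa group radius <username> <password> new-code
```

Because the `local` method is consulted only when RADIUS does not respond, a wrong password returned as an Access-Reject still denies the login; check the RADIUS server's logs for the test attempt to confirm the switch is reaching it from the expected source address.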