Configure AAA via RADIUS server on Cisco ISR4331 in PT

DrByte
Level 1

In Packet Tracer I want to configure a Cisco ISR4331 router to use RADIUS authentication for the vty lines and the console.

Maybe it is a limitation of Packet Tracer or a limitation of my understanding of the AAA topic, but can it be configured completely without any local credentials? I mean no local users, no local or enable secrets/passwords?

And additionally I would want to configure it in a way that you don't have to type the username and password twice, I mean on login and on the `enable` command.

So far I tried:

Building configuration...

Current configuration : 1661 bytes
!
version 16.6.4
service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R4
!
no logging console
!
!
!
!
!
!
aaa new-model
!
aaa authentication login default group radius 
aaa authentication enable default group radius 
!
!
aaa authorization exec default group radius
aaa authorization network default group radius
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
ip domain-name network.co.il
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 no ip address
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 ciscoOSPF
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/1/0
 ip address 10.100.4.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 ciscoOSPF
!
interface Serial0/1/1
 ip address 10.100.1.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 ciscoOSPF
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 passive-interface GigabitEthernet0/0/0
 network 10.100.1.0 0.0.0.255 area 0
 network 10.100.4.0 0.0.0.255 area 0
!
ip classless
!
ip flow-export version 9
!
!
!
!
radius server RADIUS-SRV
 address ipv4 172.18.1.1 auth-port 1645
 key radsecret
radius server 172.18.1.1
 address ipv4 172.18.1.1 auth-port 1645
 key radsecret
!
!
!
logging 172.18.1.1
line con 0
!
line aux 0
!
line vty 0 4
 login authentication default
 transport input ssh
!
!
!
end

It works fine:

- I can connect via SSH with username:password

- It requires username:password on the console line

- No local usernames or passwords are configured

[!] However, it does require typing the username and password twice: once for login and a second time for entering privileged EXEC mode.

How can I disable this double typing? Thanks in advance!

pieterh
VIP

radius server login1
 address ipv4 <ip-addr> auth-port 1812 acct-port 1813
 key <n> <radius-pre-shared-key>

aaa group server radius login-servers
 server name login1
 ! or multiple servers
!
aaa authentication login SSH group login-servers local enable
 ! if you omit the "local" keyword, there is no fallback to local authentication
aaa authorization exec SSH group login-servers local
 ! defines the SSH exec-authorization method list referenced on the vty lines below

line vty 0 4
 authorization exec SSH
 login authentication SSH

In a real environment you may want to keep some fallback option for when the RADIUS server is unreachable;
you can reserve local authentication for only physical console access.

aaa authentication login CONSOLE local enable
aaa authorization exec CONSOLE local
 ! defines the CONSOLE exec-authorization method list referenced on the console line below
line con 0
 exec-timeout 30 0
 authorization exec CONSOLE
 login authentication CONSOLE
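A fuller version of the approach the reply outlines, as an added example that is not part of the thread: the second prompt disappears when exec authorization is enabled on the line and the RADIUS server returns privilege level 15 for the user. The method-list names (VTY, CONSOLE, login-servers), the server address 192.0.2.10, the fallback username and the placeholder secrets are assumptions, and the example targets a real IOS XE device with a RADIUS server that can return the Cisco-AVPair attribute.

```cisco
! Added example (not from the thread). Goal: RADIUS login lands directly in
! privileged EXEC, with a local fallback only for the physical console and for
! the case where every RADIUS server is unreachable.
aaa new-model
!
radius server RADIUS-SRV
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key 0 RADIUS-SHARED-SECRET-PLACEHOLDER
!
aaa group server radius login-servers
 server name RADIUS-SRV
!
! Authentication for remote sessions: RADIUS first, local user only when all
! servers in the group time out (not when they reject the credentials).
aaa authentication login VTY group login-servers local
! Exec authorization is what removes the "enable" step: when the Access-Accept
! carries shell:priv-lvl=15 the session starts at privilege 15.
aaa authorization exec VTY group login-servers local
!
! Console stays purely local so a RADIUS outage cannot lock you out.
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE local
!
! Fallback account; privilege 15 here means the local path also skips "enable".
username fallback-admin privilege 15 secret FALLBACK-SECRET-PLACEHOLDER
!
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
line vty 0 4
 login authentication VTY
 authorization exec VTY
 transport input ssh
!
! RADIUS side: the admin's reply must carry these attributes
! (FreeRADIUS users-file syntax, assumed server):
!   Service-Type = NAS-Prompt-User,
!   Cisco-AVPair = "shell:priv-lvl=15"
! Check after an SSH login: "show privilege" should report
! "Current privilege level is 15" without having typed "enable".
```

If the user still lands in user EXEC, the usual cause is a missing or malformed Cisco-AVPair in the Access-Accept; `debug aaa authorization` on the router shows the attributes the server actually returned.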

