This document provides an example of configuring RADIUS authentication on a Cisco IOS switch using a third-party RADIUS server, FreeRADIUS. By default, if you configure authentication through RADIUS, you log in to user mode (switch>) and, using the local enable password, you log in to enable mode (switch#).
By adding exec authorization, we can bypass enable authentication and land the user directly in privilege level 15 mode.
Ensure that your Cisco switch is defined as a client in FreeRADIUS with its IP address, and that the same shared secret key is configured on both FreeRADIUS and the switch.
1. FreeRADIUS
2. Cisco IOS 12.2 switch.
Configure Switch Device for Authentication and Authorization:
Create a local user with full privileges on the switch, to be used for fallback, with the username command as shown here:
Note: The key configured on the switch for the RADIUS server must match the shared secret configured on FreeRADIUS for this switch.
4. Test the RADIUS server availability with the test aaa command as shown:
switch# test aaa server Radius 172.16.71.146 user1 Ur2Gd2BH
The test authentication will fail with a Reject from the server, since the server has not yet been configured; however, it confirms that the server is reachable.
5. Configure login authentication as shown here:
The aaa authentication login default group radius local command configures the switch to use RADIUS for authentication at the login prompt. If RADIUS returns an error, the user is authenticated against the local database.
switch(config)#aaa authentication login default group radius local
Note: The local keyword provides fallback to the local database if the RADIUS server is unreachable.
6. Configure authorization for privilege level 15:
The aaa authorization exec default group radius if-authenticated command queries the RADIUS database for information used during EXEC authorization, such as autocommands and privilege levels, but only performs authorization if the user has successfully authenticated.
switch(config)#aaa authorization exec default group radius if-authenticated
Configuration on FreeRADIUS Server:
Defining the client on the FreeRADIUS server:
Move to the config directory:
Edit the clients.conf file:
sudo nano clients.conf
Add each device (router or switch), identified by its hostname, with its IP address and the required secret key:
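A worked FreeRADIUS configuration, added here as an example and not part of the original document: the client stanza for the switch, plus a users entry returning the attributes that the aaa authorization exec command above consumes to place user1 directly at privilege level 15. The switch address 192.0.2.10, the client name switch1, the file paths and the secret and password placeholders are assumptions; substitute your own values.

```conf
# clients.conf (in the FreeRADIUS config directory; exact path is assumed
# and varies by distribution). One stanza per NAS. The secret must equal
# the key configured for this server on the switch, otherwise every
# request from it is silently discarded.
client switch1 {
    # switch management IP (constructed example address)
    ipaddr    = 192.0.2.10
    # placeholder: use the same key as on the switch
    secret    = "CHANGE_ME_SHARED_SECRET"
    shortname = switch1
    nastype   = cisco
}

# users file (in FreeRADIUS 3 this is mods-config/files/authorize under the
# config directory; path assumed). Reply items for the RADIUS-only account:
# Service-Type and the Cisco-AVPair are what "aaa authorization exec default
# group radius if-authenticated" reads to start the EXEC at privilege 15.
user1   Cleartext-Password := "CHANGE_ME_USER_PASSWORD"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

# A second account (hypothetical) that authenticates but is granted only
# privilege level 1: the EXEC starts in user mode (switch>) and the enable
# password is still required to reach privilege 15.
readonly Cleartext-Password := "CHANGE_ME_RO_PASSWORD"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=1"
```

Restart the FreeRADIUS daemon after editing and rerun the test aaa command from step 4; the Reject should now become an Accept. Running the daemon in debug mode (radiusd -X, or freeradius -X on Debian-based systems) prints the Access-Accept with the Cisco-AVPair so you can confirm which privilege level is being returned.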