02-24-2012 04:19 AM - edited 03-07-2019 05:09 AM
Hello,
Before I start on a long journey of possibly setting up all our routers and switches to use a Radius server for authentication to a device, I have a couple of questions I hope someone would be kind enough to answer.
1.) I don't really want to spend money on Radius software, can I use a Windows IAS Radius server?
2.) If the above answer is yes can I create 2 Active Directory groups (LDAP) one for Priv 15 and one for read only access to routers or switches, is that Priv 5?
3.) If the routers and switches can't access the Radius server will it fall back to the local username and passwords?
4.) Is anyone aware of a step-by-step guide on setting this up? I know how to install the Windows IAS Radius server, but it is the settings on the router/switch and the attributes within IAS.
Thanks
02-24-2012 04:45 AM
Andy,
1.) I don't really want to spend money on Radius software, can I use a Windows IAS Radius server?
Yes you can...it's been many years since I set it up, but it's possible.
2.) If the above answer is yes can I create 2 Active Directory groups (LDAP) one for Priv 15 and one for read only access to routers or switches, is that Priv 5?
Yes. You send class attributes back to the router with what priv-level you want like: shell:priv-lvl=5 or shell:priv-lvl=15
3.) If the routers and switches can't access the Radius server will it fall back to the local username and passwords?
It will if you have it set up that way, but be careful about what you mean by 'access' to the radius server. If the radius server responds at all, it won't roll over. The radius server really needs to be down (unreachable) for it to roll over. I've had to remove configurations from a radius server just to get a router to roll over to the next auth method. It will look like this in your router/switch though:
aaa authentication login default group radius local
Radius first and then local if the radius server doesn't respond.
4.) Is anyone aware of a step-by-step guide on setting this up? I know how to install the Windows IAS Radius server, but it is the settings on the router/switch and the attributes within IAS.
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrdat1.html
HTH,
John
02-24-2012 04:57 AM
Only two nuggets in addition to John's excellent response:
1) You can also use FreeRADIUS...but if you have a Windows server already with IAS RADIUS then this may offer you no added benefit. Just another option.
3) Just to further echo what John said here, the terminology on "accessing" the RADIUS server is very strict. For example, if the router/switch and RADIUS server are accidentally misconfigured with pre-shared keys (if the keys do not match), the router/switch will deny access rather than fall back to a local user.
In short: Test thoroughly before final deployment.
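As an added example (not posted by anyone in the thread), here is a minimal IOS configuration that matches the two answers above: RADIUS first, local usernames only when no RADIUS server answers, and exec authorization so the shell:priv-lvl value IAS returns is actually applied. The server address 192.0.2.10, the shared key and the local password are placeholders.

```cisco
! Added example, not from the thread. 192.0.2.10 and the secrets are placeholders.
aaa new-model
!
! Login: try RADIUS; use the local username database only if no RADIUS server
! responds. An Access-Reject (e.g. caused by a shared-key mismatch) IS a
! response, so the device denies the login instead of falling back to local.
aaa authentication login default group radius local
!
! Exec authorization is what makes the device honour the privilege level sent
! by IAS as the Cisco vendor-specific attribute (vendor 9, attribute 1,
! cisco-avpair string), e.g. shell:priv-lvl=15 or shell:priv-lvl=5.
aaa authorization exec default group radius local
!
! Local account that is only reachable when RADIUS is unreachable.
username admin privilege 15 secret <LOCAL-FALLBACK-PASSWORD>
!
! RADIUS server definition. deadtime lets the device mark a silent server
! dead for 10 minutes instead of waiting out every retransmit on each login.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <SHARED-SECRET>
radius-server timeout 3
radius-server retransmit 2
radius-server deadtime 10
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

Testing the fallback means making the server genuinely unreachable (stop the IAS service or block UDP/1812), not just sending it a wrong key, which as noted above produces a reject rather than a fallback.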