Showing results for 
Search instead for 
Did you mean: 

Restrict users who can telnet/console via radius

Level 1
Level 1


I am in the process of setting up radius authentication on all our routers and switches. I have configured an account on the radius server but I want to restrict access to the router to this one account only. At present any user on the radius server can log on as long as he has the correct credentials. How can I make sure that only this one users credentials allows access to the router ?

Can I do this within the IOS or is there something within AD/IAS (radius) on the authentication server ?

Any suggestions appreciated....

4 Replies 4

Level 5
Level 5

Hello Rick

I believe you are asking for a using Radius authentication on your line access to your routers.

Could you try AAA:

radius-server host IP-of-the-radius-server

radius-server key myRaDiUSpassWoRd

aaa new-model

aaa authentication default line group radius

line vty 0 4

login authentication default

check a good link:


if it does, please rate my post,



Thanks fot the reply,

I do not have a problem with getting radius up and running, it is already working ok. What i want to do is limit the users who can log on (telnet on to the cisco etc )via radius. by this i mean there may be 250 valid dialin users but i only want to let a small number have the ability to log on to the cisco devices. the remainder should just be able to authenticate on to the domain as normal but they cant use their usernames and password to authenticate in to the cisco device itself,




So, maybe what you need is to set the correct authorization?

I believe you can restric user exec shell using this authorizatin.

I never configured the RADIUS server itself, but is there a way to change authorization per user?


Level 3
Level 3

I would say it is a configuration on your AD/IAS radius server because the radius server should be setting the exec level allowing or disallowing acess, etc..

Might have to assign a reserved IP address to the one account and then configure your routers/switches with access-list allowing that IP address

Also, here is a link that might help