Configure Cisco Hardware for RADIUS

wildweaselmi

Here is a config for RADIUS AAA authentication

!!! IOS !!!
aaa new-model
! login and exec authorization go to RADIUS first; "local" is only consulted when no
! RADIUS server answers, which is what the local privilege-15 username below is for
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting network default start-stop group radius
aaa accounting exec default start-stop group radius
username netadm1n privilege 15 secret teleco0mm
radius-server host 10.43.208.11
radius-server key DPSWy1qpokXT

Router# debug radius

Our goal is to figure out how to utilize the Cisco ACS 5.3 as our RADIUS server to point our devices to, which will use Active Directory group membership to assign a role (ACS-ReadOnly, ACS-ReadWrite).

Devices we will need to configure to point to the Cisco ACS/RADIUS/AD include:

•    Switch running IOS
•    Switch running NX-OS
•    Wireless LAN Controller (WLC)
•    Wireless Access Point (WAP)
•    Cisco CPT

If I could configure one of each to use RADIUS in the Cisco ACS 5.3 box with Active Directory then I would be set. I just need that example and I am unable to find anything online to help me solve this.

Now Cisco ACS 5.3 – TACACS – Active Directory works great for the Cisco hardware running IOS. That has been tested and verified, but I heard that there are issues with running TACACS on NX-OS and CPT.

Any help is most appreciated. My GNS lab on my Mac is limited and I can't seem to virtualize anything besides IOS.
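Since the question is really about what ACS hands back to the device once AD group membership has decided the role, here is the wire-level exchange that the "aaa authentication login default group radius" lines set in motion, as an added example that is not part of the thread. It builds an Access-Request the way an IOS NAS does (RFC 2865), lets a stand-in for the ACS server recover the User-Password with the shared secret, answers with an Access-Accept whose Response Authenticator the NAS verifies, and carries the two Cisco AV-pairs that map an ACS role onto the device: shell:priv-lvl=15 for IOS and shell:roles="network-admin" for NX-OS. The username and shared secret are the clear-text values from the first post's config; the NAS address 10.43.208.1 and the role values are made up for the example.

```python
"""Added example, not from the thread: the RFC 2865 exchange behind
"aaa authentication login default group radius", including the Cisco AV-pairs
an ACS role would return (shell:priv-lvl for IOS, shell:roles for NX-OS)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_VSA = 1, 2, 4, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # Vendor-Specific(26): Vendor-Id 9, sub-type 1 = cisco-avpair

def _attr(atype, value):
    """Type, Length, Value; Length counts its own 2 header bytes, so Value is at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def _password_xor(data, secret, request_auth, encrypt):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block),
    seeded with the Request Authenticator. The shared secret is all that hides the password."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = xored if encrypt else block
        out += xored
    return out

def obfuscate_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    return _password_xor(padded, secret, request_auth, encrypt=True)

def recover_password(ciphertext, secret, request_auth):
    return _password_xor(ciphertext, secret, request_auth, encrypt=False).rstrip(b"\x00")

def build_access_request(identifier, user, password, secret, nas_ip):
    """NAS side; the 16-byte Request Authenticator must be unpredictable."""
    request_auth = os.urandom(16)
    body = b"".join([
        _attr(ATTR_USER_NAME, user.encode()),
        _attr(ATTR_USER_PASSWORD, obfuscate_password(password.encode(), secret, request_auth)),
        _attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body

def parse_attributes(packet):
    """Walk the TLVs after the 20-byte header; reject truncated or zero-length ones."""
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def server_check_password(request, secret, expected_password):
    """Server side: undo the hiding with its copy of the shared secret, then compare."""
    for atype, value in parse_attributes(request):
        if atype == ATTR_USER_PASSWORD:
            recovered = recover_password(value, secret, request[4:20])
            return hmac.compare_digest(recovered, expected_password.encode())
    return False

def cisco_avpair(text):
    payload = text.encode()
    return _attr(ATTR_VSA, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(payload) + 2) + payload)

def build_access_accept(request, secret, avpairs):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret) (RFC 2865 3)."""
    body = b"".join(cisco_avpair(p) for p in avpairs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret):
    """NAS side: identifier must match and the Response Authenticator must recompute."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, resp_auth)

def authorization_from_response(response):
    """Map the Cisco AV-pairs as the devices do: IOS reads shell:priv-lvl, NX-OS reads shell:roles."""
    result = {"priv_lvl": None, "roles": []}
    for atype, value in parse_attributes(response):
        if atype != ATTR_VSA or value[:4] != struct.pack("!I", CISCO_VENDOR_ID) or value[4] != CISCO_AVPAIR:
            continue
        key, _, val = value[6:4 + value[5]].decode().partition("=")
        if key == "shell:priv-lvl":
            result["priv_lvl"] = int(val)
        elif key == "shell:roles":
            result["roles"] = val.strip('"').split()
    return result

if __name__ == "__main__":  # username/secret are the clear-text values in the first post; NAS IP is made up
    secret = b"DPSWy1qpokXT"
    req = build_access_request(7, "netadm1n", "teleco0mm", secret, "10.43.208.1")
    acc = build_access_accept(req, secret, ['shell:priv-lvl=15', 'shell:roles="network-admin"'])
    print(server_check_password(req, secret, "teleco0mm"), verify_response(acc, req, secret),
          authorization_from_response(acc))
```

Two things worth taking from it: the User-Password hiding is MD5-keyed XOR, so the shared secret is the only protection the login password has on the path to ACS, and the Response Authenticator is the only thing stopping a forged Access-Accept. A weak or widely reused RADIUS secret is therefore a direct path to privilege 15 or network-admin on every device that trusts it, which is the real reason to keep it out of clear-text configs and to reach ACS over a management VRF.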

Here are some configurations you can use

!! ----- NX-OS TACACS+ Config (the original post labelled this "RADIUS", but every line of it is TACACS+)
feature tacacs+
! shared secret left empty in the original post
tacacs-server key 7 ""
tacacs-server host 10.43.208.11
tacacs-server host 10.47.208.11
aaa group server tacacs+ tacacs
    server 10.43.208.11
    server 10.47.208.11
    ! change "core" to the VRF that has IP reachability to the ACS server
    use-vrf core
aaa accounting default group tacacs
! the original read "group Radius" here; the only server group defined above is the TACACS+ group "tacacs"
aaa authentication login default group tacacs
! no default role: a TACACS+ user with no role defined in ACS is refused instead of getting network-operator
no aaa user default-role
tacacs-server directed-request

Below is the RADIUS configuration for IOS

PRODUCTION

logging buffered 20480 debugging
logging console informational
logging monitor informational
! type 5 is salted MD5; newer IOS offers type 9 via "enable algorithm-type scrypt secret ..."
enable secret 5 $1$MBrN$ottZrqMPOB3jZEo0QFEQA0
!
aaa new-model
aaa authentication attempts login 6
! "line" is the fallback to the vty/console line password when every TACACS+ server is unreachable
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default stop-only group tacacs+
!
aaa session-id common

tacacs-server host 10.59.245.27
tacacs-server host 10.59.245.28
tacacs-server attempts 6
tacacs-server directed-request
! type 7 is reversible obfuscation, not encryption: anyone who can read this config can recover the key
tacacs-server key 7 03075A1F120E2840

banner motd _
********************************************************************
Use of this system is restricted to authorized users. User activity
is monitored and recorded by system personnel. Anyone using this
system expressly consents to such monitoring and recording. BE
ADVISED: if possible criminal activity is detected, system records,
along with certain personal information, may be provided to law
enforcement officials.                            (Rev hosangit2.55)
********************************************************************
_
privilege exec level 1 traceroute
privilege exec level 1 ping
! note: this lets level-1 (read-only) users display the startup-config, type 7 keys included
privilege exec level 1 show configuration
privilege exec level 1 terminal monitor
privilege exec level 1 terminal
privilege exec level 1 dir
!

LAB

!
aaa new-model
aaa authentication attempts login 6
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default stop-only group tacacs+
!
aaa session-id common
tacacs-server host 10.6.56.244
tacacs-server key 0 bl@hbl@hwh@t3v3r
!
privilege exec level 1 traceroute
privilege exec level 1 ping
privilege exec level 1 show configuration
privilege exec level 1 terminal monitor
privilege exec level 1 terminal
privilege exec level 1 dir
!
tacacs-server notify enable
enable use-tacacs

GENERIC

aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.6.56.244
tacacs-server key 0 bl@hbl@hwh@t3v3r

enable use-tacacs

! safety net while changing AAA: schedule a reload, test a fresh login from a second session, then cancel it
reload in 20
reload cancel
show reload

LAB RADIUS

aaa new-model
aaa authentication login default group radius local
aaa authentication login localauth local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa processes 6
! IOS defaults to 1645/1646; 1812/1813 are the IANA-assigned RADIUS ports
radius-server host 10.6.56.244 auth-port 1812 acct-port 1813 key Cis$ko

conf t
! auth-port is a per-host option, not a global radius-server command
radius-server host 10.6.56.244 auth-port 1812 acct-port 1813
radius-server key Cis$ko
! no "local" fallback on this list: with the RADIUS server unreachable, login fails
aaa authentication login default group radius

aaa new-model
radius-server host 10.6.56.244 auth-port 1812 acct-port 1813 key Cis$ko
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius


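Two things in these configs deserve a check before they are copied anywhere: the "tacacs-server key 7 ..." lines (type 7 is a fixed-keystream XOR, so a config dump gives away the key), and the "conf t" snippet whose "aaa authentication login default group radius" has no "local" fallback. The following audit script is an added example, not something from the thread: it decodes type 7 strings and flags login or enable method lists with no fallback or with a "none" method. The sample config at the bottom is constructed for the example; its key 7 value is the lab key "Cis$ko" from this post re-encoded, not one of the production strings above.

```python
"""Added example, not from the thread: audit a pasted IOS AAA config for two things the
configs above show - server keys that are not really protected, and login method lists
with no fallback. Type 7 (service password-encryption) is a fixed-keystream XOR, so any
"key 7" string in a config dump is the key in clear."""
import re

# Fixed keystream IOS uses for type 7; public knowledge for decades.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
# Methods that still let someone in when every AAA server is unreachable.
_FALLBACK_METHODS = {"local", "local-case", "line", "enable", "none"}
_AUTH_RE = re.compile(r"^aaa authentication (login|enable) (\S+) (.+)$", re.I)
_KEY_RE = re.compile(r"^(?:radius|tacacs)-server\b.*\bkey(?: ([067]))? (\S+)$", re.I)

def type7_decode(encoded):
    """Two decimal digits of keystream offset, then hex(plaintext XOR keystream)."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit() \
            or not re.fullmatch(r"[0-9A-Fa-f]+", encoded[2:]):
        raise ValueError("not a type 7 string")
    offset, data = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return bytes(c ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)] for i, c in enumerate(data)).decode()

def type7_encode(plain, offset=0):
    """Inverse of type7_decode; IOS picks an offset in 0..15."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    stream = bytes(ord(c) ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)] for i, c in enumerate(plain))
    return f"{offset:02d}{stream.hex().upper()}"

def _methods(method_list):
    """Split 'group tacacs+ line' into ['group tacacs+', 'line']."""
    tokens, out, i = method_list.split(), [], 0
    while i < len(tokens):
        if tokens[i].lower() == "group" and i + 1 < len(tokens):
            out.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            out.append(tokens[i].lower())
            i += 1
    return out

def audit_config(config_text):
    """Return (line_number, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = _AUTH_RE.match(line)
        if m:
            name, methods = f"{m.group(1)} {m.group(2)}", _methods(m.group(3))
            if not any(x in _FALLBACK_METHODS for x in methods):
                findings.append((lineno, f"'{name}' uses only {methods}: if no server answers, "
                                         f"nobody can log in; add 'local' (or 'line'/'enable')"))
            if "none" in methods:
                findings.append((lineno, f"'{name}' includes 'none': fails open"))
            continue
        k = _KEY_RE.match(line)
        if k:
            ktype, value = k.group(1), k.group(2)
            if ktype == "7":
                try:
                    plain = type7_decode(value)
                except ValueError:
                    plain = "<not decodable>"
                findings.append((lineno, f"type 7 key is reversible: {value} -> {plain!r}; use a type 6 "
                                         f"key (key config-key password-encrypt, then password encryption aes)"))
            elif ktype != "6":
                findings.append((lineno, f"shared secret {value!r} stored in clear text"))
    return findings

# Constructed sample modelled on the snippets in this post, not a config copied from the thread.
# The key 7 value encodes the lab key "Cis$ko" that the post shows in clear anyway.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius
aaa authentication enable default group tacacs+ enable
radius-server host 10.6.56.244 auth-port 1812 acct-port 1813 key Cis$ko
tacacs-server key 7 05280F1C654741
"""

if __name__ == "__main__":
    for lineno, finding in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```

Run it over a saved "show running-config" before pasting AAA changes. The findings point at the two fixes: a type 6 key for the server secret on IOS ("key config-key password-encrypt", then "password encryption aes"), and a fallback method on every login list, which the first post's config has and which the reload-in trick in the GENERIC section only papers over during the change window.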