"Fatman Superstar" <> wrote in message
news:zEeLb.9842$...
> Hello All,
>
> We have a variety of Cisco kit in our lab which also hosts a Win2000 AD
> domain.
>
> Rather than using local enable passwords for the devices which we give out
> to certain people, I would like to be able to tie in AD permissions to
> Cisco boxes using RADIUS.
>
> We have an IAS server which supports RADIUS. However I have come across
> the usual problems. Are there any examples I can experiment with or
> documentation on this? The majority of items I find relate to MAC or VPN.
> Can what I am attempting be achieved?
>
> Many Thanks
>
> Fat
>
>
Yes, indeed. This is doable and works well. Here is a good doc to get you
started. Let me know if you run into any problems with it.

http://www.giac.org/practical/GCWN/Damon_Martin.pdf

Just an extra hint... They list the local login second and only if the
RADIUS is not available. That has its benefits, but I prefer the local
login not to have to wait on the timeout from RADIUS. So, my aaa line looks
like this:

aaa authentication login default local group radius
aaa authorization exec default local group radius if-authenticated

Hope that helps,
Jim
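
The two aaa lines from the reply, placed in a fuller IOS configuration. This is an added example, not part of the original post or the linked document; the server address 192.0.2.10, the ports, the timer values, the account name "labadmin" and the <...> placeholders are assumptions.

```cisco
! Added example. Constructed values: 192.0.2.10 (IAS server), the
! account name "labadmin", and the <...> placeholders.
aaa new-model
!
! One local break-glass account. With "local" listed first, a name
! defined here is checked against the router's own database only;
! a wrong password for it is a failure and is not retried via RADIUS.
! Keep local names few and different from AD account names.
username labadmin privilege 15 secret <local-secret>
!
! IAS as the RADIUS server. The key must match the RADIUS client
! entry created for this device in IAS. Ports 1812/1813 are assumed;
! use whichever ports the IAS server is set to listen on.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
!
! Bound how long a login can stall when IAS does not answer
! (roughly timeout x (retransmit + 1) seconds per server).
radius-server timeout 3
radius-server retransmit 2
!
! Ordering from the reply: local database first, then RADIUS for
! names that are not defined locally.
aaa authentication login default local group radius
aaa authorization exec default local group radius if-authenticated
!
! Ordering the reply attributes to the linked document, for comparison:
! RADIUS first, local only when no RADIUS server responds, so a local
! login waits out the timers above whenever IAS is down.
! aaa authentication login default group radius local
```

For AD users to land in privileged EXEC without a shared enable password, the IAS remote access policy also has to return a privilege level, commonly through the Cisco-AV-Pair attribute shell:priv-lvl=15; that is general IOS/IAS behaviour and is not stated in the post.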