Can 2600 Router ver. 12.3 use Radius Server to Authenticate Logon

 
 
JohnD
      07-13-2007
I have 500 routers. Right now we are using local accounts set up on each
router to let our admins log into the routers. Whenever an admin leaves, we
have to go around to 500 routers and delete that username and add the new
guy.

Is it possible to set up a router to use AAA authentication to a Radius
server to authenticate telnet access?

That way I just take the ex-employee out of the radius group and he no
longer can get into our routers.

If this is possible, would someone be so kind as to point me to a sample
config. I am having a hell of a time finding anything on cisco.com.

Thank you


 
 
 
 
 
Doug McIntyre
      07-13-2007
"JohnD" <(E-Mail Removed)> writes:
>I have 500 routers. Right now we are using local accounts set up on each
>router to let our admins log into the routers. Whenever an admin leaves, we
>have to go around to 500 routers and delete that username and add the new
>guy.


>Is it possible to set up a router to use AAA authentication to a Radius
>server to authenticate telnet access?


Sure. RADIUS or TACACS+..

>That way I just take the ex-employee out of the radius group and he no
>longer can get into our routers.


>If this is possible, would someone be so kind as to point me to a sample
>config. I am having a hell of a time finding anything on cisco.com.


Shouldn't be too hard to find, it's been part of IOS for quite some time.

Here's a link to the basics in 12.2 documentation.

http://www.cisco.com/univercd/cc/td/....htm#wp1001032



 
 
 
 
 
gcave@routergod.com
      07-14-2007
On Jul 13, 3:46 pm, Doug McIntyre <(E-Mail Removed)> wrote:
> "JohnD" <(E-Mail Removed)> writes:
> >I have 500 routers. Right now we are using local accounts set up on each
> >router to let our admins log into the routers. Whenever an admin leaves, we
> >have to go around to 500 routers and delete that username and add the new
> >guy.
> >Is it possible to set up a router to use AAA authentication to a Radius

You could use Radius but I would use TACACS+. First, RADIUS is clear
text so you could have someone actually get your password if they are
sniffing the datastream. I really do not like Cisco software, I
REALLY like Cisco ACS. You can also set it up to use your Windows
domain to authenticate to. You can do SSOOO MUCH with Cisco ACS!
Here is a simple RADIUS config.

aaa new-model
!
aaa authentication login default group radius local
! Always config a fallback in case you can't get to the AAA server
radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key cisco
! Some IOSes want you to put the key on a separate line

This will just get you logged in; there are the two other A's
(authorization, and accounting) that you may also configure.

Greg

> >server to authenticate telnet access?

>
> Sure. RADIUS or TACACS+..
>
> >That way I just take the ex-employee out of the radius group and he no
> >longer can get into our routers.
> >If this is possible, would someone be so kind as to point me to a sample
> >config. I am having a hell of a time finding anything on cisco.com.

>
> Shouldn't be too hard to find, it's been part of IOS for quite some time.
>
> Here's a link to the basics in 12.2 documentation.
>
> http://www.cisco.com/univercd/cc/td/...e/ios122/122cg...



 
 
Doug McIntyre
      07-14-2007
(E-Mail Removed) writes:
>On Jul 13, 3:46 pm, Doug McIntyre <(E-Mail Removed)> wrote:
>> "JohnD" <(E-Mail Removed)> writes:
>> >I have 500 routers. Right now we are using local accounts set up on each
>> >router to let our admins log into the routers. Whenever an admin leaves, we
>> >have to go around to 500 routers and delete that username and add the new
>> >guy.
>> >Is it possible to set up a router to use AAA authentication to a Radius

>You could use Radius but I would use TACACS+. First RADIUS is clear
>text so you could have someone actually get your password if they are
>sniffing the datastream.



Huh? RADIUS encrypts passwords across the network. The difference
between TACACS+ and RADIUS is that TACACS+ encrypts the whole
packet. RADIUS encrypts just the password, leaving the rest of the
packet plain.

Passwords are both encrypted as they go over the network for either protocol.


 
Reply With Quote
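The behaviour described in the reply above (only the password hidden, the rest of the packet readable), as an added example that is not part of the thread: it builds an Access-Request using the User-Password hiding from RFC 2865 section 5.2 and parses it the way an on-path observer could. The shared secret reuses the `cisco` key from the sample config; the user name, password and function names are constructed for illustration.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2   # RFC 2865 code and attribute types

def _chain(secret, authenticator, data, decrypt):
    # RFC 2865 5.2: b1 = MD5(S + RA), b(i) = MD5(S + c(i-1)); c(i) = p(i) XOR b(i)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(x ^ y for x, y in zip(block, pad))
        out += res
        prev = block if decrypt else res   # always chain on the ciphertext block
    return out

def hide_password(secret, authenticator, password):
    size = max(16, -(-len(password) // 16) * 16)   # null-pad to a multiple of 16
    return _chain(secret, authenticator, password.ljust(size, b"\x00"), False)

def reveal_password(secret, authenticator, hidden):
    return _chain(secret, authenticator, hidden, True).rstrip(b"\x00")

def build_access_request(secret, user, password, ident=1, authenticator=None):
    ra = authenticator or os.urandom(16)           # Request Authenticator
    attrs = b""
    for atype, value in ((USER_NAME, user),
                         (USER_PASSWORD, hide_password(secret, ra, password))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def parse_attributes(packet):
    # What any on-path observer can read without the shared secret.
    ra, attrs, pos = packet[4:20], {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return ra, attrs

if __name__ == "__main__":
    secret = b"cisco"                               # key from the sample config
    pkt = build_access_request(secret, b"jdoe", b"constructed-passphrase-01")
    ra, attrs = parse_attributes(pkt)
    print("User-Name on the wire:    ", attrs[USER_NAME])
    print("User-Password on the wire:", attrs[USER_PASSWORD].hex())
    print("Recovered with the secret:", reveal_password(secret, ra, attrs[USER_PASSWORD]))
```

The hiding is keyed only by the shared secret and the Request Authenticator, so its strength rests on the quality of the key configured on the router and server.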
 
gcave@routergod.com
      07-14-2007
On Jul 14, 1:53 am, Doug McIntyre <(E-Mail Removed)> wrote:
> (E-Mail Removed) writes:
> >On Jul 13, 3:46 pm, Doug McIntyre <(E-Mail Removed)> wrote:
> >> "JohnD" <(E-Mail Removed)> writes:
> >> >I have 500 routers. Right now we are using local accounts set up on each
> >> >router to let our admins log into the routers. Whenever an admin leaves, we
> >> >have to go around to 500 routers and delete that username and add the new
> >> >guy.
> >> >Is it possible to set up a router to use AAA authentication to a Radius

> >You could use Radius but I would use TACACS+. First RADIUS is clear
> >text so you could have someone actually get your password if they are
> >sniffing the datastream.

>
> Huh? RADIUS encrypts passwords across the network. The difference
> between TACACS+ and RADIUS is that TACACS+ encrypts the whole
> packet. RADIUS encrypts just the password, leaving the rest of the
> packet plain.
>
> Passwords are both encrypted as they go over the network for either protocol.


I did not know that, Thanks for the correction.

 