Can 2600 Router ver. 12.3 use Radius Server to Authenticate Logon

Discussion in 'Cisco' started by JohnD, Jul 13, 2007.

  1. JohnD

    JohnD Guest

    I have 500 routers. Right now we are using local accounts set up on each
    router to let our admins log into the routers. Whenever an admin leaves, we
    have to go around to 500 routers and delete that username and add the new
    guy.

    Is it possible to set up a router to use AAA authentication to a Radius
    server to authenticate telnet access?

    That way I just take the ex-employee out of the radius group and he no
    longer can get into our routers.

    If this is possible, would someone be so kind as to point me to a sample
    config. I am having a hell of a time finding anything on cisco.com.

    Thank you
    JohnD, Jul 13, 2007
    #1

  2. Re: Can 2600 Router ver. 12.3 use Radius Server to Authenticate Logon

    "JohnD" <> writes:
    >I have 500 routers. Right now we are using local accounts set up on each
    >router to let our admins log into the routers. Whenever an admin leaves, we
    >have to go around to 500 routers and delete that username and add the new
    >guy.


    >Is it possible to set up a router to use AAA authentication to a Radius
    >server to authenticate telnet access?


    Sure. RADIUS or TACACS+..

    >That way I just take the ex-employee out of the radius group and he no
    >longer can get into our routers.


    >If this is possible, would someone be so kind as to point me to a sample
    >config. I am having a hell of a time finding anything on cisco.com.


    Shouldn't be too hard to find, it's been part of IOS for quite some time.

    Here's a link to the basics in 12.2 documentation.

    http://www.cisco.com/univercd/cc/td...122cgcr/fsecur_c/fsaaa/scfathen.htm#wp1001032
    Doug McIntyre, Jul 13, 2007
    #2

  3. JohnD

    Guest

    Re: Can 2600 Router ver. 12.3 use Radius Server to Authenticate Logon

    On Jul 13, 3:46 pm, Doug McIntyre <> wrote:
    > "JohnD" <> writes:
    > >I have 500 routers. Right now we are using local accounts set up on each
    > >router to let our admins log into the routers. Whenever an admin leaves, we
    > >have to go around to 500 routers and delete that username and add the new
    > >guy.
    > >Is it possible to set up a router to use AAA authentication to a Radius

    You could use Radius but I would use TACACS+. First, RADIUS is clear
    text so you could have someone actually get your password if they are
    sniffing the datastream. I really do not like Cisco software, I
    REALLY like Cisco ACS. You can also set it up to use your Windows
    domain to authenticate to. You can do SSOOO MUCH with Cisco ACS!
    Here is a simple RADIUS config.

    aaa new-model
    !
    aaa authentication login default group radius local
    ! Always config a fallback in case you can't get to the AAA server
    radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key cisco
    ! Some IOSes want you to put the key on a separate line

    This will just get you logged in; there are the two other A's
    (authorization and accounting) that you may also configure.

    Greg

    > >server to authenticate telnet access?

    >
    > Sure. RADIUS or TACACS+..
    >
    > >That way I just take the ex-employee out of the radius group and he no
    > >longer can get into our routers.
    > >If this is possible, would someone be so kind as to point me to a sample
    > >config. I am having a hell of a time finding anything on cisco.com.

    >
    > Shouldn't be too hard to find, it's been part of IOS for quite some time.
    >
    > Here's a link to the basics in 12.2 documentation.
    >
    > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cg...
    , Jul 14, 2007
    #3
  4. Re: Can 2600 Router ver. 12.3 use Radius Server to Authenticate Logon

    writes:
    >On Jul 13, 3:46 pm, Doug McIntyre <> wrote:
    >> "JohnD" <> writes:
    >> >I have 500 routers. Right now we are using local accounts set up on each
    >> >router to let our admins log into the routers. Whenever an admin leaves, we
    >> >have to go around to 500 routers and delete that username and add the new
    >> >guy.
    >> >Is it possible to set up a router to use AAA authentication to a Radius

    >You could use Radius but I would use TACACS+. First RADIUS is clear
    >text so you could have someone actually get your password if they are
    >sniffing the datastream.



    Huh? RADIUS encrypts passwords across the network. The difference
    between TACACS+ and RADIUS is that TACACS+ encrypts the whole
    packet. RADIUS encrypts just the password, leaving the rest of the
    packet plain.

    Passwords are both encrypted as they go over the network for either protocol.
    Doug McIntyre, Jul 14, 2007
    #4
  5. JohnD

    Guest

    Re: Can 2600 Router ver. 12.3 use Radius Server to Authenticate Logon

    On Jul 14, 1:53 am, Doug McIntyre <> wrote:
    > writes:
    > >On Jul 13, 3:46 pm, Doug McIntyre <> wrote:
    > >> "JohnD" <> writes:
    > >> >I have 500 routers. Right now we are using local accounts set up on each
    > >> >router to let our admins log into the routers. Whenever an admin leaves, we
    > >> >have to go around to 500 routers and delete that username and add the new
    > >> >guy.
    > >> >Is it possible to set up a router to use AAA authentication to a Radius

    > >You could use Radius but I would use TACACS+. First RADIUS is clear
    > >text so you could have someone actually get your password if they are
    > >sniffing the datastream.

    >
    > Huh? RADIUS encrypts passwords across the network. The difference
    > between TACACS+ and RADIUS is that TACACS+ encrypts the whole
    > packet. RADIUS encrypts just the password, leaving the rest of the
    > packet plain.
    >
    > Passwords are both encrypted as they go over the network for either protocol.


    I did not know that. Thanks for the correction.
    , Jul 14, 2007
    #5