Radius Authentication on Cisco Switches

Discussion in 'Cisco' started by thejayman, Aug 15, 2007.

  1. thejayman

    thejayman Guest

    Hi All,
    Sorry if this is posted in the wrong group. I am trying to set up
    RADIUS authentication to my Cisco switches via a Windows IAS 2003
    server.

    After reading the Cisco docs I have come up with this config for the
    switches.

    aaa new-model
    aaa authentication login default group radius local none
    aaa authentication enable default group radius none
    aaa authorization exec default group radius local if-authenticated
    aaa authorization commands 0 default group radius none
    aaa authorization commands 1 default group radius none
    aaa authorization commands 15 default group radius none
    aaa accounting exec default start-stop group radius
    aaa accounting commands 15 default stop-only group radius
    aaa accounting network default stop-only group radius
    aaa accounting connection default stop-only group radius
    aaa accounting system default stop-only group radius
    !
    tacacs-server host x.x.x.x
    tacacs-server directed-request
    tacacs-server key XXXXXXXXXX

    What I do not understand is how I get users who log on to only get
    level 0, 1 and 15. I assume I have to create new groups on the Windows
    AD side but how does this match the config above?
    Sorry if I appear a bit dumb
    J
    thejayman, Aug 15, 2007
    #1

  2. thejayman

    Scooby Guest

    Your radius server needs to set the privilege level. You can do this by
    groups. Here is a great document for using IAS as a radius server with
    Cisco equipment:

    http://www.giac.org/certified_professionals/practicals/gcwn/0224.php

    Hope that helps,

    Jim


    "thejayman" <> wrote in message
    news:...
    > Hi All,
    > Sorry if this is posted in the wrong group. I am trying to set up
    > RADIUS authentication to my Cisco switches via a Windows IAS 2003
    > server.
    >
    > After reading the Cisco docs I have come up with this config for the
    > switches.
    >
    > aaa new-model
    > aaa authentication login default group radius local none
    > aaa authentication enable default group radius none
    > aaa authorization exec default group radius local if-authenticated
    > aaa authorization commands 0 default group radius none
    > aaa authorization commands 1 default group radius none
    > aaa authorization commands 15 default group radius none
    > aaa accounting exec default start-stop group radius
    > aaa accounting commands 15 default stop-only group radius
    > aaa accounting network default stop-only group radius
    > aaa accounting connection default stop-only group radius
    > aaa accounting system default stop-only group radius
    > !
    > tacacs-server host x.x.x.x
    > tacacs-server directed-request
    > tacacs-server key XXXXXXXXXX
    >
    > What I do not understand is how I get users who log on to only get
    > level 0, 1 and 15. I assume I have to create new groups on the Windows
    > AD side but how does this match the config above?
    > Sorry if I appear a bit dumb
    > J
    >
    Scooby, Aug 15, 2007
    #2
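
What "the RADIUS server sets the privilege level" looks like on the wire, as an added example that is not part of the thread: the policy for each group returns the Cisco-AVPair vendor-specific attribute `shell:priv-lvl=N` in the Access-Accept, and the switch applies it through its `aaa authorization exec ... group radius` line. The AD group names and the sample packets are constructed, and falling back to level 1 when the attribute is absent is an assumption of this sketch.

```python
import struct

CISCO_VENDOR_ID = 9   # Cisco's IANA enterprise number
VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute
CISCO_AVPAIR = 1      # Cisco sub-type carrying "key=value" strings
ACCESS_ACCEPT = 2     # RADIUS packet code

def build_access_accept(identifier, avpairs):
    """Constructed Access-Accept for parsing tests (authenticator zeroed, not a signed reply)."""
    attrs = b""
    for pair in avpairs:
        data = pair.encode("ascii")
        vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data
        attrs += struct.pack("!BB", VENDOR_SPECIFIC, len(vsa) + 2) + vsa
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs)) + bytes(16) + attrs

def cisco_avpairs(packet):
    """Return every Cisco-AVPair string in a RADIUS packet; raise on malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pairs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and 2 <= vlen <= len(value) - 4:
                pairs.append(value[6:4 + vlen].decode("ascii", "replace"))
        pos += alen
    return pairs

def exec_privilege(packet, default=1):
    """Level granted by shell:priv-lvl; IOS user EXEC level 1 assumed when it is absent."""
    for pair in cisco_avpairs(packet):
        key, _, val = pair.partition("=")
        if key == "shell:priv-lvl" and val.isdigit() and 0 <= int(val) <= 15:
            return int(val)
    return default

# Constructed sample: hypothetical AD group names and the AV-pair each IAS policy would return.
POLICIES = {"Switch-Admins": ["shell:priv-lvl=15"], "Switch-Operators": ["shell:priv-lvl=1"]}
LEVELS = {g: exec_privilege(build_access_accept(1, p)) for g, p in POLICIES.items()}
print(LEVELS)
```

Running the same parser over a captured Access-Accept for a test account in each group confirms that the group-to-level mapping on the IAS side is what the switch will actually receive.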

  3. thejayman

    thejayman Guest

    Great doc.
    Thanks for your help.
    J
    thejayman, Aug 17, 2007
    #3