Configuring Cisco RADIUS Authentication
For more information on Cisco, visit cisco.com
Description:
This document has been constructed to configure Cisco Routers, Switches, and Aironet devices to allow user authentication via Microsoft RADIUS. This configuration will allow for users to log into the devices using Active Directory credentials and will set their access (Priv 1-15) based on their credentials via Active Directory group membership.
Pre-Requisites:
1. RADIUS Server:
Configure your RADIUS server to work with Cisco devices (Article coming soon...)
2. Set Secret Enable:
Prior to configuring your devices for RADIUS, ensure you have a secret enable configured on your device so that in the event that RADIUS authentication is down, you will still have access to the device.
enable secret <PASSWORD>
username admin privilege 15 password <PASSWORD>
Warning:
The username configuration will not work while RADIUS authentication is configured, as it is a local username.
Configure RADIUS:
1. Login:
Log into the router via Telnet or SSH
telnet 192.168.0.15
or ssh 192.168.0.15
2. Enter Global Config:
Enter the devices global config mode from the privileged exec prompt AP#
config t
3. AAA Methods:
Configure and enable the following aaa methods
NOTICE:
The following syntax will be input from the Global Config prompt: Cisco(config)#
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
4. RADIUS PSKs:
Configure the RADIUS server Pre-Shared Keys (This key is the key used when configuring the IAS or NPS RADIUS clients in step 1)
NOTICE:
The following syntax will be input from the Global Config prompt: Cisco(config)#
radius-server host 192.168.79.64 auth-port 1645 acct_port 1646 key ReplaceThisWithKey
radius-server host 192.168.79.69 auth-port 1645 acct_port 1646 key ReplaceThisWithKey
Removing RADIUS:
The ''no'' form of each command will remove the configuration from the running memory
NOTICE:
This snippit assumes you are in Privileged Exec mode: Cisco#
config t
no aaa authentication login default group radius local
no aaa authorization exec default group radius local
aaa authentication login default local
aaa authorization exec default local
!
no radius-server host 192.168.79.64 auth-port 1645 acct_port 1646 key ReplaceThisWithKey
no radius-server host 192.168.79.69 auth-port 1645 acct_port 1646 key ReplaceThisWithKey
exit
Sample Running-Config
APCF01P#show run
Building configuration...
Current configuration : 6408 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname APCF01P
!
enable secret 5 $1$6NLA$ZzXylh4pR/GJCDGIifWoC0
!
ip subnet-zero
ip domain name clusterfrak.com
ip name-server 192.168.79.64
ip name-server 192.168.79.32
ip name-server 192.168.79.254
!
!
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.79.69 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default group radius local
aaa authentication login mac_methods group rad_mac
aaa authentication login eap_methods group rad_eap
aaa authorization exec default group radius local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 association mac-list 700
dot11 vlan-name Clusterfrak vlan 79
dot11 vlan-name Public vlan 100
!
dot11 ssid CFGuest
vlan 100
authentication open
authentication key-management wpa
guest-mode
mbssid guest-mode
wpa-psk ascii 7 12100918040E0A082B3B343139342118145742
!
dot11 ssid Clusterfrak
vlan 79
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
infrastructure-ssid optional
!
!
crypto pki trustpoint TP-self-signed-1195232396
subject-name cn=IOS-Self-Signed-Certificate-1195232396
revocation-check none
rsakeypair TP-self-signed-1195232396
!
!
crypto ca certificate chain TP-self-signed-1195232396
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31313935 32333233 3936301E 170D3032 30333031 30313331
35385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31393532
33323339 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C12A 863463FE 57045A2A 7F19FB29 26D9F7F5 4BB06A4F 625FCB70 8933A92D
9A0FA852 FE391C05 DBC7300B 3E87CEEC 54124EE8 EEE2D885 1E2F6F07 6BBA5894
26737685 C4B48764 59A1AFBF 7A22F15A 01415672 A88987B5 E3CBE53D 0EB95903
197C44C6 F6C39042 E8B2C07D EF06898F 70F9512E 28E87D84 C82121D6 B877B877
3E490203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14119CE8 6948D67F 7F5C23F9 0A5A2413 7C80B3B8 99301D06
03551D0E 04160414 119CE869 48D67F7F 5C23F90A 5A24137C 80B3B899 300D0609
2A864886 F70D0101 04050003 81810036 4F6002CD 03A1836F FE2ACCFD 829F7796
B7C34E20 002B5F6C 74BE5EBB BF7E9348 96B42C45 9B8C1E99 42487D60 2263D006
41D41274 6CB73CAA 3092482C 1C9B5A92 35562340 7B325051 F4A094A0 8DF7AEFA
C9CD5A08 C0FC5D9B 6BE30228 387D8DC7 A21C0569 8127955E 7E670749 EC4DA51C
9EA47756 84D71D6F B5860683 EE7EC4
quit
username rnason privilege 15 secret 5 $1$WKnq$iGrwQh/8RFkXkxIsHEroL.
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 79 mode ciphers tkip
!
encryption vlan 100 mode ciphers tkip
!
ssid CFGuest
!
ssid Clusterfrak
!
mbssid
speed basic-11.0 basic-54.0
channel 2442
station-role root
l2-filter bridge-group-acl
!
interface Dot11Radio0.79
encapsulation dot1Q 79 native
ip helper-address 192.168.79.64
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 input-address-list 700
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.100
encapsulation dot1Q 100
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable
bridge-group 100
bridge-group 100 subscriber-loop-control
bridge-group 100 block-unknown-source
no bridge-group 100 source-learning
no bridge-group 100 unicast-flooding
bridge-group 100 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.79
encapsulation dot1Q 79 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
no bridge-group 100 source-learning
bridge-group 100 spanning-disabled
!
interface BVI1
ip address 192.168.79.253 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.79.254
ip http server
ip http authentication local
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
access-list 700 permit 0023.6c80.2cf5 0000.0000.0000
access-list 700 permit 0026.4acd.6ad3 0000.0000.0000
access-list 700 permit 041e.64c8.645d 0000.0000.0000
access-list 700 permit 0026.08ae.d1d6 0000.0000.0000
access-list 700 permit 0026.4acc.dfc0 0000.0000.0000
access-list 700 permit 001f.a749.be9f 0000.0000.0000
access-list 700 permit 0021.29b0.1755 0000.0000.0000
access-list 700 permit 001f.a736.ff30 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
snmp-server community Clusterfrak RO 1
snmp-server host 192.168.79.69 version 2c Clusterfrak
radius-server host 192.168.79.69 auth-port 1645 acct-port 1646 key 7 04782D5156115E471F4850121C1F3E543A3265
radius-server deadtime 60
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
banner motd ^CC
****************************************************************
* WARNING --- WARNING --- WARNING --- WARNING *
* *
* UNAUTHORIZED ACCESS IS STRICTLY FORBIDDEN *
* *
* Unauthorized access to this network, its systems, *
* hosts, or any other resources is strictly forbidden. *
* Violators will be prosecuted to the fullest extent *
* of the law. *
* *
****************************************************************
^C
!
line con 0
password 7 06041E731B4B021E0616
logging synchronous
transport preferred all
transport output all
line vty 0 3
transport preferred all
transport input all
transport output all
line vty 4
transport preferred all
transport input ssh
transport output ssh
line vty 5 15
transport preferred all
transport input ssh
transport output ssh
!
end
APCF01P#
Post Requisites:
None
Interesting thoughts