RADIUS or Remote Authentication Dial In User Service is a protocol
that allows us to centralize the authentication and authorization of
systems to connect to network resources. In this example I will
configure a Cisco router to use RADIUS to authenticate users for logins
to the Cisco command console. This will ease the administrative burden
from needing to set up multiple local user databases on each of our
routers.
First let’s make sure that the new AAA command set is active:
R1# conf t
R1(config)# aaa new-model
If you don’t already have a user configured in the local user database
on the router, create one now. This matters because it is what lets you
access your router remotely if the RADIUS server becomes unreachable
from the router; the local fallback configured later only helps if a
local account actually exists. We also need an enable password set for
privileged EXEC mode. I will use the secret keyword on both so that the
passwords are stored as type 5 (salted MD5) hashes rather than as
reversible type 7 strings. On newer IOS releases you can do better with
the algorithm-type keyword, which gives type 8 (PBKDF2-SHA256) or type 9
(scrypt) hashes:
R1(config)# username john secret JohnsPassword
R1(config)# enable secret EnablePassword
Now we’ll specify the IP address of the system that will be our RADIUS
server. The key is a shared secret rather than an encryption key in the
usual sense: RADIUS uses it to obscure the User-Password attribute and
to authenticate the server’s replies, so make it long and random and
don’t reuse it across unrelated devices. We can set a key per RADIUS
server or specify one globally; I’ll use a global key. Optionally we can
also specify the UDP ports used for RADIUS authentication and
accounting. Cisco IOS defaults to the legacy ports 1645 and 1646, while
the IANA-assigned ports are 1812 and 1813; whichever pair you use must
match what the server is listening on, so I’ll specify them in the
command anyway.
R1(config)# radius-server host 192.168.2.5 auth-port 1645 acct-port 1646
R1(config)# radius-server key MyRadiusKey
To hide the RADIUS key we’ve entered in the running configuration,
enable the password encryption service. This applies type 7 encoding to
the key, which is a reversible obfuscation that anyone holding a copy of
the config can undo in seconds, so it only guards against casual
exposure in a “show run”; treat saved and backed-up configs as
sensitive. Still, it’s better than leaving the key there in plain text!
R1(config)# service password-encryption
We’ll activate authentication for logins to the router and specify that
RADIUS is tried first, with the local user database as a fallback if
RADIUS becomes unavailable. Note that IOS moves on to the next method in
the list only when RADIUS returns an error (no server reachable). An
Access-Reject from the RADIUS server ends the attempt, so a user that
exists only in the local database cannot log in while the RADIUS server
is up; the fallback applies only when the server is offline.
R1(config)# aaa authentication login default group radius local
This command is optional. With it, a RADIUS-authenticated user lands
directly in privileged EXEC (level 15) without typing “enable”, provided
the RADIUS server returns Service-Type = Administrative-User (or the
Cisco VSA shell:priv-lvl=15) in its Access-Accept; without that
attribute the user starts at level 1 as usual. The if-authenticated
keyword lets the session proceed when the RADIUS server cannot be
reached, since the user has already been authenticated (in that case
against the local database).
R1(config)# aaa authorization exec default group radius if-authenticated
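The key configured earlier is used on every RADIUS exchange, and the exec authorization step above depends on what the server puts in its Access-Accept. The Python script below is an added example, not code from this post or from Cisco: it builds the Access-Request a router would send (RFC 2865 User-Password hiding under the shared secret), verifies a reply’s Response Authenticator with that secret, and checks for the Service-Type attribute that makes exec authorization grant level 15. The username, password, key and addresses are the ones used in this post; the Access-Accept is constructed inline to stand in for the Windows RADIUS server, and the fixed Request Authenticator is only for reproducibility.

```python
"""Minimal RFC 2865 Access-Request builder and reply verifier (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_ADMINISTRATIVE = 6  # Administrative-User: IOS grants privilege 15


def attr(atype, value):
    """Encode one attribute as type(1) length(1, header included) value."""
    return struct.pack("BB", atype, len(value) + 2) + value


def parse_attrs(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos, end = {}, 20, len(packet)
    while pos + 2 <= end:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > end:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret || previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += prev
    return out


def unhide_password(hidden, secret, request_auth):
    """Server side, inverse of hide_password. A wrong secret yields garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    """What the router (NAS) sends. The Request Authenticator must be unpredictable;
    passing a fixed one is for testing only."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Server side: a reply bound to the matching request and to the shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(packet, request_auth, secret):
    """NAS side: reject any reply whose authenticator was not made with our secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def grants_priv15(packet):
    """True when an Access-Accept carries Service-Type = Administrative-User."""
    if packet[0] != ACCESS_ACCEPT:
        return False
    st = parse_attrs(packet).get(ATTR_SERVICE_TYPE)
    return st is not None and struct.unpack("!I", st)[0] == SERVICE_TYPE_ADMINISTRATIVE


if __name__ == "__main__":
    secret = b"MyRadiusKey"  # the radius-server key from this post
    req, ra = build_access_request(7, b"john", b"JohnsPassword", secret, "192.168.2.1")
    # Constructed reply standing in for the Windows RADIUS server at 192.168.2.5
    accept = build_response(ACCESS_ACCEPT, 7, attr(ATTR_SERVICE_TYPE, struct.pack("!I", 6)), ra, secret)
    print("password on the wire:", parse_attrs(req)[ATTR_USER_PASSWORD].hex())
    print("reply authentic:", verify_response(accept, ra, secret), "priv 15:", grants_priv15(accept))
    print("reply made with wrong key accepted:", verify_response(accept, ra, b"WrongKey"))
```

Two things worth noticing when you run it: the password is only XOR-masked with an MD5 stream keyed by the shared secret, so anyone who recovers the type 7 key from a leaked config and captures the UDP traffic can unmask every password sent, and the reply check is the only thing stopping a spoofed Access-Accept, which is why the key must stay secret and unguessable.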
Specify the interface whose address will be used as the source of
RADIUS traffic, so the server always sees the same NAS address and can
match it against its client entry. In my case I have a router with a
VLAN interface configured; otherwise you can use a physical interface,
or better a loopback, since a loopback never goes down with a link.
R1(config)# ip radius source-interface Vlan 10
Now it is time to set up our RADIUS server to allow the Cisco router to
use its authentication services. In my example I will make use of a
Windows RADIUS server (IAS) in an Active Directory domain. Below you can
find an article on configuring RADIUS services on a Windows Server 2003
domain controller.
References
http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/