Cisco & Radius Authentication

Yay... If you have multiple devices from multiple vendors, RADIUS is a nice way to get them to talk together. This is how I got RADIUS working with my Cisco router, using Windows IAS as the RADIUS server.

1. Install IAS from Add/Remove Programs.
2. Launch IAS and create a new "RADIUS Client".
   - Friendly name can be whatever you want; I chose the name of my router.
   - IP address is the address of the device you want to connect, i.e. the router.
   - Set the shared secret (something good: no less than 6 characters, 16 would be best, no spaces; dashes are OK).
3. Create a "Remote Access Policy".

   I used the wizard, which seemed simple enough. For the policy name I just chose what I was connecting to: Ethernet. For Group, I added a new group in AD called "Network Admins". Chose MD5 (will change later); Finish.
4. Edit your new policy (Properties): remove NAS-Port-Type and add "NAS-IP-Address", then put in the IP of your device.
5. Edit Profile; on the Authentication tab, select PAP. Under EAP methods, remove MD5.
6. On the Advanced tab, add Cisco-AV-Pair and put "shell:priv-lvl=15" under Attribute value.

Now for the Cisco part. What got me interested was tightening security on my router, so parts of this are from (Here). The "local-case" / "local" / "enable" fallbacks at the end of the authentication and authorization lines are what keep you from being locked out of the router if the RADIUS server is unreachable, so don't drop them.

aaa new-model
aaa authentication login default group radius local-case
aaa authentication enable default group radius enable
aaa authorization commands 15 default group radius local
aaa accounting exec default stop-only group radius
aaa accounting commands 15 default stop-only group radius
aaa accounting network default stop-only group radius
radius-server host <radius-server-ip>   <-- change this to your RADIUS server's IP
radius-server key password              <-- change "password" to the shared secret you set up on the RADIUS server
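To make the two settings above concrete, here is an added example (my own code, not from the original post, IAS or IOS) showing what the shared secret actually does on the wire once PAP is selected: RFC 2865 hides the User-Password by XORing it with MD5(shared secret + previous block), so the secret is the only thing protecting the password in the Access-Request, and how the "shell:priv-lvl=15" Cisco-AV-Pair is carried as a Vendor-Specific attribute in the Access-Accept. All passwords, secrets and the authenticator are constructed test values.

```python
import hashlib
import struct

# RFC 2865 attribute 26 is Vendor-Specific; vendor id 9 is Cisco, vendor-type 1 is Cisco-AVPair
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_TYPE = 1


def pap_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR the padded password, 16 bytes at a time, with
    MD5(shared secret + previous block); the Request Authenticator seeds block 1."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block  # next key chains on this ciphertext block
    return out


def pap_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide_password, as the RADIUS server computes it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair (e.g. 'shell:priv-lvl=15') as a Vendor-Specific attribute."""
    vdata = value.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(vdata)) + vdata
    body = struct.pack("!I", CISCO_VENDOR_ID) + vsa
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_priv_level(attr: bytes):
    """Return N from a Cisco-AVPair 'shell:priv-lvl=N', or None if the attribute is not one."""
    if len(attr) < 8 or attr[0] != ATTR_VENDOR_SPECIFIC or attr[1] != len(attr):
        return None
    if struct.unpack("!I", attr[2:6])[0] != CISCO_VENDOR_ID:
        return None
    if attr[6] != CISCO_AVPAIR_TYPE or 6 + attr[7] != len(attr):
        return None
    value = attr[8:].decode(errors="replace")
    if not value.startswith("shell:priv-lvl="):
        return None
    return int(value.split("=", 1)[1])
```

Because the hiding is a single MD5 of the secret plus 16 known-ish bytes, a short or guessable shared secret is the weak point, which is why the post's advice of a long secret matters.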
