Tuesday, December 7, 2010

How to Set Up AAA Authentication for Cisco Switches using Microsoft IAS (RADIUS)

Many posts on the web overcomplicate this. It can be configured very granularly, but below is the simplest configuration that I have been able to come up with.
  1. Install IAS on the Windows Server
  2. Right-click Remote Access Policies (in the IAS MMC) and choose "New Remote Access Policy"
  3. Select "Setup a custom policy"
  4. For the policy name, we'll call it Cisco Switches
  5. Click Next
  6. Click Add
  7. Select Windows-Groups
  8. Click Add
  9. Click Add and select the groups for this policy
  10. Click OK
  11. Click OK
  12. Click Next
  13. Select "Grant remote access permission"
  14. Click Edit Profile
  15. Click the Authentication Tab
  16. Leave the defaults and select the following: Unencrypted authentication, Allow clients to connect without negotiating an authentication method
  17. Click the Advanced tab
  18. Change "Service-Type" to Login
  19. Remove Frame-Protocol
  20. Click Add
  21. Select "Vendor-Specific"
  22. Click Add
  23. Select Cisco from the list
  24. Select "Yes. It conforms"
  25. Click Configure Attribute
  26. Change "Vendor-assigned attribute number" from 0 to 1
  27. Enter "shell:priv-lvl=15" (without the quotes) in the Attribute Value field
  28. Click OK
  29. Click OK
  30. Click OK
  31. Click Close
  32. Click OK
  33. Respond "No" to a message about a Help topic
  34. Click Next
  35. Click Finish
  36. In the IAS MMC, right-click RADIUS Clients and select New RADIUS Client
  37. Enter the friendly name and the IP address
  38. Click Next
  39. Enter a preshared key to be used in the switch configuration
  40. Click Finish
On the Cisco switch (IOS), enter the following (adjusted to fit your situation):

A couple of assumptions:
  • RADIUS-GROUP-NAME is an arbitrary name that you choose
  • PRESHARED-KEY is the key used above when adding the RADIUS client to IAS
  • 10.1.1.10 and 10.1.1.11 are servers in your environment running IAS

! aaa new-model must be enabled before IOS accepts the aaa commands below.
! Keep your current session open until a login from a second session succeeds,
! so a typo in the RADIUS settings cannot lock you out.
aaa new-model
!
! Methods are tried in order: the local database first, then the RADIUS group.
aaa authentication login default local group RADIUS-GROUP-NAME
aaa authorization exec default local group RADIUS-GROUP-NAME
!
! The key must match the preshared key entered for the RADIUS client in IAS.
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key PRESHARED-KEY
radius-server host 10.1.1.11 auth-port 1645 acct-port 1646 key PRESHARED-KEY
!
aaa group server radius RADIUS-GROUP-NAME
 server 10.1.1.10 auth-port 1645 acct-port 1646
 server 10.1.1.11 auth-port 1645 acct-port 1646
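The policy steps above (Service-Type = Login, the Cisco vendor-specific attribute with vendor-assigned number 1 and value shell:priv-lvl=15) and the preshared key on the switch all show up in one place: the RADIUS Access-Accept that IAS returns. The following added example, which is not part of the original post and not Cisco or Microsoft code, builds such an Access-Accept the way RFC 2865 specifies it and then does what the switch does on receipt: checks the Response Authenticator with the shared secret and pulls the privilege level out of the Cisco VSA. The Cisco vendor ID (9) and the cisco-avpair vendor type (1) are real protocol values; the request authenticator and the secret are constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 2865 constants and Cisco VSA conventions (real values).
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_LOGIN = 1          # "Login" in the IAS Service-Type drop-down
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                # "Vendor-assigned attribute number" 1 in IAS


def attr(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Encode a Cisco vendor-specific attribute carrying one cisco-avpair string."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_accept(ident, request_auth, secret, priv_lvl=15):
    """Build the Access-Accept the IAS policy above produces.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    """
    attrs = attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
    attrs += cisco_avpair(f"shell:priv-lvl={priv_lvl}")
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(data):
    """Walk a Type/Length/Value list; reject malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def verify_and_extract(packet, request_auth, secret):
    """What the switch does with the reply.

    Returns None if the Response Authenticator does not verify under the
    shared secret (wrong key on either side, or a tampered/forged reply);
    otherwise returns the code, Service-Type and parsed priv-lvl.
    """
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        return None
    resp_auth, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None
    result = {"code": code, "id": ident, "service_type": None, "priv_lvl": None}
    for attr_type, value in parse_attrs(attrs):
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
                continue
            for vendor_type, vendor_value in parse_attrs(value[4:]):
                text = vendor_value.decode(errors="replace")
                if vendor_type == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
                    result["priv_lvl"] = int(text.split("=", 1)[1])
    return result


if __name__ == "__main__":
    # Constructed sample values: a fixed request authenticator and the key
    # the post calls PRESHARED-KEY. In real traffic the authenticator is the
    # 16 random bytes the switch put in its Access-Request.
    request_auth = bytes(range(16))
    secret = b"PRESHARED-KEY"
    reply = build_access_accept(42, request_auth, secret)
    print(verify_and_extract(reply, request_auth, secret))
    # A switch configured with a different key rejects the same reply.
    print(verify_and_extract(reply, request_auth, b"wrong-key"))
```

Two practical points fall out of this. If the switch logs a valid-looking server that never authenticates anyone, a key mismatch is the first thing to check, because the reply is silently dropped exactly as the second call above returns None. And the privilege level is only honoured because `aaa authorization exec` is configured: without it the shell:priv-lvl=15 attribute arrives but is ignored.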
