A RADIUS server is usually software that runs on a variety of platforms, including Microsoft Windows 2000 Server and various UNIX hosts. RADIUS can authenticate router users and even validate IP routes.
To configure RADIUS on your Cisco router or NAS, perform the following tasks:
Step 1 Enable AAA with the aaa new-model global configuration command. AAA must be configured if you plan to use RADIUS.
Step 2 Use the aaa authentication global configuration command to define method lists for RADIUS authentication.
Step 3 Use line and interface commands to enable the defined method lists to be used.
Step 4 Define the RADIUS server and secret key with the following IOS commands:
radius-server host ip-address
radius-server key secret-key
NOTE There are two optional RADIUS commands:
Use the aaa authorization global command to authorize specific user functions. Use the aaa accounting command to enable accounting for RADIUS connections.
Examples are the best way to illustrate the large IOS command set available for configuring RADIUS support with AAA.
Example 4-3 configures a Cisco IOS router with AAA and RADIUS support.
Example 4-3 AAA and RADIUS IOS Configuration
aaa new-model
aaa authentication login use-radius group radius local
aaa authentication ppp user-radius if-needed group radius
aaa authorization exec default group radius
aaa authorization network default group radius
radius-server host 220.127.116.11
radius-server key ccie2005
!
! Ensure you apply the named method list on the VTY lines
line vty 0 4
 login authentication use-radius
The command lines in this RADIUS authentication and authorization configuration are defined as follows:
■ The aaa authentication login use-radius group radius local command configures the router to use RADIUS for authentication at the login prompt. If RADIUS returns an error, the user is authenticated using the local database. In this example, use-radius is the name of the method list, which specifies RADIUS and then local authentication. If the RADIUS server returns the ACCESS-REJECT response, the user is denied access and the router will not check its local database.
■ The aaa authentication ppp user-radius if-needed group radius command configures the Cisco IOS software to use RADIUS authentication for lines using PPP with CHAP or PAP, if the user is not already authorized. If the EXEC facility has authenticated the user, RADIUS authentication is not performed. In this example, user-radius is the name of the method list defining RADIUS as the if-needed authentication method.
■ The aaa authorization exec default group radius command sets the RADIUS information used for EXEC authorization, autocommands, and access lists.
■ The aaa authorization network default group radius command sets RADIUS for network authorization, address assignment, and access lists.
■ The radius-server host command identifies the RADIUS server that the NAS queries.
■ The radius-server key command defines the shared secret text string between the NAS and the RADIUS server host.
Example 4-4 displays an example in which AAA is enabled on a Cisco IOS router.
username simon password SimonisisAgreatdrummeR
aaa new-model
aaa authentication ppp dialins group radius local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
aaa authentication login simon local
aaa authorization exec default local
radius-server host 18.104.22.168
radius-server key CCIEsrock
line vty 0 4
 login authentication simon
The Example 4-4 line configurations are defined as follows:
■ The radius-server host command defines the RADIUS server host's IP address.
■ The radius-server key command defines the shared secret text string between the NAS and the RADIUS server host.
■ The aaa authentication ppp dialins group radius local command defines the authentication method list, dialins, which specifies that RADIUS authentication and then (if the RADIUS server does not respond) local authentication will be used on serial lines using PPP.
■ The aaa authorization network default group radius local command sets RADIUS for network authorization, address assignment, and access lists.
■ The aaa accounting network default start-stop group radius command tracks PPP usage. It applies to all network services, so it covers SLIP and ARAP sessions as well as PPP.
■ The aaa authentication login simon local command defines the method list, simon, for local authentication.
■ The login authentication simon line command applies the simon method list to logins on the VTY lines.
NOTE A method list simply defines the authentication methods to be used, in sequence, to authenticate a user. Method lists enable you to designate one or more security protocols to be used for authentication, ensuring a backup system for authentication in case the initial method fails. Cisco IOS software uses the first method listed to authenticate users; if that method does not respond, the Cisco IOS software selects the next authentication method listed. This process continues until there is successful communication with a listed authentication method or the authentication method list is exhausted, in which case authentication fails.
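The two behaviours explained above, the fallback order of a method list and the difference between a RADIUS server that does not respond and one that returns ACCESS-REJECT, are easy to get wrong when reading a configuration. The following Python script is an added example (not from the book or from Cisco IOS) that parses a constructed IOS snippet, flags a login authentication line that names a method list the configuration never defines, and walks a method list the way the text describes. The sample config, the address 192.0.2.10 and the placeholder shared secret are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample config (not from a live device); note the VTY line
# references a method list that is never defined with "aaa authentication login".
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login simon local
aaa authentication ppp dialins group radius local
radius-server host 192.0.2.10
radius-server key PLACEHOLDER-SHARED-SECRET
line vty 0 4
 login authentication radius-login
"""

def parse_method_lists(config: str) -> Dict[str, List[str]]:
    """Map each 'aaa authentication login <name>' list to its ordered methods."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        # "group radius" is one method; collapse it to a single token
        lists[m.group(1)] = m.group(2).replace("group radius", "radius").split()
    return lists

def audit_lines(config: str) -> List[str]:
    """Report VTY/console 'login authentication' references to undefined lists,
    and a RADIUS method configured without a radius-server key."""
    defined = parse_method_lists(config)
    findings = []
    for m in re.finditer(r"^\s+login authentication (\S+)$", config, re.M):
        if m.group(1) not in defined:
            findings.append(f"undefined method list: {m.group(1)}")
    uses_radius = any("radius" in methods for methods in defined.values())
    if uses_radius and "radius-server key" not in config:
        findings.append("RADIUS method used but no radius-server key configured")
    return findings

def authenticate(methods: List[str], radius_outcome: str,
                 local_db: Dict[str, str], user: str, pw: str) -> bool:
    """Walk a method list as the text describes: a method that does not respond
    hands off to the next one; an explicit ACCESS-REJECT denies without
    consulting later methods; an exhausted list fails authentication."""
    for method in methods:
        if method == "radius":
            if radius_outcome == "ACCESS-ACCEPT":
                return True
            if radius_outcome == "ACCESS-REJECT":
                return False           # no fallback to the local database
            continue                   # server unreachable: try the next method
        if method == "local":
            return local_db.get(user) == pw
    return False                       # method list exhausted
```

Running audit_lines on the sample reports the undefined radius-login list, which on a real device would silently leave those VTY lines on the default list.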
TIP Cisco.com provides a long list of configuration examples. To view more detailed configurations, visit the following web address and follow the link to Security Management: