Quick description:
This is a how-to guide on setting up RADIUS authentication for Cisco equipment.
Use Case:
SSH into a Cisco switch/router/firewall using an Active Directory account that is a member of a specified security group.
How To: Set up radius authentication for Cisco equipment with Server 2016 – Whitbix Blog (04/08/20 12:20)
https://whitbixlab.wordpress.com/2017/07/08/how-to-set-up-radius-authentication-for-cisco-switch-with-server-2016/
Note: I will be using a Cisco 3750 switch for this how-to guide. The Cisco commands differ when configuring a firewall.
Configuration:
Command breakdown:
This creates a local account called backup with an encrypted password of A-password. This is your way into the switch if the RADIUS server is offline!
Configures an AAA server group on the switch called RAD-Servers (you can put multiple servers in this group for failover).
Adds a server (IP: 10.0.20.6) to the RAD-Servers AAA group. The RADIUS key configured here must match the key on the RADIUS server, because it is used to decrypt the request.
The default ports for RADIUS authentication (1812) and accounting (1813) can be changed, but if you do, you need to change them on the RADIUS server as well.
Note: the AAA group above must exist before you enter this command.
This tells the switch that on a login attempt it should first try to authenticate against the RAD-SERVERS AAA group. If that fails, it falls back to local.
Local authentication means the switch checks its own local user database, which holds the backup account created earlier.
This adds an authorization check to the console port when logging in. By default IOS does not perform this check, so console logins bypass authorization.
This tells the switch that when a logged-in user requests privileged mode (enable), it should prompt for a password and check whether they are authorized, by first asking the RAD-SERVERS AAA group. If that fails, it falls back to local.
Note: in this how-to we configured the RADIUS server to return privilege level 15 for Engineers, which drops you straight into privileged mode. Users returned with a lower privilege level are prompted for their password again.
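The two points above, that the RADIUS key must match on both sides and that the server hands back privilege 15 for Engineers, come down to how an RFC 2865 exchange is built. The following is an added example, not code from the blog or from Cisco: it builds a constructed Access-Request and Access-Accept (user name, password and keys are made up), hides the password with the shared key, signs the reply with the server's key, and shows that a switch holding a different key cannot validate the reply, so it is dropped rather than rejected. The Cisco vendor ID (9) and the Cisco-AVPair vendor-type (1) are the real IANA/Cisco values.

```python
import hashlib
import struct
# Constructed example (not the blog's code): RFC 2865 packets showing what the shared key does and how Cisco-AVPair shell:priv-lvl reaches the switch.
CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco; Cisco-AVPair is vendor-type 1

def attr(atype, value):  # Type-Length-Value encoding of one RADIUS attribute
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(secret, req_auth, password):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block / authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def access_request(secret, ident, user, password, req_auth):
    attrs = attr(1, user) + attr(2, hide_password(secret, req_auth, password))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def access_accept(secret, request, priv_lvl):
    """Server side: Access-Accept carrying a Cisco VSA, authenticated with the server's key."""
    attrs = attr(26, struct.pack("!I", CISCO_VENDOR_ID) + attr(1, b"shell:priv-lvl=%d" % priv_lvl))
    header = struct.pack("!BBH", 2, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(secret, request, response):
    """Client side: recompute the Response Authenticator with the switch's own key."""
    return hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest() == response[4:20]

def priv_level(response):
    """Walk the attributes and pull shell:priv-lvl out of a Cisco-AVPair, if present."""
    pos = 20
    while pos + 2 <= len(response):
        atype, alen = response[pos], response[pos + 1]
        value = response[pos + 2:pos + alen]
        if atype == 26 and value[:4] == struct.pack("!I", CISCO_VENDOR_ID) and value[4] == 1:
            avpair = value[6:4 + value[5]]
            if avpair.startswith(b"shell:priv-lvl="):
                return int(avpair[len(b"shell:priv-lvl="):])
        pos += max(alen, 2)  # never loop forever on a malformed zero-length attribute
    return None

def login_outcome(switch_key, server_key, req_auth):
    req = access_request(switch_key, 7, b"engineer", b"hunter2", req_auth)
    resp = access_accept(server_key, req, 15)
    if not verify_response(switch_key, req, resp):
        return "dropped"  # a bad authenticator is silently discarded: timeout, then fall back to local
    return "priv-lvl=%d" % priv_level(resp)
```

In the debug output this is the difference between an Access-Reject for a user outside the security group and a string of timeouts followed by the local backup account being consulted when the keys do not match.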
Cisco 3750
Enable debugging
terminal monitor
Once you have entered these commands, open another SSH session and attempt to log in; you will see debug statements like the ones below.
Example of a failed login attempt (the account noob was removed from the security group):