
How To: Set up radius authentication for Cisco equipment with Server 2016 – Whitbix Blog 04/08/20 12:20

Whitbix Blog

AUTHENTICATION - RADIUS / CISCO / HOWTO / INFRASTRUCTURE / NETWORKING / WINDOWS SERVER 2016

How To: Set up radius authentication for Cisco equipment with Server 2016

JULY 8, 2017 THEWHITBIXKID

Quick description:

This is a how-to guide on setting up RADIUS authentication for Cisco equipment.

What we want to achieve:

SSH into a Cisco switch/router/firewall using an Active Directory account that is a member of a specified security group.

Use Case:

Home Lab; Small Business

What we already need set up:

Windows Server 2016
Active Directory
Cisco Switch/Router/Firewall


Note: I will be using a Cisco 3750 switch for this how-to guide. Cisco commands will be different when using a firewall.

Configuration:

Windows Server 2016
Cisco 3750 Switch
Radius Server IP: 10.0.20.6

Legend (highlighting on the original page): text values you can change are shown in gold; default port settings in aqua.

username backup secret A-password
!
! aaa new-model must be enabled before the aaa commands below are accepted
aaa new-model
!
aaa group server radius RAD-SERVERS
 server-private 10.0.20.6 auth-port 1812 acct-port 1813 key Radius-Key
!
aaa authentication login default group RAD-SERVERS local
aaa authorization console
aaa authorization exec default group RAD-SERVERS local

Command breakdown:

username backup secret A-password

This sets up a local account called backup with an encrypted password of A-password. This is in case the RADIUS server is offline and you still need to get into the switch!

aaa group server radius RAD-SERVERS

Configures an AAA server group on the switch called RAD-SERVERS (you can have multiple servers in this group for failover).

server-private 10.0.20.6 auth-port 1812 acct-port 1813 key Radius-Key

Adds a server (IP: 10.0.20.6) to the RAD-SERVERS AAA group. It is important that the RADIUS key matches the one configured on the RADIUS server, as it is used to decrypt the request.

The default ports for RADIUS authentication (1812) and accounting (1813) can be changed, but you need to change them on the RADIUS server as well.

Note: this is a sub-command of the AAA group, so you need to enter the above aaa group server command first before entering this one.

aaa authentication login default group RAD-SERVERS local

This tells the switch, when there is a login attempt, to first try to authenticate against the RAD-SERVERS AAA group. If the RADIUS servers cannot be reached it falls back to local (an Access-Reject from the server is a failed login, not a fallback, as the failed-login example further down shows).

Local authentication means the switch will look at its own local user database. This is where the backup account we created earlier lives.

aaa authorization console

This adds an authorization check to logins on the console port. By default IOS does not do this and bypasses authorization on the console.

aaa authorization exec default group RAD-SERVERS local

This tells the switch, when a logged-in user requests to go into privileged mode (enable), to prompt for a password and check whether they are authorized to do so by first asking the RAD-SERVERS AAA group. If the RADIUS servers cannot be reached it falls back to local.

Note: in this how-to we configured the RADIUS server to return privilege level 15 for Engineers (the shell:priv-lvl Cisco AV pair seen in the debug output below); this automatically puts you into privileged mode. Users with lower privilege levels will be prompted for a password again.
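The breakdown above says the key on the switch must match the one on the RADIUS server. As an added example that is not from the post, the Python below shows the two places RFC 2865 actually uses that shared secret: hiding the User-Password inside the Access-Request, and authenticating the Access-Accept that comes back. All values (SECRET, REQUEST_AUTH, the password, the reply id) are constructed.

```python
import hashlib
import hmac
import struct

# Constructed values (not from the original post). SECRET plays the role of "key Radius-Key" on
# the switch and of the shared secret entered for the RADIUS client in NPS.
SECRET = b"Radius-Key"
REQUEST_AUTH = bytes(range(16))  # 16-byte Request Authenticator; a real switch picks it at random
ACCESS_ACCEPT = 2

def _xor_chain(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    # RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous hidden block),
    # seeded with the Request Authenticator. Chaining always uses the hidden (on-the-wire) block.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hiding else chunk
    return out

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, request_auth, hiding=True)

def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    # What the RADIUS server computes; with a mismatched key this is garbage, hence Access-Reject.
    return _xor_chain(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    # RFC 2865 section 3: MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    # The switch recomputes the authenticator with its own key and discards replies that differ.
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)

def demo() -> dict:
    hidden = hide_password(b"a-password-longer-than-16-bytes", SECRET, REQUEST_AUTH)
    # Server-side Access-Accept, id 37 as in the post's debug output, carrying no attributes.
    reply = struct.pack("!BBH", ACCESS_ACCEPT, 37, 20) + response_authenticator(ACCESS_ACCEPT, 37, b"", REQUEST_AUTH, SECRET)
    return {
        "server_with_right_key": recover_password(hidden, SECRET, REQUEST_AUTH),
        "server_with_wrong_key": recover_password(hidden, b"Wrong-Key", REQUEST_AUTH),
        "switch_accepts_reply": reply_is_authentic(reply, REQUEST_AUTH, SECRET),
        "switch_with_wrong_key_accepts": reply_is_authentic(reply, REQUEST_AUTH, b"Wrong-Key"),
    }
```

The password hiding is MD5-based obfuscation rather than strong encryption, which is why the path between the switch and the NPS server should be a trusted management network.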

How to troubleshoot this:

Cisco 3750

Enable debugging:

debug radius accounting
debug radius authentication
debug aaa authorization
debug aaa authentication
terminal monitor

Once you have entered these commands, open another SSH session and attempt to log in; you will see debug statements like the ones below.

Example of successful login:

Jul 8 02:50:30.259: AAA/BIND(00000022): Bind i/f
Jul 8 02:50:30.259: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
Jul 8 02:50:30.259: RADIUS/ENCODE(00000022): ask "Password: "
Jul 8 02:50:30.259: RADIUS/ENCODE(00000022):Orig. component type = EXEC
Jul 8 02:50:30.259: RADIUS: AAA Unsupported Attr: interface [170] 4
Jul 8 02:50:30.259: RADIUS: 74 74 [ tt]
Jul 8 02:50:30.259: RADIUS/ENCODE(00000022): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Jul 8 02:50:30.259: RADIUS(00000022): Config NAS IP: 0.0.0.0
Jul 8 02:50:30.259: RADIUS/ENCODE(00000022): acct_session_id: 34
Jul 8 02:50:30.259: RADIUS(00000022): sending
Jul 8 02:50:30.259: RADIUS/ENCODE: Best Local IP-Address 10.0.20.1 for Radius-Server 10.0.20.6
Jul 8 02:50:30.259: RADIUS(00000022): Send Access-Request to 10.0.20.6:1812 id 1645/37, len 91
Jul 8 02:50:30.259: RADIUS: authenticator 41 D0 92 B5 1B 06 69 C9 - E9 E6 C5 51 C9 AF 1D 02
Jul 8 02:50:30.259: RADIUS: User-Name [1] 6 "noob"
Jul 8 02:50:30.259: RADIUS: Reply-Message [18] 12
Jul 8 02:50:30.259: RADIUS: 50 61 73 73 77 6F 72 64 3A 20 [ Password: ]
Jul 8 02:50:30.259: RADIUS: User-Password [2] 18 *
Jul 8 02:50:30.259: RADIUS: NAS-Port [5] 6 2
Jul 8 02:50:30.259: RADIUS: NAS-Port-Id [87] 6 "tty2"
Jul 8 02:50:30.259: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jul 8 02:50:30.259: RADIUS: Calling-Station-Id [31] 11 "10.0.10.5"
Jul 8 02:50:30.259: RADIUS: NAS-IP-Address [4] 6 10.0.20.1
Jul 8 02:50:30.268: RADIUS: Received from id 1645/37 10.0.20.6:1812, Access-Accept, len 96
Jul 8 02:50:30.268: RADIUS: authenticator A3 19 0E 6A E5 13 53 6C - B8 C9 03 B6 68 60 6F 79
Jul 8 02:50:30.268: RADIUS: Service-Type [6] 6 Login [1]
Jul 8 02:50:30.268: RADIUS: Class [25] 46
Jul 8 02:50:30.268: RADIUS: 8F AF 08 DB 00 00 01 37 00 01 02 00 0A 00 14 06 00 00 00 00 08 88 97 83 43 80 AC 47 01 D2 F6 F8 74 9C B5 8A 00 00 00 00 00 00 00 0B [ 7CGt]
Jul 8 02:50:30.268: RADIUS: Vendor, Cisco [26] 24
Jul 8 02:50:30.268: RADIUS: Cisco AVpair [1] 18 "shell:priv-lvl=1"
Jul 8 02:50:30.268: RADIUS(00000022): Received from id 1645/37
Jul 8 02:50:30.268: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 10.0.10.5] [localport: 22] at 12:50:30 ADEST Sat Jul 8 2017
Jul 8 02:50:30.276: AAA/AUTHOR/EXEC(00000022): processing AV priv-lvl=1
Jul 8 02:50:30.276: AAA/AUTHOR/EXEC(00000022): Authorization successful

Example of failed login attempt (account noob was removed from the security group):

Jul 8 02:55:47.802: AAA/BIND(00000023): Bind i/f
Jul 8 02:55:47.802: AAA/AUTHEN/LOGIN (00000023): Pick method list 'default'
Jul 8 02:55:47.802: RADIUS/ENCODE(00000023): ask "Password: "
Jul 8 02:55:47.810: RADIUS/ENCODE(00000023):Orig. component type = EXEC
Jul 8 02:55:47.810: RADIUS: AAA Unsupported Attr: interface [170] 4
Jul 8 02:55:47.810: RADIUS: 74 74 [ tt]
Jul 8 02:55:47.810: RADIUS/ENCODE(00000023): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Jul 8 02:55:47.810: RADIUS(00000023): Config NAS IP: 0.0.0.0
Jul 8 02:55:47.810: RADIUS/ENCODE(00000023): acct_session_id: 35
Jul 8 02:55:47.810: RADIUS(00000023): sending
Jul 8 02:55:47.810: RADIUS/ENCODE: Best Local IP-Address 10.0.20.1 for Radius-Server 10.0.20.6
Jul 8 02:55:47.810: RADIUS(00000023): Send Access-Request to 10.0.20.6:1812 id 1645/38, len 91
Jul 8 02:55:47.810: RADIUS: authenticator 0E 71 7E FE 2D 73 F9 93 - C9 FD A9 6C 10 01 9B 01
Jul 8 02:55:47.810: RADIUS: User-Name [1] 6 "noob"
Jul 8 02:55:47.810: RADIUS: Reply-Message [18] 12
Jul 8 02:55:47.810: RADIUS: 50 61 73 73 77 6F 72 64 3A 20 [ Password: ]
Jul 8 02:55:47.810: RADIUS: User-Password [2] 18 *
Jul 8 02:55:47.810: RADIUS: NAS-Port [5] 6 2
Jul 8 02:55:47.810: RADIUS: NAS-Port-Id [87] 6 "tty2"
Jul 8 02:55:47.810: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jul 8 02:55:47.810: RADIUS: Calling-Station-Id [31] 11 "10.0.10.5"
Jul 8 02:55:47.810: RADIUS: NAS-IP-Address [4] 6 10.0.20.1
Jul 8 02:55:47.819: RADIUS: Received from id 1645/38 10.0.20.6:1812, Access-Reject, len 20
Jul 8 02:55:47.819: RADIUS: authenticator 7E 70 BB EB 0C EE 22 DD - FB D0 CF 6D 5A 79 2B 9D
Jul 8 02:55:47.819: RADIUS(00000023): Received from id 1645/38
Jul 8 02:55:49.824: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.0.10.5] [localport: 22] [Reason: Login Authentication Failed] at 12:55:49 ADEST Sat Jul 8 2017
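Reading the debug output by eye works for one login, not for a shift's worth of them. As an added example that is not from the post, the Python below groups `debug radius authentication` lines by the request id the switch prints, extracts the user, source address, outcome and returned shell:priv-lvl, and reports rejects and unanswered requests. The sample log is constructed: the first two sessions mirror the post's accept/reject output, the third (no reply from 10.0.20.6) is invented to show the fallback-to-local case.

```python
import re

# Constructed sample in the form "debug radius authentication" prints it. Sessions 1 and 2 mirror the
# post's accept/reject examples; session 3 (no reply from 10.0.20.6) is invented to show local fallback.
SAMPLE = """\
Jul 8 02:50:30.259: RADIUS(00000022): Send Access-Request to 10.0.20.6:1812 id 1645/37, len 91
Jul 8 02:50:30.259: RADIUS: User-Name [1] 6 "noob"
Jul 8 02:50:30.259: RADIUS: Calling-Station-Id [31] 11 "10.0.10.5"
Jul 8 02:50:30.268: RADIUS: Received from id 1645/37 10.0.20.6:1812, Access-Accept, len 96
Jul 8 02:50:30.268: RADIUS: Cisco AVpair [1] 18 "shell:priv-lvl=1"
Jul 8 02:55:47.810: RADIUS(00000023): Send Access-Request to 10.0.20.6:1812 id 1645/38, len 91
Jul 8 02:55:47.810: RADIUS: User-Name [1] 6 "noob"
Jul 8 02:55:47.810: RADIUS: Calling-Station-Id [31] 11 "10.0.10.5"
Jul 8 02:55:47.819: RADIUS: Received from id 1645/38 10.0.20.6:1812, Access-Reject, len 20
Jul 8 03:01:02.100: RADIUS(00000024): Send Access-Request to 10.0.20.6:1812 id 1645/39, len 92
Jul 8 03:01:02.100: RADIUS: User-Name [1] 7 "admin"
"""

SEND_RE = re.compile(r"Send Access-Request to (\S+) id (\S+), len")
RECV_RE = re.compile(r"Received from id (\S+) \S+, (Access-\w+)")
ATTR_RE = re.compile(r'RADIUS: (User-Name|Calling-Station-Id|Cisco AVpair) \[\d+\] \d+ "([^"]*)"')

def parse_debug(text: str) -> list:
    # One record per Access-Request, keyed by the "id 1645/NN" the switch prints on Send and Received lines.
    attempts, current = {}, None
    for line in text.splitlines():
        if m := SEND_RE.search(line):
            current = attempts[m.group(2)] = {"id": m.group(2), "server": m.group(1), "user": "",
                                              "source": "", "outcome": "no-reply", "priv_lvl": None}
        elif (m := RECV_RE.search(line)) and (current := attempts.get(m.group(1))):
            current["outcome"] = m.group(2)
        elif current and (m := ATTR_RE.search(line)):
            kind, value = m.groups()
            if kind == "User-Name":
                current["user"] = value
            elif kind == "Calling-Station-Id":
                current["source"] = value
            elif value.startswith("shell:priv-lvl="):
                current["priv_lvl"] = int(value.split("=", 1)[1])
    return list(attempts.values())

def findings(attempts: list) -> list:
    # Surface what matters: rejects (who, from where) and a silent server, meaning local fallback is in use.
    out = []
    for a in attempts:
        if a["outcome"] == "Access-Reject":
            out.append(f"REJECT user={a['user']} from={a['source']}")
        elif a["outcome"] == "no-reply":
            out.append(f"NO-REPLY from {a['server']} for user={a['user']}; local fallback in use")
    return out
```

Leave the debugs on only while troubleshooting and switch them off with `undebug all` afterwards; on a busy switch they are noisy and the output includes usernames and source addresses.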
