Home » Security » [solved] configuring authenticating RADIUS settings for Cicso routers

[solved] configuring authenticating RADIUS settings for Cicso routers

Remote Authentication Dial In User Service, or RADIUS, is a protocol set up for user service that allows for the centralization of the authentication of systems that connect to the network resources. One of the many uses of RADIUS can include the configuration of a Cisco router to authenticate users for logins into the command console. Having this centralized approach allows the removal of local databases on routers.

To begin, set an active AAA command:

conf t
(config)# aaa new-model

It is ideal to have a user configured in the local user database in case the RADIUS server becomes inaccessible to the router. it is also recomended to enable the password set for privileged EXEC mode,
encrypting these said passwords with the strongest type MD5 hash table:
(config)# username test secret securepassword
(config)# enable secret EnablePassword

Moving onwards, it is time to specify the IP address that will be inside the RADIUS server. There are two ways to go about this, including either making a global key or a key unique to each RADIUS server. A global key is ideal. Also, it is possible to specify RADIUS ports, although they default to 1645 and 1646.

(config)# radius-server host auth-port 1645 acct-port 1646
(config)# radius-server key ############

Now its time to encrypt the RADIUS key by enabling the password encryption service. This puts the type 7 encryption on the key, which is relatively weak, but it is better than leaving it as is.

(config)# service password-encryption

Next, activate the authentication for logins to the router. Do this by specifying that RADIUS is the preferred method, but don’t hesitate to add the user database as a backup in the event that the RADIUS becomes offline or unavailable. It is worth nothing that the user must exist in Radius to be used in the local database.

(config)# aaa authentication login default group radius local

The following command is optional to add, but it excludes having to type ‘enable’ and take RADIUS users to privileged Exec mode.

R1(config)# aaa authorization exec default group radius if-authenticated

With the source address that is supplied in the RADIUS traffic, specify the source address

(config)# ip radius source-interface Vlan 200

Finally, it is time to allow the Cisco router to use its authentication services by setting up the RADIUS server.

Upon completion of the RADIUS server, to test the effectiveness of the server, login to your Cisco router through the use of SSH/telnet by utilizing a windows user account. Furthermore, to test the backup plan, disconnect your RADIUS server from the router and login with the user from the local database.

Leave a Reply

Your email address will not be published. Required fields are marked *