RADIUS Authentication for Cisco Router Logins

RADIUS or Remote Authentication Dial In User Service is a protocol that allows us to centralize the authentication and authorization of systems to connect to network resources.  In this example I will configure a Cisco router to use RADIUS to authenticate users for logins to the Cisco command console.  This will ease the administrative burden from needing to set up multiple local user databases on each of our routers.

First let’s make sure that the new AAA command set is active:

R1# conf t
R1(config)# aaa new-model

If you don’t already have a user configured in the local user database on the router it is a good idea to create one.  This is important so that you can access you router remotely in the event the RADIUS server becomes unavailable to the router.  We also need to make sure that we have an enable password set for privileged EXEC mode.  I will use the secret modifier on both so that the passwords are encrypted with the stronger type 5 MD5 hash table:

R1(config)# username john secret JohnsPassword
R1(config)# enable secret EnablePassword

Now we’ll specify the IP address of the system that will be our RADIUS server.  We can include an encryption key unique to each RADIUS server or we can specify a key globally.  I’ll use a global key.  Also optionally we can specify the ports used for RADIUS authentication and accounting, these default to 1645 and 1646 but I’ll specify them in the command anyway.

R1(config)# radius-server host 192.168.2.5 auth-port 1645 acct-port 1646
R1(config)# radius-server key MyRadiusKey

To encrypt the RADIUS key we’ve entered enable the password encryption service.  This enables relatively insecure type 7 encryption on the key, but it’s better than leaving it there in plain text!

R1(config)# service password-encryption

We’ll activate authentication for logins to the router and specify that RADIUS is the preferred method but we’ll include the local user database as a fall back if RADIUS becomes unavailable.  Note that users in the local database cannot be used if the user doesn’t exist in RADIUS, it will only fall back if the RADIUS server is offline.

R1(config)# aaa authentication login default group radius local

This command is optional but will automatically take RADIUS authenticated users to privileged Exec (15) mode without requiring them to type “enable”.

R1(config)# aaa authorization exec default group radius if-authenticated

Specify the interface with the source address supplied in RADIUS traffic.  In my case I have a router with a VLAN interface configured, otherwise you can use a physical interface.

R1(config)# ip radius source-interface Vlan 10

Now it is time to set up our RADIUS server to allow the Cisco router to use it’s authentication services.  In my example I will make use of a Windows RADIUS server in an Active Directory domain.  Below you can find an article on configuring RADIUS services on a Windows Server 2003 domain controller.

Set Up Windows 2003 IAS Server with RADIUS Authentication for Cisco Router Logins

Once you’ve completed the set up of your RADIUS server attempt to login to your Cisco router via telnet/SSH with a Windows user account.  It’s also a good idea to test the fall back option using the local user database by disconnecting the RADIUS server from the router and attempting to login with that user.  Hopefully all your login attempts will run smoothly and success will be at hand!

References

http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/