
Cisco and IAS

Status
Not open for further replies.

brea (IS-IT--Management, US), Nov 15, 2002
Has anyone successfully set up an IOS router or switch to authenticate users through an IAS server (Win2k)?

If yes is there a specific configuration to use? I am getting constant error messages that I have a bad username/password.
 
Yeah, I think I did this a while back. I don't remember the IAS config, but if you can get that working, I can definitely get the IOS config working. I guess, let's start off with what type of connection you want to authenticate/authorize via IAS?

Something basic that -should- work, just to authenticate telnet sessions:

(first off, I'm like, super-rusty with this, so forgive me for any initial errors)

conf t

aaa new-model
(must 'turn on' aaa to use radius, or tacacs if you wanted)


aaa authentication login default local enable
(defines the default method to authenticate for an exec session as the enable password, basically, it's a way to bail you out if you screw up)


aaa authentication login iastest group radius
(creates an authentication method called 'iastest'[arbitrary name] and says use all configured radius servers)

[then, you need to define the radius server, and the key used to communicate with it]

radius-server host X.X.X.X
(ip address of IAS box)

radius-server key XXXXX
(the private key used to communicate with radius)

[ok, now we have to apply the 'iastest' method to something, let's use the vtys on the router, so we can use IAS to authenticate anybody trying to telnet/ssh/whatever in]

line vty 0 4
login authentication iastest
-------

That should be enough to play with initially. You can test this without actually having to telnet in by performing this command at the enable prompt:

test aaa group radius foo bar legacy
(IOS will try using the defined radius server and bounce an authentication attempt off of it using the username:foo password:bar and passing it through the 'legacy' IOS code. You don't have to use legacy, though, you can use 'new-code' if you want, but, I've never noticed a difference. Probably just an easter egg leftover from some devs that forgot to take it out or something.)

I don't know what kind of output you'll get from the command other than 'pass' or 'fail,' so it's probably worth your while to enable 'debug radius' and 'debug aaa authentication,' THEN do the 'test aaa group' command. Some things might look a -tiny- bit verbose, but it should give you the hints you need.

Let me know if you have any add'l questions, or if my config totally sucks ;)
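What the router actually puts on the wire when you run `test aaa group radius foo bar legacy`, and why a wrong `radius-server key` shows up as a bad username/password rather than a key error, as an added example that is not part of the original post. It is a small Python model of the RFC 2865 PAP exchange: the router (NAS) side hides the password with MD5(secret + Request Authenticator) and the IAS side recovers it with *its* copy of the secret, so a mismatched key turns the password into garbage and IAS answers Access-Reject; the router, for its part, cannot validate the Response Authenticator of a reply signed with a different key and discards it. The user database, secrets, NAS address and packet identifier are made up for the example.

```python
"""RFC 2865 PAP Access-Request/Accept/Reject, modelled end to end (added example)."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Constructed stand-in for the Win2k accounts IAS would check (hypothetical).
USER_DB = {"foo": "bar"}


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; with the wrong secret the result is garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, req_auth=None):
    """NAS (router) side: Code 1, random 16-byte Request Authenticator, three attributes."""
    req_auth = req_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(payload: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def server_respond(request: bytes, secret: bytes) -> bytes:
    """IAS side: recover the password with its own secret, look the user up, sign the reply."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs[USER_NAME].decode(errors="replace")
    pwd = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    expected = USER_DB.get(user)
    code = ACCESS_ACCEPT if expected is not None and expected.encode() == pwd else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no attributes in the reply
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def nas_verify_response(request: bytes, response: bytes, secret: bytes) -> str:
    """Router side: RFC 2865 says a reply whose authenticator does not verify is silently dropped."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or response[4:20] != expected:
        return "invalid"
    return "pass" if code == ACCESS_ACCEPT else "fail"


def run_test_aaa(username, password, router_secret, server_secret):
    """One `test aaa group radius <user> <pass>` round trip; secrets are set per side."""
    req = build_access_request(7, username, password, router_secret, "10.0.0.1")
    return nas_verify_response(req, server_respond(req, server_secret), router_secret)


if __name__ == "__main__":
    print("matching key, right password:", run_test_aaa("foo", "bar", b"s3cret", b"s3cret"))
    print("matching key, wrong password:", run_test_aaa("foo", "nope", b"s3cret", b"s3cret"))
    print("key mismatch:               ", run_test_aaa("foo", "bar", b"s3cret", b"other"))
```

The third case is the one to recognise: IAS logs the attempt as a wrong password for a valid account, while the router's `debug radius` shows a reply it cannot verify, and `test aaa` reports a failure either way. Checking that the key on the router and in the IAS client entry are byte-for-byte identical (no trailing space, same case) is the first thing to do before touching the AAA method lists.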
 
