ASA/PIX, IDS, IPS, VPN, Cisco Secure ACS, AAA, ISE.
DieselJeeper
Ultimate Member
Posts:
509
Joined:
Wed Aug 03, 2011 12:24 pm
Certs:
MCSE, MCP+I, SEC+ (working on CCENT/CCNA)

AAA Auth to RADIUS (securing Cisco login)

Mon May 21, 2012 1:37 pm

Folks-

I have a requirement to have Cisco logins authenticate against a RADIUS server, as per this site:
http://aaronwalrath.wordpress.com/2010/ ... r2-nps-for-radius-authentication-for-cisco-router-logins/


My server lady did that side of the house, and then I carried on with the Cisco side, as per directions from a friend:

<necessarily anonymized for security>
ip radius source-interface <an IP interface name here>
aaa new-model
aaa group server radius <name of the group the server lady made>
 server <IP of the RADIUS server> auth-port <port #> acct-port <port #>
radius-server key <PSK the server lady made during server build>
aaa authentication login default group <same name as in line 3, above> local

I do a "test aaa group <groupname> <username> <password> new-code" from the switch and it returns "rejected username". The account I am using is precisely the one that was configured on the RADIUS server.

Ideas?

srg
Post Whore
Posts:
1708
Joined:
Thu Dec 30, 2010 2:05 pm
Certs:
CCIE SP, CCNP SP, CCNP, CCDA, CCNA DC/W, HP MASE

Re: AAA Auth to RADIUS (securing Cisco login)

Mon May 21, 2012 2:10 pm

Look at the NPS logs, they are actually pretty good.
As if the mind had gone dark forever.

texanmutt
Post Whore
Posts:
1971
Joined:
Sat Oct 20, 2007 11:05 am
Certs:
CCNA

Re: AAA Auth to RADIUS (securing Cisco login)

Tue May 22, 2012 10:58 pm

Wow. Funny you're doing this because I actually just did this over the weekend. NPS logs are definitely helpful for this.

DieselJeeper
Ultimate Member
Posts:
509
Joined:
Wed Aug 03, 2011 12:24 pm
Certs:
MCSE, MCP+I, SEC+ (working on CCENT/CCNA)

Re: AAA Auth to RADIUS (securing Cisco login)

Wed May 23, 2012 8:30 am

Thanks Texan, I may have to pick your brain on this. Don't suppose you work in Beaumont, do you? It would be ironic to see one of our teams here. :)

EDIT: nope, that's 5.5 hours down the road.. don't imagine you'd commute that far ;)

texanmutt
Post Whore
Posts:
1971
Joined:
Sat Oct 20, 2007 11:05 am
Certs:
CCNA

Re: AAA Auth to RADIUS (securing Cisco login)

Fri May 25, 2012 7:35 am

If this is Server 2008 you can find the logs very easily by going to "Event Viewer -> Custom Views -> Server Roles -> Network Policy and Access Services" and it will filter all of the NPS logs which makes it easy to find authentication attempts. Post the sanitized results.
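
A way to pull the same NPS authentication decisions from PowerShell instead of Event Viewer, as an added example that is not part of the original thread. It assumes NPS auditing is enabled so that decisions land in the Security log as events 6272 (granted) and 6273 (denied); the field names read from each event are assumed from that event schema, and a field that is absent simply shows up blank.

```powershell
# Added example: list recent NPS accept/deny decisions on the NPS server.
# Run from an elevated PowerShell session (reading the Security log needs admin rights).
# Assumption: NPS auditing is on, so decisions are logged as 6272 / 6273.

$since = (Get-Date).AddHours(-1)   # look back one hour; adjust as needed

$filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's named <Data> elements into a lookup table.
        $xml = [xml]$_.ToXml()
        $f = @{}
        foreach ($d in $xml.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time       = $_.TimeCreated
            Result     = if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' }
            User       = $f['SubjectUserName']    # name the switch sent
            ClientName = $f['ClientName']         # RADIUS client entry that matched
            ClientIP   = $f['ClientIPAddress']    # source IP NPS saw the request from
            Policy     = $f['NetworkPolicyName']  # network policy that was evaluated
            ReasonCode = $f['ReasonCode']
            Reason     = $f['Reason']             # text explanation of a denial
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize -Wrap
```

The ClientIP column is worth comparing with the address of the interface named in `ip radius source-interface`, since that is the address the RADIUS client entry on NPS has to match.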

DieselJeeper
Ultimate Member
Posts:
509
Joined:
Wed Aug 03, 2011 12:24 pm
Certs:
MCSE, MCP+I, SEC+ (working on CCENT/CCNA)

Re: AAA Auth to RADIUS (securing Cisco login)

Fri May 25, 2012 8:50 am

We just cleared our DIACAP, so this is MUCH less pressing- but I will be getting back on it shortly.

burnyd
Post Whore
Posts:
3153
Joined:
Fri Nov 13, 2009 5:15 pm
Certs:
CCIE R&S/SP,CCNP-SP,JNCIA,VCP510,VCA-DCV

Re: AAA Auth to RADIUS (securing Cisco login)

Fri May 25, 2012 3:48 pm

I must say that is way better than the old IAS method in Server 2003.
http://danielhertzberg.wordpress.com - I blog about networks!
