AAA + RADIUS on Catalyst switches
The command "Switch(config)# radius-server ..." doesn't appear on my Catalyst 3500. The Catalyst IOS version is c3500xl-c3h2s-mz.120-5.WC5.
How do I set the IP address and port of the RADIUS server?
Regards
I think I have the same version. As you can see below, the command is there.
#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Wed 28-May-02 11:41 by devgoyal
Image text-base: 0x00003000, data-base: 0x0034A3C8
ROM: Bootstrap program is C3500XL boot loader
Switch uptime is 40 weeks, 15 hours, 35 minutes
System returned to ROM by reload
System restarted at 23:17:01 PUTS DST Mon Aug 19 2002
System image file is "flash:c3500xl-c3h2s-mz.120-5.WC5.bin"
cisco WS-C3524-XL (PowerPC403) processor (revision 0x01) with 8192K/1024K bytes of memory.
Processor board ID FAB0513V068, with hardware revision 0x00
Last reset from warm-reset
Processor is running Enterprise Edition Software
Cluster command switch capable
Cluster member switch capable
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:05:9B:93:13:80
Motherboard assembly number: 73-3904-11
Power supply part number: 0851-34-02
Motherboard serial number: FAB051240RK
Power supply serial number: PHI050204Z8
Model revision number: A0
Model number: WS-C3524-XL-EN
System serial number: FAB0513V068
Configuration register is 0xF
#conf t
Enter configuration commands, one per line. End with CNTL/Z.
(config)#rad
(config)#radius-server ?
  attribute           Customize selected radius attributes
  challenge-noecho    Data echoing to screen is disabled during Access-Challenge
  configure-nas       Attempt to upload static routes and IP pools at startup
  deadtime            Time to stop using a server that doesn't respond
  directed-request    Allow user to specify radius server to use with `@server'
  host                Specify a RADIUS server
  key                 Encryption key shared with the radius servers
  optional-passwords  The first RADIUS request can be made without requesting a password
  retransmit          Specify the number of retries to active server
  timeout             Time to wait for a RADIUS server to reply
  vsa                 Vendor specific attribute configuration
Hope this helps you
Leo
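As an added example (not part of Leo's reply, and not a Cisco document): a minimal working RADIUS login configuration for the 12.0(5)WC5 image shown above, built around the radius-server host command the original poster could not find. The server address 192.0.2.10, the shared key and the local fallback account are assumptions; the C3H2S image carries no SSH, so the vty lines are telnet only. If the image rejects the "group radius" form of the method list, the older form without the word "group" is the one that image expects.

```cisco
! Added example, not from the original post. Addresses, key and the
! fallback username are assumptions.
aaa new-model
!
! Define the server. The 3500XL defaults to the legacy ports 1645/1646;
! the IANA ports are 1812/1813. Whichever you use has to match the port
! the server actually listens on, or the request is silently dropped.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813
radius-server key ExampleSharedKey
radius-server timeout 5
radius-server retransmit 3
!
! Keep the shared key and passwords out of clear text in "show run".
! Type 7 is only obfuscation: protect the saved configuration itself.
service password-encryption
!
! Local fallback account, reached only when no RADIUS server answers.
username admin privilege 15 password FallbackOnly
!
! Method lists: RADIUS first, local database only on server timeout.
! A RADIUS Access-Reject is final; it does not fall through to "local".
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
!
line con 0
 login authentication default
line vty 0 4
 login authentication default
 transport input telnet
```

Because "local" is only consulted when the server times out, a reachable server that rejects a user locks that user out as intended; test the fallback by pointing radius-server host at an unreachable address before relying on it.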
Similar Questions
-
AAA/RADIUS debugging for a single MAC address only
I have a question: is there a way I can debug AAA, RADIUS and EAP communication on a switch for one particular MAC address (endpoint) only?
Thank you.
EAP authentication
In order to troubleshoot the interaction between the WLC and the authentication server (external RADIUS or the internal EAP server), use the command "debug aaa all enable", which shows the required details. This command must be used after the "debug client" command and can be combined with other debug commands as needed (for example, mobility).
(Cisco Controller) >debug client 00:00:00:00:00:00
(Cisco Controller) >debug aaa all enable
(Cisco Controller) >show debug
MAC address ................................ 00:00:00:00:00:00
Debug Flags Enabled:
  aaa detail enabled.
  aaa events enabled.
  aaa packet enabled.
  aaa packet enabled.
  aaa ldap enabled.
  aaa local-auth db enabled.
  aaa local-auth eap framework errors enabled.
  aaa local-auth eap framework events enabled.
  aaa local-auth eap framework packets enabled.
  aaa local-auth eap framework state machine enabled.
  aaa local-auth eap method errors enabled.
  aaa local-auth eap method events enabled.
  aaa local-auth eap method packets enabled.
  aaa local-auth eap method state machine enabled.
  aaa local-auth shim enabled.
  aaa tacacs enabled.
  dhcp packet enabled.
  dot11 mobile enabled.
  dot11 state enabled.
  dot1x events enabled.
  dot1x states enabled.
  mobility handoff enabled.
  pem events enabled.
  pem state enabled.
-
Cisco ACS 4.2 + RADIUS + HP ProCurve switches
Hello!
We have a mixed network environment with Cisco / HP hardware.
We are currently evaluating Cisco ACS 4.2 to manage network access to the network equipment.
The Cisco equipment works very well, but we have problems with RADIUS and the ProCurve switches (TACACS+ works very well).
I googled around and it seems that you need to create new vendor-specific attributes (VSA, Vendor) for the ProCurve switches, and set the IETF RADIUS attributes to the right values that must match the HP equipment.
The problem is that I can't find this information online.
Has anyone managed to solve this problem?
Would really appreciate help!
Thank you
BR
Generally, you need to import the VSA into ACS. You must get the HP .ini file. Once you have it, you need to create a VSA and upload it to ACS.
Because we need to add a vendor-specific attribute to ACS, we must first
create an 'accountActions.csv' file using the format specified in "RDBMS Synchronization
Import Definition". Once the file is ready, we must run an RDBMS
Synchronization on the ACS (SE) and then go to:
Reports and Activity > RDBMS Synchronization, and make sure that the synchronization
completed without error. Once this is done, you must restart the ACS SE; then
we can create a new AAA client and use the new RADIUS (xxxx) vendor, and the attributes we
added can be made visible under:
Interface Configuration > and select the newly added RADIUS VSA attributes.
RDBMS Synchronization:
http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacsapp/CSA
PP40/ugse40/sad.htm#wp756877
RDBMS Synchronization Import Definition:
http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacsapp/CSA
PP40/ugse40/AG.htm
Kind regards
~ JG
-
How to restrict Internet access using a RADIUS server via a Catalyst 3560 switch
Dear all,
I need help with a configuration. I have a small network of 15 users on a 3560, which is in turn connected to an ISR 2811 router. On interface FastEthernet 0/24 of the 3560 I intend to connect a Unix-based RADIUS server. The ISP is connected on the other side of the 2811, on the fa0/0 interface.
What I want is that if someone among the 15 users tries to access the Internet, they must be validated by the RADIUS server with their pre-configured user credentials (I'm going to store the 15 user credentials there). If anyone else tries to connect (other than those 15), he or she should be denied Internet access.
The RADIUS server will have a login page to type the username and password.
Please guide me on what commands I should put on the 3560, or what specifically I need to have in place for this task.
Thanks in advance!
Samrat.
I have only done this once, a very long time ago, but what you probably want to do is enable web authentication.
-
In a lab, when I set the following there is no issue logging in to the switch using telnet/ssh:
aaa new-model
aaa authentication login default group radius
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
I have configured the following Cisco AV-pair on the AAA server:
shell:priv-lvl=15
When I log in via telnet/ssh there is no problem at all. However, when I connect via the console I get no privilege level? It authenticates me to user exec but nothing more.
If anyone has seen this, I would appreciate greatly any help.
Thank you
Hi Chris,
Try the "aaa authorization console" command,
where you set the value of the shell or RADIUS IETF attribute av-pair.
Try selecting the exec option and then set the privilege level to 15.
Regards
Manish
-
Privilege level controlled by the AAA RADIUS server
I have RADIUS authentication on my switch, but I'm trying to allow two types of user logins using Windows Active Directory: NetworkUsers, who can view the configuration, and NetworkAdmins, who can do anything. I would like NetworkAdmins, when they log on, to go directly to privilege level 15, but I could not get that part to work. Here is my configuration:
Windows 2008 R2 domain controller with NPS installed.
RADIUS client: I have the IP address of the switch as well as the key. Under the Advanced tab I selected Cisco as the Vendor name.
Network policies:
NetworkAdmins, which has the networkadmin group in Conditions, and under Settings I have nothing under Standard, and for Vendor Specific I have:
Cisco   Cisco-AV-Pair   shell:priv-lvl=15
My switch config:
aaa new-model
!
!
aaa group server radius MTFAAA
 server name dc-01
 server name dc-02
!
aaa authentication login NetworkAdmins group MTFAAA local
aaa authorization exec NetworkAdmins group MTFAAA local
!
radius server dc-01
 address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
 key 7 *
!
radius server dc-02
 address ipv4 10.0.1.11 auth-port 1645 acct-port 1646
 key 7 *
!
No matter what I do, it does not default to privilege level 15 when I log in. Any thoughts?
Have you applied the authorization under the line vty? I think it is the "authorization exec" command. Something like that.
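One configuration that makes the RADIUS-returned privilege level take effect on every line, as an added example: it is neither poster's config and not a Cisco document. It covers both the console symptom in the thread above this one (exec authorization is skipped on the console unless "aaa authorization console" is set) and the NPS question here (named method lists do nothing until a line references them). The dc-01/dc-02 names and 10.0.1.x addresses follow the post; the shared key and the line ranges are assumptions.

```cisco
! Added example. Names and addresses follow the post; the key and the
! line ranges are assumptions.
aaa new-model
!
radius server dc-01
 address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
 key ExampleSharedKey
radius server dc-02
 address ipv4 10.0.1.11 auth-port 1645 acct-port 1646
 key ExampleSharedKey
! NPS listens on 1645/1646 as well as 1812/1813 by default, so either pair
! works as long as the switch and the NPS client entry agree.
!
aaa group server radius MTFAAA
 server name dc-01
 server name dc-02
!
! Named lists: RADIUS first, local database only if no server answers.
aaa authentication login NetworkAdmins group MTFAAA local
aaa authorization exec NetworkAdmins group MTFAAA local
!
! IOS does not run exec authorization on the console unless told to;
! without this line a console login lands at privilege 1 regardless of
! the priv-lvl the server returns.
aaa authorization console
!
! A list that is not applied to a line is never consulted.
line con 0
 login authentication NetworkAdmins
 authorization exec NetworkAdmins
line vty 0 15
 login authentication NetworkAdmins
 authorization exec NetworkAdmins
 transport input ssh
!
! On NPS, the network policy for the admins group returns the Vendor
! Specific attribute  Cisco-AV-Pair = shell:priv-lvl=15  and the policy
! for read-only users returns  Cisco-AV-Pair = shell:priv-lvl=1 .
! Verify with "show privilege" after logging in, and with
! "debug aaa authorization" to watch the attribute arrive.
```

Keep a console session open while applying the line commands: a typo in the list name on "line vty" locks out remote access, and "aaa authorization console" with an unreachable server means the console waits for the RADIUS timeouts before the local method is tried.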
-
AAA RADIUS authentication for only one user group
Hello
I use ACS 3.1 and am trying to use RADIUS authentication for all network switches in my company.
The problem I meet now is how to restrict login/exec access to the switches to only one user group. It seems that all user IDs in my ACS are able to telnet (user access) to the switches using their login credentials.
I would like to stop them from telnetting in using their IDs, except for the administrator group.
Any advice on how this is possible?
Thanks!
To do this, you need the admin users in their own separate ACS group, leaving the other users in their own group as well.
Edit the group that contains the users you don't want to give access to, and under the Network Access Restrictions (NAR) section, in "Per Group Defined Network Access Restrictions", check "Define IP-based access restrictions", choose "Denied Calling/Point of Access Locations" and enter the switches in the table below (put a * in the port and address fields).
This prevents standard users from authenticating to the switches. You can add all your switches to a Network Device Group (NDG) for this; then you only have to add that NDG in the NAR section rather than adding each switch individually.
-
Multiple ports to listen for SSH on Catalyst switches
Hello community,
On Cisco routers you can set up multiple SSH ports (instead of the default TCP 22) in combination with rotary groups, and then attach those rotary groups to specific VTY lines. It works very well.
But it seems that on Cisco switches you cannot set different SSH ports. The command "Router(config)#ip ssh port portnum rotary group" is not available. You can use rotary on the VTY lines, but it only works for Telnet connections.
Does anyone know if it is possible to use rotary groups on switches with SSH? What I'm trying to achieve is to use multiple AAA method lists and assign them to specific VTY lines. This way I am able to direct specific users, connecting from specific IP addresses, to a dedicated VTY line with a customised AAA method list.
Any help is very appreciated!
Kind regards
Dion Dohmen
Hello
I am currently running 12.2(58)SE2 on the 3560.
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(58)SE2, RELEASE SOFTWARE (fc1)
I downgraded my IOS to check whether it is supported on the 3560 on 12.2(55)SE1, and it is not.
XXX uptime is 1 minute
System returned to ROM by power-on
System restarted at 14:38:50 GMT Tue Jul 29 2014
System image file is "flash:/c3560-ipservicesk9-mz.122-55.SE1.bin"
XXX(config)#ip ssh ?
  authentication-retries  Specify number of authentication retries
  dscp                    IP DSCP value for SSH traffic
  logging                 Configure logging for SSH
  precedence              IP precedence value for SSH traffic
  source-interface        Specify interface for source address in SSH connections
  time-out                Specify SSH time-out
  version                 Specify protocol version supported
XXX(config)#ip ssh
I then upgraded to 12.2(55)SE9 and it is still not supported.
XXX uptime is 1 minute
System returned to ROM by power-on
System restarted at 14:47:49 GMT Tue Jul 29 2014
System image file is "flash:/c3560-ipservicesk9-mz.122-55.SE9.bin"
XXX(config)#ip ssh ?
  authentication-retries  Specify number of authentication retries
  dscp                    IP DSCP value for SSH traffic
  logging                 Configure logging for SSH
  precedence              IP precedence value for SSH traffic
  source-interface        Specify interface for source address in SSH connections
  time-out                Specify SSH time-out
  version                 Specify protocol version supported
XXX(config)#ip ssh
I would recommend that you upgrade, but unfortunately I don't see any point.
Thank you
Nehmaan
-
Hello!
I'm troubleshooting a new 3750-X stack installation - everything is wonderful except for two issues, one being RADIUS. I have mirrored the config from another identical working stack, but I'm having no luck with this one. "debug radius auth" showed this - any ideas?
I tried a few things, including specifying my management VLAN interface as the source for RADIUS, but it had no effect.
I am running 15.0(2)SE IPBASEK9-M
10:22:43: RADIUS: AAA Attr not supported: interface [221] 4
10:22:43: RADIUS: 74 74 [tt]
Thanks for your help
Hi John,
Take a look at this:
aaa group server radius Group1
 server 10.10.220.130 auth-port 182 acct-port 1813
RADIUS authentication listens on port 1812. Try reconfiguring as below:
aaa group server radius Group1
 server 10.10.220.130 auth-port 1812 acct-port 1813
Regards
Najaf
Please rate if this was helpful!
-
Lifecycle for Catalyst switches
Hello
I have a client who wants to know the life expectancy of the following switch product series:
- C3750
- C3750-E
- C4500-E
- C6500-E
Basically, they want to know if there are plans for the above to be phased out in the near future. If yes, what is the time frame for each? If no, how many more years can they expect the product to remain viable? Similarly, are there any plans to expand the product range for the C3750 and C3750-E series, given the "limited" models available today?
I couldn't find any other forum / community to post this question in. I hope you can forward this to the appropriate BU to address the inquiry.
Thanks in advance for your help.
Keith
Keith,
Thank you for your question. This community is for Cisco Small Business products, and your question refers to a Cisco Elite/Classic product. Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main - that forum is attended by the subject matter experts on Cisco Elite/Classic products, who may be able to answer your question.
Community support space SB Support ---> NetPro Forum
- Voice and conferencing ---> UC and Video Forum http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Unified_Communications_and_Video_discussion
- Security and monitoring ---> Security Forum http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Security_discussion
- Wireless ---> Wireless - Mobility http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Wireless_-_Mobility_discussion
- Storage ---> Data Center Forum http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Data_Center_discussion
- Routers ---> Network Infrastructure Forum http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Network_Infrastructure_discussion
- Switches ---> Network Infrastructure Forum http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Network_Infrastructure_discussion
-
Setup
Cisco Catalyst 2960-S running 15.0.2-SE8
FreeRADIUS RADIUS server on CentOS 6.4
Client (supplicant) running Windows 7
When the Windows client is connected to the port (port 12 in my setup) with 802.1X authentication active on the switch, Wireshark shows that the Catalyst sends an EAP Request and the client responds with an EAP Response. But it does not send the request to the RADIUS server. The RADIUS test utility "test aaa group radius testuser password new-code" works.
Here is my config running. Any advice would be greatly appreciated.
mySwitch#show running-config
Building configuration...
Current configuration : 2094 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname myswitch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Z1z6$kqvVYRQdVRZ0h8aDTV5DR0
enable password
!
!
!
aaa new-model
!
!
!
aaa authentication dot1x group radius
aaa accounting dot1x default start-stop group radius
!
!
!
aaa session-id common
switch 1 provision ws-c2960s-24ts-l
!
!
!
!
!
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 ip address 10.1.2.12 255.255.255.0
!
ip http server
ip http secure-server
ip sla enable reaction-alerts
logging trap debugging
logging host 10.1.2.1 transport tcp port 514
radius-server host 10.1.2.1 auth-port 1812 acct-port 1646 timeout 3 retransmit 3 key testing123
!
line con 0
line vty 0 4
 password password
line vty 5 15
 password password
!
end
Have you run Wireshark on the server side while the switch sends the request? If so, did you make sure there is a response from the server? For Windows Network Policy Server (I've never tried CentOS), you must ensure that the request matches a policy, which then authenticates or denies access. Usually it is a matter of attributes such as the vendor.
Regarding the configuration, the AAA part looks a bit off. Try removing the
line "aaa authentication dot1x group radius" and using this instead:
"aaa authentication dot1x default group radius". After the dot1x keyword you are supposed to provide the name of a list, or the word default if you do not want to use a named list.
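The corrected 802.1X side of that configuration, as an added example rather than the poster's running-config or the replier's words. It keeps the poster's server 10.1.2.1, key testing123 and port Gi1/0/12; the accounting port is changed to 1813 on the assumption that FreeRADIUS is running with its default ports, and the verification commands and the clients.conf remark at the end are additions.

```cisco
! Added example: the dot1x-relevant part of the 2960-S config, corrected.
aaa new-model
!
! 802.1X on Catalyst IOS consults only the DEFAULT dot1x list. Whatever
! IOS made of the original line without "default", it did not produce a
! usable default list, so EAP ran on the port but no Access-Request was
! ever sent. "test aaa" succeeded because it bypasses the dot1x list.
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
dot1x system-auth-control
!
! acct-port 1646 in the original would not match a FreeRADIUS server
! listening on 1812/1813 (assumed here). Authentication would still work
! but every accounting record would time out.
radius-server host 10.1.2.1 auth-port 1812 acct-port 1813 timeout 3 retransmit 3 key testing123
!
interface GigabitEthernet1/0/12
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
! Verification (exec mode):
!   test aaa group radius testuser <password> new-code
!   show authentication sessions interface GigabitEthernet1/0/12
!   show dot1x interface GigabitEthernet1/0/12 details
!   debug radius authentication
! On the FreeRADIUS side, the switch's address (10.1.2.12 on Vlan1) must be
! listed in clients.conf with the same secret; requests from an address that
! is not a known client are dropped without any reply, which looks exactly
! like "no request ever sent" from the switch's point of view.
```

If "debug radius authentication" shows Access-Requests leaving but nothing coming back, the problem is on the server side (unknown client, wrong secret, or no matching policy); if nothing leaves, it is still the method list.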
-
No remote access after enabling RADIUS AAA
Hello
I can't access our Catalyst 4006 after enabling AAA for RADIUS. I installed IAS on our domain controller, configured the Catalyst as a RADIUS client, and configured a remote access policy that points to an AD group to allow access to the switch. When I try to connect to the Catalyst with my AD credentials, it seems to hang after I type my password, asks for the password again, and then says access denied. This happens both on the console and through a telnet session. I have included my AAA configuration below.
What am I missing?
Tim
(Cisco IOS Software v12.2(25)EWA14)
aaa new-model
!
radius-server host 10.100.x.x auth-port 1812 acct-port 1813 key xxxxxxxxxx
radius-server source-ports 1645-1646
!
aaa group server radius Radius-Servers
 server 10.100.x.x auth-port 1812 acct-port 1813
!
aaa authentication login default group Radius-Servers local line
aaa authentication enable default group Radius-Servers enable
aaa authentication dot1x default group Radius-Servers
aaa authorization exec default group Radius-Servers if-authenticated
aaa authorization network default group Radius-Servers
aaa accounting dot1x default start-stop group Radius-Servers
aaa accounting exec default start-stop group Radius-Servers
!
line vty 0 4
 login authentication default
Tim
I think the immediate problem is that the source address your switch uses is not the address the RADIUS server expects. The RADIUS server is 10.100.182.250 and it is in the subnet of interface vlan 182, so the address of interface vlan 182 will be the source address of the RADIUS requests. The fix is to use the "ip radius source-interface" command and specify the address you want the switch to use. Of course, in the short term it would be easier to change the RADIUS server to expect 10.100.182.2 as the client address.
HTH
Rick
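As an added example of Rick's fix, not taken from Tim's config: pin the RADIUS source address to the interface that IAS has registered as the client. The server 10.100.182.250, interface vlan 182 and the address 10.100.182.2 are the ones Rick quotes; the management SVI Vlan1 and its address 10.100.1.2 are assumptions.

```cisco
! Added example. 10.100.182.250, Vlan182 and 10.100.182.2 come from the
! thread; Vlan1 and its address are assumptions.
!
! Symptom: IAS silently drops an Access-Request whose source address is not
! a configured RADIUS client, so the switch waits timeout x retransmit for
! each server, re-prompts, and finally denies. "radius-server source-ports"
! only sets the UDP source PORT range and has no effect on the source IP.
!
! Before: requests toward 10.100.182.250 egress Vlan182 and carry its address.
interface Vlan182
 ip address 10.100.182.2 255.255.255.0
!
! After: force the address IAS knows as the client (the management SVI).
interface Vlan1
 ip address 10.100.1.2 255.255.255.0
ip radius source-interface Vlan1
!
aaa group server radius Radius-Servers
 server 10.100.182.250 auth-port 1812 acct-port 1813
!
! Check which address the switch really uses before touching the server:
!   debug radius
! and read the "Send Access-Request to 10.100.182.250:1812" line, or capture
! on the IAS host and compare the source IP with its RADIUS client list.
! The interface named here must stay up: if Vlan1 goes down, every request
! fails the same way again.
```

The same rule applies to accounting and to TACACS+ ("ip tacacs source-interface"): the server authenticates the client by source address and shared secret together, so the address the switch picks by routing is not always the one the server was told about.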
-
No AAA authentication for switch
I'm puzzled by my problem. I have one switch out of 9 that cannot authenticate with our TACACS+ server. The configurations are the same as on every other switch, but when I try to open a session using the TACACS+ account, access is denied. This is the AAA/TACACS+ configuration on the switch.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
radius-server host X.X.33.XX
radius-server key 7 ?
I deleted the AAA configuration and then reconfigured it, as well as the RADIUS server information, and still no TACACS+ authentication. I set the interface TACACS+ should use, but same result. Any ideas?
Thank you
Robert
Robert,
Please make sure of the following:
- The RADIUS server is reachable from the switch and port 49 is not blocked.
- If it is a layer 3 switch, make sure to configure "ip tacacs source-interface XXXX" (the interface IP set on the RADIUS server).
- Check the secret key.
If the problem is still there, please get:
debug aaa authentication
debug tacacs
Kind regards
~ JG
-
RADIUS authorization does not work for Nortel switches via ACS 5.3
Hello
RADIUS authorization does not work on the Nortel switches. I configured the relevant access policies for the RADIUS attributes (screenshot attached).
The command that does not get executed due to the authorization failure:
config cli password rwa
I do not see a RADIUS authorization reports option; just checking whether someone has figured out how to set up these reports?
I made a packet capture of the AAA packets from the Nortel switch and found that the accounting request contains the CLI command sent for authorization. (pcap file attached)
Kind regards
Akhtar
Akhtar,
This isn't how RADIUS authorization works. The Access-Accept and the av-pairs sent in the response are the authorization for the user's session. It isn't like TACACS+, where each command is authorized with a separate authorization request carrying the command the client is running.
By the time it gets to RADIUS accounting it is too late in the process.
Thank you
Tarik admani
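TACACS+ beside RADIUS, as an added example that is not from either thread's configuration: the checks JG lists for the "one switch out of nine" problem a few posts up, plus per-command authorization, which is the TACACS+ feature Tarik says RADIUS has no equivalent for. Server address 192.0.2.49, the key and the source interface Vlan1 are assumptions.

```cisco
! Added example. Server address, key and source interface are assumptions.
aaa new-model
!
tacacs server ACS1
 address ipv4 192.0.2.49
 key ExampleTacacsKey
! (pre-15.x images use "tacacs-server host 192.0.2.49" and "tacacs-server key ...")
!
! On a layer-3 switch, source the TCP/49 session from the address the
! server has registered as the client; otherwise the server ignores it.
ip tacacs source-interface Vlan1
!
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
!
! Per-command authorization: each command is sent to the server before it
! runs, config-mode commands included. RADIUS has no per-command exchange,
! which is why the Nortel "config cli password rwa" only ever appeared in an
! accounting request and never in an authorization request.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
aaa accounting commands 15 default start-stop group tacacs+
!
! Checks, in the order JG gives them (exec mode):
!   telnet 192.0.2.49 49              <- is TCP/49 reachable and not filtered
!   test aaa group tacacs+ someuser somepass legacy
!   debug aaa authentication
!   debug tacacs
! A shared-key mismatch does not produce a clean reject: the switch cannot
! decode the reply, so "debug tacacs" is the place to tell it apart from a
! plain "access denied" returned by the server's policy.
```

"aaa authorization commands" with "local" as the fallback means that when no server answers, the command is permitted or denied by the local privilege level alone, so keep "enable secret" and the local user's privilege level as conservative as the server policy.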
-
RADIUS authentication for switch login using ISE
Hi guys,
Has anyone done RADIUS authentication for switch CLI login using ISE?
We did it in our environment with ISE, but it is a challenge to give read-only / priv-1 access.
If some users know the enable password, they can use it and gain full privilege.
Is there any way around this other than changing the enable password?
We have thousands of switches and won't change it on each of them.
If you have another method, please advise.
Thank you in advance.
Well, you can set the "enable" function to also be controlled via the AAA server with the following command:
aaa authentication enable ... This way the AAA server will be checked for the enable secret authentication, using the local database as a last resort.
I hope this helps!
Thank you for rating useful posts!
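An added example of the approach in that reply, not the replier's own config and not an ISE document: enable is authenticated by the RADIUS server, with the local enable secret accepted only when no server answers, so a read-only user who knows the shared local secret cannot escalate while ISE is reachable. The method lists assume the ISE nodes are already defined as RADIUS servers on the switch; the local enable secret value is a placeholder.

```cisco
! Added example. "group radius" assumes the ISE nodes are already configured
! as RADIUS servers (radius server / aaa group server) on this switch.
aaa new-model
!
! Exec authorization sets the starting privilege from the ISE result:
!   admins:    cisco-av-pair = shell:priv-lvl=15   (no enable needed)
!   read-only: cisco-av-pair = shell:priv-lvl=1
aaa authorization exec default group radius if-authenticated
!
! "enable" is checked against ISE first. The trailing "enable" keyword means
! the local enable secret is consulted only when no RADIUS server responds,
! not when ISE answers with a reject.
aaa authentication enable default group radius enable
!
! Keep a local enable secret for the no-server case; while ISE is up it is
! never consulted, so a read-only user who knows it gains nothing.
enable secret ExampleLocalEnableSecret
!
! Caveat a practitioner should know before rolling this out: for a RADIUS
! enable request IOS sends the fixed username $enab15$ (level 15), not the
! logged-in user's name. ISE therefore needs an identity/policy that answers
! for $enab15$, and it cannot tell WHO is escalating: the enable password
! becomes a single secret managed centrally on ISE (rotated in one place
! instead of on thousands of switches), not a per-user decision. Per-user
! enable authorization requires TACACS+.
```

Verify from a read-only session with "show privilege" before and after typing "enable"; with ISE rejecting $enab15$ for that password the session stays at level 1, and "debug aaa authentication" shows the $enab15$ request going out.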