Thursday, September 3, 2009

Enabling RADIUS authentication with Cisco IOS switches (3750/3560/3550/3500XL) using IAS on Microsoft 2003 server.

This documentation assumes that Internet Authentication Service (IAS) on Microsoft Server 2003 is working properly. It's best practice to do this in a test environment and not in your live network. The configuration below is the actual configuration we use in our network switches.


In Windows Server, under Administrative Tools, click on Internet Authentication Service.

Right-click on RADIUS Clients and click on “New RADIUS Client”. Enter a friendly name and the client address, then click Next.

Type the shared secret password. You will need this later when you configure the Cisco switch. I used cisco as the shared secret for this example. Click Finish and you should have this client added to your RADIUS clients.


Log in to 1.1.1.1, which is the IP address you added in IAS.

From the Cisco switch configuration terminal, enter the commands below:

aaa new-model

aaa authentication login RADIUS group radius line

radius-server host 192.168.1.200 auth-port 1645 acct-port 1646 key cisco

(Note: host is the IP address of your RADIUS server and key is the shared secret we entered on the RADIUS server when we created the client.) If you have multiple RADIUS servers you can add another one as a backup. Make sure that all the RADIUS servers are configured to accept requests from all the RADIUS clients.

line vty 0 4

login authentication RADIUS

line vty 5 15

password cisco

(Note: if for some reason the switch cannot get to the RADIUS server, you will be asked for the telnet password.)

Log out and telnet to the switch. You should get prompted for a username and password.
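As an added example (not part of the original post), this Python check reads a switch configuration and reports which vty lines are actually bound to the RADIUS method list, whether the `line` fallback has a password to fall back on, and whether the shared secret or line password is guessable. The function name `audit`, the `WEAK_SECRETS` list and the indented sample layout are assumptions made for the example.

```python
import re

# Constructed sample: the commands from this post, laid out like a running config.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login RADIUS group radius line
radius-server host 192.168.1.200 auth-port 1645 acct-port 1646 key cisco
line vty 0 4
 login authentication RADIUS
line vty 5 15
 password cisco
"""

# Assumption: a small site-specific deny-list of guessable secrets.
WEAK_SECRETS = {"cisco", "password", "radius", "secret"}

def audit(config):
    """Return findings about the RADIUS login setup in an IOS config text."""
    findings, lists, vty, current = [], {}, {}, None
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is missing")
    for l in lines:
        if m := re.match(r"aaa authentication login (\S+) (.+)", l):
            lists[m.group(1)] = m.group(2).split()   # list name -> methods
        if m := re.match(r"radius-server host (\S+).* key (\S+)$", l):
            if m.group(2).lower() in WEAK_SECRETS:
                findings.append(f"radius-server {m.group(1)}: guessable shared secret")
        # Collect the indented sub-commands of each vty block.
        if m := re.match(r"line vty (\d+) (\d+)", l):
            current = vty.setdefault(f"{m.group(1)}-{m.group(2)}", [])
        elif l.startswith(" ") and current is not None:
            current.append(l.strip())
        else:
            current = None
    for rng, cmds in vty.items():
        bound = [c.split()[-1] for c in cmds if c.startswith("login authentication ")]
        pws = [c.split()[-1] for c in cmds if c.startswith("password ")]
        if not bound:
            findings.append(f"vty {rng}: no login authentication list applied")
        elif bound[0] not in lists:
            findings.append(f"vty {rng}: method list {bound[0]} is not defined")
        elif "line" in lists[bound[0]] and not pws:
            findings.append(f"vty {rng}: 'line' fallback but no line password set")
        if any(p.lower() in WEAK_SECRETS for p in pws):
            findings.append(f"vty {rng}: guessable line password")
    return findings

print("\n".join(audit(SAMPLE_CONFIG)))
```

Run it against a saved copy of the running configuration after each change; an empty result means every vty range uses the RADIUS list and no secret on the deny-list is in use.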


Next time I will show you how to add privilege commands to allow power users certain commands without the use of Cisco ACS.
