Cisco IOS Radius Authentication

From OISecWiki

This guide describes how to migrate from an authentication model that uses only a local password to full RADIUS authentication, and how to enable SSH at the same time:

Enabling SSH + user authentication

! Local account used by the "local" authentication method below
! (IOS also accepts "username ADMIN secret PASSWORD", which stores a hash
! rather than a reversible type 7 password)
username ADMIN password PASSWORD
! A domain name must be set before the RSA key pair can be generated
ip domain-name DOMAIN_NAME
crypto key generate rsa modulus 2048
ip ssh version 2
ip name-server IP_NAMESERVER

aaa new-model
aaa authentication login default local
aaa session-id common

line vty 0 4
 login authentication default
 transport input telnet ssh
 transport output telnet ssh
line vty 5 15
 transport output ssh

Enabling RADIUS authentication differs slightly depending on the IOS version and on whether you are running VRFs. Only the current IOS syntax is documented here:

! Source RADIUS traffic from Loopback0; this is the NAS address the
! RADIUS server must have configured for this client
ip radius source-interface Loopback0
radius server auth-radius
 address ipv4 RADIUS_IP auth-port 1812 acct-port 1813
 key RADIUS_KEY

! Try RADIUS first; the local database is consulted only if no RADIUS
! server responds, not when RADIUS rejects the user
aaa authentication login use-radius group radius local
aaa accounting exec use-radius start-stop group radius

line vty 0 4
 login authentication use-radius

The above still requires an enable password. If you pass a Cisco-AV-Pair from RADIUS to set the privilege level for users, you also need to add the following aaa statement:

! "if-authenticated" grants exec access to an already-authenticated user
! when the RADIUS authorization step cannot be completed
aaa authorization exec default group radius if-authenticated

The Cisco-AV-Pair syntax in RADIUS:

shell:priv-lvl=15
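To show how that attribute actually travels on the wire, here is an added Python example (not from the wiki) that encodes a Cisco-AVPair such as shell:priv-lvl=15 as a RADIUS Vendor-Specific attribute (type 26, Cisco enterprise ID 9, vendor type 1) and parses it back out of an attribute list. The function names and the constructed sample attributes are mine.

```python
import struct

VENDOR_SPECIFIC = 26      # RADIUS attribute type "Vendor-Specific" (RFC 2865 5.26)
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1     # Vendor type of Cisco-AVPair inside the VSA


def encode_cisco_avpair(value: str) -> bytes:
    """Build one Vendor-Specific attribute carrying a single Cisco-AVPair string."""
    data = value.encode("ascii")
    if len(data) > 247:   # 255 max attribute length minus the 8 header bytes
        raise ValueError("Cisco-AVPair value too long for one attribute")
    vendor_len = 2 + len(data)                      # vendor type + vendor length + string
    vsa_body = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR_TYPE, vendor_len) + data
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(vsa_body)) + vsa_body


def decode_cisco_avpairs(attrs: bytes) -> list:
    """Walk a RADIUS attribute list and return every Cisco-AVPair string found."""
    pairs = []
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == CISCO_VENDOR_ID:
                j = i + 6                           # first vendor sub-attribute
                while j + 2 <= i + alen:
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen < 2 or j + vlen > i + alen:
                        raise ValueError("malformed vendor sub-attribute")
                    if vtype == CISCO_AVPAIR_TYPE:
                        pairs.append(attrs[j + 2:j + vlen].decode("ascii"))
                    j += vlen
        i += alen
    return pairs


def priv_level(pairs: list):
    """Return the privilege level requested by shell:priv-lvl=N, or None if absent."""
    for pair in pairs:
        if pair.startswith("shell:priv-lvl="):
            return int(pair.split("=", 1)[1])
    return None
```

Checking the decoded level against the level your policy expects for that user is a cheap way to validate a new RADIUS profile before rolling it out to the vty lines.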