PART 2:
Now that SRV is set up and running WinRadius we can configure DLS1 & DLS2 to use RADIUS on SRV for login authentication (telnet).
The configurations are straightforward, and if you’d like to know more I’d suggest searching Cisco’s site.
Some of the key information we needed to take note of in Part 1 was the following:
Radius IP: 10.1.50.1
Radius Password (a.k.a NAS Secret): WinRadius
Radius auth-port: 2812
Radius acct-port: 2813
Our User: User1
& Password: CCnP
Let’s get started! For each device (DLS1 & DLS2) I’m going to first create an enable secret password so when we telnet in we can actually do something.
DLS1:
DLS1(config)# enable secret cisco
DLS1(config)# aaa new-model
DLS1(config)# aaa authentication login default group radius
NOTE: for this lab you may want to end this with “none” so you don’t accidentally lock yourself out – don’t do this in production!
Now we need to point the way to the RADIUS server (SRV)…
DLS1(config)# radius-server host 10.1.50.1 ?
acct-port UDP port for RADIUS accounting server (default is 1646)
alias 1-8 aliases for this server (max. 8)
auth-port UDP port for RADIUS authentication server (default is 1645)
backoff Retry backoff pattern (Default is retransmits with constant delay)
key per-server encryption key (overrides default)
non-standard Parse attributes that violate the RADIUS standard
retransmit Specify the number of retries to active server (overrides default)
test Configure server automated testing.
timeout Time to wait for this RADIUS server to reply (overrides default)
<cr>
You can see here that the default auth-port number is 1645 and the default acct-port is 1646; we will need to change these to reflect the ports WinRadius is using (2812 and 2813)…
DLS1(config)#radius-server host 10.1.50.1 auth-port 2812 acct-port 2813 key WinRadius
The key “WinRadius” is the NAS Secret, the shared secret configured in WinRadius that the switch must present when it talks to the RADIUS server.
Now we need to configure the vty lines to allow login but authenticate via radius:
DLS1(config)#aaa authentication login TELNET_ACCESS group radius
DLS1(config)#line vty 0 4
DLS1(config-line)#login authentication TELNET_ACCESS
DLS1(config-line)#exit
DLS1(config)#
And that’s it for DLS1. We’ll do the same for DLS2 then try to connect via telnet from PCB…
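As an added example (not code from the original post or from WinRadius), the Python below builds the Access-Request a NAS like DLS1 sends for the lab’s User1/CCnP login and checks the Response Authenticator of the server’s reply, which is where the “key WinRadius” is actually used: it hides the PAP password on the wire and lets the switch verify that an Access-Accept came from a server holding the same secret. It assumes the switch sources RADIUS traffic from its VLAN 5 address 10.1.5.252; the function names are mine.

```python
# Added example, not from the original post: what the "key WinRadius" does on the
# wire when DLS1 sends User1/CCnP to SRV (RFC 2865 Access-Request and reply check).
import hashlib
import os
import struct

SECRET = b"WinRadius"   # NAS secret from Part 1 ("key WinRadius")
NAS_IP = "10.1.5.252"   # assumed source address: DLS1 VLAN 5 management IP from the post

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """PAP User-Password hiding: XOR 16-byte chunks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the secret recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value   # Type, Length, Value

def access_request(ident: int, user: str, password: str, secret: bytes, auth: bytes) -> bytes:
    """Code 1 Access-Request: User-Name(1), User-Password(2), NAS-IP-Address(4)."""
    attrs = (attr(1, user.encode()) + attr(2, hide_password(password.encode(), secret, auth))
             + attr(4, bytes(int(o) for o in NAS_IP.split("."))))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + auth + attrs

def build_response(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: 2 = Access-Accept, 3 = Access-Reject; authenticator keyed with the secret."""
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()

def response_valid(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: accept a reply only if MD5(Code+ID+Length+RequestAuth+Attrs+Secret) matches."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return response[4:20] == expected

if __name__ == "__main__":
    req_auth = os.urandom(16)                      # fresh Request Authenticator per request
    req = access_request(1, "User1", "CCnP", SECRET, req_auth)
    accept = build_response(2, 1, req_auth, SECRET)
    print(len(req), response_valid(accept, req_auth, SECRET), response_valid(accept, req_auth, b"wrong"))
```

A reply forged or relayed by anyone without the secret fails response_valid, which is why the same key must be set on both the switch and WinRadius.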
DLS2:
DLS2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
DLS2(config)#enable secret cisco
DLS2(config)#aaa new-model
DLS2(config)#aaa authentication login default group radius
DLS2(config)#radius-server host 10.1.50.1 auth-port 2812 acct-port 2813 key WinRadius
DLS2(config)#aaa authentication login TELNET_ACCESS group radius
DLS2(config)#line vty 0 4
DLS2(config-line)#login authentication TELNET_ACCESS
DLS2(config-line)#end
DLS2#
Now, on PCB, let’s test it out using a command prompt:
DLS1: VLAN 5 MGT 10.1.5.252
And it works!
DLS2: VLAN 5 MGT 10.1.5.253
You can see that I tried to log in as “user1” and the authentication failed. I made the correction and it works!
And on DLS2:
And to verify PCB’s IP address:
Now, looking at the WinRadius log you’ll see:
ID 1: PCB to DLS1 – authentication OK
ID 2 & 3: PCB to DLS2 – authentication failed; the reason was that I used lower-case “user1” instead of “User1”.
I then corrected that and tried again…
ID 4: PCB to DLS2 – authentication OK
It works, and that’s all I have to say about that…
-Prost!
Hello,
Came across your CCNP blog and I find this very useful. Wanna try setting up labs as well, but I'm lost trying to find WinRadius. I can't seem to find the correct installer for this. Would it be alright if I ask for a copy of it? I'm dying to test AAA labs on my test environment.
Hope to hear from you soon. Thank you!
Regards,
Jem
See post 1 of 2… the first pic of WinRadius has a url where it can be downloaded. If that site no longer has it, a google search will offer up downloads (I’d recommend using a v-machine, virus/malware checker, etc but that’s my paranoia). You might also try freeradius.org though I’ve never used it. Good luck and thanks for the post.
Found it! Thanks Chris, that was worth 2 days of searching for WinRadius. Thanks!
Wonderful, great job, very helpful, God Bless