NEW Cisco IOS method for configuring Radius Server


Setting up Radius using the old IOS cli

If you enter the following to set up a RADIUS server,

radius-server host 192.168.1.1

you will get the following warning message informing you that there is a new way of configuring RADIUS authentication.

This cli will be deprecated soon. Use new server cli

The new way to set up Radius on IOS cli

The new way to set up RADIUS authentication is to use the “aaa group server radius” command.

aaa group server radius RADIUSSERVERS
  server name SERVER1
  server name SERVER2

You can now define more than one server in a group, so that if one is unreachable the device automatically tries the next one that’s defined. You will need to define each server using the “radius server” command.

radius server SERVER1
  address ipv4 192.168.1.1 auth-port 1812 acct-port 1813
  timeout 10
  retransmit 3
  key 7 81349081902384091
!
radius server SERVER2
  address ipv4 192.168.1.2 auth-port 1812 acct-port 1813
  timeout 10
  retransmit 3
  key 7 81349081902384091

Each server can be set up with its own attributes.

Once you have set up the RADIUS servers and server groups, you can apply the server group in the authentication command.

aaa new-model
aaa authentication login default group RADIUSSERVERS local

The above command sets the ‘default’ login method list to use RADIUSSERVERS first and fall back to the local user database if the RADIUS servers cannot be reached.

How do you bypass Radius authentication for console login?

One common setup is to use RADIUS for remote authentication, while the local console uses an alternate type of authentication or local authentication.

If you have set login to use ‘default’ for RADIUS, you must make sure your console does not use default. First define a new method of authentication. I’m calling it NO_RADIUS.

aaa authentication login NO_RADIUS local

Then, under line con 0, point your authentication to use NO_RADIUS.

line con 0 
  login authentication NO_RADIUS

About the Author

Alfred Tong
Author and owner of this blog. A Networking enthusiast, full time networking and systems Engineer. Generally curious about all things IT. Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA - FWV