Description: This article is about AAA login. It shows you how to configure a router for AAA using a RADIUS server, specifically WinRadius. RADIUS is now used in a wide range of authentication scenarios; the RADIUS server checks that the submitted credentials are correct using its configured authentication schemes.
We’re going to look at configuring triple-A (AAA) authentication on a Cisco router that authenticates against a RADIUS server. Previously we used the local database for AAA; now we’re going to use a server, which is a little bit different.
To do this we’ve created a small network. This is a very basic view of how the network looks; in real life you would be telnetting or SSHing in from your home into the device, with some distance in between, although you could certainly use it within your internal LAN. That’s the simplistic view of it.
My user’s IP address is 192.168.1.100 and the RADIUS server’s IP address is 192.168.1.11. My user is going to try to telnet into R1, which we’ve got to configure. When the user goes to R1, the traffic goes all the way through the switch.
R1 says, wait a minute, I’m configured to use RADIUS. Before I can let you in, I’m going to give you the username prompt; you enter your username, and then I’m going to check with the RADIUS server. Between R1 and the RADIUS server we’re going to use RADIUS as the protocol in this instance.
That’s why we refer to it as a RADIUS server. I send the username to the RADIUS server, the server responds, and then I can prompt the user for a password. The user sends the password back to R1; that prompting doesn’t happen between R1 and the RADIUS server.
In this instance R1 sends the password to the RADIUS server, which has this username and password combination; the server authenticates them and we allow access. My user then has access to do whatever I’m allowing him to do on R1. That’s what we’re going to configure.
We’re going to configure R1 to authenticate against a RADIUS server, and we’ll demonstrate configuring the RADIUS server as well. We’re in our router R1, and we’re going to configure it to use the RADIUS server with AAA.
When we talked about method lists earlier in the theory portion, we said that we could have up to four methods. We’re going to configure two methods: the first is the RADIUS server group and the second is the local database, the local username and password.
That way, if for some reason the router can’t contact the RADIUS server or the RADIUS server itself is totally down, it’ll still allow me to use the local username and password that’s configured. Let’s do that. First enter global config mode; our username will be testuser and our password will be testpass.
Let’s enable AAA with the aaa new-model command. Then let’s configure our authentication method list with aaa authentication login; we can give it its own name or use the default list, and we’re going to give it a name. We’re going to use this AAA authentication method list to authenticate users trying to telnet into the router.
They’re remotely accessing the router, so we’re going to apply this list to the vty lines, and since we’re going to do that, we’re going to name the list vtylines. The first method is group radius, then we use local. The full command is aaa authentication login vtylines group radius local.
We have to remember what we talked about earlier in the theory: RADIUS had legacy port numbers that were used for authentication, authorization and accounting. We want to make sure we’re using the newer port numbers, because our RADIUS server is going to be using the newer port numbers.
Along with letting the router know where our RADIUS server is and how it can be contacted by its IP address, we’re also going to include our authentication port and our accounting port, and then we’re going to give it a key, or password. That key is used between the router and the RADIUS server to make their communication a little more secure.
If their keys don’t match, the router and the RADIUS server won’t communicate with each other. The command is radius-server host; from our picture the IP address of the RADIUS server was 192.168.1.11, the auth-port is 1812 and the acct-port is 1813.
Our key is going to be testradius; the key is the password used between the RADIUS server and the router, the client in this case. The full command is radius-server host 192.168.1.11 auth-port 1812 acct-port 1813 key testradius. I press Enter. We said we wanted to use this on the vty lines, so we’ve got to apply it to the vty lines.
We’ll put in line vty 0 4, then login authentication vtylines, and press Enter. Let’s exit back out. Now we’ve got to configure our RADIUS server. I have a machine running Windows XP on which I’ve installed WinRadius; we’re going to double-click the WinRadius folder.
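As an added example that is not part of the original article, here is the exchange the router and the RADIUS server perform over the auth-port, written in Python from RFC 2865: the router hides the password under the shared key, the server (a stand-in for WinRadius with an assumed one-user database) checks it, and the router validates the Response Authenticator with its own key, so a mismatched key produces no usable reply and the router moves on to the local method. The user, password and key values are the ones from this walkthrough; the function names are my own.

```python
import hashlib, os
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2                         # RADIUS attribute types
USERS = {"testuser": "testpass"}  # assumed server-side user database (the WinRadius "add user" step)

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: XOR each 16-byte block of the null-padded password with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):  # inverse of hide_password; keystream chained on hidden blocks
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind, value): return bytes([kind, len(value) + 2]) + value  # one Type/Length/Value attribute

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def server_handle(packet, secret):
    """Server side: recover the password with its own key, look the user up, sign the reply (RFC 2865 s3)."""
    ident, req_auth, attrs = packet[1], packet[4:20], parse_attrs(packet[20:])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    code = ACCESS_ACCEPT if pw and USERS.get(user, "").encode() == pw else ACCESS_REJECT
    header = bytes([code, ident]) + (20).to_bytes(2, "big")  # no reply attributes
    return header + hashlib.md5(header + req_auth + secret).digest()  # Response Authenticator

def client_login(user, password, client_key, server_key):
    """Router side: send an Access-Request, then check the Response Authenticator with the router's key."""
    ident, req_auth = 7, os.urandom(16)  # Identifier and random Request Authenticator
    attrs = attr(USER_NAME, user.encode()) + attr(USER_PASSWORD, hide_password(password.encode(), client_key, req_auth))
    packet = bytes([ACCESS_REQUEST, ident]) + (20 + len(attrs)).to_bytes(2, "big") + req_auth + attrs
    reply = server_handle(packet, server_key)  # stands in for the UDP round trip to auth-port 1812
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + client_key).digest()
    if reply[1] != ident or reply[4:20] != expected:
        return "no valid reply"  # a key mismatch looks like silence; IOS then tries the next method (local)
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"
```

Calling client_login("testuser", "testpass", b"testradius", b"testradius") gives "accept", while passing a different server_key gives "no valid reply" even though the credentials are right.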
Then we’re going to start WinRadius by double-clicking its icon. We’re going to clear the logs and go through the steps from the beginning. The first thing I want to do is go to Settings, then Database; this is the name of the database. I’m going to have it configured automatically, then click OK.
It tells me that I have to restart, but first let’s add users. We go to Operation, Add User, and add our test user with the password testpass. We’re not worried about the rest of the settings, so we click OK. Now we’ve added our user; we’re going to close it and restart, because it wants us to restart since we made a major change.
We close it and restart it, and it tells us that everything is OK. My user hasn’t loaded, though, so I want to double-check that. Let’s add our user again; this time the user is added successfully. When I showed you the picture at the beginning, we had a router connected to a switch, and a host computer that we named user.
We had another computer that was the RADIUS server; here is the RADIUS server. Now we go over to our host computer, bring it up and open a command prompt. Let’s telnet to our router at 192.168.1.1. It asks me for the username, which should be testuser, and the password, which should be testpass.
I’m in. We configured it so that if for some reason the RADIUS server was down it would use the local database, so let’s double-check and make sure that it actually used the RADIUS server. I’ve opened up the RADIUS server window so that we can see this information.
You can see “test user authenticate OK”. Once you see that, you know the RADIUS server was used to authenticate: my users coming from outside router 1, or R1, or at least this particular user, are authenticating using the RADIUS server.
I could add many more users here, I could do some accounting, I could look at some of the logs; there are all kinds of things we could do with this. This instance is to show you how to configure AAA authentication using a WinRadius server.
We have successfully done it. We can minimize our RADIUS server in case we want to use it later; it’s minimized down there. Some of you will run into a situation where you think you closed it but you actually minimized it.
If nothing seems to be coming up in your RADIUS server window, double-check that you don’t have a bunch of these little WinRadius icons left open from testing and playing with things. If you have a bunch of them, the router could be communicating with the RADIUS server in one of the other windows.