Basic AAA with RADIUS on IOS 15.2

This is a basic configuration for RADIUS server authentication, with authorization and accounting, on Cisco IOS 15.2.

It assumes the user and the device have been defined on the RADIUS/ISE server.

Anything inside <> is user-defined text (e.g. WORD or port number).

  • Enable AAA
    • (config)# aaa new-model
  • Create login options
    • Enable
      • (config)# enable password <password>
    • RADIUS
      • (config)# radius server <server name>
      • (config-radius-server)# address ipv4 <radius-server-address> auth-port <port-number> acct-port <port-number>
      • (config-radius-server)# key <radius key defined on RADIUS server>
    • Define RADIUS login server group
      • (config)# aaa group server radius <group name>
      • (config-sg-radius)# server name <defined RADIUS server>
    • Define login options and order
      • Enable, RADIUS
        • (config)# aaa authentication login default enable group radius
      • For accounting and authentication, allow vendor-specific attributes to be sent, along with IP device identification
        • (config)# radius-server vsa send authentication
        • (config)# radius-server vsa send accounting
        • (config)# ip device tracking
      • Assess authentication
        • Enable debug and review output
          • # debug radius
          • # test aaa group <radius server group name> <user defined on radius server> <user's matching password> new-code

 

 

From the debug output, verify the request, the authenticator, and the RADIUS server response:


Authentication status

User successfully authenticated

USER ATTRIBUTES

username             0   "xxx"

Sent Request sample:

*Jul  4 14:11:00.180: RADIUS/ENCODE: Best Local IP-Address 192.168.59.135 for Radius-Server 192.168.59.5

*Jul  4 14:11:00.180: RADIUS(00000000): Send Access-Request to 192.168.59.5:1812 id 1645/2, len 56

*Jul  4 14:11:00.180: RADIUS:  authenticator 5D 44 8D C1 EB 20 DC E8 - 7B 78 5E DC 90 50 DC 4E

*Jul  4 14:11:00.180: RADIUS:  User-Password       [2]   18  *

*Jul  4 14:11:00.180: RADIUS:  User-Name           [1]   6   "xxxx"

*Jul  4 14:11:00.180: RADIUS:  Service-Type        [6]   6   Login                     [1]

*Jul  4 14:11:00.180: RADIUS:  NAS-IP-Address      [4]   6   192.168.59.135

*Jul  4 14:11:00.180: RADIUS(00000000): Sending a IPv4 Radius Packet

 

Verify access acceptance

*Jul  4 14:11:00.953: RADIUS: Received from id 1645/2 192.168.59.5:1812, Access-Accept, len 168

*Jul  4 14:11:00.953: RADIUS:  authenticator 2B BB 32 7D EC 0D 9B BB - 5D 63 C7 EC 30 6F 46 42

*Jul  4 14:11:00.953: RADIUS:  User-Name           [1]   6   "xxxx"

*Jul  4 14:11:00.953: RADIUS:  State               [24]  67
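
The fields the debug output above asks you to verify can be reproduced offline. The following Python sketch is an added example, not part of the original guide and not Cisco code: following RFC 2865, it rebuilds the 56-byte Access-Request shown above (User-Password hidden with the shared key and the request authenticator) and checks a reply's response authenticator, which only matches when both ends hold the same key. The shared key, the password and the Access-Accept body are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)   # an empty password still fills one block
    padded = password.ljust(size, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def attr(attr_type: int, value: bytes) -> bytes:
    """Type, length (counting the 2 header bytes), value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(ident, req_auth, user, password, nas_ip, secret) -> bytes:
    attrs = (attr(2, hide_password(password, secret, req_auth))   # User-Password
             + attr(1, user)                                      # User-Name
             + attr(6, struct.pack("!I", 1))                      # Service-Type = Login
             + attr(4, ipaddress.IPv4Address(nas_ip).packed))     # NAS-IP-Address
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def response_authenticator(code, ident, attrs, req_auth, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def verify_response(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Reject a reply whose length field or response authenticator does not match."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = response_authenticator(packet[0], packet[1], packet[20:], req_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

# Request authenticator and NAS address come from the debug output; the rest is constructed.
REQ_AUTH = bytes.fromhex("5D448DC1EB20DCE87B785EDC9050DC4E")
SECRET = b"example-radius-key"                     # constructed shared key
REQUEST = build_access_request(2, REQ_AUTH, b"xxxx", b"example-pass", "192.168.59.135", SECRET)
ACCEPT_ATTRS = attr(1, b"xxxx")                    # constructed Access-Accept body
ACCEPT = (struct.pack("!BBH", 2, 2, 20 + len(ACCEPT_ATTRS))
          + response_authenticator(2, 2, ACCEPT_ATTRS, REQ_AUTH, SECRET) + ACCEPT_ATTRS)

if __name__ == "__main__":
    print(len(REQUEST), verify_response(ACCEPT, REQ_AUTH, SECRET))
```

A mismatch between the key configured under "radius server" and the key on the RADIUS/ISE side shows up as exactly this check failing.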