Radius central authentication
From Tech-Wiki
The following configuration is for classic IOS and is not suitable for IOS XE (see the IOS XE variant below).
aaa new-model
!
!
aaa group server radius RADIUS_SERVERS
 server 172.20.1.11 auth-port 1812 acct-port 1813
 server 172.20.0.88 auth-port 1812 acct-port 1813
!
radius-server host 172.20.1.11 auth-port 1812 acct-port 1813 key 7 0703205E5C101F0C041A
radius-server host 172.20.0.88 auth-port 1812 acct-port 1813 key 7 011F0716491200063244
!
aaa authentication login CONSOLE_PROTECTION local
aaa authentication login VTY_PROTECTION group RADIUS_SERVERS local
aaa authorization exec default group RADIUS_SERVERS local if-authenticated
!
aaa session-id common
login block-for 300 attempts 3 within 60
login quiet-mode access-class 150
login on-failure log
login on-success log
!
ip ssh time-out 60
ip ssh version 2
!
ip access-list extended VTY_PROTECTION
 permit ip 172.20.100.0 0.0.0.255 any
 deny ip any any log
ip radius source-interface Vlan14
logging origin-id hostname
logging source-interface Vlan14
logging host 172.20.1.247
!
access-list 150 remark Device Management Access Control
access-list 150 deny tcp any any eq 4786 log
access-list 150 permit ip 172.20.100.0 0.0.0.255 any
access-list 150 permit ip host 172.20.0.88 any
access-list 150 deny ip any any log
!
banner login ^CC
You are now connected to $(hostname).
##############################################################################
You require authorisation to connect to this device.
If you are not authorised to connect to this device please disconnect now.
If you fail to disconnect you may be prosecuted under the Crimes Amendment Act 2003 section 252 under New Zealand law.
All connections are logged and monitored
##############################################################################
^C
!
line con 0
 logging synchronous
 login authentication CONSOLE_PROTECTION
line vty 0 4
 access-class 150 in
 logging synchronous
 login authentication VTY_PROTECTION
 transport input telnet ssh
line vty 5 15
 access-class 150 in
 logging synchronous
 login authentication VTY_PROTECTION
 transport input telnet ssh
!
For IOS XE use this instead:
aaa group server radius RADIUS_SERVERS
 server name RADIUS-A
 server name RADIUS-B
!
radius server RADIUS-A
 address ipv4 172.20.1.11 auth-port 1812 acct-port 1813
 key 7 0703205E5C101F0C041A
!
radius server RADIUS-B
 address ipv4 172.20.0.88 auth-port 1812 acct-port 1813
 key 7 020A0549191F09285F46
!
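IOS XE replaces the legacy `radius-server host` lines with named `radius server` blocks referenced from the AAA group. As an added example (not from the original page), the Python helper below rewrites the legacy lines above into that IOS XE form; the server names RADIUS-A, RADIUS-B and the fallback ports 1812/1813 are assumptions, and the sample config is constructed from this page.

```python
import re

# Constructed sample: the legacy RADIUS lines from this page, in pre-IOS XE syntax.
LEGACY_CONFIG = """\
aaa group server radius RADIUS_SERVERS
 server 172.20.1.11 auth-port 1812 acct-port 1813
 server 172.20.0.88 auth-port 1812 acct-port 1813
!
radius-server host 172.20.1.11 auth-port 1812 acct-port 1813 key 7 0703205E5C101F0C041A
radius-server host 172.20.0.88 auth-port 1812 acct-port 1813 key 7 011F0716491200063244
"""

GROUP_RE = re.compile(r"^aaa group server radius (?P<name>\S+)\s*$")
MEMBER_RE = re.compile(r"^ server (?P<ip>\d+\.\d+\.\d+\.\d+)")
HOST_RE = re.compile(
    r"^radius-server host (?P<ip>\S+)"
    r"(?: auth-port (?P<auth>\d+))?(?: acct-port (?P<acct>\d+))?"
    r"(?: key (?P<ktype>\d) (?P<key>\S+))?\s*$"
)

def parse_legacy(text):
    """Collect the group name, its member IPs (in order) and per-host settings."""
    group, members, hosts = None, [], {}
    for line in text.splitlines():
        if m := GROUP_RE.match(line):
            group = m["name"]
        elif m := MEMBER_RE.match(line):
            members.append(m["ip"])
        elif m := HOST_RE.match(line):
            hosts[m["ip"]] = m.groupdict()
    return group, members, hosts

def to_ios_xe(text, prefix="RADIUS-"):
    """Render the IOS XE 'radius server <name>' form of a legacy config.
    Assumed naming: prefix + A, B, C ... in member order; ports default to 1812/1813."""
    group, members, hosts = parse_legacy(text)
    names = {ip: f"{prefix}{chr(ord('A') + i)}" for i, ip in enumerate(members)}
    out = [f"aaa group server radius {group}"]
    out += [f" server name {names[ip]}" for ip in members]
    for ip in members:
        h = hosts.get(ip, {})  # a member without a radius-server host line gets defaults
        out += ["!", f"radius server {names[ip]}",
                f" address ipv4 {ip} auth-port {h.get('auth') or 1812}"
                f" acct-port {h.get('acct') or 1813}"]
        if h.get("key"):  # carry the stored key and its encoding type over unchanged
            out.append(f" key {h['ktype']} {h['key']}")
    out.append("!")
    return "\n".join(out)
```

Running `print(to_ios_xe(LEGACY_CONFIG))` yields the named-server block shown above, with the legacy key strings carried over as-is.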