Radius central authentication

From Tech-Wiki


The following configuration is not suitable for IOS XE (see the IOS XE variant further down).

aaa new-model
!
!
aaa group server radius RADIUS_SERVERS
 server 172.20.1.11 auth-port 1812 acct-port 1813
 server 172.20.0.88 auth-port 1812 acct-port 1813
!
radius-server host 172.20.1.11 auth-port 1812 acct-port 1813 key 7 0703205E5C101F0C041A
radius-server host 172.20.0.88 auth-port 1812 acct-port 1813 key 7 011F0716491200063244
!
aaa authentication login CONSOLE_PROTECTION local
aaa authentication login VTY_PROTECTION group RADIUS_SERVERS local
aaa authorization exec default group RADIUS_SERVERS local if-authenticated
!
aaa session-id common
login block-for 300 attempts 3 within 60
login quiet-mode access-class 150
login on-failure log
login on-success log
!
ip ssh time-out 60
ip ssh version 2
!
ip access-list extended VTY_PROTECTION
 permit ip 172.20.100.0 0.0.0.255 any
 deny   ip any any log
ip radius source-interface Vlan14
logging origin-id hostname
logging source-interface Vlan14
logging host 172.20.1.247
!
access-list 150 remark Device Management Access Control
access-list 150 deny   tcp any any eq 4786 log
access-list 150 permit ip 172.20.100.0 0.0.0.255 any
access-list 150 permit ip host 172.20.0.88 any
access-list 150 deny   ip any any log
!
banner login ^CC
You are now connected to $(hostname).

##############################################################################
             You require authorisation to connect to this device.
  If you are not authorised to connect to this device please disconnect now.
  If you fail to disconnect you may be prosecuted under the Crimes Amendment
                Act 2003 section 252 under New Zealand law.

                 All connections are logged and monitored
##############################################################################

^C
!
line con 0
 logging synchronous
 login authentication CONSOLE_PROTECTION
line vty 0 4
 access-class 150 in
 logging synchronous
 login authentication VTY_PROTECTION
 transport input telnet ssh
line vty 5 15
 access-class 150 in
 logging synchronous
 login authentication VTY_PROTECTION
 transport input telnet ssh
!

For IOS XE, use the following RADIUS server definitions instead of the radius-server host lines above:

aaa group server radius RADIUS_SERVERS
 server name RADIUS-A
 server name RADIUS-B
!
radius server RADIUS-A
 address ipv4 172.20.1.11 auth-port 1812 acct-port 1813
 key 7 0703205E5C101F0C041A
!
radius server RADIUS-B
 address ipv4 172.20.0.88 auth-port 1812 acct-port 1813
 key 7 020A0549191F09285F46
!
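As an added example (not part of this wiki page), a small Python checker that parses the line vty stanzas and aaa authentication login lists of a configuration like the first one above and reports the points a reviewer would check: whether each VTY line has an access-class, whether telnet is still allowed alongside SSH, and whether the login method list uses the RADIUS group with a local fallback. The sample config is a constructed, abridged copy of the first block with the keys omitted; the function names lint, line_blocks and login_lists are chosen here.

```python
import re

# Constructed sample, abridged from the first configuration on this page (keys omitted).
SAMPLE_CONFIG = """\
aaa authentication login VTY_PROTECTION group RADIUS_SERVERS local
line vty 0 4
 access-class 150 in
 login authentication VTY_PROTECTION
 transport input telnet ssh
line vty 5 15
 login authentication VTY_PROTECTION
 transport input ssh
"""

def line_blocks(config):
    """Group the indented children of each 'line ...' stanza under its name."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other global command ends the stanza
    return blocks

def login_lists(config):
    """Map each 'aaa authentication login' list name to its method tokens."""
    pat = re.compile(r"^aaa authentication login (\S+) (.+)$", re.M)
    return {m.group(1): m.group(2).split() for m in pat.finditer(config)}

def lint(config):
    """Return findings for the VTY hardening points shown on this page."""
    findings, lists = [], login_lists(config)
    for name, body in line_blocks(config).items():
        if not name.startswith("vty"):
            continue  # console lines are protected differently
        if not any(b.startswith("access-class ") for b in body):
            findings.append(f"line {name}: no access-class applied")
        if any(re.match(r"transport input .*\btelnet\b", b) for b in body):
            findings.append(f"line {name}: transport input allows telnet (cleartext)")
        used = [b.split()[2] for b in body if b.startswith("login authentication ")]
        methods = lists.get(used[0] if used else "default", [])  # no list => default
        if "group" not in methods:
            findings.append(f"line {name}: login does not use a RADIUS server group")
        if "local" not in methods:
            findings.append(f"line {name}: no local fallback if RADIUS is unreachable")
    return findings
```

Running lint(SAMPLE_CONFIG) flags telnet on vty 0 4 and the missing access-class on vty 5 15; pointing it at a full show running-config works the same way because only the line stanzas and login lists are read.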