Configure a Cisco Router to use RADIUS for Authentication
With that comes the added administrative burden of having to manage all the different accounts on each device. Remote Authentication Dial In User Service (RADIUS) is one means of countering this issue by providing a centralized infrastructure for authentication and accounting.
Now there are a lot of technical papers on configuring devices for RADIUS, but I'm going to do things a little differently in this article: I'm going to give you a brief overview of RADIUS, how it operates and how to incorporate it into any Cisco routers that you may have in your network.
What is RADIUS?
RADIUS is a widely implemented networking protocol sometimes referred to as a client/server protocol, which provides a centralized mechanism of administering user account information. These can be usernames, passwords and privilege levels for each account.
AAA, which stands for Authentication, Authorization and Accounting, is the core foundation upon which RADIUS is built.
Authentication is the process by which the RADIUS server verifies the user requesting access before it is granted, whereas Authorization deals with the level of access granted to a particular account. The Accounting aspect logs each user's session, allowing an administrator to establish how long a specific account has been using a resource and to perform other administrative tasks.
Before a device can become a RADIUS client it must first be configured with the same pre-shared key as the RADIUS server; the key protects the exchange between the two, which is what allows the client to pass user credentials to the RADIUS server for verification.
When a user needs to access resources, they are required to provide credentials so as to verify that they have the required privileges to get that level of access to the given resource; this may be access to a Router, Switch, Access Point, Firewall or just data on a File Server.
These credentials are passed to a RADIUS client, which then forwards them to the RADIUS server. The RADIUS server checks the credentials against its database and sends a result of Access-Accept or Access-Reject back to the RADIUS client.
Note: for our example the RADIUS client will be a Cisco 800 series router, specifically a Cisco 871; the database will be Active Directory configured and running on a Windows Server 2008 box. Today we will focus on the configuration of the Cisco router.
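The exchange just described, as an added Python example that is not part of the original article or of any Cisco or Microsoft code: it builds the client's Access-Request (with the User-Password hidden under the shared key as RFC 2865 specifies), the server's Access-Accept or Access-Reject, and the check a RADIUS client must perform on the reply's Response Authenticator, which is what the pre-shared key buys you. The usernames, passwords and keys in it are constructed placeholders.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # packet codes, RFC 2865
USER_NAME, USER_PASSWORD = 1, 2                           # attribute types, RFC 2865

def _attr(atype, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def access_request(ident, username, password, secret, authenticator=None):
    """Client side: build an Access-Request; returns (packet, request_authenticator)."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs, authenticator

def server_reply(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Access-Accept/Reject whose Response Authenticator is bound to the shared key."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def classify_reply(packet, ident, request_authenticator, secret):
    """Client side: check identifier and Response Authenticator before trusting the code."""
    code, got_ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or got_ident != ident:
        return "invalid"
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if packet[4:20] != expected:
        return "invalid"   # not produced with our shared key: forged or misconfigured server
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid")

def demo(secret=b"example-shared-key", other_secret=b"some-other-key"):
    """Constructed exchange: a genuine accept is honoured, one built with a different key is not."""
    req, auth = access_request(7, b"alice", b"s3cret", secret)
    genuine = server_reply(ACCESS_ACCEPT, 7, auth, secret)
    mismatched = server_reply(ACCESS_ACCEPT, 7, auth, other_secret)
    return classify_reply(genuine, 7, auth, secret), classify_reply(mismatched, 7, auth, secret)
```

A client that skips the authenticator check would accept the second reply too, which is why the key must be set identically on both the router and the server.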
Figure: the authentication process when the user tries to access the router
How to Configure the Cisco 871
As a Cisco administrator you should already know the very basics of setting up your device, but for those of you who have never configured one before, I'm going to go through these basic steps so that even if you're a novice you will be able to get any Cisco router configured to use RADIUS.
To connect to your Cisco device you will need a terminal program such as HyperTerminal, which comes with Windows XP; if you're using Windows Vista like me then you'll need third-party software. I like PuTTY, so I'll be using it throughout the lab.
1. First we need to configure the terminal software with the serial settings listed below, then begin the session by clicking Open.
- Bits per sec : 9600
- Data bits : 8
- Parity : none
- Stop bits : 1
- Flow control : none
2. After you click Open, you will be prompted to enter the credentials to gain access to the device. These are the credentials you configured on the router previously; if it's a brand new router you will have to use Cisco's default credentials for that particular model.
As stated before, the router I'm using is a Cisco 871 and the default credentials for it are cisco for both the username and the password.
3. Next we configure a host name. From privileged mode enter configure terminal, to which the router replies:
Enter configuration commands, one per line. End with CNTL/Z.
Then set the name with hostname Cisco871; this is why the prompts in the following steps read Cisco871(config)#.
4. Depending on the role your router is going to play in your network, your interfaces will be configured accordingly. For this example I already have a fully operational network, therefore I only need to configure the WAN interface to receive an IP address and enable the telnet interface so that I can access the router from any PC or laptop instead of using the direct serial connection.
Cisco871(config)#interface fastethernet 4
Cisco871(config-if)#ip address dhcp
5. Then we enable the AAA new model and define a login authentication method list, named CISCO, that uses the RADIUS server group first and falls back to the local user database if no RADIUS server responds.
Cisco871(config)#aaa new-model
Cisco871(config)#aaa authentication login CISCO group radius local
6. Specify which interface the router will source its RADIUS packets from; the RADIUS server identifies the client by this address, so it must match the client entry configured on the server.
Cisco871(config)#ip radius source-interface FastEthernet 4
7. Continuing along, we're going to add the RADIUS server and the key; note that the key used is the same key that was configured on the RADIUS server.
Cisco871(config)#radius-server host xxx.xxx.xxx.xxx
Cisco871(config)#radius-server key xxxx
8. Our last step is to apply the login authentication method list (CISCO) we defined earlier to the vty lines, so that remote logins use it.
Cisco871(config)#line vty 0 4
Cisco871(config-line)#login authentication CISCO
Cisco871(config-line)#transport input telnet
At this stage you should be able to use telnet to connect to the router and provide the credentials of a user in your Active Directory database with the required "dial in" access.
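As an added example (not from the article or from Cisco), a small Python audit that reads the relevant lines of a router's running configuration, here a constructed sample shaped like the commands above, and flags the omissions that most often break this setup: aaa new-model missing, the vty lines pointing at a method list that was never defined, or a list with no local fallback. The address and key in SAMPLE_CONFIG are placeholders.

```python
import re

# Constructed sample in the shape produced by the commands above; address and key are placeholders.
SAMPLE_CONFIG = """\
hostname Cisco871
aaa new-model
aaa authentication login CISCO group radius local
ip radius source-interface FastEthernet4
radius-server host 192.0.2.10
radius-server key RADIUS-KEY-PLACEHOLDER
line vty 0 4
 login authentication CISCO
 transport input telnet
"""

def parse_config(text):
    """Map each top-level IOS line to the indented lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def audit_radius_login(text):
    """Return findings; an empty list means vty login is wired to RADIUS as the article describes."""
    cfg, findings = parse_config(text), []
    if "aaa new-model" not in cfg:
        findings.append("aaa new-model is missing, so the named method list is not in effect")
    for needed in ("radius-server host", "radius-server key", "ip radius source-interface"):
        if not any(line.startswith(needed) for line in cfg):
            findings.append(f"no '{needed}' line configured")
    lists = {m.group(1): m.group(2).split()
             for m in map(re.compile(r"aaa authentication login (\S+) (.+)").match, cfg) if m}
    for line, children in cfg.items():
        if not line.startswith("line vty"):
            continue
        applied = [c.split()[-1] for c in children if c.startswith("login authentication ")]
        if not applied:
            findings.append(f"{line}: no login authentication list applied")
        elif applied[0] not in lists:
            findings.append(f"{line}: list {applied[0]} is applied but never defined")
        elif "local" not in lists[applied[0]]:
            findings.append(f"{line}: list {applied[0]} has no local fallback; a RADIUS outage would lock admins out")
    return findings
```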
If you're interested in learning more about RADIUS, check out RFC 2865 on the Internet Engineering Task Force (IETF) website.