Cisco IOS and Radius 0. INTRODUCTION Cisco NAS equipment has become quite popular of late, but being Cisco equipment running IOS, the configuration can be a bit non-obvious to the unfamiliar. This document aims to describe the most common configuration options to make your Ciscos interoperate with radius as you would expect a well-behaved NAS to do. 1. IOS 12.x For Cisco 12.x ( 12.0 and 12.1 ), the following AAA configuration directives are suggested: aaa new-model aaa authentication login default group radius local aaa authentication login localauth local aaa authentication ppp default if-needed group radius local aaa authorization exec default group radius local aaa authorization network default group radius local aaa accounting delay-start aaa accounting exec default start-stop group radius aaa accounting network default start-stop group radius aaa processes 6 this configuration works very well with most radius servers. One of the more important configurations is: aaa accounting delay-start This directive will delay the sending of the Accounting Start packet until after an IP address has been assigned during the PPP negotiation process. This will supersede the need to enable the sending of "Alive" packets as described below for IOS versions 11.x *NOTE* with the above it will use the radius server to authenticate your inbound 'telnet' connections. You will need to create an entry in your users file similar to the following to allow access: !root User-Password == "somepass" Service-Type = NAS-Prompt-User This will let a user in for the first level of access to your Cisco. You will still need to 'enable' ( using the locally configured enable secret ) to perform any configuration changes or anything requiring a higher level of access. The username '!root' was used as an example here, you can make this any username you want, of course. 2. IOS 11.x For Cisco 11.1, you normally use aaa new-model aaa authentication ppp radppp if-needed radius aaa authorization network radius none aaa accounting network wait-start radius to get the Cisco to talk to a radius server. With IOS 11.3, you need to add: aaa accounting update newinfo If you want the IP address of the user to show up in the radutmp file (and thus, the output of "radwho"). This is because with IOS 11.3, the Cisco first sends a "Start" accounting packet without the IP address included. By setting "update newinfo" it will send an account "Alive" packet which updates the information. Also you might see a lot of "duplicates" in the logfile. That can be fixed by aaa accounting network wait radius radius-server timeout 3 To enable the Ascend style attributes (which we do NOT recommend!) radius-server host X.Y.Z.A auth-port 1645 acct-port 1646 non-standard To disable the Ascend style attributes (which is a VERY good idea!): radius-server host X.Y.Z.A auth-port 1645 acct-port 1646 4. CREDITS Original - Alan DeKok <aland@ox.org> 12.x Info - Chris Parker <cparker@starnetusa.net> 2000-10-12 5. MORE INFORMATION For more information, the following page on Cisco's web site may help: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/vapp_dev/vsaig3.htm