Cisco NAS equipment has become quite popular of late, but being Cisco
equipment running IOS, the configuration can be a bit non-obvious to the
unfamiliar. This document aims to describe the most common configuration
options to make your Ciscos interoperate with radius as you would expect a
well-behaved NAS to do.
For Cisco 12.x (12.0 and 12.1), the following AAA configuration directives

	aaa authentication login default group radius local
	aaa authentication login localauth local
	aaa authentication ppp default if-needed group radius local
	aaa authorization exec default group radius local
	aaa authorization network default group radius local
	aaa accounting delay-start
	aaa accounting exec default start-stop group radius
	aaa accounting network default start-stop group radius
This configuration works very well with most radius servers. One of the more
important directives is:

	aaa accounting delay-start

This directive delays the sending of the Accounting "Start" packet until
after an IP address has been assigned during PPP negotiation, so the Start
packet already carries the Framed-IP-Address. This supersedes the need to
enable the sending of "Alive" packets, as described below for IOS versions
11.x.
*NOTE* With the above configuration, the Cisco will also use the radius
server to authenticate your inbound 'telnet' connections. You will need to
create an entry in your users file similar to the following to allow access:

	!root Password == "somepass"
		Service-Type = NAS-Prompt-User

This lets a user in at the first level of access to your Cisco. You will
still need to 'enable' (using the locally configured enable secret) to
perform any configuration changes or anything else requiring a higher level
of access. The username '!root' is only an example here; you can make this
any username you want, of course.
For Cisco 11.1, you normally use

	aaa authentication ppp radppp if-needed radius
	aaa authorization network radius none
	aaa accounting network wait-start radius

to get the Cisco to talk to a radius server.

With IOS 11.3, you need to add:

	aaa accounting update newinfo

if you want the IP address of the user to show up in the radutmp file
(and thus, in the output of "radwho").

This is because with IOS 11.3, the Cisco first sends a "Start" accounting
packet without the IP address included. By setting "update newinfo" it
will send an accounting "Alive" packet which updates the information. Cistron
Radius understands the "Alive" packet since 1.5.4.3-beta7.

Also you might see a lot of "duplicates" in the logfile. That can be

	aaa accounting network wait radius
	radius-server timeout 3
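As an added illustration of the accounting behaviour described above (not code from the original document or from Cistron Radius), the following Python models how a radutmp-style session table tracks a PPP session: an IOS 11.3 "Start" packet arriving without Framed-IP-Address, the "Alive" packet enabled by "update newinfo" filling the address in, and a retransmitted "Start" appearing as a duplicate. The attribute names are the standard RADIUS dictionary names; the NAS address, session id, user and packets are constructed sample data.

```python
# Added example, not from the original document: a small model of how a radius
# server's radutmp (what "radwho" prints) follows Cisco accounting packets. It
# shows why an IOS 11.3 "Start" without Framed-IP-Address needs the "Alive" packet
# enabled by "aaa accounting update newinfo", and how retransmits become duplicates.
START, STOP, ALIVE = 1, 2, 3   # Acct-Status-Type: Start, Stop, Interim-Update ("Alive")

class RadUtmp:
    def __init__(self):
        self.sessions = {}   # (NAS-IP-Address, Acct-Session-Id) -> {user, ip, active}
        self.seen = set()    # (key, status) pairs already applied

    def handle(self, pkt):
        key = (pkt["NAS-IP-Address"], pkt["Acct-Session-Id"])
        status = pkt["Acct-Status-Type"]
        if status in (START, STOP) and (key, status) in self.seen:
            return "duplicate"   # retransmitted Start/Stop: same session, same status
        self.seen.add((key, status))
        if status == START:
            # With "aaa accounting delay-start" the Start already has the IP; IOS 11.3 does not.
            self.sessions[key] = {"user": pkt["User-Name"],
                                  "ip": pkt.get("Framed-IP-Address"), "active": True}
            return "start"
        if key not in self.sessions:
            return "unknown-session"
        if status == ALIVE and "Framed-IP-Address" in pkt:
            self.sessions[key]["ip"] = pkt["Framed-IP-Address"]   # what "newinfo" delivers
            return "alive"
        if status == STOP:
            self.sessions[key]["active"] = False
            return "stop"
        return "ignored"

    def radwho(self):
        return [(s["user"], s["ip"]) for s in self.sessions.values() if s["active"]]

def pkt(status, ip=None):
    """Constructed Accounting-Request for one PPP session on a single NAS."""
    p = {"NAS-IP-Address": "192.0.2.1", "Acct-Session-Id": "00000017",
         "Acct-Status-Type": status, "User-Name": "bob"}
    if ip:
        p["Framed-IP-Address"] = ip
    return p

# Constructed IOS 11.3 flow: Start without IP, "Alive" with the IP, retransmitted Start.
SAMPLE_FLOW = [pkt(START), pkt(ALIVE, "198.51.100.7"), pkt(START)]

def run(flow):
    table = RadUtmp()
    results = [table.handle(p) for p in flow]
    return results, table.radwho(), results.count("duplicate")
```

Running run(SAMPLE_FLOW) shows the session listed without an address until the "Alive" arrives, and the retransmitted Start counted as a duplicate rather than a second session.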
Original - Alan DeKok <aland@ox.org>
12.x Info - Chris Parker <cparker@starnetusa.net> 2000-10-12

For more information, the following page on Cisco's web site may help:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/vapp_dev/vsaig3.htm