0

I want to set up Radius on one of my Win2k3 Server servers to test authenticating a Cisco router against it.

  • Does the IAS server have to be a domain controller, is it better or worse if it is?
  • Will installing IAS via Add/Remove Components knock out or require the restart of other services? (If it has to be a DC, then its going to have to be a production one).
  • This guide or maybe this one looks okay, but can anyone how has done it tell me if they seems okay, and/or recommend another guide?
  • Other advice is of course (almost) always welcome :-)
Kyle Brandt
  • 82,107
  • 71
  • 302
  • 444

2 Answers2

2

This is the exact way I have my cisco gear currently setup. To answer your questions

  1. No it does not have to be a domain controller, I can't really think of anything compelling for/against. I have mine on the DC's local to the equipment because a) they are already doing authentication and for network gear auth you won't be adding that much load and b) didn't really have anywhere else to put it at the time.

  2. Nope won't cause a reboot or start/stop of services

  3. The first guide looks pretty much spot on for the windows side. See below for example code from my configs to get the cisco side running.

  4. One thing you want to do is make sure you have local accounts that you can fail back to when your radius server is unavailable. and make sure you have an active console session that is set to not timeout when setting this up. You can easily lock your self out of the router while doing the setup.

This is for authenticating console access not VPN access, i'm going to leave it here in case someone finds it useful. 
aaa new-model
aaa authentication login default group radius local
radius-server host <server_ip/name> auth-port 1812 acct-port 1813 key <encrypted_shared_key>
Zypher
  • 36,995
  • 5
  • 52
  • 95
  • Should have been clear, going to use it for authenticating VPN users, the router will be the VPN endpoint. – Kyle Brandt Nov 05 '09 at 18:44
  • 1
    Ah gotcha. The theories should still hold true, although I endpoint on an ASA so i'm not sure on the exact proccess for endpointing on a router, you should be able to set your vpn authentication group to the radius server. I would still setup failback local users for admins to be able to get in and fix problems if the RADIUS server goes down. – Zypher Nov 05 '09 at 18:52
1
  1. no IAS does not need to be on a DC although performance can improve if it is.
  2. depends on the rest of the system, but in my experience no it does not require a reboot
  3. both guides look complete.

Pay close attention to wild cards matching for your policies since that's how you can have multiple policies on the same group for different hosts. if you don't limit them down any 'allow' match will grant access to the resource.