🧩 Topology
- Cisco Router / Switch → RADIUS Server (Windows NPS / FreeRADIUS / ISE)
- Management subnet: 192.168.10.0/24
- RADIUS Server IP: 192.168.10.50
- Shared secret: Radius@123
1️⃣ Basic Device & SSH Setup (Mandatory)
hostname R1
ip domain-name lab.local
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
2️⃣ Create Local Fallback User (IMPORTANT)
Used when RADIUS server is unreachable.
username localadmin privilege 15 secret L0cal@123
3️⃣ Enable AAA
aaa new-model
4️⃣ Configure RADIUS Server
🔹 IOS / IOS-XE (Classic Method)
radius server RAD1
 address ipv4 192.168.10.50 auth-port 1812 acct-port 1813
 key Radius@123
(Older IOS alternative)
radius-server host 192.168.10.50 key Radius@123
5️⃣ Create AAA Method Lists (Best Practice)
aaa authentication login SSH_AUTH group radius local
aaa authorization exec SSH_AUTH group radius local
aaa accounting exec default start-stop group radius
Explanation:
- Authenticate via RADIUS
- Fallback to local
- Authorize privilege level
- Log sessions
6️⃣ Apply AAA to VTY Lines (SSH Only)
line vty 0 4
 transport input ssh
 login authentication SSH_AUTH
 authorization exec SSH_AUTH
 exec-timeout 10 0
✅ SSH only
✅ No Telnet
✅ Timeout protection
7️⃣ Restrict SSH Access with ACL (Highly Recommended)
ip access-list standard MGMT-ACL
 permit 192.168.10.0 0.0.0.255
 deny any log
line vty 0 4
 access-class MGMT-ACL in
8️⃣ Privilege Level from RADIUS (Critical for Admin Access)
On the RADIUS server, return the attribute:
Cisco-AVPair = shell:priv-lvl=15
✅ Gives full admin access (privilege 15)
❌ Without this, the user gets privilege 1
9️⃣ Verification & Troubleshooting
🔍 Check AAA & RADIUS
show aaa servers
show radius statistics
show run | section aaa
🔍 Check SSH
show ip ssh
show users
🧪 Debug (Use Carefully)
debug aaa authentication
debug radius authentication
Disable after testing:
undebug all
🔁 Authentication Flow (Important Concept)
SSH Login
↓
AAA Method List
↓
RADIUS Server
↓
Privilege from RADIUS
↓
Fallback to Local (if RADIUS fails)
⚠️ Common Mistakes
❌ Forgot local fallback user
❌ RADIUS secret mismatch
❌ No privilege attribute → user stuck at level 1
❌ Telnet still enabled
❌ ACL blocking RADIUS traffic (UDP 1812/1813) between the device and the server
🧠 CCNA / CCNP / Interview Tips
- Why AAA > local authentication
- Difference between Authentication and Authorization
- Why fallback local user is mandatory
- SSH + RADIUS vs TACACS+
- What happens if RADIUS server is down?
✅ Minimal Working Config (Quick Paste)
! Create the local fallback user before aaa new-model so the console cannot lock you out
username localadmin privilege 15 secret L0cal@123
aaa new-model
radius server RAD1
 address ipv4 192.168.10.50 auth-port 1812 acct-port 1813
 key Radius@123
aaa authentication login SSH_AUTH group radius local
aaa authorization exec SSH_AUTH group radius local
ip domain-name lab.local
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 transport input ssh
 login authentication SSH_AUTH
 authorization exec SSH_AUTH
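The audit below is an added example, not part of the original post: a small Python script that parses a show-run style IOS config and flags the Common Mistakes listed above (no privilege-15 local fallback user, method lists without `local`, Telnet still allowed, no access-class on the VTY lines). Both sample configs are constructed; the hardened one is the Minimal Working Config's AAA and VTY lines plus the MGMT-ACL.

```python
"""Audit a Cisco IOS running-config for the SSH/RADIUS AAA pitfalls listed above."""
import re
def parse_blocks(config):
    """Map each top-level command to its indented sub-commands (show run layout)."""
    blocks, parent = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and '!' comment lines
        if raw.startswith(" ") and parent is not None:
            blocks[parent].append(raw.strip())
        else:
            parent = raw.strip()
            blocks.setdefault(parent, [])
    return blocks
def audit_aaa(config):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    tops, findings = list(blocks), []
    # Step 2: privilege-15 local user is the only way in when RADIUS is down (plain or hashed secret).
    if not any(re.match(r"username \S+ privilege 15 secret ", t) for t in tops):
        findings.append("no privilege-15 local fallback user")
    # Step 5: both method lists must try RADIUS first and fall back to local.
    for kind in ("authentication login", "authorization exec"):
        lists = [t for t in tops if t.startswith(f"aaa {kind} ")]
        if not any("group radius" in t and t.endswith(" local") for t in lists):
            findings.append(f"aaa {kind}: no 'group radius ... local' method list")
    # Steps 6-7: each VTY line must be SSH-only, use the named list, and carry an ACL.
    for top, subs in blocks.items():
        if not top.startswith("line vty"):
            continue
        if "transport input ssh" not in subs:
            findings.append(f"{top}: Telnet still allowed (transport input is not 'ssh')")
        if not any(s.startswith("login authentication ") for s in subs):
            findings.append(f"{top}: named login authentication list not applied")
        if not any(s.startswith("access-class ") and s.endswith(" in") for s in subs):
            findings.append(f"{top}: no inbound access-class ACL")
    return findings
# Constructed sample: the page's AAA/VTY lines plus the MGMT-ACL, in show-run layout.
HARDENED = """username localadmin privilege 15 secret L0cal@123
aaa new-model
aaa authentication login SSH_AUTH group radius local
aaa authorization exec SSH_AUTH group radius local
line vty 0 4
 transport input ssh
 login authentication SSH_AUTH
 access-class MGMT-ACL in
"""
# Constructed sample with the common mistakes: no local user, no fallback, Telnet open, no ACL.
WEAK = ("aaa new-model\naaa authentication login SSH_AUTH group radius\n"
        "line vty 0 4\n transport input telnet ssh\n login authentication SSH_AUTH\n")
```

Run `audit_aaa()` over the output of `show run | section aaa|line vty|username` to check a real device; any finding maps to one of the mistakes above.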