πŸ” SSH Configuration with RADIUS Authentication (Cisco)

🧩 Topology

  • Cisco Router / Switch → RADIUS Server (Windows NPS / FreeRADIUS / ISE)
  • Management subnet: 192.168.10.0/24
  • RADIUS Server IP: 192.168.10.50
  • Shared secret: Radius@123

1️⃣ Basic Device & SSH Setup (Mandatory)

hostname R1
ip domain-name lab.local

crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3


2️⃣ Create Local Fallback User (IMPORTANT)

Used when the RADIUS server is unreachable.

username localadmin privilege 15 secret L0cal@123


3️⃣ Enable AAA

aaa new-model


4️⃣ Configure RADIUS Server

🔹 IOS / IOS-XE (Classic Method)

radius server RAD1
 address ipv4 192.168.10.50 auth-port 1812 acct-port 1813
 key Radius@123

(Older IOS alternative)

radius-server host 192.168.10.50 key Radius@123


5️⃣ Create AAA Method Lists (Best Practice)

aaa authentication login SSH_AUTH group radius local
aaa authorization exec SSH_AUTH group radius local
aaa accounting exec default start-stop group radius

Explanation:

  • Authenticate logins via the RADIUS group
  • Fall back to the local user database only when the RADIUS servers do not respond (a RADIUS reject is final and does not fall through to local)
  • Authorize the exec shell and its privilege level from RADIUS
  • Log exec sessions with start/stop accounting records

6️⃣ Apply AAA to VTY Lines (SSH Only)

line vty 0 4
 transport input ssh
 login authentication SSH_AUTH
 authorization exec SSH_AUTH
 exec-timeout 10 0

✔ SSH only
✔ No Telnet
✔ Timeout protection


7️⃣ Restrict SSH Access with ACL (Highly Recommended)

ip access-list standard MGMT-ACL
 permit 192.168.10.0 0.0.0.255
 deny any log

line vty 0 4
 access-class MGMT-ACL in


8️⃣ Privilege Level from RADIUS (Critical for Admin Access)

On the RADIUS server, return this attribute in the Access-Accept:

Cisco-AVPair = shell:priv-lvl=15

✔ Gives full admin access
✔ Without this, the user gets privilege 1


9️⃣ Verification & Troubleshooting

πŸ” Check AAA & RADIUS

show aaa servers
show radius statistics
show run | section aaa

πŸ” Check SSH

show ip ssh
show users

🧪 Debug (Use Carefully)

debug aaa authentication
debug radius authentication

Disable after testing:

undebug all


πŸ” Authentication Flow (Important Concept)

SSH Login
   ↓
AAA Method List
   ↓
RADIUS Server
   ↓
Privilege from RADIUS
   ↓
Fallback to Local (if RADIUS fails)


⚠️ Common Mistakes

❌ Forgot local fallback user
❌ RADIUS secret mismatch
❌ No privilege attribute → user stuck at level 1
❌ Telnet still enabled
❌ ACL blocking RADIUS traffic
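Most of these mistakes are visible in the running-config itself, so they can be caught before a change window closes. The following audit script is an added example (not part of the original page or of any Cisco tool): it checks a saved `show run` text for a local privilege-15 user, a `local` fallback in the login method list, SSH version 2, an SSH-only VTY transport and a VTY `access-class`, against constructed sample configs based on the minimal config on this page.

```python
import re

# Constructed sample config (not from a real device): the page's minimal config
# with three listed mistakes reintroduced: no local user, no 'local' fallback
# in the method list, and Telnet left enabled on the VTY lines.
SAMPLE_BAD = """\
aaa new-model
radius server RAD1
 address ipv4 192.168.10.50 auth-port 1812 acct-port 1813
 key Radius@123
aaa authentication login SSH_AUTH group radius
ip ssh version 2
line vty 0 4
 transport input ssh telnet
 login authentication SSH_AUTH
"""

# Constructed: the same config with the mistakes fixed and MGMT-ACL applied.
SAMPLE_GOOD = (
    "username localadmin privilege 15 secret L0cal@123\n"
    + SAMPLE_BAD.replace("group radius\n", "group radius local\n")
                .replace("transport input ssh telnet", "transport input ssh")
    + " access-class MGMT-ACL in\n"
)

# Each entry: (regex that must match somewhere, finding reported when it does not).
GLOBAL_CHECKS = [
    (r"^username \S+ privilege 15 secret ", "no local fallback user with privilege 15"),
    (r"^aaa authentication login \S+ group radius local$", "login method list has no local fallback"),
    (r"^ip ssh version 2$", "SSH version 2 not enforced"),
]
VTY_CHECKS = [  # evaluated against the 'line vty' sub-config only
    (r"^transport input ssh$", "VTY transport is not SSH-only (Telnet may be enabled)"),
    (r"^access-class \S+ in$", "no access-class ACL on the VTY lines"),
]

def vty_block(cfg):
    # Collect the indented sub-config lines under any 'line vty' stanza.
    sub, in_vty = [], False
    for ln in cfg.splitlines():
        if ln.startswith("line vty"):
            in_vty = True
        elif in_vty and ln.startswith(" "):
            sub.append(ln.strip())
        else:
            in_vty = False
    return sub

def audit(cfg):
    # Return the list of findings; an empty list means every check passed.
    vty = "\n".join(vty_block(cfg))
    findings = [msg for pat, msg in GLOBAL_CHECKS if not re.search(pat, cfg, re.M)]
    findings += [msg for pat, msg in VTY_CHECKS if not re.search(pat, vty, re.M)]
    return findings
```

A shared-secret mismatch cannot be detected from the device config alone; for that, `show aaa servers` and the RADIUS server's own log remain the check.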


🧠 CCNA / CCNP / Interview Tips

  • Why AAA > local authentication
  • Difference between Authentication vs Authorization
  • Why fallback local user is mandatory
  • SSH + RADIUS vs TACACS+
  • What happens if RADIUS server is down?

βœ… Minimal Working Config (Quick Paste)

aaa new-model
username localadmin privilege 15 secret L0cal@123

radius server RAD1
 address ipv4 192.168.10.50 auth-port 1812 acct-port 1813
 key Radius@123

aaa authentication login SSH_AUTH group radius local
aaa authorization exec SSH_AUTH group radius local

ip domain-name lab.local
crypto key generate rsa modulus 2048
ip ssh version 2

line vty 0 4
 transport input ssh
 login authentication SSH_AUTH
 authorization exec SSH_AUTH
