Can 2600 Router ver. 12.3 use Radius Server to Authenticate Logon

I have 500 routers. Right now we are using local accounts set up on each router to let our admins log into the routers. Whenever an admin leaves, we have to go around to 500 routers and delete that username and add the new guy.

Is it possible to set up a router to use AAA authentication to a Radius server to authenticate telnet access?

That way I just take the ex-employee out of the radius group and he no longer can get into our routers.

If this is possible, would someone be so kind as to point me to a sample config. I am having a hell of a time finding anything on cisco.com.

Thank you

Reply to
JohnD

Sure. RADIUS or TACACS+.

Shouldn't be too hard to find; it's been part of IOS for quite some time.

Here's a link to the basics in 12.2 documentation.

formatting link

Reply to
Doug McIntyre

You could use RADIUS, but I would use TACACS+. First, RADIUS is clear text, so you could have someone actually get your password if they are sniffing the data stream. I really do not like Cisco software, I REALLY like Cisco ACS. You can also set it up to use your Windows domain to authenticate to. You can do SSOOO MUCH with Cisco ACS! Here is a simple RADIUS config.

aaa new-model
!
aaa authentication login default group radius local
! Always config a fallback in case you can't get to the AAA server
radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key cisco
! Some IOSes want you to put the key on a separate line

This will just get you logged in; there are the two other A's (authorization and accounting) that you may also configure.

Greg

Reply to
gcave

Huh? RADIUS encrypts passwords across the network. The difference between TACACS+ and RADIUS is that TACACS+ encrypts the whole packet. RADIUS encrypts just the password, leaving the rest of the packet plain.

Passwords are both encrypted as they go over the network for either protocol.

Reply to
Doug McIntyre

I did not know that. Thanks for the correction.

Reply to
gcave
