SBR Radius Config

Thanks to Dave and Doug for replying to my earlier post. I now have my 2600s authenticating to a Radius server.

However, I have run into another issue I hope someone can help me with.

On my Juniper SBR radius server, I have set up two active directory groups for domain authentication against the radius server. I have a Cisco VPN Client group, and a Cisco Router Admin group.

Practically everyone in the company is in the Cisco VPN Client group. Conversely, only 5 of us are in the Cisco Router Admins group.

When I remove Joe from the Cisco Router Admins group, he is still able to log on to our Cisco routers. I have confirmed that this is because he is still a member of the Cisco VPN Client group.

More alarming, it appears that everyone in the Cisco VPN Client group is authorized to log in to our routers.

Is there a way to configure the radius server so that it knows which resources a group should have access to? I suppose my main concern is that anyone who is a member of any group on the radius server will have access to any of our devices that are authenticating against that server, regardless of type of device, job function, etc.

Hi John,

I've just come across the same issue, and have successfully fixed it.

Originally I had this configuration to specify authentication:

*** aaa authentication login default group LANAUTH local

And of course, because of the "login", my device was authenticating con0 connections against the RADIUS server, as well as ppp connections (as well as using the "local" username(s) as a backup if the RADIUS server is unreachable.)

This is why console logins were being authenticated to the RADIUS server. Removing this line and using the below should rectify it.

You have 3 choices:

  1. use diff. radius servers/instances for vpn users and for admins
  2. use single radius with configured Filter-Id, configure ACLs on the
  3. continue to use radius for vpn users and use tacacs for admins

Regards, Roman Nakhmanson
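As an added example (not from either poster's configuration), this is one way to implement the first choice on a Cisco IOS router: a "login default" list applies to every login, so instead use two server groups and two named method lists, one for console/VTY admin logins and one for VPN client XAUTH, and require exec authorization so an Access-Accept alone does not grant a shell. LANAUTH is the group name from the reply above; ADMINAUTH, the server addresses, the shared key and the crypto map name are assumed placeholders.

```cisco
! Assumed: separate RADIUS instances for VPN users and router admins
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key VPN-KEY-PLACEHOLDER
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key ADMIN-KEY-PLACEHOLDER
!
! Server group answering for the Cisco VPN Client AD group
aaa group server radius LANAUTH
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
! Server group answering only for the Cisco Router Admins AD group
aaa group server radius ADMINAUTH
 server 192.0.2.11 auth-port 1812 acct-port 1813
!
! No "login default" list: each named list is applied explicitly below.
aaa authentication login ADMINS group ADMINAUTH local
aaa authentication login VPNUSERS group LANAUTH
aaa authorization exec ADMINS group ADMINAUTH local
!
! Console and VTY sessions authenticate and authorize against ADMINAUTH only
line con 0
 login authentication ADMINS
 authorization exec ADMINS
line vty 0 4
 login authentication ADMINS
 authorization exec ADMINS
!
! VPN client XAUTH uses the VPNUSERS list; those users never reach the exec lists
crypto map VPNMAP client authentication list VPNUSERS
```

The "local" fallback on the ADMINS lists preserves console access if the admin RADIUS instance is unreachable; the VPNUSERS list deliberately has none.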

