Cisco CLI Role Based Administration + Radius (Part I)

Hi, this time I'll try to give you a comprehensive guide on how to configure Cisco CLI Role Based Administration together with Windows RADIUS authentication using Windows 2008 NPS. This part covers only RADIUS authentication, without separating different administration roles. In the next article I will show you how to give some users only restricted access to a Cisco device, for example allowing them to execute only show commands.


Let's start with the Cisco device. I'll use a Cisco Catalyst Switch C3560E running IOS (C3560E-UNIVERSALK9-M), Version 12.2(50)SE2. The first thing we need to activate on the Cisco device is aaa new-model. This unlocks the range of commands we use to configure AAA (Authentication, Authorization and Accounting). I'll show you my configuration and try to explain the more difficult parts.

! With "aaa new-model" we turn on the AAA framework (and thus RADIUS support) on the Cisco device.
! The next line enables authentication for login: the default method is RADIUS, followed by the
! local database. Important: the local database is consulted only if no RADIUS server is reachable,
! not if the user types a wrong password or does not exist in the RADIUS database at all.
! The following line enables exec authorization via RADIUS as well. Note that it lists no fallback
! method (such as local), so obtaining an exec shell depends on a RADIUS server being reachable.
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius

! We also need to specify the RADIUS servers. Here I configure two of them, so that
! authentication still works should one of them be unavailable.

radius-server host 192.168.x.x auth-port 1645 acct-port 1646
radius-server host 192.168.x.x auth-port 1645 acct-port 1646
radius-server timeout 3
! The key secures the communication between the RADIUS client (the Cisco device) and the RADIUS server;
! it has to be identical on both sides. In the running config the key is shown in type 7 form (a
! reversible obfuscation, not strong encryption), but you type it in clear text when configuring it.

radius-server key 7 234555530B0454545645
! The last command makes the Network Access Server send and recognise Vendor Specific Attributes.
radius-server vsa send authentication

That was the Cisco part; now let's configure the Windows NPS. I assume you have already installed NPS and completed its basic configuration. The first thing we need is to add the Cisco device as a RADIUS client.

Basically we have to configure just a few settings. The vendor should be Cisco, and we need to use the same shared secret that we configured on our Cisco device.

Next we configure a simple Connection Request Policy to allow user authentication on the RADIUS server.

Next we go to Network Policies and create one. The important settings for the policy can be taken from the following screenshots.


That's all. Now, when connecting to the Cisco device through SSH, we can log in with our user (which belongs to the Network Admins group in AD) using the password from AD.
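To see what actually crosses the wire during that login, here is an added Python example (not code from the original post) that builds the PAP Access-Request a NAS sends, verifies the Response Authenticator on the reply with the shared secret, and pulls Cisco VSAs (vendor 9, cisco-avpair, for example shell:priv-lvl=15) out of an Access-Accept. The secret, user name, NAS address and the sample reply are constructed values; sending the packet to a real NPS over UDP is left to the caller, and the socket module is only used for address packing.

```python
import hashlib
import os
import socket
import struct

CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco (vendor field of attribute 26)
CISCO_AVPAIR = 1      # vendor attribute "cisco-avpair", e.g. shell:priv-lvl=15
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def encrypt_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    ciphertext block); the Request Authenticator seeds the chain."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out

def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value   # Type, Length, Value

def cisco_vsa(avpair: str) -> bytes:
    data = avpair.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return attr(26, struct.pack("!I", CISCO_VENDOR_ID) + inner)   # 26 = Vendor-Specific

def build_access_request(ident: int, user: str, password: str, nas_ip: str, secret: bytes):
    authenticator = os.urandom(16)   # fresh random Request Authenticator per request
    attrs = (attr(1, user.encode())                                                   # User-Name
             + attr(2, encrypt_pap_password(password.encode(), secret, authenticator))  # User-Password
             + attr(4, socket.inet_aton(nas_ip))                                      # NAS-IP-Address
             + attr(6, struct.pack("!I", 1)))                                         # Service-Type Login
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    return pkt, authenticator

def build_access_accept(ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side reply, used here only to construct a sample Access-Accept offline."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def parse_response(pkt: bytes, request_auth: bytes, secret: bytes):
    """Check the Response Authenticator, then return (code, [cisco-avpair strings])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs_raw = pkt[20:length]
    if hashlib.md5(pkt[:4] + request_auth + attrs_raw + secret).digest() != pkt[4:20]:
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    avpairs, pos = [], 0
    while pos + 2 <= len(attrs_raw):
        t, ln = attrs_raw[pos], attrs_raw[pos + 1]
        if ln < 2:
            raise ValueError("malformed attribute length")
        val = attrs_raw[pos + 2:pos + ln]
        if t == 26 and len(val) >= 6 and struct.unpack("!I", val[:4])[0] == CISCO_VENDOR_ID:
            avpairs.append(val[6:4 + val[5]].decode(errors="replace"))   # skip vendor id + VSA header
        pos += ln
    return code, avpairs
```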

In the next part I'll show you how to configure different AD groups with different permissions on the Cisco device.
