
Configuring Juniper Steel Belted Radius to grant exec and or enable access to Cisco IOS device

Submitted by guvnor on Fri, 01/30/2009 - 11:31
  • cisco ios
  • juniper
  • radius
  • steel belted

Scenario

Quite often it is helpful to use a RADIUS server to grant administrative access on Cisco IOS devices to network administrators. For example, if you have several switches or routers and several network administrators, it is easier and more secure for each administrator to have their own login than for everyone to share and remember the enable password: a login can be revoked on its own when someone leaves, without re-keying every box. You can also configure your RADIUS server to grant administrative access to the Cisco IOS devices using Windows / Active Directory accounts if you like. And of course you can give certain logins read-only exec access and others full level 15 enable access.

For the purposes of this document we will set up two administrative accounts, one called roadmin and a second called wradmin. roadmin will be granted read-only exec permission for our junior network guy, and wradmin will be granted enable level 15 permission for the experienced network administrator. Both accounts will be native RADIUS accounts, not domain accounts.

Setup the Juniper Radius Accounts

First off let's create our users. We might as well start with the read-only account "roadmin".

From your Juniper administrator console choose Users
Choose the Native tab

[screenshot: steel belted radius console]

In the right hand pane right click and choose "Add"

[screenshot: steel belted radius console, add user]

Fill in the screen as below with the user name and password, and click OK.

[screenshot: steel belted radius console, add user]

Next create the wradmin account using the steps above. However, this time don't press OK: we need to add a Return List Attribute to tell the Cisco IOS device this user has enhanced privileges (level 15 enable).

Under the Add a Return List Attribute tab click Add.

Then from the list of available attributes select Cisco-AVPair (Cisco's vendor-specific attribute, vendor ID 9) and in the string field enter the following:

shell:priv-lvl=15

[screenshot: steel belted radius console, add user]

Once you have clicked OK the user is saved. You now have two accounts to authenticate admin access to your Cisco boxes with: roadmin, which returns no privilege attribute and so lands at the IOS default exec level 1, and wradmin, which returns shell:priv-lvl=15.

Set up the Cisco IOS device as a RADIUS client of the Juniper RADIUS server

From the main screen of your administrator console choose Radius Clients

[screenshot: steel belted radius console]

Choose Add

[screenshot: steel belted radius console]

Now fill in the details of your Cisco router or switch. Enter the IP address of the Cisco box - if it is a router make sure it is the address of the interface it will send RADIUS requests from (on IOS you can pin this with ip radius source-interface), because a RADIUS server silently discards requests from addresses it has no client entry for. The shared secret is a password known to both the Juniper RADIUS box and the Cisco box; it hides the user's password in transit and authenticates the server's replies, so pick a long random one rather than a dictionary word, and make a note of whatever you enter as you will be entering it later when you configure your Cisco device. Select Cisco IOS from the Make / Model drop down.

[screenshot: steel belted radius console, add radius client]
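To show what the shared secret from this step and the shell:priv-lvl=15 return-list attribute from the user setup actually do on the wire, here is an added example that is not part of the original post or of Juniper's software: a Python script that builds one RADIUS Access-Request and the server's reply by hand following RFC 2865, with the Cisco box (the NAS) on one side and a stand-in for the SBR native user database on the other. The user table, passwords, the NAS address 192.168.1.1 and the secret are constructed for the demo; a real NAS would send the request over UDP to port 1645 or 1812.

```python
"""
One RADIUS login exchange between a Cisco IOS device (the NAS) and the
RADIUS server, built by hand per RFC 2865.  Added example, not code from
the post or from Juniper: it shows what the shared secret does (hides
User-Password, authenticates the reply) and how the Cisco-AVPair
return-list attribute carrying "shell:priv-lvl=15" is encoded.  The user
table, passwords, NAS address and secret are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types, plus Cisco's vendor ID and
# the Cisco-AVPair sub-type inside Vendor-Specific (26).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

# Constructed stand-in for the SBR native user database:
# name -> (password, return-list attributes).  roadmin gets no attribute.
USERS = {
    "roadmin": ("ro-pass", []),
    "wradmin": ("rw-pass", ["shell:priv-lvl=15"]),
}

def avp(attr_type, value):
    """Type(1) Length(1) Value: the basic RADIUS attribute TLV."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def cisco_avpair(text):
    """Cisco-AVPair = Vendor-Specific(26) carrying vendor 9, sub-type 1."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def parse_attrs(data):
    """Split an attribute section into (type, value) pairs."""
    out, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2:                       # malformed; stop rather than loop
            break
        out.append((t, data[i + 2:i + length]))
        i += length
    return out

def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    pw = password.encode()
    padded = pw + b"\x00" * (-len(pw) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden

def unhide_password(hidden, secret, request_auth):
    """Reverse of hide_password; with the wrong secret this yields garbage."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain, prev = plain + bytes(a ^ b for a, b in zip(block, key)), block
    return plain.rstrip(b"\x00").decode(errors="replace")

def nas_access_request(username, password, secret, ident=1):
    """What the Cisco box sends after the Username:/Password: prompts."""
    req_auth = os.urandom(16)                # fresh random Request Authenticator
    body = b"".join([
        avp(USER_NAME, username.encode()),
        avp(USER_PASSWORD, hide_password(password, secret, req_auth)),
        avp(NAS_IP_ADDRESS, bytes([192, 168, 1, 1])),   # constructed NAS address
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + req_auth + body, req_auth

def server_respond(request, secret):
    """What the RADIUS server does: check the user, then sign the reply."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    username = attrs[USER_NAME].decode()
    password = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    entry = USERS.get(username)
    if entry and hmac.compare_digest(entry[0].encode(), password.encode()):
        code, body = ACCESS_ACCEPT, b"".join(cisco_avpair(a) for a in entry[1])
    else:
        code, body = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body

def nas_handle_reply(reply, req_auth, secret):
    """Return (status, privilege level).  A reply whose authenticator does not
    verify is treated as forged or mis-keyed and discarded."""
    header, resp_auth, body = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + req_auth + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return "bad-authenticator", None
    if header[0] != ACCESS_ACCEPT:
        return "reject", None
    priv = 1                                 # IOS default exec level when no priv-lvl comes back
    for t, v in parse_attrs(body):
        if t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            sub_type, sub_len = v[4], v[5]
            text = v[6:4 + sub_len].decode()
            if sub_type == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
                priv = int(text.split("=", 1)[1])
    return "accept", priv

def login(username, password, nas_secret, server_secret=None):
    """Drive one exchange; pass a different server_secret to see a mismatch."""
    request, req_auth = nas_access_request(username, password, nas_secret)
    reply = server_respond(request, server_secret or nas_secret)
    return nas_handle_reply(reply, req_auth, nas_secret)

if __name__ == "__main__":
    secret = b"mysharedsecret"
    for user, pw in (("roadmin", "ro-pass"), ("wradmin", "rw-pass"), ("wradmin", "wrong")):
        print(user, login(user, pw, secret))
    print("secret mismatch:", login("wradmin", "rw-pass", secret, b"other"))
```

Running it shows roadmin landing at level 1 (no attribute returned), wradmin at 15, a wrong password rejected, and a secret mismatch caught by the Response Authenticator check, which is why the secret has to match exactly on both sides. The MD5-based hiding and reply authentication in RFC 2865 are weak by modern standards (no Message-Authenticator is used here), so keep RADIUS traffic on a management network and use a long random secret.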

Set up the Cisco to query the Juniper Steel Belted Radius for authentication requests

NOTE: Do this on a test device that you can reboot easily first if possible, as you can lock yourself out if you make a mistake. Whichever device you do it on, keep a second session (ideally on the console) logged in until a fresh login has been confirmed to work, and don't save the configuration until then.

Connect to your cisco device

Create a local user as a fallback in case the RADIUS server is unavailable with this command (substitute localadmin and c1sc0 for a user name and password of your own). Use secret rather than password so IOS stores a hash of the password instead of the reversible type 7 encoding:

username localadmin privilege 15 secret c1sc0

Then this command tells the router we are going to use AAA (RADIUS in our case; TACACS+ is the other option) for authentication. As soon as it is entered the vty lines authenticate against the default AAA login list, so have the local user in place first.


aaa new-model

Set up a connection to the Juniper RADIUS server. Replace the IP address and ports with those of your own Juniper RADIUS server (1645/1646 are the old Cisco defaults; the IANA-assigned ports are 1812/1813, so use whichever your SBR is listening on) and replace the key with the secret you set earlier when you created the RADIUS client:


radius-server host 192.168.1.10 auth-port 1645 acct-port 1646
radius-server key mysharedsecret

Now add the lines which tell the Cisco to use the Juniper RADIUS for login authentication and for exec authorization; the authorization step is what reads shell:priv-lvl out of the Access-Accept and drops the user straight into the right privilege level. Three things to get right here. The default login list ends in local, so the localadmin user created above is consulted when no RADIUS server answers (IOS only moves on to the next method on an error such as a timeout; an Access-Reject is final, so the fallback never lets a bad password through). if-authenticated likewise lets exec authorization succeed for a user who was authenticated locally while RADIUS is down. And exec authorization is not applied to the console line unless you add aaa authorization console; without it a console login lands in user mode whatever RADIUS returned. Note that a named list such as aaa authentication login loginauth local has no effect until it is applied to a line with login authentication loginauth, so unless you want, for instance, the console to stay local-only, the default list is all you need.


aaa group server radius MYRADIUS
 server 192.168.1.10 auth-port 1645 acct-port 1646
!
aaa authentication login default group MYRADIUS local
aaa authorization exec default group MYRADIUS if-authenticated
aaa authorization console
!
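To make the AAA pitfalls in the steps above concrete, here is an added example (not from the post) that lints an IOS AAA configuration for them: the fallback method of the default login list, named lists that no line applies, the local user's privilege level and password type, and console authorization. The two configuration texts are constructed for the demo: the first carries the classic mistakes, the second is the corrected version from this section.

```python
"""
Lint an IOS AAA configuration for the fallback and lock-out pitfalls covered
in this section.  Added example, not from the post: the two config texts
below are constructed, the first with the classic mistakes and the second
the corrected version, so the checks run offline.
"""
import re

WEAK_AAA = """\
aaa new-model
username localadmin priv 15 password c1sc0
radius-server host 192.168.1.10 auth-port 1645 acct-port 1646
radius-server key mysharedsecret
aaa group server radius MYRADIUS
 server 192.168.1.10 auth-port 1645 acct-port 1646
!
aaa authentication login default group MYRADIUS enable
aaa authentication login loginauth local
aaa authorization exec default group MYRADIUS if-authenticated
!
"""

CORRECTED_AAA = """\
aaa new-model
username localadmin privilege 15 secret c1sc0
radius-server host 192.168.1.10 auth-port 1645 acct-port 1646
radius-server key mysharedsecret
aaa group server radius MYRADIUS
 server 192.168.1.10 auth-port 1645 acct-port 1646
!
aaa authentication login default group MYRADIUS local
aaa authorization exec default group MYRADIUS if-authenticated
aaa authorization console
!
"""

def parse_ios(config):
    """Split an IOS config into top-level commands and the sub-commands of
    each 'line ...' section (con 0, vty 0 4, ...)."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):              # sub-command of the current line section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        if raw.startswith("line "):
            current = raw[5:].strip()
            sections[current] = []
        else:
            current = None
            top.append(raw.strip())
    return top, sections

def lint_aaa(config):
    """Return a list of findings; an empty list means none of the known pitfalls."""
    top, sections = parse_ios(config)
    findings = []

    login_lists = {}                         # list name -> ordered methods
    for cmd in top:
        m = re.match(r"aaa authentication login (\S+) (.+)$", cmd)
        if m:
            login_lists[m.group(1)] = m.group(2).split()

    # 1. The default list must fall back to 'local', or the emergency local
    #    user is never consulted when no RADIUS server answers.
    default = login_lists.get("default", [])
    if "local" not in default:
        findings.append("default login list '%s' never falls back to local" % " ".join(default))

    # 2. A named list is dead configuration until a line applies it.
    applied = set()
    for cmds in sections.values():
        for cmd in cmds:
            m = re.match(r"login authentication (\S+)", cmd)
            if m:
                applied.add(m.group(1))
    for name in login_lists:
        if name != "default" and name not in applied:
            findings.append("login list '%s' is defined but applied to no line" % name)

    # 3. The emergency user needs privilege 15 and a hashed ('secret') password;
    #    'password' stores the reversible type 7 encoding.
    users = [cmd for cmd in top if cmd.startswith("username ")]
    if not any(re.search(r"\bpriv(ilege)? 15\b", u) for u in users):
        findings.append("no privilege-15 local user for RADIUS outages")
    for u in users:
        if re.search(r"\bpassword\b", u):
            findings.append("user %s stores a reversible 'password'; use 'secret'" % u.split()[1])

    # 4. Exec authorization (which applies shell:priv-lvl) skips the console
    #    line unless 'aaa authorization console' is present.
    if any(cmd.startswith("aaa authorization exec ") for cmd in top) \
            and "aaa authorization console" not in top:
        findings.append("exec authorization configured without 'aaa authorization console': "
                        "console logins will not get the RADIUS privilege level")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_AAA), ("corrected", CORRECTED_AAA)):
        print(label, lint_aaa(cfg) or "OK")
```

The weak configuration produces four findings and the corrected one none; paste your own running-config into lint_aaa before cutting the vty lines over to RADIUS.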

Now all that remains is to test:

telnet to your router (or ssh, if you have it set up; telnet sends these passwords in the clear)

login as roadmin - we should only get exec read-only access, shown by the > prompt


User Access Verification

Username: roadmin
Password:

mycisco>

log off and telnet again
this time log in as wradmin - we should get enable level 15 access, shown by the # prompt; show privilege should report "Current privilege level is 15"


User Access Verification

Username: wradmin
Password:

mycisco#

That's it. Please don't hesitate to e-mail me or comment if you think this needs improving or if you have any other comments or questions.


Any idea how to make the

Submitted by Anonymous on Thu, 09/03/2009 - 15:55.

Any idea how to make the privilege level work on the console port? I get straight into enable mode logging into vty, but through console, I have to use local enable login.


Return list attributes

Submitted by Anonymous on Fri, 08/21/2009 - 20:24.

I'm running IOS ver 12.1 on my MSFCs, and also needed one other attribute. I had to add "Service-Type=Login", then everything worked great. Thanks very much for a great article. Just what I needed!!


service type login

Submitted by Anonymous on Thu, 08/27/2009 - 14:21.

Ah cheers, I will keep an eye out for that.
