How to configure AAA for RADIUS authentication

Learn how to configure AAA for RADIUS authentication. A detailed example is provided along with a diagram that is easy to understand.


In this example, the RADIUS server is 192.168.10.1. We want to configure AAA on the router and switch so that remote access is authenticated through the RADIUS server, with the local database used as a fallback if the RADIUS server becomes unavailable. Accounting is also included in the configuration to log all commands issued by the logged-in user.

The configuration is as follows:

aaa new-model
!
! The group refers by name to the "radius server RADIUS" definition further down
aaa group server radius RADIUS
 server name RADIUS
!
! Try RADIUS first; fall back to the local database (or the enable password)
aaa authentication login default group RADIUS local
aaa authentication login VTY group RADIUS local
aaa authentication enable default group RADIUS enable
aaa authorization exec default group RADIUS local
aaa authorization exec VTY group RADIUS local
!
! Command accounting for every privilege level, 0 through 15
aaa accounting commands 0 default
 action-type stop-only
 group RADIUS
aaa accounting commands 1 default
 action-type stop-only
 group RADIUS
aaa accounting commands 2 default
 action-type stop-only
 group RADIUS
aaa accounting commands 3 default
 action-type stop-only
 group RADIUS
aaa accounting commands 4 default
 action-type stop-only
 group RADIUS
aaa accounting commands 5 default
 action-type stop-only
 group RADIUS
aaa accounting commands 6 default
 action-type stop-only
 group RADIUS
aaa accounting commands 7 default
 action-type stop-only
 group RADIUS
aaa accounting commands 8 default
 action-type stop-only
 group RADIUS
aaa accounting commands 9 default
 action-type stop-only
 group RADIUS
aaa accounting commands 10 default
 action-type stop-only
 group RADIUS
aaa accounting commands 11 default
 action-type stop-only
 group RADIUS
aaa accounting commands 12 default
 action-type stop-only
 group RADIUS
aaa accounting commands 13 default
 action-type stop-only
 group RADIUS
aaa accounting commands 14 default
 action-type stop-only
 group RADIUS
aaa accounting commands 15 default
 action-type stop-only
 group RADIUS
!
radius server RADIUS
 address ipv4 192.168.10.1
 key examplekey
!
ip radius source-interface Loopback0
!
! Apply the VTY method lists to all remote-access lines
line vty 0 15
 authorization exec VTY
 login authentication VTY

 

Afterwards, you will have to configure the RADIUS server with your devices' IP addresses as AAA clients. Here we used Loopback0 as the source interface for RADIUS packets, so you would enter the IP address of Loopback0. You can use any routable interface instead of a loopback if you want, though loopbacks are preferable because they’re always up.
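
To check a configuration like the one above before relying on it, the following added example (not part of the original article) audits IOS AAA text for the properties this setup depends on: a local fallback on each login and exec method list, VTY lines that reference defined lists, and command accounting for all sixteen privilege levels. The `audit` function and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: an abridged copy of the configuration above with two
# deliberate mistakes (no "local" on the VTY login list, no level-15 accounting).
SAMPLE = (
    "aaa new-model\n"
    "aaa group server radius RADIUS\n"
    "aaa authentication login default group RADIUS local\n"
    "aaa authentication login VTY group RADIUS\n"
    "aaa authorization exec VTY group RADIUS local\n"
    + "".join(f"aaa accounting commands {n} default\n action-type stop-only\n"
              " group RADIUS\n" for n in range(15))
    + "line vty 0 15\n authorization exec VTY\n login authentication VTY\n"
)

def audit(config):
    """Return a list of findings for an IOS AAA configuration (text)."""
    findings = []
    if not re.search(r"^aaa new-model$", config, re.M):
        findings.append("aaa new-model is missing")
    # Built-in groups plus any named RADIUS server groups defined in the config.
    groups = {"radius", "tacacs+"} | set(
        re.findall(r"^aaa group server radius (\S+)", config, re.M))
    # Method lists, e.g. ("authentication login", "VTY") -> ["group", "RADIUS", "local"]
    lists = {(m[1], m[2]): m[3].split() for m in re.finditer(
        r"^aaa (authentication login|authorization exec) (\S+) (.+)$", config, re.M)}
    for (kind, name), methods in lists.items():
        for i, word in enumerate(methods[:-1]):
            if word == "group" and methods[i + 1] not in groups:
                findings.append(f"{kind} {name}: undefined group {methods[i + 1]}")
        if "local" not in methods:
            findings.append(f"{kind} {name}: no local fallback")
    # Indented line sub-commands must name a method list that exists.
    for kind, name in re.findall(
            r"^ (login authentication|authorization exec) (\S+)", config, re.M):
        kind = "authentication login" if kind.startswith("login") else kind
        if (kind, name) not in lists:
            findings.append(f"line uses undefined {kind} list {name}")
    levels = {int(n) for n in re.findall(
        r"^aaa accounting commands (\d+) ", config, re.M)}
    missing = sorted(set(range(16)) - levels)
    if missing:
        findings.append(f"no command accounting for privilege levels {missing}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
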

For any questions or further explanation, please feel free to leave a comment below or ask me in the forum.
