Comments on: Authenticating to Cisco IOS via Active Directory

By: Eric

Eric — Wed, 30 Dec 2009 15:41:19 +0000

If you are using the Enterprise or Data Center versions of IAS, you can use network masks when setting up the Client configs. Way better than adding thousands of individual entries!

More info here: http://www.pskl.us/wp/?p=312

By: skribbla

skribbla — Wed, 21 Oct 2009 10:18:53 +0000

umm arent u supposed to then apply the authentication list to a line (console/tty/vty). like go into line config mode and apply the auth list to a line or set of lnes?? because it seems we created the auth method but ddnt apply it anywhere…… or i could be wrong

By: Russell

Russell — Wed, 16 Jul 2008 20:10:40 +0000

Thanks Scott and Keith,

With the help you guys gave here I was able to get all of our equipment using AD for primary authentication.

This really helped when an employee found out he was being fired and tried to kill all the Cisco devices. We had lowered his privilege via AD while he was in with HR and saved ourselves who know how much. I couldn’t have ever connected to all the switches and routers fast enough to guarantee their security without this little gem.

THANKS A TON!!

–Russell

By: Keith

Keith — Tue, 13 May 2008 01:52:05 +0000

Yes it is possible to authenticate directly to a privileged level via IAS (or NAP if using Windows 2k8).

In your IAS/NAP Network Policy you need to add the vendor specific RADIUS attribute Cisco-AV-Pair. The syntax should be “shell:priv-lvl=15″. You can also change 15 to any other level from 1 - 15.

Second you need to add the following command to the swithch/router.

aaa authorization exec default group radius local

By: slowe

slowe — Fri, 02 Nov 2007 00:35:14 +0000

Will,

It probably can be done, but I don’t know how. Sorry!

By: will

will — Tue, 30 Oct 2007 14:15:41 +0000

Scott,

I was readin about your authorizing to a switch using a RADIUS server. my question is this: is there a way to authenticate to the switch directly to exec privilege using the radius server without being challenged by the switch for a local password?

thanks,
Will

By: slowe

slowe — Wed, 04 Jul 2007 11:15:16 +0000

Good question! This approach provides only plain jane authentication–no command tracking or auditing.

By: Charles

Charles — Wed, 04 Jul 2007 03:31:17 +0000

Would this method also give the command tracking and auditing that TACACS would give you? Or just plain Jane authentication.