In a real-world network, securing access to network devices is of paramount importance. This measure helps safeguard the devices from vulnerabilities by permitting only authenticated users to connect and configure network devices, whether through remote connections like Telnet or SSH, or through on-site connections like console connections.
One approach to enhancing access security is to configure security on the device's local database, where usernames and passwords are authenticated internally within the device. Alternatively, using an AAA server offers a more robust solution. AAA, which stands for Authentication, Authorization, and Accounting, can employ either the Radius or the TACACS+ authentication protocol. With these protocols, a dedicated server stores the authorized users and passwords for network device access. When a PC requests access to a network device (either a router or a switch), it must provide a username and password, which are then authenticated on the server using the Radius authentication protocol.
The process of securing access to a network is divided into three components: Authentication, Authorization, and Accounting. Authentication involves verifying the identity of the PC attempting to connect by requesting a username and password. Authorization dictates the actions permitted for authenticated users on the network devices. Accounting encompasses the tracking and logging of user activities for auditing and billing purposes.
In this blog post, I will guide you through the process of configuring a Radius Server using a sample network topology.
Network Topology
The network topology depicted in the image below comprises a router, a Radius server, a switch, and two PCs. Our objective in this demonstration is to enable Radius AAA services on the Radius Server, configure access authentication between the router and the Radius server, and create users for both PC1 and PC2 on the Radius server. PC1 will utilize a console connection to access Router1, while PC2 will use Telnet.
How to Configure Radius Server in Cisco Packet Tracer
Here are the steps to configure Radius Server using the sample network topology above:
Step 1: Enable Radius AAA Services on the Radius Server
Access the configuration interface of the Radius server by going to Services > AAA, then enable the AAA service and select Radius as the authentication protocol. Then set up the necessary parameters, such as the Radius port and the secret key.
The IP address entered here is that of the router whose access is being secured; the server only answers requests from clients configured this way. The secret key serves as a passphrase shared by the router and the server to authenticate the communication between them. Additionally, the Radius port specifies the UDP port number on which RADIUS authentication requests and responses are exchanged.
Step 2: Create Users on the Radius Server
Now it is time to create the users who will be able to log in to the router with their credentials. Because the network topology has two PCs (PC1 and PC2) that will connect to the router, we create two users. PC1 will connect to the router over a console connection, while PC2 will connect using Telnet.
Step 3: Configure the interfaces of the router
Assign an IP address to the router interface, as labelled in the network topology:
R1(config)#interface gigabitEthernet0/1
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
Step 4: Configure Local Authentication on the Router
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#username admin privilege 15 password cisco
R1(config)#enable secret cisco
The configuration above is for local authentication on the router. Here is a breakdown of each command:
aaa new-model: This command enables AAA (Authentication, Authorization, and Accounting) services on the router.
aaa authentication login default local: This command specifies that, for login authentication, the router should use the local username database.
username admin privilege 15 password cisco: This command creates a local username called “admin” with privilege level 15 (the highest privilege level, equivalent to “enable” mode) and assigns the password “cisco” to this username. This username/password pair is used for authentication when the aaa authentication login default command is configured to use local authentication.
enable secret cisco: This command sets the enable secret password to “cisco”. This password protects privileged mode access (enable mode). When users try to enter enable mode, they are prompted for this password.
Step 5: Enable RADIUS-based authentication on the router
R1(config)#aaa authentication login RADIUS group radius
R1(config)#radius-server host 192.168.12.254 auth-port 1645 key 123456
aaa authentication login RADIUS group radius: This command creates a login authentication method list named RADIUS that uses a RADIUS server for authentication. It instructs the router to forward authentication requests to the RADIUS server specified in the next command.
radius-server host 192.168.12.254 auth-port 1645 key 123456: This command configures the RADIUS server parameters. It specifies the IP address of the RADIUS server (192.168.12.254), the authentication port used by the RADIUS server (1645), and the shared secret key used for communication between the router and the RADIUS server (123456).
Together, these commands configure the router to authenticate users against a RADIUS server for login authentication. When a user attempts to log in, the router forwards the authentication request to the specified RADIUS server, and the RADIUS server authenticates the user based on the credentials provided.
Step 6: Apply authentication settings to console & VTY lines
R1(config)#line console 0
R1(config-line)#login authentication default
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#login authentication RADIUS
R1(config-line)#exit
Here is a brief explanation of each of the above commands:
line console 0: This command enters configuration mode for the console line.
login authentication default: This command specifies that authentication for the console line should use the default method list configured earlier, which is local authentication.
line vty 0 4: This command enters configuration mode for the VTY lines (Telnet or SSH connections).
login authentication RADIUS: This command specifies that authentication for the VTY lines should use the RADIUS method list configured earlier.
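To make the pieces of Steps 1, 5 and 6 concrete, here is an added example (not Cisco IOS, Packet Tracer or Cisco code) that walks through one RADIUS login in Python: the router builds an Access-Request with the User-Password hidden under the shared secret as RFC 2865 describes, the server checks the request came from a registered client, recovers the password, answers Access-Accept or Access-Reject with a Response Authenticator, and the router verifies that reply. A small router_login function then applies the method-list selection from Step 6, so the console line checks the local database and the VTY lines ask RADIUS. The user database, the local admin account, the secret 123456 and the router address 192.168.12.1 are taken from this post; the in-memory call that replaces UDP port 1645 and the function names are assumptions of this example.

```python
"""Toy RADIUS PAP exchange (RFC 2865) mirroring this post's router/server setup.
Added example, not Cisco IOS or Packet Tracer code; transport is an in-memory call."""
import hashlib
import hmac
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3      # RADIUS packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4   # attribute types

USERS = {"user1": "cisco", "user2": "cisco"}   # constructed: the two users from Step 2
LOCAL_USERS = {"admin": "cisco"}               # Step 4: username admin ... password cisco
SHARED_SECRET = b"123456"                      # Step 5: key 123456
ROUTER_IP = "192.168.12.1"                     # Step 3: the router's interface address
LINE_METHOD = {"console": "default", "vty": "RADIUS"}  # Step 6: login authentication ...


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:                                  # malformed attribute: stop parsing
            break
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(username, password, secret, nas_ip, ident=1) -> bytes:
    """Router side: the packet sent after a user types a name and password on a VTY line."""
    req_auth = secrets.token_bytes(16)                # fresh random Request Authenticator
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attr(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def handle_access_request(packet, src_ip, secret, users, clients):
    """Server side. Returns None when the source IP is not a registered client
    (real servers silently discard such requests; this is why Step 1 records the router IP)."""
    if src_ip not in clients:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = user in users and hmac.compare_digest(users[user].encode(), pw)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + req_auth + secret).digest()


def verify_response(response, request, secret) -> str:
    """Router side: accept the reply only if it was produced with the same shared secret."""
    head, resp_auth = response[:4], response[4:20]
    expected = hashlib.md5(head + request[4:20] + response[20:] + secret).digest()
    if head[1] != request[1] or not hmac.compare_digest(expected, resp_auth):
        return "invalid-response"                     # wrong secret or forged reply: discard
    return "accept" if head[0] == ACCESS_ACCEPT else "reject"


def radius_login(username, password, client_secret=SHARED_SECRET, users=USERS,
                 server_secret=None, nas_ip=ROUTER_IP, clients=frozenset({ROUTER_IP})):
    """Full exchange: router builds the request, server answers, router verifies the reply."""
    request = build_access_request(username, password, client_secret, nas_ip)
    reply = handle_access_request(request, nas_ip, server_secret or client_secret, users, clients)
    return "no-response" if reply is None else verify_response(reply, request, client_secret)


def router_login(line, username, password) -> str:
    """Step 6's method lists: console -> default (local database), vty -> RADIUS."""
    if LINE_METHOD[line] == "default":
        ok = username in LOCAL_USERS and hmac.compare_digest(
            LOCAL_USERS[username].encode(), password.encode())
    else:
        ok = radius_login(username, password) == "accept"
    return "ok" if ok else "% Login invalid"


if __name__ == "__main__":
    for line, user in (("console", "admin"), ("console", "user1"), ("vty", "admin"), ("vty", "user1")):
        print(f"{line:8} {user:6} cisco -> {router_login(line, user, 'cisco')}")
```

Running it reproduces the test matrix later in this post: admin succeeds only on the console, user1 only over Telnet. Two details are worth noting for operations. A secret mismatch between router and server does not produce a clean reject; the server decodes garbage and rejects, and the router then discards the reply because the Response Authenticator does not verify, which looks like a server that never answered. And the User-Password hiding is an MD5 keystream, not encryption, so the shared secret and the path between router and server deserve the same protection as the credentials themselves.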
Step 7: Testing the Configuration
Now, let’s test the configuration by attempting to access the router (R1) from two different PCs.
On PC1:
Connect to R1 over the console. You will be asked for a username and password before you can access the router.
Console to R1
User Access Verification
Username: admin
Password: cisco
R1>enable
Password: cisco
R1#
User Access Verification
Username: user1
Password: cisco
% Login invalid
Username: user2
Password: cisco
% Login invalid
On PC2:
When you telnet to the router, you will be asked for a username and password before you can access the router's configuration terminal.
C:\>telnet 192.168.12.1
Trying 192.168.12.1 ...Open
User Access Verification
Username: admin
Password: cisco
% Login invalid
Username: user1
Password: cisco
R1>enable
Password: cisco
R1#
Username: user2
Password: cisco
R1>enable
Password: cisco
R1#
I am a passionate Networking Associate specializing in Telecommunications.
With a degree in Electronic engineering, I possess a strong understanding of electronic systems and the intricacies of telecommunications networks. I gained practical experience and valuable insights working for a prominent telecommunications company.
Additionally, I hold certifications in networking, which have solidified my expertise in network architecture, protocols, and optimization.
Through my writing skills, I aim to provide accurate and valuable knowledge in the networking field.