Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
If a TACACS+ server had been used in this example instead of the RADIUS server, then
system accounting would also have been specified. Command-level accounting
could have been applied as well, but would probably not be needed here.
This section provides only one example of a possible network access server
configuration. Dealing with dial-in users is far too complex a subject to be dealt with
in depth in this document. Please see Cisco's "Dial Solutions Configuration Guide"
for more details.
4.6.4. Security Server Protocols
In Cisco routers and network access servers, AAA is the mechanism used to establish
communications with security servers. The security servers Cisco supports are
RADIUS, TACACS+, and Kerberos. Security servers are important to Cisco
network gear when centralized administration is required or when authorization and
accounting services are needed.
RADIUS
Remote Authentication Dial In User Service (RADIUS) is an IETF proposed
standard (RFC 2865) for securing network components against unauthorized access.
RADIUS is a distributed client/server architecture used to pass security
information between access points and a centralized server. RADIUS protects the
communications using a shared secret. RADIUS can be used to provide
authentication, authorization, and accounting services. RADIUS was designed with
dial-in access control in mind, and its accounting features are very flexible along
these lines. However, Cisco's RADIUS client does not support auditing of command
or system events on the router or network access server.
At a minimum, when setting up a RADIUS server on a Cisco device, the host address
and shared secret must be configured, and AAA must be turned on and configured on
the device. This is accomplished using the commands listed:
§ radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] specifies the
RADIUS server's hostname or IP address and the ports to use for
authentication (authorization) and accounting.
§ radius-server key string sets the RADIUS server shared
encryption key. The shared secret key should be at least 16 characters
long and follow the other rules for a good password as described in
Section 4.1.4.
For a complete list of RADIUS router configuration commands, see the "RADIUS
Commands" section in the "Security Command Reference". A simple example for
Central:
Central(config)# radius-server host 14.2.6.18
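As an added example, separate from the guide's own Central configuration above: a minimal IOS RADIUS client configuration showing a weak shared secret beside a hardened one. The server address 14.2.6.18 comes from the guide; the `aaa new-model`, method-list and `service password-encryption` commands, the explicit port numbers, and the secret value are assumptions chosen for illustration.

```cisco
! Added example (not the guide's own "Central" configuration): minimal
! RADIUS client setup on a Cisco IOS router. The server address is the one
! used in the guide; the secret and port numbers are assumed values.
!
! Weak form, shown only to be avoided: a short, guessable secret that
! violates the 16-character minimum and the Section 4.1.4 password rules.
!   radius-server key cisco
!
! Hardened form:
aaa new-model
! RADIUS server, with the authentication and accounting ports stated
! explicitly (1812/1813 are the IANA-assigned RADIUS ports).
radius-server host 14.2.6.18 auth-port 1812 acct-port 1813
! Shared secret: 20 characters, mixed character classes, constructed for
! this example only; replace it with your own generated value.
radius-server key Rq7!vXk2#pLm9$tWz4Ba
! Use RADIUS for login and exec authorization, falling back to the local
! database (assumes a local user account already exists) so the router
! stays manageable if the RADIUS server is unreachable.
aaa authentication login default group radius local
aaa authorization exec default group radius local
! Session-level (exec) accounting. Command-level accounting is not
! available through the Cisco RADIUS client, as the text above notes.
aaa accounting exec default start-stop group radius
! Obscure the shared secret in "show running-config" output. This is
! reversible type 7 encoding, so still restrict who can view the config.
service password-encryption
```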