I'll try to keep this short and sweet. It took me a bit to find the exact commands I used. The configuration below has been validated to work on Cisco routers, switches, and voice gateways.
Part 1. RADIUS Server ConfigurationAssuming you already have a Network Policy Server installed on a DC somewhere...
RADIUS Clients and Servers > RADIUS Clients > Right Click > New RADIUS Client
- Add Friendly Name
- Vendor = Cisco
- Shared Secret
- Enter a key (same as used on the cisco device)
- Policy Name (I just called this the same as the client friendly name)
- Windows Groups: AD Group with network administrator accounts
- Client Friendly Name: same as friendly from "RADIUS Clients" (prevents policies from inadvertently being applied to the wrong devices. Optional precaution)
- Authentication Methods > Check "Unencrypted authentication"
- "Configure Settings"
- RADIUS Attributes
- Standard > Remove Framed-Protocol PPP
- Vendor Specific > Add (allows user to launch in to enable mode by default)
- Vendor = Cisco
- Attribute Name = Cisco-AV-Pair
- Value = shell:priv-lvl=15
Part 2: SSH to Cisco Switch/RouterYou'll need...
- VLAN/IP that authentication will originate from
- IP of your RADIUS Server
- RADIUS Secret used in part 1.
aaa authentication login default group radius local
aaa authorization exec default group radius local
ip radius source-interface <<VLAN/IP>> Interface (e.g. Vlan1 or GigabitEthernet0/0)
radius-server host <<IP of RADIUS Server>> auth-port 1645 acct-port 1646
radius-server key <<RADIUS SECRET>>
Part 3: Testing
- Ensure your admin account can log in
- Ensure that other accounts cannot log in. Especially if you have other RADIUS auth policies like we did.
- Validate that your local account no longer works by default.
- "Disable" your RADIUS client. Validate that your local account works as a fail safe.