Practical 3
RADIUS –
Remote Access Dial In User Service (RADIUS) is an open standard protocol used for communication
between an AAA client and an ACS server from any vendor. If either the client or the server is from a
vendor other than Cisco, RADIUS has to be used. It uses port number 1812 for authentication and
authorization and 1813 for accounting.
TACACS+: It provides more granular control, i.e. the particular command can be specified for
authorization.
RADIUS: No external authorization of commands is supported.
ISMAIL H P Page 1
SIC JOURNAL TYIT
Similarities –
The process is started by the Network Access Device (NAD, the client of TACACS+ or RADIUS). The NAD
contacts the TACACS+ or RADIUS server and transmits the authentication request (username and
password) to the server. First, the NAD obtains the username prompt and transmits the username to the
server; then the NAD contacts the server again to obtain the password prompt, and the password is sent
to the server.
The server replies with an access-accept message if the credentials are valid; otherwise it sends an
access-reject message to the client. Authorisation and accounting differ between the two protocols,
as authentication and authorisation are combined in RADIUS.
Configuring PC0
Configuring PC1
Configuring Router0
While configuring the TACACS/RADIUS server, the Client IP address must be the Router IP.
Router>enable
Router#configure terminal
Router(config)#aaa new-model
Router(config)#tacacs-server host 192.168.2.3 key cisco
Router(config)#radius-server host 192.168.2.2 key cisco
Router(config)#aaa authentication login ismail group tacacs+ group radius local
Router(config)#line vty 0 4
Router(config-line)#login authentication ismail
Router(config-line)#exit
Router(config)#
Authentication can be tested by typing the command telnet 192.168.2.1 (the Router IP) on any of the
PCs.
We get a prompt for the username and password; the username and password set on the TACACS server
are entered:
Username: smile
Password: smile
We get the following
In order to authenticate against the RADIUS server we need to turn OFF the TACACS service.
We again enter the command telnet 192.168.2.1 (the Router IP) and enter the username and password
of the RADIUS server (Username: smile, Password: cisco).
We get the following
The local login can also be verified by turning OFF both the TACACS and RADIUS services. The username
and password are both cisco (by default).
Hence authentication through both TACACS and RADIUS is verified.
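The router configuration in this practical relies on a method list that falls back from tacacs+ to radius to local. The following is an added example, not part of the journal: a small Python audit script (the name audit_aaa and the SAMPLE_CONFIG text are constructed for this example) that reads IOS-style AAA lines and reports the mistakes that cause lockouts or weak deployments: a missing "aaa new-model", a vty line referencing an undefined method list, a method that names a server type with no server configured, no "local" fallback, and a guessable shared key such as "cisco".

```python
import re

# Constructed sample: the router configuration entered in this practical.
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 192.168.2.3 key cisco
radius-server host 192.168.2.2 key cisco
aaa authentication login ismail group tacacs+ group radius local
line vty 0 4
 login authentication ismail
"""

# Shared keys that are well known defaults or lab values (constructed list).
WEAK_KEYS = {"cisco", "radius", "tacacs", "secret", "password"}


def audit_aaa(config: str) -> list:
    """Return a list of human-readable findings for an IOS-style AAA config."""
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]

    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: login method lists are not applied")

    has_tacacs = any(l.startswith("tacacs-server host") for l in lines)
    has_radius = any(l.startswith("radius-server host") for l in lines)

    # Defined login method lists: name -> tokens such as ["group", "tacacs+", "local"]
    method_lists = {}
    for l in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", l)
        if m:
            method_lists[m.group(1)] = m.group(2).split()

    # Every "login authentication X" on a line must reference a defined list.
    for l in lines:
        m = re.match(r"login authentication (\S+)", l)
        if m and m.group(1) not in method_lists:
            findings.append(f"line references undefined method list '{m.group(1)}'")

    for name, methods in method_lists.items():
        if "tacacs+" in methods and not has_tacacs:
            findings.append(f"method list '{name}' uses tacacs+ but no tacacs-server host is set")
        if "radius" in methods and not has_radius:
            findings.append(f"method list '{name}' uses radius but no radius-server host is set")
        if "local" not in methods:
            findings.append(f"method list '{name}' has no local fallback: lockout if servers are down")

    # Shared keys visible in the config: flag the guessable ones.
    for l in lines:
        m = re.match(r"(tacacs|radius)-server host (\S+) key (\S+)", l)
        if m and m.group(3).lower() in WEAK_KEYS:
            findings.append(f"{m.group(1)}-server {m.group(2)} uses weak shared key '{m.group(3)}'")
    return findings
```

Running audit_aaa(SAMPLE_CONFIG) flags only the two "cisco" shared keys; removing "local" from the method list adds the lockout finding.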