https://community.cisco.com/t5/network-access-control/ssh-radius-authentication/m-p/2423454#M88149 <HTML><HEAD></HEAD><BODY><P>@<SPAN style="font-size: 10pt;">Gurpreet Puri</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">That's true, but I think Simon does not have an ISE neither. </SPAN></P><P></P><P><SPAN style="font-size: 10pt;"><STRONG>Simon, </STRONG>are you using NPS, IAS or any other vendor?</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">If so, we would need to check the vendor's documentation to see how to send the privilege level 15 to the SW.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">You can check this one: </SPAN></P><H2 style="background-color: #fcfcfc; vertical-align: baseline; clear: both; color: #3366bb; font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 1.3em; font-size: 16px;"><SPAN style="font-size: 10pt; font-family: arial, helvetica, sans-serif;"><A href="http://technologyordie.com/cisco-privilege-level-access-with-radius-and-nps-server" rel="nofollow">Cisco Privilege Level Access with Radius and NPS Server</A></SPAN></H2><P></P><P>Also:</P><P></P><P><A href="http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/"><STRONG>How-to : Integrating Cisco devices CLI access with Microsoft NPS/RADIUS</STRONG><BR /></A></P><P></P><P></P><P>HTH.</P></BODY></HTML> Wed, 12 Feb 2014 15:50:35 GMT Javier Portuguez 2014-02-12T15:50:35Z https://community.cisco.com/t5/network-access-control/ssh-radius-authentication/m-p/2423450#M88145 <P>Hi all,</P><P></P><P>I need some advice on the authentication of my switches.</P><P></P><P>I have a network set up where every switch uses telnet only for the transport input method. I need this to change to SSHv2 only.</P><P>I also have a RADIUS server backing off to Active Directory that I can use for AAA authentication against users of the switches.</P><P>Once I use SSH to login, I am in User EXEC mode. I would like to use RADIUS authentication to authenticate users to enter Privileged EXEC mode.</P><P>Is this possible to do?</P><P></P><P>I have been working on this for a while, now I have got to the point where I have to give in and ask for help.</P><P></P><P>Thank you.</P> Mon, 11 Mar 2019 04:23:00 GMT https://community.cisco.com/t5/network-access-control/ssh-radius-authentication/m-p/2423450#M88145 SHEXER-401 2019-03-11T04:23:00Z https://community.cisco.com/t5/network-access-control/ssh-radius-authentication/m-p/2423451#M88146 <HTML><HEAD></HEAD><BODY><P>Hi Simon,</P><P></P><P>Are you using AAA authentication with ACS?</P></BODY></HTML> Tue, 11 Feb 2014 20:34:20 GMT https://community.cisco.com/t5/network-access-control/ssh-radius-authentication/m-p/2423451#M88146 Javier Portuguez 2014-02-11T20:34:20Z https://community.cisco.com/t5/network-access-control/ssh-radius-authentication/m-p/2423452#M88147 <HTML><HEAD></HEAD><BODY><P>Hi Javier!</P><P></P><P>No unfortunately I don't have ACS at my disposal; I have only a RADUIS server. I currently have some Wireless LAN Controllers authenticating clients on RADIUS and I was told that it can authenticate users going into Privileged EXEC (Enable) on a switch too. I have tired configuring this many times however I can't seem to get it to work.</P></BODY></HTML> Wed, 12 Feb 2014 10:14:54 GMT https://community.cisco.com/t5/network-access-control/ssh-radius-authentication/m-p/2423452#M88147 SHEXER-401 2014-02-12T10:14:54Z https://community.cisco.com/t5/network-access-control/ssh-radius-authentication/m-p/2423453#M88148 <HTML><HEAD></HEAD><BODY><P>Hi Simon,</P><P></P><P>ACS use TACACS+ for authentication but we have ISE now, which doesn't support TACACS+ instead it use RADIUS to authenticate switches/users.</P><P></P><P>You can integrate your AD with ISE and then with the proper configuration on switches and ISE, we can restrict user to go to Enable mode.</P><P></P><P></P><P></P><P></P><P>Regards, <BR />Gurpreet S Puri <BR /> <BR />**************************** <BR />Keep Smiling, Peace <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> <BR />**************************** <BR /> <BR />(Please Rate Helpful Post)</P></BODY></HTML> Wed, 12 Feb 2014 11:02:53 GMT https://community.cisco.com/t5/network-access-control/ssh-radius-authentication/m-p/2423453#M88148 Gurpreet Puri 2014-02-12T11:02:53Z https://community.cisco.com/t5/network-access-control/ssh-radius-authentication/m-p/2423454#M88149 <HTML><HEAD></HEAD><BODY><P>@<SPAN style="font-size: 10pt;">Gurpreet Puri</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">That's true, but I think Simon does not have an ISE neither. </SPAN></P><P></P><P><SPAN style="font-size: 10pt;"><STRONG>Simon, </STRONG>are you using NPS, IAS or any other vendor?</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">If so, we would need to check the vendor's documentation to see how to send the privilege level 15 to the SW.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">You can check this one: </SPAN></P><H2 style="background-color: #fcfcfc; vertical-align: baseline; clear: both; color: #3366bb; font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 1.3em; font-size: 16px;"><SPAN style="font-size: 10pt; font-family: arial, helvetica, sans-serif;"><A href="http://technologyordie.com/cisco-privilege-level-access-with-radius-and-nps-server" rel="nofollow">Cisco Privilege Level Access with Radius and NPS Server</A></SPAN></H2><P></P><P>Also:</P><P></P><P><A href="http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/"><STRONG>How-to : Integrating Cisco devices CLI access with Microsoft NPS/RADIUS</STRONG><BR /></A></P><P></P><P></P><P>HTH.</P></BODY></HTML> Wed, 12 Feb 2014 15:50:35 GMT https://community.cisco.com/t5/network-access-control/ssh-radius-authentication/m-p/2423454#M88149 Javier Portuguez 2014-02-12T15:50:35Z https://community.cisco.com/t5/network-access-control/ssh-radius-authentication/m-p/2423455#M88150 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>Thanks for your feedback. I have Cisco ISE being deployed within the next couple of months so hopefully that will help to solve this problem. I'll wait until then to start configuring it.</P><P></P><P>Thank you for your replies, this has been very helpful.</P><P>Simon</P></BODY></HTML> Fri, 14 Feb 2014 13:22:58 GMT https://community.cisco.com/t5/network-access-control/ssh-radius-authentication/m-p/2423455#M88150 SHEXER-401 2014-02-14T13:22:58Z https://community.cisco.com/t5/network-access-control/ssh-radius-authentication/m-p/2423456#M88151 <HTML><HEAD></HEAD><BODY><P>You welcome. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Please rate any helpful posts. </P></BODY></HTML> Fri, 14 Feb 2014 15:24:57 GMT https://community.cisco.com/t5/network-access-control/ssh-radius-authentication/m-p/2423456#M88151 Javier Portuguez 2014-02-14T15:24:57Z https://community.cisco.com/t5/network-access-control/ssh-radius-authentication/m-p/2423457#M88152 <HTML><HEAD></HEAD><BODY><P>From security perspective, I would still recommend applying an ACL to the VTY lines to prevent DoS on the network device. You can go beyond that and apply control plane policing.</P><P></P><P>1. The VTY access-list needs to add to all VTY lines (e.g. 0 ~ 15 on a Cisco 3K) to be effective.</P><P></P><P>2. On a 3560X running IOS 15.0(1)SE3, I added the following line before the SSH client IP address showing up as calling-station-id in RADIUS access requests:</P><P></P><P>radius-server attribute 31 send nas-port-detail</P></BODY></HTML> Thu, 20 Feb 2014 12:07:28 GMT https://community.cisco.com/t5/network-access-control/ssh-radius-authentication/m-p/2423457#M88152 blenka 2014-02-20T12:07:28Z