Cisco switch administration through radius using ISE

donnie
Level 1

Hi all,

 

To facilitate switch administration using ISE as the RADIUS server, I have configured my ISE (v2.4) with the policy set below.

1) Condition - Radius: Service-Type Equals NAS Prompt

2) Allowed protocols: PAP

3) Also configured the necessary authentication and authorization policies.

 

The above works for administration of my Cisco WLC but does not work for my Cisco switches.

When I check my ISE logs to verify my admin access to the switches via SSH, I notice my attempts to access the switches do not hit the ISE policy set I created; instead they go to the last, default policy set. The endpoint shown in the ISE log also reflects the IP address of my client PC attempting SSH to the switch.

 

I have also added the following to my Cisco switches, but it fails to work.

1)aaa authentication login default group ISEGRP local

2)aaa authorization exec default group ISEGRP local if-authenticated

 

"ISEGRP" is defined correctly, as my 802.1x config on the switch works for user PC connections against ISE.

Please advise. TIA!

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP

Hi @donnie 

 

AireOS and IOS send different RADIUS attributes during a device authentication; see below what I have configured in ISE:

 

[image: comm03.PNG, ISE policy-set conditions for WLC and IOS device administration]

 

For IOS you then return the Cisco AV pair to assign privilege level 0-15: cisco-avpair = "shell:priv-lvl=15", etc.

 

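As an added example, not part of this thread, here is a small Python decoder for the two RADIUS attributes the answer turns on: the Service-Type in the Access-Request (the value the policy-set condition matches, which AireOS and IOS send differently) and the Cisco Vendor-Specific cisco-avpair in the Access-Accept carrying shell:priv-lvl. The sample attribute bodies are constructed, and the priv-lvl check rejects anything outside 0-15 instead of trusting the string blindly.

```python
import struct

SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26          # RFC 2865 attribute numbers
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1           # Vendor-Id 9 = Cisco; VSA sub-type 1 = cisco-avpair
SERVICE_TYPE_NAMES = {1: "Login", 6: "Administrative", 7: "NAS-Prompt"}

def parse_tlvs(payload: bytes) -> list:
    """Walk type/length/value triples (RADIUS attributes or VSA sub-attributes); reject malformed ones."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("truncated or malformed attribute at offset %d" % i)
        out.append((payload[i], payload[i + 2:i + payload[i + 1]]))
        i += payload[i + 1]
    return out

def service_type(attrs):
    """Name of the Service-Type the NAS sent: the value an ISE policy-set condition matches on."""
    for atype, value in attrs:
        if atype == SERVICE_TYPE and len(value) == 4:
            code = struct.unpack("!I", value)[0]
            return SERVICE_TYPE_NAMES.get(code, str(code))
    return None

def cisco_avpairs(attrs) -> list:
    """cisco-avpair strings from Vendor-Specific attributes whose Vendor-Id is 9 (Cisco)."""
    pairs = []
    for atype, value in attrs:
        if atype == VENDOR_SPECIFIC and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            pairs += [v.decode("ascii", "replace") for t, v in parse_tlvs(value[4:]) if t == CISCO_AVPAIR]
    return pairs

def priv_level(attrs):
    """shell:priv-lvl from an Access-Accept, or None when absent or outside the valid 0-15 range."""
    for pair in cisco_avpairs(attrs):
        key, _, val = pair.partition("=")
        if key.strip() == "shell:priv-lvl" and val.strip().isdigit() and 0 <= int(val) <= 15:
            return int(val)
    return None

def cisco_vsa(pair: str) -> bytes:
    """Encode one cisco-avpair as a Vendor-Specific attribute (used only to build the constructed samples)."""
    body = bytes([CISCO_AVPAIR, 2 + len(pair)]) + pair.encode("ascii")
    return bytes([VENDOR_SPECIFIC, 6 + len(body)]) + struct.pack("!I", CISCO_VENDOR_ID) + body

# Constructed sample attribute bodies (RADIUS header and authenticator omitted).
REQUEST_ATTRS = bytes([SERVICE_TYPE, 6]) + struct.pack("!I", 7)  # Service-Type = NAS-Prompt, as in the WLC condition
ACCEPT_ATTRS = cisco_vsa("shell:priv-lvl=15")                     # full privilege returned by ISE
```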

3 Replies

Mike.Cifelli
VIP Alumni
IMO I would recommend looking into using either RADIUS or TACACS+ for device access. Note that RADIUS encrypts only the password in the request packet, and T+ encrypts the entire body of the packet. PAP is clear text, so obviously less secure.


Hi Arne,

 

Thank you very much. Your suggestion works.

I will fine-tune my authorization policy to segregate between user and full privilege.