EAP authentication to login to switches

guti_spain
Level 1

Hello everyone:

Until now we have been using RADIUS PAP to authenticate users connecting to our switches. The RADIUS server is a Windows Server machine using Microsoft RADIUS Server. Due to Blast RADIUS we would like to use EAP instead of PAP with the same server, but I haven't found any document describing how to use EAP in the switches not related to PPP connections. We are connecting locally to switches, so no PPP link is involved.

Do you know any documentation where I can find how to configure RADIUS to use EAP for user authentication to the switches? We are using C9200 and C9300 switches and the server is a Windows Server 2019 machine.

Thanks and regards,

Jordi 

balaji.bandi
Hall of Fame
Until now we have been using RADIUS PAP to authenticate users connecting to our switches

Can you give some clarity on this? I hope this is user authentication using 802.1X (not device admin, right?).

Until we get some clarity, check the guide below to see if it can help:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/sec/b_166_sec_9300_cg/configuring_radius.html#con_1091098

BB


Hello BB:

Actually, we use this for device administration exclusively. The rest of the network is not using 802.1x.

I had checked the link you attached, but it doesn't explain anything about EAP. The configuration explained there is what I have implemented at the moment.

Thanks for your help.


So you are looking at device admin ("we use this for device administration exclusively"), so only the features supported for device admin apply.

There are several guides available on the internet (or you may already be using one).

An example guide is below:

https://www.ciscozine.com/manage-cisco-with-nps-radius/


BB


Thank you BB. The configuration used in that link is the one I'm using now. The problem is the Windows Server RADIUS server only supports insecure authentication (now that Blast-RADIUS is here): PAP, SPAP, MS-CHAP... That's why I was looking for a way to secure the connection using EAP.

It's OK. I'll switch to TACACS.

Thanks for your answers.

EAP is used only for endpoint access, not for admin.

MHM

Thank you MHM. That's possibly the reason why I haven't found anything about it anywhere. Should I change to TACACS in order to secure admin then? Is there any other secure way?

Yes, as far as I know TACACS uses encrypted traffic, or you can use a RADIUS server over a secure IPsec VPN tunnel.

MHM

I'm going to look for a TACACS or TACACS+ server software. I think the solution is simpler than the IPsec VPN tunnel in a local network.

Thanks MHM.

Arne Bier
VIP

I am surprised that folks think TACACS+ passwords are more secure than RADIUS passwords. The ISE GUI even reminds us of this fact when you enable Device Admin Service.

If your goal is to secure the admin access to your network devices, then you should not be using any password-based authentication at all. The alternatives are SSH keys, or certificates. In either case, you can (and should) still involve AAA to authorize the user. And I would use TACACS+ - but - if using ISE, it requires a Device Admin license per ISE PSN node. Remember that AAA is:

Authentication - With SSH key auth, the network devices perform local SSH key validation - no passwords are used!

Authorization - perform AAA authorization to a TACACS+ server (e.g. to assign the user's priv level and perform optional per-command authorization etc.)

Accounting - send accounting to the TACACS+ server

How would SSH key authentication look? Every user must generate their own keypair using their favourite terminal app (putty/SecureCRT etc.) and then put those public keys on every network device. Yeah. Sounds like a lot of work, right? But it doesn't have to be. You could devise a system in your organisation that allows admins to deposit their public keys in one place (drop off zone) and then a script can be run to put those public keys on all devices. That would make this scalable and easy.

And by the way, I mentioned using AAA for the authorization. That is just a recommendation. You can do authorization on the network devices too. But it involves another small step. In Cisco IOS, you must add each username to every network device - but when you create the user, you don't give the user a password - it's there only for the authorization part. Then, define your "aaa authorization" commands to use the local device data. The end result is that each admin will use SSH keys to authenticate, and you can even eliminate AAA entirely, if you don't want to perform Authorization and Accounting (but I would not recommend eliminating AAA).

Certificate-based auth is the next level - in that case you must install the CA cert chain on all network devices for local cert based auth. More hassle, because clients need client certs, and these certs have a limited lifespan. The usual maintenance issues we have with certs apply here. SSH keys don't have expiration. Users must ensure they keep their private keys private/secured.
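The "drop off zone plus script" idea from the post above, as an added example that is not Arne's or Cisco's code: it turns a dictionary of OpenSSH public key lines into an IOS `ip ssh pubkey-chain` block. It assumes (as IOS does when you paste a `key-string`) that the stored `key-hash ssh-rsa` value is the MD5 of the decoded key blob, i.e. the same fingerprint `ssh-keygen -l -E md5` prints; the function names and the deliberately tiny RSA key blob are constructed for the example.

```python
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(b)) + b


# Constructed sample: a tiny RSA key blob in OpenSSH wire format
# (type string, mpint e, mpint n) so the example runs offline.
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa")
               + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x00\xc9\x3a\x7f\x55"))
SAMPLE_PUBKEYS = {
    "alice": "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " alice@laptop",
}


def key_hash(pubkey_line: str) -> str:
    """Return the 'key-hash ssh-rsa' value IOS stores for an OpenSSH key line.

    Assumption: IOS keeps the MD5 of the decoded key blob (what
    'ssh-keygen -l -E md5' shows), so we compute that directly."""
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("ip ssh pubkey-chain accepts ssh-rsa keys only")
    blob = base64.b64decode(parts[1], validate=True)
    # The blob's leading type string must agree with the line's prefix.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != b"ssh-rsa":
        raise ValueError("key blob type does not match the ssh-rsa prefix")
    return hashlib.md5(blob).hexdigest()


def render_pubkey_chain(users: dict) -> str:
    """Render config-mode lines that bind each admin's key to its username."""
    lines = ["ip ssh pubkey-chain"]
    for name, line in sorted(users.items()):
        lines += [f" username {name}",
                  f"  key-hash ssh-rsa {key_hash(line)}",
                  "  exit",
                  " exit"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_pubkey_chain(SAMPLE_PUBKEYS))
```

The rendered block is what a deployment script would push to every device; the local `username` and `aaa authorization` lines the post describes are configured separately.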

Hello Arne:

It's a very interesting point and what you propose is a totally different approach from what I had considered. In my scenario though, I consider TACACS+ to be more secure than certificates or SSH keys, and also simpler to manage.

The reason is that all devices are accessed from the local network, and the place is secured (you need to have an ID to pass the security control in several places before you can access any station), but it must be possible to access the switches from several stations. That means that users should go around with their certificates or SSH keys in a USB, and they would remain installed in several stations, or even lost or forgotten sometimes.

The problem we have with RADIUS is not that the password is not secure (it is encrypted), but that a MITM attack like Blast-RADIUS can modify the rest of the packet, which is not encrypted, giving access to attackers to resources without the need to find out the password.

With TACACS+ we may have a weaker encryption, but we can make the Authentication and Authorization phases stronger with MFA, giving us the security we need in this case. Furthermore, the encryption applies to the whole packet, making it less prone to MITM attacks.

Thanks a lot for your proposal. We will study it for other scenarios where remote access applies through IPSec VPN. SSH keys or CA are an additional level there in our case.

Arne Bier
VIP

I see what you mean, but in the case of SSH public key authentication, there is no AAA involved at all. Therefore there is no attack vector. AAA is optionally involved if you're performing "aaa authorization ..." commands - and you can tell the IOS to only authorize if authenticated. If a user did not pass authentication (if an attacker can bypass SSH public key auth then you have a real genius on your hands!!) then the aaa authorization makes no sense and will not be used, even if someone performs a MITM on the UDP stream. I guess what I am saying is that authentication does not involve aaa when using public key auth, hence, BlastRADIUS is less likely to be an issue for you.