"enable view" command fails authentication when implementing RADIUS

Hi all,

I am facing an unexpected problem while configuring the view command on our 3750x switches.

We are currently using NPS on a 2008 R2 server built specifically for RADIUS AAA. First, I'd like to point out that the RADIUS configuration works well, in the sense that we can successfully connect to our devices using our domain credentials, and we have also already implemented parser views depending on the user's access level.

When I enter the enable view command, I get the following error: "%authentication failure"

If I disable AAA on a selected switch and use local credentials instead, the command works fine. It only fails when AAA via RADIUS is functional. My understanding, based on the logs on our RADIUS server, is that the "enable view" command appears to be using the root user, which is local and therefore explains the error.

Is there any way to make this command work in conjunction with AAA?

I am ready to share more detailed information of the configuration if someone would like to have a look at this.

Best regards,

David

5 Replies

Jatin Katyal
Cisco Employee

David,

Ensure that your system is in root view—not privilege level 15.

The difference between a user who has level 15 privileges and a root view user is that a root view user can configure a new view and add or remove commands from the view. Also, when you are in a CLI view, you have access only to the commands that have been added to that view by the root view user.

~ Jatin

Hi Jatin,

Thank you very much for your answer. I understand the difference between level 15 and root view. When I authenticate locally on the switch, everything works. I can access enable view using the enable secret password and thus create a view with parser view. When I add RADIUS into the equation, it tries to authenticate the root view on the NPS server. I do not want that. I would like the authentication to stay local on the switch. How can I do that without having to create a root user on our NPS server/AD?

Best regards,

David

Can I look at the output of "show run | in aaa" and "show run | in radius"?

~ Jatin

Hi Jatin,

You can certainly have a look at it.

sh run | i aaa

aaa new-model
aaa group server radius SPQCRAD01
aaa authentication login userAuthentication group SPQCRAD01 local
aaa authorization exec userAuthorization local group SPQCRAD01 if-authenticated
aaa authorization network userAuthorization local group SPQCRAD01
aaa accounting exec default start-stop group SPQCRAD01
aaa accounting system default start-stop group SPQCRAD01

sh run | i radius

aaa group server radius SPQCRAD01
radius-server host 10.28.32.80 key 7 XXXXXXXXXXXXXXX

Best regards,

David

David,

Per my reading on this feature, the catch is that "enable view" requires authentication by a non-none method. Now, since you don't want the root user to be created on NPS/AD, the only thing we can do is replace the commands listed below:

aaa authentication login userAuthentication group SPQCRAD01 local
aaa authorization exec userAuthorization local group SPQCRAD01 if-authenticated

With;

aaa authentication login default local group SPQCRAD01

aaa authorization exec default local group SPQCRAD01

This way the local database will be checked first, and if the user is not found, the request will be queried against NPS/AD. The only downside of this workaround is that users who are on AD will face a few seconds' delay while the IOS device looks the user up in the local database. I couldn't think of anything better in this scenario.

HTH

~ Jatin
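As an added example (not configuration from the original thread, and not Cisco's documentation), here is the workaround from the last reply written out as a complete IOS fragment, together with the "enable view" check that the original question failed on. The group name SPQCRAD01, the server 10.28.32.80 and the authorization/accounting lines are the thread's own; the enable secret, the local fallback username, the vty configuration, the view name NOC and the commands granted to it are assumptions. Two caveats a practitioner should keep in mind with "local" first in the default list: a username that exists in both the local database and AD is always answered by the local entry, and a wrong password for an existing local account is a definitive failure that is not retried against RADIUS (only "user not found" falls through to the next method).

```cisco
! Added example, not the thread's configuration. Group name, server address and
! the authorization/accounting lines come from the thread; everything marked
! (assumed) is an assumption.
aaa new-model
!
! BEFORE (from the thread): named method lists only. "enable view" authenticates
! the local root view and is not served by a named list, so it fails under RADIUS.
!   aaa authentication login userAuthentication group SPQCRAD01 local
!   aaa authorization exec userAuthorization local group SPQCRAD01 if-authenticated
!
! AFTER (the workaround): default method lists, local database consulted first.
! "user not found" locally falls through to RADIUS; a bad local password does not.
aaa authentication login default local group SPQCRAD01
aaa authorization exec default local group SPQCRAD01
aaa authorization network userAuthorization local group SPQCRAD01
aaa accounting exec default start-stop group SPQCRAD01
aaa accounting system default start-stop group SPQCRAD01
!
aaa group server radius SPQCRAD01
 server 10.28.32.80
radius-server host 10.28.32.80 key 7 XXXXXXXXXXXXXXX
!
! "enable view" prompts for the enable secret, so one must be configured.
enable secret <enable-secret>                      ! (assumed)
!
! A privilege-15 local account keeps the switch reachable if NPS is down. (assumed)
username admin privilege 15 secret <password>
!
! With default lists in use, the vty lines must not still reference the old
! named lists "userAuthentication"/"userAuthorization". (assumed line config)
line vty 0 15
 transport input ssh
!
! Verification, typed at the EXEC prompt after logging in with a domain account:
!   Switch# enable view
!   Password: <enable secret>
!   Switch# show parser view
!   Current view is 'root'
!
! Root view reached; a restricted view can now be created. (assumed view)
!   Switch# configure terminal
!   Switch(config)# parser view NOC
!   Switch(config-view)# secret <view-secret>
!   Switch(config-view)# commands exec include show
!   Switch(config-view)# commands exec include ping
!   Switch(config-view)# end
```

The ordering "local group SPQCRAD01" is the whole point: the root view's credential never leaves the switch, while every other login that is absent from the local database still goes to NPS. The delay the reply mentions is the local lookup before the RADIUS request, and it applies to every AD login, not only to "enable view".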