cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2793
Views
10
Helpful
8
Replies
Leon Khanan
Beginner

Radius AAA with 3750E Version 12.2(53)SE2

Hi Guys,

i am struggling with configuring NPS AA for our 3750 array ... authentication and autorization

i tried almost every config i could find online but the most i got out of it is a simple authentication. What i need is quite simple:

we have several AD groups

1- Admin

2- Readonly with few privileges for ping, show, traceroute and telnet

i need my switches to be able to recognize the groups and assign them the correct priv. But it doesnt seem to be happening. Can anyone post a clean config for  the switch and for NPS ?

Thanks

P.S. i created and deleted most of my configs so if anyone has something clean and details i would greatly apreciate it.

2 ACCEPTED SOLUTIONS

Accepted Solutions

Hello,

This is the configuration I have on my IOS switch:

aaa authentication login default group radius local

aaa authentication enable default group radius enable

aaa authorization exec default group radius if-authenticated

radius-server host x.x.250.20 auth-port 1645 acct-port 1646 key xxxxxxx

I created two policies on the IAS (yours would be NPS). Both have Windows Groups as condition one referring to group ReadOnly and the other to group FullAccess.

ReadOnly results return Service-Type NAS-Prompt

FullAccess results return Service-Type Administrative

When accessing with a ReadOnly user I get:

User Access Verification

Username: priv1

Password:

Switch>en

Password:

% Error in authentication.

Switch>

So, the user is restricted to unpriviledged mode (>) commands.

When accessing with a FullAccess user:

User Access Verification

Username: priv15

Password:

Switch#

I get directly assigned to Enable Mode (#) due to the Administrative Value of the Service-Type Attribute.

As per the Role Based there is a document on the Forum that refers to TACACS+ as well

https://supportforums.cisco.com/docs/DOC-15765

Regards.

View solution in original post

Leon,

When using RADIUS for Device Management we cannot specify the Challenge-Handshake protocol. However, RADIUS will encrypt the User password during the transaction.

NOTE: TACACS+ will encrypt the whole packet.

Regards.

View solution in original post

8 REPLIES 8
camejia
Participant

Leon,

Cisco IOS Command Authorization is not supported when authenticating with RADIUS. This is a protocol limitation.

RADIUS is meant for Network Access (Wireless, VPN) as it has a huge scope of Network Access attributes.

TACACS+ on the other hand is meant for Device Administration (SSH, Telnet). TACACS+ can assign Command Set, EXEC Privileges, Management Session timeouts and others.

TACACS+ can split Authentication and Authorization on different packets, whereas RADIUS send both Authentication/Authorization on the same packet.

Radius has no capability to send a separate authorization request for every executed command like TACACS+ does.

You can use a MS RADIUS server to return the EXEC privilege for users with the "Service-Type" attribute. You can set it to "Administrative" for full access and "NAS-Prompt" for only unprivileged mode.

However, in order to define specific commands to be allowed on a "Per-Group Basis" a TACACS+ server is needed. Cisco IOS "aaa authorization commands" include Group RADIUS as an argument, however it will not work.

Regards.

so unless i use TACACs i cant even set NPS to provide access per privilege?

as in

Ad group Admins - priv 15

AD group Readonly - priv1

?

is there a way to create a role based authentication like on Nexus ? using rules for each role ?

Hello,

This is the configuration I have on my IOS switch:

aaa authentication login default group radius local

aaa authentication enable default group radius enable

aaa authorization exec default group radius if-authenticated

radius-server host x.x.250.20 auth-port 1645 acct-port 1646 key xxxxxxx

I created two policies on the IAS (yours would be NPS). Both have Windows Groups as condition one referring to group ReadOnly and the other to group FullAccess.

ReadOnly results return Service-Type NAS-Prompt

FullAccess results return Service-Type Administrative

When accessing with a ReadOnly user I get:

User Access Verification

Username: priv1

Password:

Switch>en

Password:

% Error in authentication.

Switch>

So, the user is restricted to unpriviledged mode (>) commands.

When accessing with a FullAccess user:

User Access Verification

Username: priv15

Password:

Switch#

I get directly assigned to Enable Mode (#) due to the Administrative Value of the Service-Type Attribute.

As per the Role Based there is a document on the Forum that refers to TACACS+ as well

https://supportforums.cisco.com/docs/DOC-15765

Regards.

View solution in original post

yup, works

thanks for your time.

Thanks,

I will try it on my switch and update  you on the progress

Thanks alot.

one more question if i may ...

can i set mschap v2 on authentication ? or is it  clear text only?

Leon,

When using RADIUS for Device Management we cannot specify the Challenge-Handshake protocol. However, RADIUS will encrypt the User password during the transaction.

NOTE: TACACS+ will encrypt the whole packet.

Regards.

View solution in original post

Thanks again, thats about covers what i needed to know

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel