Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3167
Views
10
Helpful
8
Replies

Radius AAA with 3750E Version 12.2(53)SE2

Go to solution
Leon Khanan
Level 1
Level 1

‎01-05-2012 12:17 PM - edited ‎03-10-2019 06:41 PM

Hi Guys,

i am struggling with configuring NPS AA for our 3750 array ... authentication and autorization

i tried almost every config i could find online but the most i got out of it is a simple authentication. What i need is quite simple:

we have several AD groups

1- Admin

2- Readonly with few privileges for ping, show, traceroute and telnet

i need my switches to be able to recognize the groups and assign them the correct priv. But it doesnt seem to be happening. Can anyone post a clean config for  the switch and for NPS ?

Thanks

P.S. i created and deleted most of my configs so if anyone has something clean and details i would greatly apreciate it.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
camejia
Level 3
Level 3
In response to Leon Khanan

‎01-05-2012 01:02 PM

Hello,

This is the configuration I have on my IOS switch:

aaa authentication login default group radius local

aaa authentication enable default group radius enable

aaa authorization exec default group radius if-authenticated

radius-server host x.x.250.20 auth-port 1645 acct-port 1646 key xxxxxxx

I created two policies on the IAS (yours would be NPS). Both have Windows Groups as condition one referring to group ReadOnly and the other to group FullAccess.

ReadOnly results return Service-Type NAS-Prompt

FullAccess results return Service-Type Administrative

When accessing with a ReadOnly user I get:

User Access Verification

Username: priv1

Password:

Switch>en

Password:

% Error in authentication.

Switch>

So, the user is restricted to unpriviledged mode (>) commands.

When accessing with a FullAccess user:

User Access Verification

Username: priv15

Password:

Switch#

I get directly assigned to Enable Mode (#) due to the Administrative Value of the Service-Type Attribute.

As per the Role Based there is a document on the Forum that refers to TACACS+ as well

https://supportforums.cisco.com/docs/DOC-15765

Regards.

View solution in original post

Go to solution
camejia
Level 3
Level 3
In response to Leon Khanan

‎01-05-2012 02:12 PM

Leon,

When using RADIUS for Device Management we cannot specify the Challenge-Handshake protocol. However, RADIUS will encrypt the User password during the transaction.

NOTE: TACACS+ will encrypt the whole packet.

Regards.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
camejia
Level 3
Level 3

‎01-05-2012 12:36 PM

Leon,

Cisco IOS Command Authorization is not supported when authenticating with RADIUS. This is a protocol limitation.

RADIUS is meant for Network Access (Wireless, VPN) as it has a huge scope of Network Access attributes.

TACACS+ on the other hand is meant for Device Administration (SSH, Telnet). TACACS+ can assign Command Set, EXEC Privileges, Management Session timeouts and others.

TACACS+ can split Authentication and Authorization on different packets, whereas RADIUS send both Authentication/Authorization on the same packet.

Radius has no capability to send a separate authorization request for every executed command like TACACS+ does.

You can use a MS RADIUS server to return the EXEC privilege for users with the "Service-Type" attribute. You can set it to "Administrative" for full access and "NAS-Prompt" for only unprivileged mode.

However, in order to define specific commands to be allowed on a "Per-Group Basis" a TACACS+ server is needed. Cisco IOS "aaa authorization commands" include Group RADIUS as an argument, however it will not work.

Regards.

Go to solution
Leon Khanan
Level 1
Level 1
In response to camejia

‎01-05-2012 12:45 PM

so unless i use TACACs i cant even set NPS to provide access per privilege?

as in

Ad group Admins - priv 15

AD group Readonly - priv1

?

is there a way to create a role based authentication like on Nexus ? using rules for each role ?

0 Helpful

Go to solution
camejia
Level 3
Level 3
In response to Leon Khanan

‎01-05-2012 01:02 PM

Hello,

This is the configuration I have on my IOS switch:

aaa authentication login default group radius local

aaa authentication enable default group radius enable

aaa authorization exec default group radius if-authenticated

radius-server host x.x.250.20 auth-port 1645 acct-port 1646 key xxxxxxx

I created two policies on the IAS (yours would be NPS). Both have Windows Groups as condition one referring to group ReadOnly and the other to group FullAccess.

ReadOnly results return Service-Type NAS-Prompt

FullAccess results return Service-Type Administrative

When accessing with a ReadOnly user I get:

User Access Verification

Username: priv1

Password:

Switch>en

Password:

% Error in authentication.

Switch>

So, the user is restricted to unpriviledged mode (>) commands.

When accessing with a FullAccess user:

User Access Verification

Username: priv15

Password:

Switch#

I get directly assigned to Enable Mode (#) due to the Administrative Value of the Service-Type Attribute.

As per the Role Based there is a document on the Forum that refers to TACACS+ as well

https://supportforums.cisco.com/docs/DOC-15765

Regards.

Go to solution
Leon Khanan
Level 1
Level 1
In response to camejia

‎01-05-2012 01:53 PM

yup, works

thanks for your time.

0 Helpful

Go to solution
Leon Khanan
Level 1
Level 1
In response to Leon Khanan

‎01-05-2012 01:42 PM

Thanks,

I will try it on my switch and update  you on the progress

Thanks alot.

0 Helpful

Go to solution
Leon Khanan
Level 1
Level 1
In response to camejia

‎01-05-2012 02:09 PM

one more question if i may ...

can i set mschap v2 on authentication ? or is it  clear text only?

0 Helpful

Go to solution
camejia
Level 3
Level 3
In response to Leon Khanan

‎01-05-2012 02:12 PM

Leon,

When using RADIUS for Device Management we cannot specify the Challenge-Handshake protocol. However, RADIUS will encrypt the User password during the transaction.

NOTE: TACACS+ will encrypt the whole packet.

Regards.

0 Helpful

Go to solution
Leon Khanan
Level 1
Level 1
In response to camejia

‎01-05-2012 02:14 PM

Thanks again, thats about covers what i needed to know

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents