01-05-2012 12:17 PM - edited 03-10-2019 06:41 PM
Hi Guys,
I am struggling with configuring NPS AAA for our 3750 array ... authentication and authorization.
I tried almost every config I could find online, but the most I got out of it is a simple authentication. What I need is quite simple:
we have several AD groups
1- Admin
2- Readonly with few privileges for ping, show, traceroute and telnet
I need my switches to be able to recognize the groups and assign them the correct priv, but it doesn't seem to be happening. Can anyone post a clean config for the switch and for NPS?
Thanks
P.S. I created and deleted most of my configs, so if anyone has something clean and detailed I would greatly appreciate it.
01-05-2012 01:02 PM
Hello,
This is the configuration I have on my IOS switch:
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius if-authenticated
radius-server host x.x.250.20 auth-port 1645 acct-port 1646 key xxxxxxx
I created two policies on the IAS (yours would be NPS). Both have Windows Groups as condition, one referring to group ReadOnly and the other to group FullAccess.
ReadOnly results return Service-Type NAS-Prompt
FullAccess results return Service-Type Administrative
When accessing with a ReadOnly user I get:
User Access Verification
Username: priv1
Password:
Switch>en
Password:
% Error in authentication.
Switch>
So, the user is restricted to unprivileged mode (>) commands.
When accessing with a FullAccess user:
User Access Verification
Username: priv15
Password:
Switch#
I get directly assigned to Enable Mode (#) due to the Administrative Value of the Service-Type Attribute.
As for the role-based part, there is a document on the forum that refers to TACACS+ as well:
https://supportforums.cisco.com/docs/DOC-15765
Regards.
01-05-2012 02:12 PM
Leon,
When using RADIUS for Device Management we cannot specify the Challenge-Handshake protocol. However, RADIUS will encrypt the User password during the transaction.
NOTE: TACACS+ will encrypt the whole packet.
Regards.
01-05-2012 12:36 PM
Leon,
Cisco IOS Command Authorization is not supported when authenticating with RADIUS. This is a protocol limitation.
RADIUS is meant for Network Access (Wireless, VPN) as it has a huge scope of Network Access attributes.
TACACS+ on the other hand is meant for Device Administration (SSH, Telnet). TACACS+ can assign Command Set, EXEC Privileges, Management Session timeouts and others.
TACACS+ can split Authentication and Authorization into different packets, whereas RADIUS sends both Authentication/Authorization in the same packet.
RADIUS has no capability to send a separate authorization request for every executed command like TACACS+ does.
You can use a MS RADIUS server to return the EXEC privilege for users with the "Service-Type" attribute. You can set it to "Administrative" for full access and "NAS-Prompt" for only unprivileged mode.
However, in order to define specific commands to be allowed on a "Per-Group Basis" a TACACS+ server is needed. Cisco IOS "aaa authorization commands" includes group RADIUS as an argument; however, it will not work.
Regards.
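To make the two protocol points above concrete (the User-Password hiding that RADIUS applies on the wire, and the Service-Type attribute that NPS returns for the switch to map onto an EXEC privilege), here is an added, self-contained Python model of that exchange. It is not code from the thread or from Cisco/Microsoft; the shared secret, username, password and Request Authenticator are constructed sample values, and the Service-Type to privilege mapping (Administrative to level 15, NAS-Prompt to level 1) is the behaviour the replies above describe. The packet layout and the hiding algorithm follow RFC 2865.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865)
CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_SERVICE_TYPE = 6

# Service-Type values (RFC 2865 section 5.6) and the IOS privilege level the
# thread reports for each: Administrative lands in enable mode, NAS-Prompt
# stays in user EXEC mode.
SERVICE_TYPE_ADMINISTRATIVE = 6
SERVICE_TYPE_NAS_PROMPT = 7
SERVICE_TYPE_TO_PRIV = {SERVICE_TYPE_ADMINISTRATIVE: 15, SERVICE_TYPE_NAS_PROMPT: 1}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 section 5.2: NUL-pad to a multiple of 16 (at least 16), then XOR
    # each block with MD5(secret + previous block), seeded with the Request
    # Authenticator. Anyone holding the shared secret and the packet can undo
    # this, which is why the secret (and the transport) need protecting.
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, padded_len, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Inverse of hide_password: what the RADIUS server does on receipt.
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    # Type (1 byte), Length (1 byte, includes the 2-byte header), Value
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(data: bytes) -> list:
    # Walk the attribute area, rejecting lengths that would overrun the packet.
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", data[i:i + 2])
        if attr_len < 2 or i + attr_len > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + attr_len]))
        i += attr_len
    return attrs


def build_access_request(username: str, password: str, secret: bytes,
                         identifier: int, request_auth: bytes) -> bytes:
    # Switch (NAS) side: User-Name plus the hidden User-Password.
    attrs = encode_attr(ATTR_USER_NAME, username.encode()) + encode_attr(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code, identifier, request_auth, attrs, secret) -> bytes:
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes,
                        service_type: int) -> bytes:
    # NPS policy side: Access-Accept carrying the Service-Type the policy chose.
    attrs = encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", service_type))
    auth = response_authenticator(CODE_ACCESS_ACCEPT, identifier, request_auth, attrs, secret)
    return struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs)) + auth + attrs


def exec_privilege_from_accept(packet: bytes, request_auth: bytes, secret: bytes):
    # Switch side: verify the reply really came from a server holding the
    # secret, then map Service-Type to a privilege level (None if absent).
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code != CODE_ACCESS_ACCEPT:
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = response_authenticator(code, identifier, request_auth, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    for attr_type, value in decode_attrs(attrs):
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            return SERVICE_TYPE_TO_PRIV.get(struct.unpack("!I", value)[0])
    return None


def demo(service_type: int = SERVICE_TYPE_ADMINISTRATIVE):
    # Constructed round trip; secret, user and password are sample values.
    secret, request_auth = b"sample-shared-key", os.urandom(16)
    req = build_access_request("priv15", "Sample-Pass-1", secret, 7, request_auth)
    hidden = dict(decode_attrs(req[20:]))[ATTR_USER_PASSWORD]
    assert reveal_password(hidden, secret, request_auth) == b"Sample-Pass-1"
    accept = build_access_accept(7, request_auth, secret, service_type)
    return exec_privilege_from_accept(accept, request_auth, secret)


if __name__ == "__main__":
    print(demo())  # 15
```

Running `demo()` yields 15 for an Administrative Service-Type and `demo(SERVICE_TYPE_NAS_PROMPT)` yields 1. Two things worth noticing on the defender side: only the User-Password attribute is transformed, everything else (User-Name, Service-Type) crosses the wire in the clear, and the transformation is keyed solely by the shared secret, so the strength of this exchange rests on that secret and on keeping RADIUS traffic off untrusted segments. The Response Authenticator check is what stops a forged Access-Accept from granting a privilege level.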
01-05-2012 12:45 PM
So unless I use TACACS, I can't even set NPS to provide access per privilege?
As in:
AD group Admins - priv 15
AD group Readonly - priv 1
?
Is there a way to create role-based authentication like on Nexus, using rules for each role?
01-05-2012 01:53 PM
Yup, works.
Thanks for your time.
01-05-2012 01:42 PM
Thanks,
I will try it on my switch and update you on the progress
Thanks a lot.
01-05-2012 02:09 PM
One more question, if I may ...
Can I set MS-CHAP v2 on authentication, or is it clear text only?
01-05-2012 02:14 PM
Thanks again, that about covers what I needed to know.