Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6429
Views
15
Helpful
7
Replies

SSH & RADIUS Authentication

SHEXER-401
Level 1
Level 1

‎02-11-2014 03:12 AM - edited ‎03-10-2019 09:23 PM

Hi all,

I need some advice on the authentication of my switches.

I have a network set up where every switch uses telnet only for the transport input method. I need this to change to SSHv2 only.

I also have a RADIUS server backing off to Active Directory that I can use for AAA authentication against users of the switches.

Once I use SSH to login, I am in User EXEC mode. I would like to use RADIUS authentication to authenticate users to enter Privileged EXEC mode.

Is this possible to do?

I have been working on this for a while, now I have got to the point where I have to give in and ask for help.

Thank you.

Labels:
0 Helpful
7 Replies 7

Javier Portuguez
Level 9
Level 9

‎02-11-2014 12:34 PM

Hi Simon,

Are you using AAA authentication with ACS?

0 Helpful

SHEXER-401
Level 1
Level 1
In response to Javier Portuguez

‎02-12-2014 02:14 AM

Hi Javier!

No unfortunately I don't have ACS at my disposal; I have only a RADUIS server. I currently have some Wireless LAN Controllers authenticating clients on RADIUS and I was told that it can authenticate users going into Privileged EXEC (Enable) on a switch too. I have tired configuring this many times however I can't seem to get it to work.

0 Helpful

Gurpreet Puri
Level 1
Level 1
In response to SHEXER-401

‎02-12-2014 03:02 AM

Hi Simon,

ACS use TACACS+ for authentication but we have ISE now, which doesn't support TACACS+ instead it use RADIUS to authenticate switches/users.

You can integrate your AD with ISE and then with the proper configuration on switches and ISE, we can restrict user to go to Enable mode.

Regards,
Gurpreet S Puri

****************************
Keep Smiling, Peace :)
****************************

(Please Rate Helpful Post)

Regards, Gurpreet S Puri **************************** Keep Smiling, Peace :) **************************** (Please Rate Helpful Post)

Javier Portuguez
Level 9
Level 9
In response to Gurpreet Puri

‎02-12-2014 07:50 AM

@Gurpreet Puri

That's true, but I think Simon does not have an ISE neither.

Simon, are you using NPS, IAS or any other vendor?

If so, we would need to check the vendor's documentation to see how to send the privilege level 15 to the SW.

You can check this one:

Cisco Privilege Level Access with Radius and NPS Server

Also:

How-to : Integrating Cisco devices CLI access with Microsoft NPS/RADIUS

HTH.

SHEXER-401
Level 1
Level 1
In response to Javier Portuguez

‎02-14-2014 05:22 AM

Hi all,

Thanks for your feedback. I have Cisco ISE being deployed within the next couple of months so hopefully that will help to solve this problem. I'll wait until then to start configuring it.

Thank you for your replies, this has been very helpful.

Simon

Javier Portuguez
Level 9
Level 9
In response to SHEXER-401

‎02-14-2014 07:24 AM

You welcome.

Please rate any helpful posts.

0 Helpful

blenka
Level 3
Level 3

‎02-20-2014 04:07 AM

From security perspective, I would still recommend applying an ACL to the VTY lines to prevent DoS on the network device. You can go beyond that and apply control plane policing.

1. The VTY access-list needs to add to all VTY lines (e.g. 0 ~ 15 on a Cisco 3K) to be effective.

2. On a 3560X running IOS 15.0(1)SE3, I added the following line before the SSH client IP address showing up as calling-station-id in RADIUS access requests:

radius-server attribute 31 send nas-port-detail

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents