SSH & RADIUS Authentication
02-11-2014 03:12 AM - edited 03-10-2019 09:23 PM
Hi all,
I need some advice on the authentication of my switches.
I have a network set up where every switch uses telnet only for the transport input method. I need this to change to SSHv2 only.
I also have a RADIUS server backing off to Active Directory that I can use for AAA authentication against users of the switches.
Once I use SSH to login, I am in User EXEC mode. I would like to use RADIUS authentication to authenticate users to enter Privileged EXEC mode.
Is this possible to do?
I have been working on this for a while, and now I have got to the point where I have to give in and ask for help.
Thank you.
02-11-2014 12:34 PM
Hi Simon,
Are you using AAA authentication with ACS?
02-12-2014 02:14 AM
Hi Javier!
No, unfortunately I don't have ACS at my disposal; I have only a RADIUS server. I currently have some Wireless LAN Controllers authenticating clients on RADIUS, and I was told that it can authenticate users going into Privileged EXEC (Enable) on a switch too. I have tried configuring this many times; however, I can't seem to get it to work.
02-12-2014 03:02 AM
Hi Simon,
ACS uses TACACS+ for authentication, but we have ISE now, which doesn't support TACACS+; instead it uses RADIUS to authenticate switches/users.
You can integrate your AD with ISE, and then with the proper configuration on the switches and ISE, we can restrict user access to Enable mode.
Regards,
Gurpreet S Puri
02-12-2014 07:50 AM
@Gurpreet Puri
That's true, but I think Simon does not have ISE either.
Simon, are you using NPS, IAS or any other vendor?
If so, we would need to check the vendor's documentation to see how to send the privilege level 15 to the SW.
You can check this one:
Cisco Privilege Level Access with Radius and NPS Server
Also:
How-to : Integrating Cisco devices CLI access with Microsoft NPS/RADIUS
HTH.
02-14-2014 05:22 AM
Hi all,
Thanks for your feedback. I have Cisco ISE being deployed within the next couple of months so hopefully that will help to solve this problem. I'll wait until then to start configuring it.
Thank you for your replies, this has been very helpful.
Simon
02-14-2014 07:24 AM
You're welcome.
Please rate any helpful posts.
02-20-2014 04:07 AM
From a security perspective, I would still recommend applying an ACL to the VTY lines to prevent DoS on the network device. You can go beyond that and apply control plane policing.
1. The VTY access-list needs to be added to all VTY lines (e.g. 0 ~ 15 on a Cisco 3K) to be effective.
2. On a 3560X running IOS 15.0(1)SE3, I had to add the following line before the SSH client IP address showed up as Calling-Station-Id in RADIUS Access-Requests:
radius-server attribute 31 send nas-port-detail
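An added example, not from the thread or from Cisco: a small Python audit script that checks a running-config excerpt for the goals raised above (SSHv2-only transport on every VTY line, RADIUS for enable authentication, an access-class on all VTY lines 0-15, and the attribute 31 setting from the last post). The sample configuration is constructed, and the MGMT-HOSTS ACL name and 192.0.2.0/24 management range are assumptions.

```python
import re

# Constructed 'show running-config' excerpt: vty 0-4 migrated to SSH with an ACL, vty 5-15 not yet.
SAMPLE_CONFIG = """\
aaa authentication login default group radius local
aaa authentication enable default group radius enable
ip ssh version 2
radius-server attribute 31 send nas-port-detail
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def parse_vty_blocks(config):
    """Return {(first, last): [sub-commands]} for every 'line vty X Y' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"line vty (\d+) (\d+)$", raw)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the vty block

    return blocks

def audit(config, last_vty=15):
    """Return a list of findings; an empty list means the config meets the thread's goals."""
    findings, top = [], set(config.splitlines())
    if "ip ssh version 2" not in top:
        findings.append("ssh: version 2 not enforced")
    if not any(l.startswith("aaa authentication enable default") and "group radius" in l for l in top):
        findings.append("aaa: enable authentication does not use RADIUS")
    if "radius-server attribute 31 send nas-port-detail" not in top:
        findings.append("radius: attribute 31 nas-port-detail not sent")
    covered = [False] * (last_vty + 1)  # one slot per VTY line, 0-15 on a 3K
    for (first, last), lines in parse_vty_blocks(config).items():
        if "transport input ssh" not in lines:  # 'telnet ssh' or 'all' still allows telnet
            findings.append(f"vty {first} {last}: transport input is not SSH-only")
        if any(l.startswith("access-class ") and l.endswith(" in") for l in lines):
            covered[first:last + 1] = [True] * (last + 1 - first)
    missing = [str(n) for n, ok in enumerate(covered) if not ok]
    if missing:
        findings.append("vty ACL missing on lines: " + ",".join(missing))
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the two findings for the half-migrated sample; an empty list is the target state.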
