Hello MHM,

Thank you for your return and informations.

Question 01 : 

Switch AAA Configuration

It's the same configuration to implement on the switches, of corse modifying @ip and name of server with my local informations ? just to confirm

Regards.

You need radius for dot1x or for admin?

For admin I share link which steps you confuse about

MHM

What's difference ?

I read on the internet but I didn't understand what the difference !!! . In my case, what should I activate?

knowing that it's for remote administration via another SVI with ssh protocol or console, Instead of using the local admin account, I use the AD account(s)

Regards.

RADIUS is typically used to authenticate and authorized the end users to the network. With RADIUS we have three common authentication methods, dot1x, MAB, and WebAuth. On the other hand the device admin is just another name of TACACS+ which is used to authenticate and authorized the network admins to the network devices. A main difference between RADIUS and TACACS+ is that TACACS+ is more secure and could authorize every single command the network admins would issue on a network device because it separates the authentication, authorization, and accounting transactions. However, you could use RADIUS to authenticate and authorize network admins to the network devices as per this post of mine:

Privilege Level 15 with Cisco ISE | Blue Network Security (bluenetsec.com)

Hello Aref,

Thx for your return and informations.

I succeeded in configuring radius authentication with a C2960 switch just for testing and it works with several privileges 15 - 5 (AD_Users) and also with local authentication in case of loss of access to the Radius.

Now I'm going to reproduce it on the C900L with commands appropriate if I find any problems I'll get back to you.

Just one last question about authentication via dot1x or for admin: what's the impact if I apply it only for admin access (In the Switch)?

Thx again.

You're welcome. Do you mean admin accesses via RADIUS or TACACS? if you are referring to RADIUS then please note that in my blog post I shared above it shows privilege 15 by default when you select "Web Authentication (Local Web Auth)" from the authorization profile common tasks. However, if you want to assign a different privilege level for a specific set of users, then you can create a new authorization profile with a custom RADIUS attribute "cisco-av-pair = priv-lvl=< the privilege level you want >", and then you create a new authorization rule point to the interested AD group and finally you associate the new authorization profile you created.

However, if you are referring to TACACS then TACACS policies won't interfere with RADIUS policies because TACACS aaa configs on the network devices will be different even if you use the same ISE PSNs as both RADIUS and TACACS servers.

RADIUS and TACACS accesses to the network devices themselves are terminated on the network devices VTY lines. So in both cases if you use a different aaa method list than the default you would need to define the new method list as shown in my post config snippet. However, these accesses are the accesses to the network devices themselves, not to the network (LAN).

Generally speaking RADIUS is used to allow the end users accesses to the network, not to the network devices themselves, and TACACS is used to allow accesses to the network devices themselves. Although technically speaking you could use TACACS to allow network accesses, RADIUS has been known as a standard protocol for the users network accesses because it is much more flexible in terms of defining vendor custom attributes.

The main differences between RADIUS and TACACS is that RADIUS encrypts only the password in a packet, TACACS on the other side encrypts the whole payload. Also, TACACS separate the authentication and authorization which means you can decide which single commands each user is allowed/denied to run on a network devices. RADIUS on the other hand consolidates authentication and authorization together.

Also, when you turn on dot1x in your environment and you are still not a 100% sure if all your endpoints are ready for this enforcement, then what you can do is starting with monitor mode which basically has no enforcement at all, but will allow you to have visibility of what's going on on your network and adjust the endpoints NIC settings, ISE policies etc. Once you are happy with everything you can swich to close mode where the enforcement will start.

Another common approach to deal with this would be to specific a set of test users and add them to a test AD group, and then you create the rules on ISE to only affect those users leaving the default actions on ISE to allow both authentication and authorization when they fail.

Hello Aref,

Thank you for sharing this information.

For now, I only have a Windows server that includes the NPS functionality, which will only be used to authenticate equipment on the network via AD_IT accounts.

So I wanted to know if it's recommended in my case to use the aaa Dot1x ? and I remember it's only for authentication of Administrators via their AD account for access Cisco Device L2/L3.

I've tried the login phase and it works. Here's the basic configuration shared

aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
!
!
!
!
aaa server radius dynamic-author
client IP_Radius

radius server NAMEOFSERVER
address ipv4 IP_Radius auth-port 1812 acct-port 1813
timeout 2
retransmit 2
key encrypted 7 (I have enabled service password-encryption on conf t)

Should I add anything else?

Regards.

You're welcome. It is always recommended to use dot1x where possible as it provides secure accesses but that applies to the network accesses of the end users. However, in your case I think dot1x wouldn't apply as you are using a virtual login session to the network devices over their VTY lines.

Hello Aref,

Thank you for your return and information,

Now I have a problem on the C9500 (Core) with VRRP . I've managed to apply the RADIUS configuration but it doesn't work, and activating the debug won't be possible now.

Is the configuration on the access switches not the same on the core L3 switches?

I'll try to configure it from the WEB interface and see otherwise if you have any information please share it with me.

Regards.

Could you please elaborate a bit more on what the issue is? RADIUS configs would be the same on the switches, however, if you configured different preshared keys on the RADIUS servers for the switches, then each should have its own configured. Also, if you configured the source interface for RADIUS traffic that would also be different. Please share your santized RADIUS configs of both switches for review. Also, please make sure you applied the right commands under the switches interfaces where the clients will be connected.

It's a single shared key, for the interface source I haven't defined, the configuration is the same as the one I posted before.

I try with interface GUI after I back to you.

Thx again Aref.

For admin 

Aaa authentication login 

For network access 

Aaa authentication dot1x 

Using command authz  with radius not support as I know 

Using command authz with tacacs is support

So use privilege form 1 to 15 for each user.

Note:- if you use aaa authorization exec you need to use local with command 

And also the local username must have privilege 15 otherwise you can not access to conf+t mode

MHM

Thanks for your feedback and information

For network access = Aaa authentication dot1x

What's the impact if I use it and what's the impact if I don't? Does it have a relationship with the end user or the administrator? its my last question.

Regards.