04-19-2023 01:57 AM
Hi guys,
I want to authenticate on my switches with my Active Directory account when I connect via SSH.
I can use a MS RADIUS server (NPS).
I had configured everything and all is OK, but between the switch and NPS the authentication is in PAP.
So I ask, what are you doing in your infra?
Best regards
04-19-2023 10:31 PM
Hello @Kevin2023FromFrance,
In our infrastructure, we use 802.1X authentication for switch access control using our Active Directory credentials. We use a combination of Microsoft NPS and a RADIUS server to achieve this.
The NPS server is configured to authenticate users based on their Active Directory credentials and then communicate with the RADIUS server for further authentication and authorization. This ensures that only authorized users can access the network and that their credentials are protected.
In terms of the authentication method used between the switch and NPS server, we use EAP with MS-CHAP v2 as the authentication protocol. This provides a secure way to transmit credentials between the switch and NPS server.
We plan to move to EAP-TLS which provides mutual authentication, which means that both the client and the server must present a certificate to authenticate themselves. This provides protection against man-in-the-middle attacks and ensures that the client is connecting to the correct server.
04-20-2023 01:51 AM
Hello,
Thanks for your reply.
My question is about administrator access with SSH, is that what you understood?
How do you define the authentication method between the switch and the NPS server in this case?
Best regards
04-20-2023 02:55 AM
Yes, OK, your question is specifically about configuring SSH authentication for administrator access to your switches using Active Directory accounts authenticated through the NPS server.
To define the authentication method between the switch and the NPS server, you would need to configure the switch to use RADIUS as the authentication method for SSH connections. This involves configuring the switch to send RADIUS authentication requests to the NPS server when an administrator attempts to log in via SSH, and configuring the NPS server to authenticate the user's Active Directory credentials and send a response back to the switch indicating whether the authentication was successful or not.
In order to configure RADIUS authentication for SSH on your switches, you will need to specify the IP address and shared secret of your NPS server, as well as the RADIUS authentication port (typically UDP port 1812) and accounting port (typically UDP port 1813). You will also need to configure the switch to use SSH version 2 and specify the SSH authentication method as RADIUS.
Once the switch is configured to use RADIUS authentication for SSH, the administrator can log in using their Active Directory username and password, and the switch will send a RADIUS authentication request to the NPS server. The NPS server will then authenticate the user's credentials against Active Directory, and send a response back to the switch indicating whether the authentication was successful or not.
04-20-2023 02:20 AM - edited 04-20-2023 08:23 AM
Clear text or encrypted text for the connection between RADIUS/TACACS and SW/R?
That is a good thing to check.
04-20-2023 03:00 AM
@Kevin2023FromFrance, what bothers you is that you are in PAP only?
04-20-2023 03:58 AM
Yes
04-20-2023 05:12 AM
For this type of connection I only see PAP. MS-CHAP-V2 is used for user authentication like dial-in and VPN and not for switch/router management.
Why not go via TACACS instead of RADIUS? RADIUS encrypts the password but sends the user name in the clear. TACACS encrypts both username and password.
04-20-2023 08:13 AM
OK, I understand, thanks for your reply.
04-20-2023 08:50 AM
One feature that provides more security under TACACS+, as opposed to its alternative RADIUS, is the encryption of the entire packet. This encryption is sent between the AAA client and the AAA server running the TACACS+ daemon. This is not to be confused with encryption of user data. This is not an encryption such as 3DES-IPSec or RSA encryption, but is rather a combination of a hashing algorithm and an XOR function. TACACS+ uses MD5 to hash using a secret key provided on both ends.
The process of TACACS+ encryption is as follows:
Step 1. Information is taken from the packet header, and the preshared key calculates a series of hashes. The first is a hash that is calculated on a concatenation of the session_id, the version, the seq_no, and the pre-shared key value. Each hash that is created has the previous hash in it as well. This is done a number of times that is dependent on the particular implementation of TACACS+.
Step 2. The calculated hash is concatenated and then truncated to the length of the data that is being encrypted. Each hash has the previous hash concatenated to its input values. The result is called the pseudo_pad.
Step 3. The cipher text is produced by doing a bytewise XOR on the pseudo_pad with the data that is being encrypted.
Step 4. The receiving device uses its pre-shared key to calculate the pseudo_pad, and then an XOR of the newly created pseudo_pad results in the original data in clear text.
I read about TACACS encryption, but it does not mention that the password will be sent as clear text and not encrypted; what TACACS does is make a hash and attach it to the packet to protect it from any hack that could change it.
This leads me to another network design: many admins configure the AAA server in a secure site or connect to that site via IPsec.
This prevents a man in the middle from capturing and seeing the clear text password.
@M02@rt37, am I right?
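The two mechanisms discussed in this thread, shown side by side as an added example that is not code from the thread, from Cisco or from Microsoft: how RADIUS hides only the PAP User-Password attribute (RFC 2865 section 5.2) while User-Name travels as-is, and how TACACS+ obfuscates the whole packet body with the MD5 pseudo_pad built in the four steps quoted above (RFC 8907 section 4.5). The shared secret, session id, Request Authenticator, port, remote address and credentials are constructed values.

```python
# Added example, not code from the thread or from any vendor: RADIUS
# User-Password hiding (RFC 2865) next to TACACS+ body obfuscation (RFC 8907).
# Every key, id and credential below is a constructed value.
import hashlib
import os
import struct


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


# ---- RADIUS: only the User-Password attribute is hidden -------------------

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a multiple of 16, then XOR each 16-byte block with
    MD5(secret + previous block); the first block uses the 16-byte
    Request Authenticator as the 'previous block'."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block                      # chaining is on the hidden block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password: what the RADIUS/NPS server does."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")            # RFC 2865 forbids NUL in a password


def radius_access_request(username: bytes, password: bytes, secret: bytes,
                          authenticator: bytes = b"") -> bytes:
    """Minimal Access-Request: Code=1, Identifier=0, User-Name (type 1),
    User-Password (type 2). User-Name is carried in clear."""
    authenticator = authenticator or os.urandom(16)
    hidden = radius_hide_password(password, secret, authenticator)
    attrs = (bytes([1, 2 + len(username)]) + username +
             bytes([2, 2 + len(hidden)]) + hidden)
    header = struct.pack("!BBH", 1, 0, 20 + len(attrs))
    return header + authenticator + attrs


# ---- TACACS+: the whole body after the 12-byte header is obfuscated -------

def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int,
                      length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1);
    concatenate and truncate to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the body with the pseudo_pad; XOR is its own inverse, so the
    receiving side calls the same function to recover the clear body."""
    return _xor(body, tacacs_pseudo_pad(session_id, key, version, seq_no, len(body)))


def tacacs_authen_start_body(user: bytes, password: bytes) -> bytes:
    """Authentication START body for a PAP login (RFC 8907 section 5.1):
    action=LOGIN(1) priv_lvl=1 authen_type=PAP(2) service=LOGIN(1),
    four length bytes, then user, port, rem_addr, data (the password)."""
    port, rem_addr = b"tty0", b"192.0.2.10"   # constructed values
    fixed = struct.pack("!BBBBBBBB", 1, 1, 2, 1,
                        len(user), len(port), len(rem_addr), len(password))
    return fixed + user + port + rem_addr + password


def compare(username: bytes = b"kevin", password: bytes = b"Passw0rd!",
            secret: bytes = b"Sup3rS3cr3t") -> tuple:
    """Returns (username visible in RADIUS packet, password visible in
    RADIUS packet, username visible in TACACS+ body, password visible in
    TACACS+ body). Fixed authenticator and session id keep it deterministic."""
    req = radius_access_request(username, password, secret, bytes(range(16)))
    body = tacacs_obfuscate(tacacs_authen_start_body(username, password),
                            0x1234ABCD, secret)
    return (username in req, password in req, username in body, password in body)
```

compare() returns (True, False, False, False): the RADIUS packet still carries the user name in clear while the TACACS+ body hides everything after the header. Both schemes are MD5-and-XOR keyed with the shared secret; RFC 8907 itself calls the TACACS+ one obfuscation rather than encryption, which is why carrying the AAA traffic over IPsec or a dedicated management network, as suggested above, is still worth doing.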
04-20-2023 09:02 AM
Hello @MHM Cisco World,
you're right, TACACS+ does not encrypt user passwords, but it does provide a secure method for transporting authentication and authorization information between network devices. Instead of sending the user password in clear text, TACACS+ uses a secure hash algorithm to create a one-way hash of the password that is sent to the AAA server for authentication. This hash value cannot be reversed to obtain the original password, which makes it more secure than sending the password in clear text.
04-20-2023 09:08 AM - edited 04-20-2023 10:18 AM
Yes, this is what makes me think: is the password sent hashed or in clear text?
As I read and as I know, the whole packet is hashed and this hash is attached to the packet.
Later, when one side receives the packet, it checks whether the hash matches or not.
So I think the password is sent in clear even with encrypted TACACS.
But I will make a deep dive and check this point and share an update here.
Thanks
MHM