Radius admin auth problems on a 3750

Answered Question

I have a 3750 on 12.2(25)SEE2. I have enabled Radius admin authentication to the switch, I want users to authenticate against the Radius server in order to gain access to the switch. The config I have is not allowing a person to gain enable access to the switch via Radius authentication in all connection situations:


I am able to Telnet to the switch remotely, and login to it using either Radius login or the local username - both take me to switch# prompt.


I am able to direct-connect to the switch via Console cable, and login to it using the Radius login but this does not take me to switch# prompt, it takes me to the limited switch> prompt. I have to type in the local username password in order to get enable mode. Or I can login directly to enable mode using the local username only.


I can connect to the switch via HTTP interface, but I can only login with the local username, I cannot login with the Radius login.


I can't figure out what I need to do in order to login via HTTP with the Radius login, or to get myself to enable mode directly when using a Console cable connection! Any advice? (Some config pieces below...)


username cisco privilege 15 secret xxx
!
aaa new-model
!
aaa group server radius RAD_AUTH_GRP
 server 10.0.0.2 auth-port 1812 acct-port 1813
 server 10.0.0.3 auth-port 1812 acct-port 1813
!
aaa group server radius RAD_ACCT_GRP
 server 10.0.0.2 auth-port 1812 acct-port 1813
 server 10.0.0.3 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login test line
aaa authentication login RAD_AUTH_METHOD local group RAD_AUTH_GRP
aaa authentication dot1x default group radius
aaa authorization exec default local group RAD_AUTH_GRP if-authenticated
aaa authorization exec RAD_AUTH_METHOD local group RAD_AUTH_GRP if-authenticated
aaa accounting delay-start
aaa accounting exec default start-stop group RAD_ACCT_GRP
aaa accounting exec RAD_AUTH_METHOD start-stop group RAD_ACCT_GRP
!
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key SSKEY
radius-server host 10.0.0.3 auth-port 1812 acct-port 1813 key SSKEY
radius-server source-ports 1645-1646
radius-server retransmit 2
radius-server timeout 10
radius-server deadtime 10
radius-server key SSKEY
!
line con 0
 login authentication RAD_AUTH_METHOD
line vty 0 4
 exec-timeout 15 0
 password cisco
 login authentication RAD_AUTH_METHOD
 transport preferred ssh
 transport input telnet ssh
 transport output telnet ssh
line vty 5 15

andrew.butterworth Tue, 11/06/2007 - 13:36

There are a few things here you need to add on. You should configure authentication for 'enable' as well


aaa authentication enable default group RAD_AUTH_GRP enable


This makes the IOS device send an authentication request to the Radius server for the user account '$enab15$' (you can add additional accounts for different privilege levels - '$enab10$' for Level 10 privilege etc.).


Alternatively you can add a Cisco AV Pair to your Radius server to make the user have Level 15 Privileges by default. Based on the existing configuration I assume you are using MS IAS. So in your Remote Access Policy in the Advanced Tab add the attribute 'Cisco-AV-Pair' and set the string to be 'shell:priv-lvl=15'. Again you could change the privilege level to 10 by setting the AV Pair to 'shell:priv-lvl=10' etc.


To allow HTTP access using Radius you need to add the line:


ip http authentication aaa


Bear in mind HTTP privilege level is 15 and can't be changed (I think?).


Lastly by default Console authorisation is disabled and the command to enable it is hidden (or at least it was, I think in 12.2(40)SE for the 3750 it is now visible).


aaa authorization console


HTH


Andy


Thanks Andy, that was just what I needed to know! The console Radius auth works now.


You are right about the HTTP privilege level, unfortunately even with that ip http auth aaa command, I can't login to HTTP via Radius authentication. Anyone know if that will ever be possible?


We are using Juniper's Steel Belted Radius server for aaa authentication (formerly Funk), which does allow me to return the basic Cisco priv levels for users. I wish I had the flexibility you do with ACS in terms of customizing a user's administrative abilities, but oh well.

andrew.butterworth Wed, 11/07/2007 - 10:37

I have HTTP Authentication working on a 3550 running 12.2(40)SE here, however the settings are slightly different from what I posted before... whoops.. I have:


ip http authentication aaa login-authentication default


So you should change the authentication list to what you have (ip http authentication aaa login-authentication RAD_AUTH_GRP).


I must admit though I never use the WEB interface on any of the switches (or routers). I think one of the first things on the security best practice list is to disable the HTTP/HTTPS server...


HTH


Andy

Thanks again, Andy. I don't have much time today to take a closer look, although I did quickly add this new config line. I can't authenticate yet via HTTP even after adding the line, but will look into it more closely tomorrow!


This was the output...


XTECH-TC000-A(config)#$hentication aaa login-authentication RAD_AUTH_GRP
Warning: Authentication list "RAD_AUTH_GRP" is not defined for LOGIN.

andrew.butterworth Wed, 11/07/2007 - 12:05

Sorry, after looking at your original configuration and what I have suggested you need to do a bit more editing...


Make it look like this and you should be fine:


username cisco privilege 15 secret 5 $1$SiPm$RuKLDG8EDPjea4jkkXOta0
!
aaa new-model
!
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key SSKEY
radius-server host 10.0.0.3 auth-port 1812 acct-port 1813 key SSKEY
!
aaa group server radius RAD_AUTH_GRP
 server 10.0.0.2 auth-port 1812 acct-port 1813
 server 10.0.0.3 auth-port 1812 acct-port 1813
!
aaa authentication login default group RAD_AUTH_GRP local
aaa authentication dot1x default group RAD_AUTH_GRP
aaa authorization console
aaa authorization exec default group RAD_AUTH_GRP if-authenticated
aaa authorization network default group RAD_AUTH_GRP
aaa accounting dot1x default start-stop group RAD_AUTH_GRP
aaa accounting exec default start-stop group RAD_AUTH_GRP
aaa accounting network default start-stop group RAD_AUTH_GRP
!
ip http authentication aaa login-authentication default
!
line con 0
 login authentication default
!
line vty 0 15
 exec-timeout 15 0
 login authentication default
 transport preferred ssh
 transport input telnet ssh
 transport output telnet ssh



I have removed the specific AAA list names (RAD_AUTH_...). You can add multiple list names but you appear to only be using one and the easiest is to just define the 'default' ones since they automatically get applied.


HTH


Andy

Very cool, I was able to get Radius admin auth to work via HTTP, console, and SSH! The only thing I can't do now is login with the local username... my group is thinking we will maintain a local username on the switches in case the link back to the Radius server goes down. The way I had it configured previously, I could login to the switch using all three methods with the local username (cisco in this case).


I've tried adding various command lines to the switch now that it has your configuration running, but whatever I do ends up kicking me out of HTTP, and preventing me from logging in again with the Radius auth!


Can I have it all, or am I now getting difficult? ;-)

Correct Answer
andrew.butterworth Wed, 11/07/2007 - 14:50

The local admin is only used when the Radius server is not reachable. It is used as a sort of 'fallback' option. When you create the aaa lists you specify your 1st, 2nd and even 3rd choices:


- i.e. aaa authentication login default group RAD_GROUP local line


They are tried in order. What happens is if any of the radius servers in the group you have defined called 'RAD_GROUP' are available they will be used. If all the radius servers in the group are down (i.e. the switch is disconnected from the network or you have shutdown the servers) then a local account configured on the device will be used, if no local accounts are configured then it will use the line password.

Generally you would only need two choices - i.e. Radius & Local. The local accounts will only ever be used when the Radius servers are not available so there is no 'local override' if the Radius servers are reachable.


I think in earlier IOS releases there was an option to specify a local-override option when you created the aaa lists. I haven't seen this in IOS since about 12.0 though, with good reason I think. Why would you want a local override?


Andy
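To make the "tried in order" rule above concrete, here is an added Python model of how IOS walks a method list; it is an illustration written for this page, not Cisco code and not from the thread. Each method answers PASS, FAIL or ERROR; only ERROR (no reachable server, or no local username configured) moves IOS on to the next method, so a reachable Radius server that rejects the local 'cisco' account ends the attempt instead of falling back to the local database. The user names and passwords are constructed sample data.

```python
"""Added model of an IOS AAA method-list walk (illustrative, not Cisco code).
A method returns PASS, FAIL or ERROR; IOS consults the next method only on ERROR,
so a FAIL (Access-Reject) from a reachable RADIUS group is final."""
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed sample data standing in for the RADIUS user store and 'username' lines.
RADIUS_USERS = {"andy": "radius-pw"}
LOCAL_USERS = {"cisco": "xxx"}

def radius_group(users, reachable=True):
    """Method for 'group RAD_GROUP': dead servers yield ERROR, a reject yields FAIL."""
    def method(user, pw):
        if not reachable:
            return ERROR
        return PASS if users.get(user) == pw else FAIL
    return method

def local_db(users):
    """Method for 'local': with no username configured IOS returns ERROR, not FAIL."""
    def method(user, pw):
        if not users:
            return ERROR
        return PASS if users.get(user) == pw else FAIL
    return method

def line_password(secret):
    """Method for 'line': only the line password is checked; the username is ignored."""
    def method(user, pw):
        return PASS if pw == secret else FAIL
    return method

def authenticate(method_list, user, pw):
    """Walk the list like 'aaa authentication login default group X local line'.
    Returns (result, name of the deciding method), or (FAIL, None) if all errored."""
    for name, method in method_list:
        result = method(user, pw)
        if result != ERROR:
            return result, name
    return FAIL, None

def default_list(radius_reachable, local_users=LOCAL_USERS):
    """The three-method list from the answer; 'cisco' is the line password in the thread."""
    return [("group RAD_GROUP", radius_group(RADIUS_USERS, radius_reachable)),
            ("local", local_db(local_users)),
            ("line", line_password("cisco"))]
```

With the Radius group reachable, `cisco`/`xxx` is rejected by Radius and never reaches the local database; only when every Radius server is down does the local account (and, failing that, the line password) get a say.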
