Secure Telnet Access To Switches & Routers With RSA RADIUS

lewisdarrel
Level 1

Hello,

I am trying to setup RSA RADIUS to authenticate support staff accessing Cisco Switches and Routers by telnet.

Does anybody have any experience of this RADIUS server and any pointers please?

The system is set up and the RADIUS clients have also been set up using a standard dictionary, but I can't authenticate; I just get Access Denied from the router when logging in.

I am not sure if I need to configure specific responses in the profiles section on the RADIUS server.

I would appreciate any assistance or pointers.

Thanks in advance.

4 Replies

Richard Burts
Hall of Fame

Darrel

I have some experience using the RSA Radius server to authenticate users (though since a different team support the server I do not have much specific insight into the server configuration). I am not clear from your post whether the problem is something in the configuration of the server, something in the configuration of your routers and switches, or something in the communication between them. Based on my experience I would suggest that these are things that you might check:

- are the requests getting from the routers and switches to the server? Can you check the server logs and see if there is any sign that the server is receiving the requests?

- if the server is receiving the requests does it think that it authenticated or denied the request?

- if the server denied the request is there an indication of why the server denied the request?

- can you verify that there is correct IP connectivity from the routers and switches to the server?

- you might check for the possibility of firewalls or packet filters (access lists) that are not allowing the requests or not allowing the responses?

- you might check that the address that the router or switch is using as the source of the request is the address that the server is configured to use for that client. (it is frequently helpful to specify the source address for Radius requests on the routers and switches)

- you might check that the routers and switches have correct configuration of the server.

- you might check to verify that the aaa configuration of the routers and switches is correct.

If you look at these and still do not identify the problem then it might be helpful if you would run debug radius authentication and post the output.

HTH

Rick


This is how it normally works in the real world.

1- install RSA SecurID on host_A,

2- install Cisco ACS on host_B,

3- install RSA Agent host on host_B,

4- configure ACS to use RSA SecurID as external database authentication,

5- configure Cisco router and switch for AAA TACACS+ authentication,

6- configure ACS to include Cisco router and switches.

Here is an example output when everything is working. You can even change the password too, if you like:

[root@dca2-LinuxES root]# telnet 192.168.0.5
Trying 192.168.0.5...
Connected to 192.168.0.5 (192.168.0.5).
Escape character is '^]'.
C
*****************
User Access Verification
Username: test2
Enter PASSCODE:
Enter your new Numerical PIN, containing 4 to 8 digits
or
"x" to cancel the new PIN procedure:
Reenter PIN:
C2960>en
Password:
C2960#exit
Connection closed by foreign host.
[root@dca2-LinuxES root]#

Looks easy, right?

CCIE Security

Hi Rick,

Thanks for your reply.

I have managed to get telnet authentication working now from Cisco devices through the Radius system, but still don't seem to be able to get exec level authorization to work.

The Radius server is Steelbelt which comes with the RSA authentication manager product.

I have tried all sorts of different configurations but no joy yet.

Lewis,

configure the following setting on Steel belted Radius server:

AAA command on NAS would be:

aaa author exec default group radius none

And radius server config, configure "Radius IETF attribute":

[006] Service-Type= "Administrative"

Cisco-AV Pair = "shell:priv-lvl=15;"

Please do configure the Radius IETF Attribute, and in that you need to configure Service-Type = Administrative.

Regards,

~JG

Do rate helpful posts
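To make the two replies above concrete, here is an added example (not code from this thread, Cisco, or RSA) that models the RADIUS exchange between a Cisco NAS and the RADIUS server per RFC 2865: the NAS hides the passcode in User-Password using the shared secret, the server recovers it and answers Access-Accept or Access-Reject, and the NAS verifies the Response Authenticator before reading Service-Type and the cisco-avpair "shell:priv-lvl=15;" that JG's profile returns. It covers Rick's checklist (a shared-secret mismatch makes the NAS silently discard the server's answer rather than receive a reject) and JG's attributes (what the NAS extracts when `aaa authorization exec default group radius none` is configured). The shared secrets, the user "test2", its passcode, and the in-memory user store standing in for RSA Authentication Manager are all constructed assumptions.

```python
"""RADIUS Access-Request/Accept/Reject modelled after RFC 2865 (added example, not vendor code)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE, ATTR_VSA = 1, 2, 6, 26
SERVICE_TYPE_ADMINISTRATIVE = 6          # IETF [006] Service-Type = Administrative
VENDOR_CISCO, CISCO_AVPAIR = 9, 1        # Vendor-Specific: Cisco, sub-attribute cisco-avpair


def attr(atype, value):
    """One TLV: type, total length (2-byte header included), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def service_type_attr(value):
    return attr(ATTR_SERVICE_TYPE, struct.pack("!I", value))


def cisco_avpair(text):
    """Vendor-Specific (26) wrapping vendor id 9 and sub-attribute 1 (cisco-avpair)."""
    return attr(ATTR_VSA, struct.pack("!I", VENDOR_CISCO) + attr(CISCO_AVPAIR, text.encode()))


def parse_attrs(data):
    """Yield (type, value) pairs; a length below 2 would loop forever, so reject it."""
    i = 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        yield atype, data[i + 2:i + alen]
        i += alen


def xor_password(data, secret, request_auth, chain_on_output):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block).
    Hiding chains on the hidden block it just produced; revealing chains on the input block."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if chain_on_output else block
    return out


def hide_password(password, secret, request_auth):
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)                 # pad to a multiple of 16 octets
    return xor_password(pw, secret, request_auth, chain_on_output=True)


def reveal_password(hidden, secret, request_auth):
    return xor_password(hidden, secret, request_auth, chain_on_output=False).rstrip(b"\x00")


def build_request(ident, username, password, secret, request_auth):
    attrs = attr(ATTR_USER_NAME, username.encode())
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def server_handle(request, secret, users, grant_attrs):
    """Server side: recover the passcode with its own copy of the secret, then Accept or Reject."""
    ident, request_auth = request[1], request[4:20]
    fields = dict(parse_attrs(request[20:]))
    user = fields.get(ATTR_USER_NAME, b"").decode()
    passcode = reveal_password(fields.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    if users.get(user) == passcode:
        return build_response(ACCESS_ACCEPT, ident, request_auth, grant_attrs, secret)
    return build_response(ACCESS_REJECT, ident, request_auth, b"", secret)


def nas_interpret(response, request_auth, secret):
    """NAS side: verify the Response Authenticator first, then read what was granted."""
    length = struct.unpack("!H", response[2:4])[0]
    attrs_raw = response[20:length]
    expected = hashlib.md5(response[:4] + request_auth + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return {"result": "dropped", "reason": "Response Authenticator mismatch (shared secret?)"}
    if response[0] == ACCESS_REJECT:
        return {"result": "reject"}
    verdict = {"result": "accept", "service_type": None, "priv_lvl": None}
    for atype, val in parse_attrs(attrs_raw):
        if atype == ATTR_SERVICE_TYPE:
            verdict["service_type"] = struct.unpack("!I", val)[0]
        elif atype == ATTR_VSA and struct.unpack("!I", val[:4])[0] == VENDOR_CISCO:
            for vtype, vval in parse_attrs(val[4:]):
                text = vval.decode()
                if vtype == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
                    verdict["priv_lvl"] = int(text.split("=", 1)[1].rstrip(";"))
    return verdict


# The profile JG describes: Service-Type Administrative plus shell:priv-lvl=15.
ADMIN_PRIV15 = service_type_attr(SERVICE_TYPE_ADMINISTRATIVE) + cisco_avpair("shell:priv-lvl=15;")
# Constructed user store standing in for RSA Authentication Manager (passcode = PIN + tokencode).
USERS = {"test2": b"1234567890"}


def simulate_login(nas_secret, server_secret, passcode, grant_attrs=ADMIN_PRIV15, request_auth=None):
    """Run one login with separate NAS-side and server-side secrets and return the NAS verdict."""
    request_auth = request_auth or os.urandom(16)
    req = build_request(0x2A, "test2", passcode, nas_secret, request_auth)
    resp = server_handle(req, server_secret, USERS, grant_attrs)
    return nas_interpret(resp, request_auth, nas_secret)


if __name__ == "__main__":
    print(simulate_login(b"s3cret", b"s3cret", "1234567890"))                  # accept, priv 15
    print(simulate_login(b"s3cret", b"s3cret", "0000000000"))                  # reject
    print(simulate_login(b"s3cret", b"wr0ng", "1234567890"))                   # dropped
    print(simulate_login(b"s3cret", b"s3cret", "1234567890", grant_attrs=b""))  # accept, no priv-lvl
```

Two of the four runs are the cases worth recognising in `debug radius authentication`: with mismatched secrets the server's answer fails the authenticator check and the NAS treats it as no answer at all (the method list then falls through, here to `none`), whereas an Access-Accept with no Service-Type or priv-lvl attribute logs the user in at privilege 1 and still requires `enable`, which is what the missing exec authorization looked like in Lewis's second post.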
