[ACS 5.2] Switch administration using SSH

Patrick Tran (Level 1)

Hi,

I want to use LDAP accounts to administrate switches.

It works fine when I use telnet.

I just need to push RADIUS attribute Login-Service (ID 15) with Telnet value (ID 0)

Now, I want to use SSH (for security reasons).

RADIUS has to push RADIUS attribute Login-Service (ID 15) with SSH value (ID 50).

(For example with Steel-belt RADIUS http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&taskId=110&prodSeriesId=4174801&prodTypeId=12883&objectID=c02602225 )

SSH value doesn't exist in RADIUS IETF dictionary for Login-Service attribute.

I can't create SSH value because this dictionary is protected...

Is there a workaround?

Thanks,

Patrick

Accepted Solutions

camejia (Level 3)

Hello Patrick,

The ACS 5.x will not allow us to edit/remove/add Attribute Values to the RADIUS IETF dictionary as it is standard and reserved.

If you check the RADIUS RFC at http://www.ietf.org/rfc/rfc2865.txt under the Login-Service description, the SSH service is not listed there:

5.15.  Login-Service

   Value

      The Value field is four octets.

       0   Telnet
       1   Rlogin
       2   TCP Clear
       3   PortMaster (proprietary)
       4   LAT
       5   X25-PAD
       6   X25-T3POS
       8   TCP Clear Quiet (suppresses any NAS-generated connect string)

The Access Control System 5.x will not allow us to modify such dictionaries as RADIUS IETF in order to comply with the documented standards.

The best approach at this point would be to contact the switch vendor in order to determine how to enable SSH on those devices.

Hope this helps. Regards.
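To make the point in the question and in this answer concrete, here is an added Python example (not code from the thread, from ACS, or from any RADIUS vendor) that encodes and decodes the Login-Service attribute exactly as RFC 2865 lays it out: Type 15, Length 6, a four-octet value in network byte order. It carries the value table quoted above and reports any value that is not in that table, so a defender auditing an Access-Accept can see that 50 (the SSH value the question says Steel-Belted RADIUS uses) is a non-IETF value rather than a standard one. The sample attribute lists are constructed here; the Service-Type = Administrative-User attribute in them is just a realistic neighbour, not anything the thread mentions.

```python
import struct

LOGIN_SERVICE_TYPE = 15  # RFC 2865 attribute type for Login-Service
SERVICE_TYPE_TYPE = 6    # RFC 2865 attribute type for Service-Type

# Values from RFC 2865 section 5.15 (the list quoted in the answer above).
# Note that 7 is not assigned there and SSH does not appear at all.
IETF_LOGIN_SERVICE_VALUES = {
    0: "Telnet",
    1: "Rlogin",
    2: "TCP Clear",
    3: "PortMaster (proprietary)",
    4: "LAT",
    5: "X25-PAD",
    6: "X25-T3POS",
    8: "TCP Clear Quiet",
}


def encode_login_service(value):
    """Build a Login-Service AVP: Type (1 octet), Length (1 octet, always 6), Value (4 octets)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("Login-Service value must fit in four octets")
    return struct.pack("!BBI", LOGIN_SERVICE_TYPE, 6, value)


def decode_attributes(payload):
    """Walk a RADIUS attribute list (the bytes after the 20-octet packet header).

    Returns a list of (type, value_bytes). Malformed lengths are rejected rather
    than silently skipped, which is the behaviour a parser on the NAS side needs.
    """
    attrs = []
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated attribute header at offset %d" % offset)
        attr_type, length = payload[offset], payload[offset + 1]
        if length < 2 or offset + length > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (length, offset))
        attrs.append((attr_type, payload[offset + 2:offset + length]))
        offset += length
    return attrs


def describe_login_service(value_bytes):
    """Return (value, name, is_ietf). Values outside RFC 2865 are reported, never guessed."""
    if len(value_bytes) != 4:
        raise ValueError("Login-Service value must be exactly four octets")
    value = struct.unpack("!I", value_bytes)[0]
    name = IETF_LOGIN_SERVICE_VALUES.get(value)
    return value, (name if name is not None else "undefined in RFC 2865"), name is not None


def audit(payload):
    """Summarise every Login-Service attribute in an attribute list."""
    return [describe_login_service(v)
            for t, v in decode_attributes(payload) if t == LOGIN_SERVICE_TYPE]


# Constructed samples: Service-Type = Administrative-User (6) followed by Login-Service.
SAMPLE_TELNET = struct.pack("!BBI", SERVICE_TYPE_TYPE, 6, 6) + encode_login_service(0)
SAMPLE_SSH_50 = struct.pack("!BBI", SERVICE_TYPE_TYPE, 6, 6) + encode_login_service(50)

if __name__ == "__main__":
    for label, payload in (("telnet", SAMPLE_TELNET), ("ssh-50", SAMPLE_SSH_50)):
        for value, name, is_ietf in audit(payload):
            flag = "" if is_ietf else " [non-IETF value]"
            print("%s: Login-Service=%d (%s)%s" % (label, value, name, flag))
```

Running it prints the Telnet sample as a standard value and the 50 sample as undefined in RFC 2865. That is the same distinction ACS 5.x enforces by refusing edits to the IETF dictionary: the wire format will happily carry 50, but nothing in the standard says what a NAS should do with it, so whether it means SSH depends entirely on the switch's own dictionary.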

Replies

Hello Carlos,

Thanks for your answer!

I will contact the switch vendor, but I don't think they have other solutions.

Other RADIUS solutions allow us to modify RADIUS IETF dictionaries.

Best regards,

Patrick
