Cisco Support Community
New Member

Secure Telnet Access To Switches & Routers With RSA RADIUS

Hello,

I am trying to setup RSA RADIUS to authenticate support staff accessing Cisco Switches and Routers by telnet.

Does anybody have any experience of this RADIUS server and any pointers please?

The system is set up and the RADIUS clients have also been set up using a standard dictionary, but I can't authenticate; I just get Access Denied from the router when logging in.

I am not sure if I need to configure specific responses in the profiles section on the RADIUS server.

I would appreciate any assistance or pointers.

Thanks in advance.

4 REPLIES
Hall of Fame Super Silver

Re: Secure Telnet Access To Switches & Routers With RSA RADIUS

Darrel

I have some experience using the RSA Radius server to authenticate users (though since a different team supports the server I do not have much specific insight into the server configuration). I am not clear from your post whether the problem is something in the configuration of the server, something in the configuration of your routers and switches, or something in the communication between them. Based on my experience I would suggest that these are things that you might check:

- are the requests getting from the routers and switches to the server? Can you check the server logs and see if there is any sign that the server is receiving the requests?

- if the server is receiving the requests does it think that it authenticated or denied the request?

- if the server denied the request is there an indication of why the server denied the request?

- can you verify that there is correct IP connectivity from the routers and switches to the server?

- you might check for the possibility of firewalls or packet filters (access lists) that are not allowing the requests or not allowing the responses?

- you might check that the address that the router or switch is using as the source of the request is the address that the server is configured to use for that client. (it is frequently helpful to specify the source address for Radius requests on the routers and switches)

- you might check that the routers and switches have correct configuration of the server.

- you might check to verify that the aaa configuration of the routers and switches is correct.

If you look at these and still do not identify the problem then it might be helpful if you would run debug radius authentication and post the output.

HTH

Rick

Silver

Re: Secure Telnet Access To Switches & Routers With RSA RADIUS

This is how it normally works in the real world.

1- install RSA SecurID on host_A,
2- install Cisco ACS on host_B,
3- install RSA Agent host on host_B,
4- configure ACS to use RSA SecurID as external database authentication,
5- configure Cisco router and switch for AAA TACACS+ authentication,
6- configure ACS to include Cisco router and switches.

Here is an example output when everything is working. You can even change the password too, if you like:

[root@dca2-LinuxES root]# telnet 192.168.0.5
Trying 192.168.0.5...
Connected to 192.168.0.5 (192.168.0.5).
Escape character is '^]'.
C
*****************
User Access Verification
Username: test2
Enter PASSCODE:
Enter your new Numerical PIN, containing 4 to 8 digits
or
"x" to cancel the new PIN procedure:
Reenter PIN:
C2960>en
Password:
C2960#exit
Connection closed by foreign host.
[root@dca2-LinuxES root]#

Looks easy, right?

CCIE Security

New Member

Re: Secure Telnet Access To Switches & Routers With RSA RADIUS

Hi Rick,

Thanks for your reply.

I have managed to get telnet authentication working now from Cisco devices through the Radius system, but still don't seem to be able to get exec level authorization to work.

The Radius server is Steel-Belted, which comes with the RSA Authentication Manager product.

I have tried all sorts of different configurations but no joy yet.

Re: Secure Telnet Access To Switches & Routers With RSA RADIUS

Lewis,

Configure the following settings on the Steel-Belted Radius server.

The AAA command on the NAS would be:

aaa authorization exec default group radius none

And in the Radius server config, configure the "Radius IETF attribute":

[006] Service-Type = "Administrative"

Cisco-AV Pair = "shell:priv-lvl=15;"

Please do configure the Radius IETF Attribute, and in that you need to configure Service-Type = Administrative.

Regards,

~JG

Do rate helpful posts
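As an added illustration, not taken from the thread or from any of the products mentioned: the two attributes recommended in the last reply, encoded the way they travel in a RADIUS Access-Accept (RFC 2865 TLVs, with cisco-avpair inside a Cisco Vendor-Specific attribute), plus a decoder that shows which privilege level a NAS would derive from them. The precedence rules in exec_priv_level (an explicit shell:priv-lvl wins, Service-Type Administrative alone means level 15, anything else means no exec authorization) are an assumed simplification of IOS behaviour, useful for checking a packet capture against what the server was meant to send.

```python
import struct

# RFC 2865 attribute types / values used in the reply's recommended configuration
SERVICE_TYPE = 6           # "[006] Service-Type"
ADMINISTRATIVE_USER = 6    # Service-Type value "Administrative"
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1           # vendor-type of cisco-avpair inside the Cisco VSA

def encode_attr(atype, value):
    """RADIUS attribute TLV: Type(1) Length(1, includes the header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(text):
    """Vendor-Specific(26) carrying Cisco (vendor 9) cisco-avpair (vendor-type 1)."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def exec_authz_attrs(priv_lvl=15):
    """Attribute block the reply says the server must return for exec authorization."""
    return (encode_attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE_USER))
            + cisco_avpair(f"shell:priv-lvl={priv_lvl};"))

def decode_attrs(data):
    """Walk the attribute block; reject truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        atype, alen = struct.unpack("!BB", data[i:i + 2])
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def exec_priv_level(data):
    """Privilege level a NAS would grant (assumed IOS-style rules: an explicit
    shell:priv-lvl wins, Service-Type Administrative alone means 15, else None)."""
    level = None
    for atype, val in decode_attrs(data):
        if atype == SERVICE_TYPE and struct.unpack("!I", val)[0] == ADMINISTRATIVE_USER:
            level = level if level is not None else 15
        elif atype == VENDOR_SPECIFIC and struct.unpack("!I", val[:4])[0] == CISCO_VENDOR_ID:
            vtype, vlen = struct.unpack("!BB", val[4:6])
            text = val[6:4 + vlen].decode()
            if vtype == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
                level = int(text[len("shell:priv-lvl="):].rstrip(";"))
    return level
```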
