Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

SSH & RADIUS Authentication

Hi all,

I need some advice on the authentication of my switches.

I have a network set up where every switch uses telnet only for the transport input method. I need this to change to SSHv2 only.

I also have a RADIUS server backing off to Active Directory that I can use for AAA authentication against users of the switches.

Once I use SSH to login, I am in User EXEC mode. I would like to use RADIUS authentication to authenticate users to enter Privileged EXEC mode.

Is this possible to do?

I have been working on this for a while, now I have got to the point where I have to give in and ask for help.

Thank you.

Everyone's tags (4)
7 REPLIES

SSH & RADIUS Authentication

Hi Simon,

Are you using AAA authentication with ACS?

New Member

SSH & RADIUS Authentication

Hi Javier!

No unfortunately I don't have ACS at my disposal; I have only a RADUIS server. I currently have some Wireless LAN Controllers authenticating clients on RADIUS and I was told that it can authenticate users going into Privileged EXEC (Enable) on a switch too. I have tired configuring this many times however I can't seem to get it to work.

New Member

SSH & RADIUS Authentication

Hi Simon,

ACS use TACACS+ for authentication but we have ISE now, which doesn't support TACACS+ instead it use RADIUS to authenticate switches/users.

You can integrate your AD with ISE and then with the proper configuration on switches and ISE, we can restrict user to go to Enable mode.

Regards,
Gurpreet S Puri

****************************
Keep Smiling, Peace :)
****************************

(Please Rate Helpful Post)

Regards, Gurpreet S Puri **************************** Keep Smiling, Peace :) **************************** (Please Rate Helpful Post)

Re: SSH & RADIUS Authentication

@Gurpreet Puri

That's true, but I think Simon does not have an ISE neither.

Simon, are you using NPS, IAS or any other vendor?

If so, we would need to check the vendor's documentation to see how to send the privilege level 15 to the SW.

You can check this one:

Cisco Privilege Level Access with Radius and NPS Server

Also:

How-to : Integrating Cisco devices CLI access with Microsoft NPS/RADIUS

HTH.

New Member

SSH & RADIUS Authentication

Hi all,

Thanks for your feedback. I have Cisco ISE being deployed within the next couple of months so hopefully that will help to solve this problem. I'll wait until then to start configuring it.

Thank you for your replies, this has been very helpful.

Simon

SSH & RADIUS Authentication

You welcome.

Please rate any helpful posts.

New Member

SSH & RADIUS Authentication

From security perspective, I would still recommend applying an ACL to the VTY lines to prevent DoS on the network device. You can go beyond that and apply control plane policing.

1. The VTY access-list needs to add to all VTY lines (e.g. 0 ~ 15 on a Cisco 3K) to be effective.

2. On a 3560X running IOS 15.0(1)SE3, I added the following line before the SSH client IP address showing up as calling-station-id in RADIUS access requests:

radius-server attribute 31 send nas-port-detail

1026
Views
15
Helpful
7
Replies
CreatePlease to create content