11-06-2007 12:32 PM - edited 03-03-2019 05:42 AM
I have a 3750 on 12.2(25)SEE2. I have enabled Radius admin authentication to the switch, I want users to authenticate against the Radius server in order to gain access to the switch. The config I have is not allowing a person to gain enable access to the switch via Radius authentication in all connection situations:
I am able to Telnet to the switch remotely, and login to it using either Radius login or the local username - both take me to switch# prompt.
I am able to direct-connect to the switch via Console cable, and login to it using the Radius login but this does not take me to switch# prompt, it takes me to the limited switch> prompt. I have to type in the local username password in order to get enable mode. Or I can login directly to enable mode using the local username only.
I can connect to the switch via HTTP interface, but I can only login with the local username, I cannot login with the Radius login.
I can't figure out what I need to do in order to login via HTTP with the Radius login, or to get myself to enable mode directly when using a Console cable connection! Any advice? (Some config pieces below...)
username cisco privilege 15 secret xxx
aaa new-model
aaa group server radius RAD_AUTH_GRP
 server 10.0.0.2 auth-port 1812 acct-port 1813
 server 10.0.0.3 auth-port 1812 acct-port 1813
!
aaa group server radius RAD_ACCT_GRP
 server 10.0.0.2 auth-port 1812 acct-port 1813
 server 10.0.0.3 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login test line
aaa authentication login RAD_AUTH_METHOD local group RAD_AUTH_GRP
aaa authentication dot1x default group radius
aaa authorization exec default local group RAD_AUTH_GRP if-authenticated
aaa authorization exec RAD_AUTH_METHOD local group RAD_AUTH_GRP if-authenticated
aaa accounting delay-start
aaa accounting exec default start-stop group RAD_ACCT_GRP
aaa accounting exec RAD_AUTH_METHOD start-stop group RAD_ACCT_GRP
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key SSKEY
radius-server host 10.0.0.3 auth-port 1812 acct-port 1813 key SSKEY
radius-server source-ports 1645-1646
radius-server retransmit 2
radius-server timeout 10
radius-server deadtime 10
radius-server key SSKEY
line con 0
 login authentication RAD_AUTH_METHOD
line vty 0 4
 exec-timeout 15 0
 password cisco
 login authentication RAD_AUTH_METHOD
 transport preferred ssh
 transport input telnet ssh
 transport output telnet ssh
line vty 5 15
11-06-2007 01:36 PM
There are a few things here you need to add on. You should configure authentication for 'enable' as well
aaa authentication enable default group RAD_AUTH_GRP enable
This makes the IOS device send an authentication request to the Radius server for the user account '$enab15$' (you can add additional accounts for different privilege levels: '$enab10$' for Level 10 privilege, etc.).
Alternatively you can add a Cisco AV Pair to your Radius server to make the user have Level 15 Privileges by default. Based on the existing configuration I assume you are using MS IAS. So in your Remote Access Policy in the Advanced Tab add the attribute 'Cisco-AV-Pair' and set the string to be 'shell:priv-lvl=15'. Again you could change the privilege level to 10 by setting the AV Pair to 'shell:priv-lvl=10', etc.
To allow HTTP access using Radius you need to add the line:
ip http authentication aaa
Bear in mind HTTP privilege level is 15 and can't be changed (I think?).
Lastly by default Console authorisation is disabled and the command to enable it is hidden (or at least it was, I think in 12.2(40)SE for the 3750 it is now visible).
aaa authorization console
HTH
Andy
11-07-2007 10:34 AM
Thanks Andy, that was just what I needed to know! The console Radius auth works now.
You are right about the HTTP privilege level, unfortunately even with that ip http auth aaa command, I can't login to HTTP via Radius authentication. Anyone know if that will ever be possible?
We are using Juniper's Steel Belted Radius server for aaa authentication (formerly Funk), which does allow me to return the basic Cisco priv levels for users. I wish I had the flexibility you do with ACS in terms of customizing a user's administrative abilities, but oh well.
11-07-2007 10:37 AM
I have HTTP Authentication working on a 3550 running 12.2(40)SE here, however the settings are slightly different from what I posted before... whoops. I have:
ip http authentication aaa login-authentication default
So you should change the authentication list to what you have (ip http authentication aaa login-authentication RAD_AUTH_GRP).
I must admit though I never use the WEB interface on any of the switches (or routers). I think one of the first things on the security best practice list is to disable the HTTP/HTTPS server...
HTH
Andy
11-07-2007 11:19 AM
Thanks again, Andy. I don't have much time today to take a closer look, although I did quickly add this new config line. I can't authenticate yet via HTTP even after adding the line, but will look into it more closely tomorrow!
This was the output...
XTECH-TC000-A(config)#$hentication aaa login-authentication RAD_AUTH_GRP
Warning: Authentication list "RAD_AUTH_GRP" is not defined for LOGIN.
11-07-2007 12:05 PM
Sorry, after looking at your original configuration and what I have suggested you need to do a bit more editing...
Make it look like this and you should be fine:
username cisco privilege 15 secret 5 $1$SiPm$RuKLDG8EDPjea4jkkXOta0
!
aaa new-model
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key SSKEY
radius-server host 10.0.0.3 auth-port 1812 acct-port 1813 key SSKEY
!
aaa group server radius RAD_AUTH_GRP
 server 10.0.0.2 auth-port 1812 acct-port 1813
 server 10.0.0.3 auth-port 1812 acct-port 1813
!
aaa authentication login default group RAD_AUTH_GRP local
aaa authentication dot1x default group RAD_AUTH_GRP
aaa authorization console
aaa authorization exec default group RAD_AUTH_GRP if-authenticated
aaa authorization network default group RAD_AUTH_GRP
aaa accounting dot1x default start-stop group RAD_AUTH_GRP
aaa accounting exec default start-stop group RAD_AUTH_GRP
aaa accounting network default start-stop group RAD_AUTH_GRP
!
ip http authentication aaa login-authentication default
!
line con 0
 login authentication default
!
line vty 0 15
 exec-timeout 15 0
 login authentication default
 transport preferred ssh
 transport input telnet ssh
 transport output telnet ssh
I have removed the specific AAA list names (RAD_AUTH_...). You can add multiple list names but you appear to only be using one and the easiest is to just define the 'default' ones since they automatically get applied.
HTH
Andy
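The checks Andy walked through in this thread (a method list that puts local before the RADIUS group, no 'aaa authorization console', HTTP not using AAA, and a line or the HTTP server naming a login list that was never defined, which is what produced the "not defined for LOGIN" warning) can be run mechanically against a saved running-config. The script below is an added example written for this page, not code from the thread or from Cisco; it parses IOS config text with a small keyword-based parser (it copes with the lost indentation seen above) and reports each problem as a (code, subject) pair. The two embedded configs are trimmed to the AAA-relevant lines of the original poster's config and of Andy's corrected one.

```python
"""Static audit of Cisco IOS AAA admin-access configuration.

Added example (not from the thread or from Cisco): parses running-config
text and flags the ordering and coverage problems discussed in the thread.
"""
from dataclasses import dataclass, field
from typing import Optional

# Sub-commands that belong to a 'line ...' stanza even when indentation was lost
LINE_SUBCOMMANDS = ("login ", "exec-timeout", "password ", "transport ", "privilege ")

@dataclass
class AaaConfig:
    lists: dict = field(default_factory=dict)        # "login NAME"/"exec NAME" -> methods
    line_login: dict = field(default_factory=dict)   # "con 0" -> login list name or None
    http_auth: Optional[list] = None                 # tokens after 'ip http authentication'
    authz_console: bool = False

def parse_methods(tokens):
    """Fold 'group NAME' into a single method token so ordering checks stay simple."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def parse_config(text):
    cfg, current_line = AaaConfig(), None
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s == "!":
            continue
        t = s.split()
        if t[0] == "line":
            current_line = " ".join(t[1:])
            cfg.line_login.setdefault(current_line, None)
            continue
        if current_line is not None and s.startswith(LINE_SUBCOMMANDS):
            if t[:2] == ["login", "authentication"] and len(t) > 2:
                cfg.line_login[current_line] = t[2]
            continue
        current_line = None  # back in global configuration mode
        if t[:3] == ["aaa", "authentication", "login"] and len(t) > 4:
            cfg.lists["login " + t[3]] = parse_methods(t[4:])
        elif t[:3] == ["aaa", "authorization", "exec"] and len(t) > 4:
            cfg.lists["exec " + t[3]] = parse_methods(t[4:])
        elif t[:3] == ["aaa", "authorization", "console"]:
            cfg.authz_console = True
        elif t[:3] == ["ip", "http", "authentication"]:
            cfg.http_auth = t[3:]
    return cfg

def audit(cfg):
    """Return (code, subject) findings; an empty list means every check passed."""
    findings = []
    for name, methods in cfg.lists.items():
        groups = [i for i, m in enumerate(methods) if m.startswith("group ")]
        if not groups:
            findings.append(("no-group", name))            # RADIUS never consulted
        elif "local" in methods and methods.index("local") < groups[0]:
            findings.append(("local-before-group", name))  # local is not a fallback here
    if not cfg.authz_console:
        findings.append(("no-authz-console", "line con 0"))
    if not cfg.http_auth or cfg.http_auth[0] != "aaa":
        findings.append(("no-http-aaa", "ip http authentication"))
    elif "login-authentication" in cfg.http_auth:
        idx = cfg.http_auth.index("login-authentication") + 1
        lst = cfg.http_auth[idx] if idx < len(cfg.http_auth) else ""
        if lst != "default" and "login " + lst not in cfg.lists:
            findings.append(("undefined-list", "http " + lst))
    for line, lst in cfg.line_login.items():
        if lst and lst != "default" and "login " + lst not in cfg.lists:
            findings.append(("undefined-list", "line " + line))
    return findings

# AAA-relevant lines of the original poster's configuration (trimmed from the thread)
ORIGINAL_CONFIG = """\
aaa authentication login default local
aaa authentication login test line
aaa authentication login RAD_AUTH_METHOD local group RAD_AUTH_GRP
aaa authorization exec default local group RAD_AUTH_GRP if-authenticated
aaa authorization exec RAD_AUTH_METHOD local group RAD_AUTH_GRP if-authenticated
line con 0
 login authentication RAD_AUTH_METHOD
line vty 0 4
 password cisco
 login authentication RAD_AUTH_METHOD
"""

# AAA-relevant lines of Andy's corrected configuration (trimmed from the thread)
CORRECTED_CONFIG = """\
aaa authentication login default group RAD_AUTH_GRP local
aaa authorization console
aaa authorization exec default group RAD_AUTH_GRP if-authenticated
ip http authentication aaa login-authentication default
line con 0
 login authentication default
line vty 0 15
 login authentication default
"""

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, audit(parse_config(text)) or "no findings")
```

Running it on the original config yields seven findings (the three lists with local first, the two login lists with no RADIUS group, the missing console authorization, and HTTP not using AAA); the corrected config yields none. Swapping the HTTP line's list name for the group name, as in the intermediate attempt, reproduces the undefined-list finding that the switch reported as a LOGIN warning.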
11-07-2007 02:24 PM
Very cool, I was able to get Radius admin auth to work via HTTP, console, and SSH! The only thing I can't do now is login with the local username... my group is thinking we will maintain a local username on the switches in case the link back to the Radius server goes down. The way I had it configured previously, I could login to the switch using all three methods with the local username (cisco in this case).
I've tried adding various command lines to the switch now that it has your configuration running, but whatever I do ends up kicking me out of HTTP, and preventing me from logging in again with the Radius auth!
Can I have it all, or am I now getting difficult? ;-)
11-07-2007 02:50 PM
The local admin is only used when the Radius server is not reachable. It is used as a sort of 'fallback' option. When you create the aaa lists you specify your 1st, 2nd and even 3rd choices:
- i.e. aaa authentication login default group RAD_GROUP local line
They are tried in order. What happens is if any of the radius servers in the group you have defined called 'RAD_GROUP' are available they will be used. If all the radius servers in the group are down (i.e. the switch is disconnected from the network or you have shutdown the servers) then a local account configured on the device will be used, if no local accounts are configured then it will use the line password.
Generally you would only need two choices - i.e. Radius & Local. The local accounts will only ever be used when the Radius servers are not available so there is no 'local override' if the Radius servers are reachable.
I think in earlier IOS releases there was an option to specify a local-override option when you created the aaa lists. I haven't seen this in IOS since about 12.0 though, with good reason I think. Why would you want a local override?
Andy
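The fallback behaviour Andy describes rests on one rule: a method that cannot reach its backend returns an error and the next method in the list is tried, while a method that gets an answer (pass or reject) ends the evaluation. That is why, with 'group RAD_AUTH_GRP local', the local account stops working as soon as the RADIUS servers are reachable (the servers reject a username they do not know), and why the original 'local group RAD_AUTH_GRP' ordering let both kinds of user in over telnet. The simulation below is an added example for this page, not IOS code or anything from the thread; the user databases and passwords in it are constructed sample data, and the treatment of an unknown local username as an error rather than a reject is an assumption consistent with the original poster's telnet observation.

```python
"""Simulation of IOS AAA method-list evaluation (added example, not IOS code).

Methods are tried left to right. ERROR (backend unreachable) moves on to the
next method; PASS or FAIL is a decision and stops the walk.
"""
from enum import Enum

class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"   # backend unavailable: try the next method in the list

# Constructed sample user databases (not real credentials)
RADIUS_USERS = {"alice": "radius-pw"}
LOCAL_USERS = {"cisco": "local-pw"}

def radius_group(servers_reachable):
    """Model 'group NAME': every server timed out -> ERROR, else a real decision."""
    def method(user, password):
        if not servers_reachable:
            return Result.ERROR
        # A reachable server answers Access-Accept or Access-Reject; an unknown
        # user is a reject, so the walk stops here and local is never consulted.
        return Result.PASS if RADIUS_USERS.get(user) == password else Result.FAIL
    return method

def local(user, password):
    """Model 'local' (assumption: unknown username is an ERROR, not a reject)."""
    if user not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[user] == password else Result.FAIL

def line_password(expected):
    """Model 'line': only the line password is checked, the username is ignored."""
    def method(user, password):
        return Result.PASS if password == expected else Result.FAIL
    return method

def authenticate(method_list, user, password):
    """Walk the list; return (Result, name of the method that decided)."""
    for name, method in method_list:
        result = method(user, password)
        if result is not Result.ERROR:
            return result, name
    return Result.FAIL, None   # every method errored: access is denied

def scenarios():
    """The cases discussed in the thread, keyed by a short description."""
    corrected_up = [("group RAD_AUTH_GRP", radius_group(True)), ("local", local)]
    corrected_down = [("group RAD_AUTH_GRP", radius_group(False)), ("local", local)]
    original_order = [("local", local), ("group RAD_AUTH_GRP", radius_group(True))]
    return {
        "radius user, servers up": authenticate(corrected_up, "alice", "radius-pw"),
        "local user, servers up": authenticate(corrected_up, "cisco", "local-pw"),
        "local user, servers down": authenticate(corrected_down, "cisco", "local-pw"),
        "radius user, servers down": authenticate(corrected_down, "alice", "radius-pw"),
        "original order, local user": authenticate(original_order, "cisco", "local-pw"),
        "original order, radius user": authenticate(original_order, "alice", "radius-pw"),
    }

if __name__ == "__main__":
    for label, (result, decided_by) in scenarios().items():
        print(f"{label}: {result.value} (decided by {decided_by})")
```

The "local user, servers up" case reproduces what the original poster saw after applying the corrected config: the RADIUS group answers with a reject for the unknown 'cisco' account, so local is never reached. Only when every server in the group is unreachable does the walk fall through to the local database, which is the fallback Andy describes.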
11-08-2007 08:49 AM
Good point, the 'fallback' method is all we should really need. I'll disconnect my switch from the network and verify that all is well. Thanks so much for your help, Andy!!