
AAA Authorization Question


JohnPtrs (MIS), Jun 13, 2006
I am in the process of trying to get my Cisco IOS devices to authenticate to a RADIUS server on my network, and it is working; however, I want to have two groups that can log in at different privilege levels. Is there an AAA Authorization command I can use on the IOS devices to set the users to their appropriate privilege level? I have an MS IAS server doing RADIUS, and the users will be in two different Active Directory groups.

Here is the RADIUS setup I'm using->

conf t
aaa new-model

radius-server host 10.18.0.49 auth-port 1812 acct-port 1813 key C15K0!

aaa group server radius RadiusServers
server 10.18.0.49 auth-port 1812 acct-port 1813
exit

aaa authentication login default group RadiusServers local
exit

Thanks,

JP
 
Hello Andy,

Thank you for the input. I tested it and it changed the situation to almost what I was looking for. I created an AD account called $enab15$ with a password. When I log in as a read-only user and try to enable, I am unable to do so even if I use the $enab15$ user password. Any idea why? The RADIUS server is receiving the request to authenticate $enab15$, but somehow it just won't do.

Another thing I noticed is that if a level 15 user logs in, then he has level 15 access. If I then use DISABLE to revoke the rights and then try to ENABLE again, it also does not work. This is regardless of using the level 15 user password or the $enab15$ user password. Is this correct behaviour?

Thanks,

Mike
 

Mike, I am not sure, to be honest... If the authentication request is getting to IAS, is it coming back successful? There should be a log in the Event log on the Windows IAS server, plus a log in the %SystemRoot%\system32\LogFiles\ folder. Other than that, I can show you what I have configured that works:


Code:
aaa new-model
!
! Server group used by the method lists below. The member addresses must match
! the radius-server host lines further down (placeholder addresses and key here).
aaa group server radius IAS-Servers
 server 10.1.1.1 auth-port 1812 acct-port 1813
 server 10.1.1.2 auth-port 1812 acct-port 1813
!
! Login: ask RADIUS first; the local username database is used only when no server answers
aaa authentication login default group IAS-Servers local
! Enable: IOS sends the user name $enab15$ to RADIUS; the local enable secret is used only when no server answers
aaa authentication enable default group IAS-Servers enable
aaa authentication ppp default local
aaa authorization console
! Exec authorization applies the privilege level the server returns (Cisco-AVPair shell:priv-lvl=N);
! if-authenticated lets an already-authenticated user in when RADIUS cannot be reached
aaa authorization exec default group IAS-Servers if-authenticated
aaa authorization network default if-authenticated
aaa accounting exec default start-stop group IAS-Servers
!
! Send the router hostname as NAS-Identifier so the IAS logs and policies can key on it
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key CISCO-KEY
radius-server host 10.1.1.2 auth-port 1812 acct-port 1813 key CISCO-KEY
!

I have changed the IP addresses and RADIUS keys, but that is all I have configured, and it works for me.

HTH

Andy
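To make concrete what Andy's `aaa authentication enable ... group IAS-Servers` and `aaa authorization exec ... group IAS-Servers` lines set in motion, here is an added Python illustration of the RADIUS round trip; it is not part of the thread and not IOS, IAS or Cisco code. It follows the RFC 2865 wire format (Request/Response Authenticators and User-Password hiding), sends the `$enab15$` user name IOS uses for enable authentication, and has the server answer with the Cisco vendor-specific attribute (vendor id 9, Cisco-AVPair) carrying `shell:priv-lvl=N`, which is what an IAS remote access policy would return for each AD group. The `ACCOUNTS` table, the key and all function names are constructed for the example.

```python
"""Toy RADIUS round trip between an IOS-style NAS and a server that returns the
Cisco-AVPair privilege level. Constructed example: ACCOUNTS, the key and every
function name are made up; this is not IOS, IAS or Tek-Tips code."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # IANA enterprise 9, Cisco-AVPair sub-type 1

# Constructed stand-in for the two AD groups behind IAS: user -> (password, priv level).
# "$enab15$" is the user name IOS sends when 'aaa authentication enable' points at a
# RADIUS group, so the server side needs an entry (or policy) that matches it.
ACCOUNTS = {
    "readonly": ("r0pass", 1),
    "netadmin": ("adminpass", 15),
    "$enab15$": ("enablepass", 15),
}

def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def unhide_password(secret, authenticator, hidden):
    """Inverse of hide_password (toy: passwords are assumed not to end in NUL)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype, value):
    """One attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def parse_attrs(data):
    attrs = []
    while data:
        atype, alen = data[0], data[1]
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[2:alen]))
        data = data[alen:]
    return attrs

def nas_access_request(secret, username, password, ident=1):
    """NAS side: fresh random Request Authenticator, User-Name, hidden User-Password."""
    req_auth = os.urandom(16)
    body = attr(ATTR_USER_NAME, username.encode()) + attr(
        ATTR_USER_PASSWORD, hide_password(secret, req_auth, password.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + req_auth + body, req_auth

def server_handle(secret, pkt):
    """Server side: recover the password, check the directory, answer with priv-lvl on success."""
    _code, ident, length = struct.unpack("!BBH", pkt[:4])
    req_auth = pkt[4:20]
    fields = dict(parse_attrs(pkt[20:length]))
    user = fields[ATTR_USER_NAME].decode()
    password = unhide_password(secret, req_auth, fields[ATTR_USER_PASSWORD])
    entry = ACCOUNTS.get(user)
    if entry is None or entry[0].encode() != password:
        code, body = ACCESS_REJECT, b""
    else:
        avpair = f"shell:priv-lvl={entry[1]}".encode()
        vsa = struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, avpair)
        code, body = ACCESS_ACCEPT, attr(ATTR_VENDOR_SPECIFIC, vsa)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body

def nas_parse_response(secret, resp, req_auth):
    """NAS side: verify the reply is from a holder of the key, then read the privilege level."""
    code, _ident, length = struct.unpack("!BBH", resp[:4])
    body = resp[20:length]
    if resp[4:20] != hashlib.md5(resp[:4] + req_auth + body + secret).digest():
        raise ValueError("Response Authenticator mismatch: wrong shared key or forged reply")
    if code != ACCESS_ACCEPT:
        return None                 # Access-Reject: this method FAILS, no fallback to 'local'
    priv = 1                        # IOS default exec level when the server sends none
    for atype, value in parse_attrs(body):
        if atype == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            for vtype, vvalue in parse_attrs(value[4:]):
                if vtype == CISCO_AVPAIR and vvalue.startswith(b"shell:priv-lvl="):
                    priv = int(vvalue.split(b"=", 1)[1])
    return priv

def authenticate(nas_secret, username, password, server_secret=None):
    """Whole round trip: privilege level on accept, None on reject, ValueError if the keys differ."""
    server_secret = nas_secret if server_secret is None else server_secret
    pkt, req_auth = nas_access_request(nas_secret, username, password)
    return nas_parse_response(nas_secret, server_handle(server_secret, pkt), req_auth)
```

Two things worth noticing when running it: a reject comes back as a verified Access-Reject, not as an error, so the IOS method list stops there rather than trying `local`; and the password hiding is only an MD5 stream keyed by the shared secret, so anyone on the path between the router and IAS who knows or can guess the key recovers every password sent. A long random key and a RADIUS path that stays on the management network are part of the design, not an afterthought.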
 
Hi Andy,

Thanks for posting your Cisco configuration. I found my problem. It was that the $enab15$ user RADIUS policy did not work correctly for a single user. I made the $enab15$ user part of my Level 1 (login access) AD group and now everything works. If I disable the $enab15$ user account in AD, then users of my level 1 group can no longer ENABLE the Cisco devices. Level 15 users can still log in directly into ENABLE mode and therefore have no problem with the user $enab15$ being disabled.

One more question if I may:
If my Cisco device is disconnected from the network (or the RADIUS server is down), then the local user/password should work. In my tests I noticed that I can log in using a local username and password, but it takes a long time. I assume this is due to the Cisco device checking for the RADIUS server and the time-outs involved. Once I am logged in and try to ENABLE the device, I need to enter the password twice to succeed. In other words, I enter it once and nothing seems to happen. Then the password prompt shows again. If I enter the same password again, then I am in enable mode.

Is that normal behaviour? What can I do so that I need to enter the ENABLE password only once if the RADIUS is not accessible?

Thanks.

Mike
 
Yes, this is the expected behaviour. For the initial login and delay, you are seeing the timeout being hit and then the router authenticating the user against the local database (or the 2nd option you configured in the list). For the enable delay, you are seeing the RADIUS timeout delay and then a 2nd prompt to enter the local enable secret; this is normal behaviour.
Obviously, if you have people who want to get around RADIUS authentication, then they must break the IP connectivity from the device to your RADIUS server(s), and then they can use the local information (if known). You can disable this local fallback by not specifying a 2nd option, i.e.

Code:
aaa authentication login default group IAS-Servers

The downside of this is that the only way to get in if the RADIUS server goes down is by using password recovery.

HTH

Andy
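The behaviour Mike describes (the slow local login, the double enable prompt) and the bypass-versus-lockout trade-off Andy describes both follow from one rule of IOS method lists: the next method is tried only when the current one returns an error (no server answered), never when it returns a reject. The following Python model is an added illustration of that rule, not IOS code and not from the thread; the classes, account tables, user names and secret are constructed, and the default timeout (5 s) and retransmit count (3) are the IOS `radius-server timeout` and `radius-server retransmit` defaults. The re-prompt on fallback is modelled only for the enable list, as Andy's reply describes it.

```python
"""Toy model of how an IOS AAA method list walks its methods.
Added illustration, not IOS code: the classes, account tables and numbers are
constructed. It encodes the rule that a method list moves to the next method
only when the current one returns ERROR (server unreachable), never on FAIL."""
from dataclasses import dataclass

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

@dataclass
class RadiusGroup:
    """An 'aaa group server radius' with the knobs that set the fallback delay."""
    accounts: dict             # constructed stand-in for the IAS/AD directory
    servers: int = 1
    reachable: bool = True
    timeout: int = 5           # radius-server timeout    (IOS default: 5 s)
    retransmit: int = 3        # radius-server retransmit (IOS default: 3)

    def worst_case_delay(self):
        # per server: the first try plus 'retransmit' retries, each waiting 'timeout'
        return self.servers * self.timeout * (self.retransmit + 1)

    def try_auth(self, user, password):
        if not self.reachable:
            return ERROR, self.worst_case_delay()
        return (PASS if self.accounts.get(user) == password else FAIL), 0

@dataclass
class LocalDb:
    """The 'local' method: 'username ... secret ...' lines on the box."""
    accounts: dict

    def try_auth(self, user, password):
        return (PASS if self.accounts.get(user) == password else FAIL), 0

@dataclass
class EnableSecret:
    """The 'enable' method: the locally stored enable secret."""
    secret: str

    def try_auth(self, _user, password):
        return (PASS if password == self.secret else FAIL), 0

@dataclass
class Outcome:
    result: str
    tried: list          # method class names in the order they ran
    delay: int           # seconds spent waiting on unreachable servers
    prompts: int         # password prompts the operator saw

def run_method_list(methods, user, password, reprompt_on_fallback=False):
    """PASS or FAIL from a method ends the walk; only ERROR moves to the next one.
    reprompt_on_fallback=True mirrors the enable case in the thread, where each
    method that runs asks for the password again; login reuses what was typed."""
    tried, delay = [], 0
    for method in methods:
        result, waited = method.try_auth(user, password)
        tried.append(type(method).__name__)
        delay += waited
        if result != ERROR:
            break
    else:
        result = FAIL               # every method errored: no access at all
    prompts = len(tried) if reprompt_on_fallback else 1
    return Outcome(result, tried, delay, prompts)

# Constructed sample data for the scenarios in the thread.
RADIUS_USERS = {"netadmin": "adminpass", "$enab15$": "enablepass"}
LOCAL_USERS = {"fallback": "localpass"}

def login(reachable, timeout=5, retransmit=3, servers=1, user="fallback", password="localpass"):
    """'aaa authentication login default group IAS-Servers local'"""
    radius = RadiusGroup(RADIUS_USERS, servers, reachable, timeout, retransmit)
    return run_method_list([radius, LocalDb(LOCAL_USERS)], user, password)

def enable(reachable, hardened=False):
    """'aaa authentication enable default group IAS-Servers enable';
    hardened=True drops the trailing 'enable' method as Andy suggests."""
    radius = RadiusGroup(RADIUS_USERS, reachable=reachable)
    methods = [radius] if hardened else [radius, EnableSecret("s3cret")]
    return run_method_list(methods, "$enab15$", "s3cret", reprompt_on_fallback=True)
```

Running `login(False)` shows the 20 s wait Mike noticed (one server, 5 s times four attempts) before the local account gets in, and `login(True)` shows the flip side: a local-only account is rejected outright while RADIUS is up, because a reject is not a fallback. `enable(False)` produces the second prompt; `enable(False, hardened=True)` produces the lockout Andy warns about. The wait itself is tunable with `radius-server timeout`, `radius-server retransmit` and `radius-server deadtime`, which are the knobs to reach for rather than removing the fallback if password recovery on a failed RADIUS server is not acceptable.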

 
Hi Andy,

If I implement that change then yes, I cannot ENABLE the Cisco at all anymore in case of a RADIUS failure. I would like to be able to ENABLE the device in case of a RADIUS failure without having to go through the recovery process.

My current problem is that if I try to ENABLE the device during a RADIUS failure, I get a prompt for the password twice. My first try to enter the password gets processed with no results. The second try finally puts me in ENABLE mode. Here is what this looks like:

CISCO_DEVICE>en
Password: (password gets entered correctly, ENTER)
Password: (password gets entered correctly, ENTER)
CISCO_DEVICE#

Any ideas why this is happening?

Thanks in advance for all the great input !!

Mike
 
Sorry, but that's how it's supposed to work; it's not really a problem, is it? Remember, this should only occur in the event of a failure, and typing the enable secret twice is not a big penalty to pay, is it?

Andy
 
Thanks for this confirmation. I just wanted to make sure that how it presents itself to me is correct.

Thanks again for all your feedback and support !!

 