Central Authentication Radius/LDAP 3

Status: Not open for further replies.

peterlyttle (Technical User), Nov 6, 2006
Hello,

I'm currently looking at removing all local logins from our Cisco devices and replacing them with a centralised system. Cisco's offering is too expensive, so I've been looking at RADIUS using NPS on Server 2008 or, ideally, LDAP so we can use AD groups to permission on devices.

Does anyone have any tips on how to go about this? Is there a specific IOS needed other than base to enable the RADIUS and LDAP server commands?

Any help to point me in the right direction much appreciated.
 
You need something with a crypto image (typically referenced with a k9 in the IOS image name).
Code:
aaa new-model
!
! RSA key pair for SSH (this is what needs the k9 crypto image)
crypto key generate rsa general-keys modulus 1024
!
! the NPS servers, with the shared secret configured on each RADIUS client entry
radius-server host xxx.xxx.xxx.xxx key blah
radius-server host yyy.yyy.yyy.yyy key blah
!
aaa group server radius group_name
  server xxx.xxx.xxx.xxx
  server yyy.yyy.yyy.yyy
!
! RADIUS first; fall back to local users / enable secret if no server answers
aaa authentication login default group group_name local
aaa authentication enable default group group_name enable
aaa authorization exec default group group_name local
aaa authorization network default group group_name local
!
line vty 0 15
  transport input ssh
  login authentication default
Your configuration on NPS should include the following policy conditions:
- client-ip-address matches <switch_ip_address>
- windows-groups matches <windows_group>

and the following attribute:
- cisco-av-pair: shell:priv-lvl=15

Authentication should be unencrypted authentication (PAP, SPAP).

That should be pretty much it.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
unclerico is right. Although it can be somewhat confusing, here are my notes; hopefully they help. I use NPS on 2008 for all my Cisco devices and VPN.


Code:
config t
radius-server host <radius server IP> key <radius key>
aaa new-model
aaa group server radius <group_name>
 server <radius server IP>
aaa authentication login default local
aaa authentication login <group_name> group radius group <group_name> local
line vty 0 15
 login authentication ADMINS
copy run start

"aaa authentication login default local" is for whenever I need to log in to the console to ensure that I have access. I assume that if I need to do that then there is a problem with the switch and RADIUS authentication is broken, so I bypass it. Feel free to leave it out if you want all authentication done via RADIUS.
 
Sorry, fat-fingered one line in my reply:

this: login authentication ADMINS

should be: login authentication <group_name>
 
Fantastic, thanks guys, I'll give it a shot and let you know how it goes!!
 
Maybe I am doing something wrong, but when I add

aaa authentication login default local

I get prompted to auth even when consoled into the device. Without the line I don't get prompted for RADIUS authentication.

Basically I'm after RADIUS authentication for TELNET/SSH (user and priv mode) but local for CONSOLE (user and priv mode).

Any ideas?
 
Can you post your config?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I believe you would need:

Code:
aaa authentication login CONSOLE local
aaa authentication login default group radius local

line con 0
 exec-timeout 0 0
 login authentication CONSOLE

It's been a while and I don't have access to my lab to test.
 
unclerico, the config as requested:

Code:
aaa new-model
aaa group server radius <GROUP>
 server x.x.x.x auth-port 1812 acct-port 1813

aaa authentication login <GROUP> group radius group <GROUP> local
enable secret <PASSWORD>
enable password <PASSWORD>

radius-server host x.x.x.x auth-port 1812 acct-port 1813 key <KEY>
radius-server retransmit 3
line con 0
line vty 0 4
 password <PASSWORD>
 login authentication <GROUP>
line vty 5 15
 password <PASSWORD>

brianinms, cheers, I'll give it a shot this morning and post back later.
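As an added check (not from the thread and not Cisco's or Microsoft's code), a small script that reads an IOS running-config and flags the method-list gaps this thread runs into: lines with no explicit login list (they take whatever "default" is, defined or not), lists with no local/enable/line fallback (a lockout if every RADIUS server is unreachable), and lists naming a server group the config never defines. The embedded config is a constructed sample modelled on the one posted above, not a real device.

```python
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius ADMINS
 server 10.0.0.5 auth-port 1812 acct-port 1813
aaa authentication login ADMINS group radius group ADMINS local
aaa authentication login CONSOLE local
aaa authentication login VPN group NPS
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication ADMINS
line vty 5 15
"""  # constructed sample modelled on the thread's config, not a real device
FALLBACKS = {"local", "enable", "line", "none"}   # methods that still work with RADIUS down
BUILTIN_GROUPS = {"radius", "tacacs+"}           # "group radius" = all configured radius-server hosts

def parse_config(text):
    """Return (login_lists, radius_groups, lines): lines map to their login list, None = implicit default."""
    login_lists, groups, lines, current = {}, set(), {}, None
    for raw in text.splitlines():
        if raw and not raw.startswith(" "):
            current = None                        # an unindented line ends the previous "line ..." block
        if m := re.match(r"aaa authentication login (\S+) (.+)", raw):
            login_lists[m[1]] = m[2].split()
        elif m := re.match(r"aaa group server radius (\S+)", raw):
            groups.add(m[1])
        elif re.match(r"line (con|vty|aux)\b", raw):
            current = raw.strip()
            lines[current] = None
        elif current and (m := re.match(r" +login authentication (\S+)", raw)):
            lines[current] = m[1]
    return login_lists, groups, lines

def audit(text):
    """Findings: undefined lists in use, lists with no fallback method, lists naming undefined groups."""
    login_lists, groups, lines = parse_config(text)
    findings = []
    for line, lst in lines.items():
        lst = lst or "default"
        if lst not in login_lists:
            findings.append(f"{line}: uses list '{lst}' which is not defined")
    for name, methods in login_lists.items():
        if not FALLBACKS & set(methods):
            findings.append(f"list {name}: no local/enable/line fallback if RADIUS is unreachable")
        for grp in (methods[i + 1] for i, t in enumerate(methods[:-1]) if t == "group"):
            if grp not in BUILTIN_GROUPS and grp not in groups:
                findings.append(f"list {name}: references undefined server group '{grp}'")
    return findings
```

Run `audit(SAMPLE_CONFIG)` against your own `show running-config` output to see which lines still rely on the implicit default list.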
 
No luck unfortunately... can you even use RADIUS for the enable password? I've been doing a bit of googling and not found anything as of yet.
 
I got this working in the end.

You need to create an AD account with the username $enab15$

If the RADIUS servers are unavailable it will roll back to local credentials, but should they be contactable the local credentials won't work.

Code:
username Admin password 0 <PASSWORD>
aaa new-model
!
!
aaa group server radius CISCO
 server 10.1.1.1 auth-port 1812 acct-port 1813
 server 10.2.1.1 auth-port 1812 acct-port 1813
!
aaa authentication login CISCO group radius group CISCO local
aaa authentication enable default group CISCO enable
!
!
!
aaa session-id common
ip domain-name acme.com
!
!
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key <KEY>
radius-server host 10.2.1.1 auth-port 1812 acct-port 1813 key <KEY>
!
!
line vty 0 4
 login authentication CISCO
 transport input ssh
 
As part of the RADIUS policy you can push down the privilege level for the user to the switch using an AV pair. If you make multiple security groups for different privilege levels and assign users you can then create multiple IAS/NPS policies and push down different privilege levels. I don't like having the $enab15$ user as you can simply login using this as the username and it kind of defeats the whole security objective...

The Cisco-AV-Pair should be 'shell:priv-lvl=15' or whatever level you wish to assign to the user. You need to enable aaa authorization to get the switch to accept the privilege level from the RADIUS Server.

This is what I have configured on most of my equipment. Some IOS versions vary and if you want 802.1x with switches or WiFi APs then there is additional configuration etc.
Code:
aaa group server radius Radius-Servers
 server 10.1.1.1 auth-port 1812 acct-port 1813
 server 10.2.2.2 auth-port 1812 acct-port 1813
 ip radius source-interface Loopback0
!
aaa authentication login default group Radius-Servers local line
aaa authentication enable default group Radius-Servers enable
aaa authorization console
aaa authorization exec default group Radius-Servers if-authenticated
aaa authorization network default group Radius-Servers
aaa accounting exec default start-stop group Radius-Servers
aaa accounting network default start-stop group Radius-Servers
aaa accounting system default start-stop group Radius-Servers
!
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key XXXXXXX
radius-server host 10.2.2.2 auth-port 1812 acct-port 1813 key XXXXXXX
!
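To make the cisco-av-pair and PAP points above concrete, here is an added example (not code from the thread, Cisco or NPS) that builds the RADIUS exchange at byte level: a PAP Access-Request with the User-Password hidden as RFC 2865 specifies, an Access-Accept carrying the Cisco VSA `shell:priv-lvl=15`, and the NAS-side check of the Response Authenticator before the privilege level is trusted. The shared secret and Request Authenticator are constructed values.

```python
import hashlib, os, struct

VENDOR_CISCO, CISCO_AV_PAIR = 9, 1            # IANA enterprise number, cisco-av-pair sub-type
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
SHARED_SECRET = b"blah"                        # the placeholder key from the thread (constructed value)
FIXED_REQ_AUTH = bytes(range(16))              # constructed; a real NAS uses 16 random bytes per request

def avp(attr_type, value):                     # one attribute: Type(1) Length(1) Value
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def hide_pap_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block).
    This is obfuscation keyed only by the shared secret, which is why that secret must be strong."""
    pw = password.encode().ljust(16 * ((len(password) + 15) // 16) or 16, b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def cisco_av_pair(text):
    """Vendor-Specific (26): vendor-id(4), then vendor type(1), vendor length(1), value."""
    inner = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(text)) + text.encode()
    return avp(26, struct.pack("!I", VENDOR_CISCO) + inner)

def build_access_request(user, password, secret, ident=7, req_auth=None):
    req_auth = req_auth or os.urandom(16)
    attrs = avp(1, user.encode()) + avp(2, hide_pap_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def build_access_accept(request, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_and_extract_priv(response, req_auth, secret):
    """NAS side: reject a response whose authenticator fails, else return shell:priv-lvl or None."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if hashlib.md5(head + req_auth + attrs + secret).digest() != resp_auth:
        return None                            # forged, matched to the wrong request, or wrong secret
    pos, priv = 0, None
    while pos < len(attrs):
        t, l, val = attrs[pos], attrs[pos + 1], attrs[pos + 2:pos + attrs[pos + 1]]
        if t == 26 and struct.unpack("!I", val[:4])[0] == VENDOR_CISCO and val[4] == CISCO_AV_PAIR:
            text = val[6:4 + val[5]].decode()
            if text.startswith("shell:priv-lvl="):
                priv = int(text.split("=", 1)[1])
        pos += l
    return priv
```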
 