On my to-do list for a year or so has been setting up Radius authentication on all of our switches. I don’t want to have to give everyone the local password on the switches, but still be able to grant access to people that [think they] have to have access to the switches.
By doing Radius Authentication I can create rules on the Radius Server as to who can access the switches and what level of access they receive. We already use Microsoft Active Directory, so Microsoft’s IAS was the easy choice for a Radius Server. I’m working on finding a way to script the creation of the client Objects, but for now I created a small number of clients for a small number of switches for testing.
In the IAS console, choose Radius Client. Either Action -> New Radius Client, or right click in the right half of the screen and choose New Radius Client.
Friendly name: DataCenter-1
Enter the IP or the DNS Name of the switch.
Shared Secret: the “password” that the switch and the radius server use to talk. Should be different from other passwords used on your network as it is passed unencrypted.
Next you need to create a Remote Access Policy. Right click in the right half of the screen and choose new Remote Access Policy.
Access Method: VPN
Choose Group and then click Add. Type the name of the Group in Active Directory that you want to grant access to the switches to. I created a group that I’m going to use just for granting access to the switches with.
Click Next a couple of times and then Finish.
Now we have to make one change and that is the authentication method. Right click on the remote access policy you just created and choose Properties. Click Edit Profile and then choose the Authentication Tab. Unselect anything that is selected on the screen and then check unencrypted Authentication (PAP, SPAP). Click ok twice.
Lastly, we need to set up a Connection Request Policy. I setup a connection request Policy for each User that I wanted to access the switch. One of the reasons that I did this was to be able to include the service type to give certain people manager rights on the switches and everyone else operator rights.
Right Click on the right side of the Connection Policy Screen and Choose new Connection Policy.
I chose to do a Custom Policy
Profile Name: SysAdmin
I added User-Name and entered my username.
On the next screen Choose Edit Profile and Choose the Advanced Tab
Click add and find Service-Type. The default is Administrative, leave this if you want the user to have manager access to the switch. Set it to NAS Prompt if you want the user to be an operator. This user will get be asked to authenticate if they try to enter manager mode, and will get Access Denied If they enter their credentials since they don’t have manager access.
You will need to create a Connection Policy for each user that you want to access the switches.
You will notice that I have not entered an IP address for either of the two Policies that we created. The reason I’ve done this is that I don’t want to have to create a policy for each of the switches, or each of the switch\user combos in the connection policies.
On the switch you will need to enter four commands:
Radius-server host <ipaddress> key <PassPhrase> aaa authentication ssh login radius local aaa authentication ssh enable radius local aaa authentication login privilege-mode
the first sets up what Radius Server you want the switch to use and what the Passphrase it should use is. The next two allow you to login to the switch over SSH using radius credentials as allowed by the radius server. The last command enables the processing of the Service Type field that we added to the connection Policy to give access levels.
You can also use radius to Console, web, and telnet authentication, just replace the ssh with the one you want above.
You now can use select AD Credentials to login to the switch. This is part of another project I’m working on which is getting Rancid up and running. I’m hoping to have a post about that up sometime next week.