How to access network devices via Radius server

Suppose you manage hundreds of Cisco devices; how can you connect to them and secure them against unauthorized access? You could use local usernames, but that approach is neither scalable nor granular; the alternative is an AAA server. The benefits of AAA are:

  • Increased flexibility and control of access configuration.
  • Scalability.
  • Standardized authentication methods.
  • Multiple backup systems.

Additionally, AAA provides a modular way of performing the following services:

Authentication is the way a user is identified prior to being allowed access to the network and network services.

Authorization works by assembling a set of attributes that describe what the user is authorized to perform. These attributes are compared to the information contained in a database for a given user, and the result is returned to AAA to determine the user's actual capabilities and restrictions.

Accounting enables you to track the services users are accessing as well as the amount of network resources they are consuming.

A typical AAA server is RADIUS (Remote Authentication Dial-In User Service): an open-protocol, distributed client/server system that provides Authentication, Authorization and Accounting (AAA) management.

Remember: in RADIUS, authentication and authorization are coupled together. If the username is found and the password is correct, the RADIUS server returns an Access-Accept response including a list of attribute-value pairs that describe the parameters to be used for this session.

RADIUS server configuration on Cisco IOS is performed in a few steps:

Enable the AAA feature

aaa new-model

Define the RADIUS server and the shared key

radius server radius-ise
 address ipv4 192.168.245.123
 key c1sc0ziN3

Define a RADIUS server group

aaa group server radius radius-ise-group
 server name radius-ise

Remember: the RADIUS group can contain more than one server for redundancy/load balancing.

Note: if the “radius server” command is not supported, you need to use the legacy commands:

radius-server host 192.168.245.123 key c1sc0ziN3

aaa group server radius radius-ise-group
 server 192.168.245.123

After that, it is possible to define the method lists:

aaa authentication login VTY_authen group radius-ise-group local
aaa authorization exec VTY_author group radius-ise-group local
aaa accounting exec default

These lines define the AAA behaviour: if the RADIUS server is alive, use the group “radius-ise-group”; otherwise fall back to the local usernames defined with the command:

username "username" privilege 15 secret "password"

Now it is possible to link the “VTY_authen” and “VTY_author” templates to the vty lines:

line vty 0 4
 authorization exec VTY_author
 login authentication VTY_authen

Tip: add these lines

aaa authentication login default none
aaa authorization exec default none

so default authentication/authorization is not permitted.

Once the RADIUS server configuration is complete, you can access the devices with the username/password defined on the server!


Other tips

In the previous commands, the AAA template is applied to the vty lines. What about the console? If you want to access the console using only the enable password, use this template:

aaa authentication login CONSOLE enable
line con 0
 privilege level 15
 login authentication CONSOLE

Note: the command “privilege level 15” allows direct access to privileged mode.

And what about the HTTP server, if enabled? To authenticate via RADIUS, add these lines:

ip http authentication aaa login-authentication VTY_authen
ip http authentication aaa exec-authorization VTY_author


Troubleshooting

To validate that the Cisco device can reach and securely communicate with the RADIUS server:

test aaa group radius-ise-group "username" "password" new-code

Two results can occur.

Authentication success:

Ciscozine#test aaa group radius-ise-group fabio myp4ssw0rD new-code
User successfully authenticated

USER ATTRIBUTES

username             "fabio"
service-type         1 [Login]
priv-lvl             15 (0xF)
Ciscozine#

Failed authentication:

Ciscozine#test aaa group radius-ise-group fabio wr0ngpwd new-code
User rejected

Ciscozine#

Some useful show commands are “show radius server-group all” and “show aaa servers”, while “debug radius”, “debug aaa authentication” and “debug aaa authorization” are helpful during troubleshooting.
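The Access-Request / Access-Accept exchange described earlier (and visible in the test output above as Service-Type Login and priv-lvl 15), as an added Python example that is not code from the original post: it builds the NAS's Access-Request with the RFC 2865 User-Password hiding, the server's Access-Accept carrying the privilege level as a Cisco-AVPair vendor attribute, and the NAS-side Response Authenticator check that the shared key (the “key” in the radius server definition) makes possible. The secret, username, password and Request Authenticator values are constructed for the example; no network I/O is performed.

```python
import hashlib, hmac, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1      # Cisco-AVPair VSA carries "shell:priv-lvl=15"

def attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value   # Type, Length (incl. header), Value

def hide_password(secret, req_auth, password):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(password), 16):
        prev = bytes(x ^ y for x, y in zip(password[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(secret, username, password, req_auth, ident=42):
    # NAS side: req_auth is the 16-byte random Request Authenticator (os.urandom(16) in practice)
    attrs = attr(USER_NAME, username.encode()) + attr(USER_PASSWORD, hide_password(secret, req_auth, password.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_access_accept(secret, request, priv_lvl=15):
    # Server side: echo the identifier, return Service-Type=Login(1) plus the Cisco VSA
    ident, req_auth = request[1], request[4:20]
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, f"shell:priv-lvl={priv_lvl}".encode())
    attrs = attr(SERVICE_TYPE, struct.pack("!I", 1)) + attr(VENDOR_SPECIFIC, vsa)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_response(secret, req_auth, response):
    # NAS side: a reply forged or altered without the shared key fails this check
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def parse_attrs(response):
    # Walk the attribute TLVs; unwrap the Cisco VSA into its "key=value" string
    out, data, i = {}, response[20:], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        v = data[i + 2:i + length]
        if t == SERVICE_TYPE:
            out["service_type"] = struct.unpack("!I", v)[0]
        elif t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            out["cisco_avpair"] = v[6:4 + v[5]].decode()
        i += length
    return out
```

Only User-Password is hidden, and only with an MD5 keystream derived from the shared key, so the RADIUS exchange belongs on a management network or inside a TLS/IPsec tunnel rather than on a reachable user segment.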


1 COMMENT

  1. Watch out for chatty NMS systems that connect at a relatively high (n/sec) rate with the devices; it will look like a DDoS attack on your RADIUS server coming from every network device.
