Integrating switches with a RADIUS server and authenticating with AD credentials is straightforward to set up; the part many people find difficult is controlling the user privilege level through the RADIUS server. First let's look at how to integrate the switch with the RADIUS server, then at how to control the privilege level each user is given.
Integrating Switch With Radius Server:
This assumes you already have a working certificate infrastructure (Active Directory Certificate Services) and the NPS (Network Policy Server) role installed on your server, and that the switch has been added in NPS as a RADIUS client with the same shared secret you will configure on the switch. You then need to create a Connection Request Policy and a Network Policy as follows.
NPS Policy Configuration:
Connection Request Policy: condition NAS Port Type = Virtual (VPN). HP switches report management logins (SSH, Telnet, web) with this NAS-Port-Type, so the condition matches CLI logins and nothing else.
Network Policy: conditions NAS Port Type = Virtual (VPN) and Windows Groups = the AD group that is allowed to log in to the switch.
Switch End Configuration:
I've added the following fairly standard RADIUS configuration to the switch (HP ProCurve/Aruba CLI syntax). Since I've already completed my testing with web-interface authentication, here I'm configuring SSH:
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
radius-server host 10.100.10.229 key 123456789
The trailing local keyword makes the switch fall back to its local accounts only when the RADIUS server is unreachable, not when it rejects a login. Replace the shared secret shown with a long random value that matches the RADIUS client entry in NPS.
With this configuration I'm able to log in to the switch with AD credentials, but the problem here is that every account in the Windows group named in the NPS Network Policy gets full (manager) access to the switch. Let's restrict the privilege level through the RADIUS server.
User Privilege level access through Radius Server:
You assign the privilege level on the RADIUS server with the standard Service-Type attribute (in NPS: Network Policy > Settings > RADIUS Attributes > Standard). The switch only honours the attribute once you enable privilege mode for login with the command below; without it every RADIUS-authenticated user lands in operator mode and has to run enable separately.
hostname(config)# aaa authentication login privilege-mode
- Service-Type 6 (Administrative): manager level. Full access to all services covered by the aaa authentication commands, including configuration mode; the user is placed straight into manager mode.
- Service-Type 7 (NAS-Prompt): operator level. With aaa authentication configured for Telnet/SSH the user gets CLI access, but configuration mode is blocked; only monitoring is allowed.
To give different groups different levels, create one Network Policy per AD group (for example a switch-admins group returning Service-Type Administrative and a read-only group returning NAS-Prompt); NPS evaluates the policies in order and applies the first one whose conditions match.
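To make concrete what the switch and the RADIUS server actually exchange in the two sections above, here is an added example (not code from the original post, HP or Microsoft) that builds the Access-Request an SSH login produces, answers it the way an NPS Network Policy would, and shows how the switch maps the returned Service-Type to manager or operator level. The shared secret is the one from the radius-server line above; the user accounts are constructed stand-ins for AD users, the switch address 192.0.2.10 is assumed, and the server side is a toy replacement for NPS, not NPS itself.

```python
"""Constructed RADIUS login exchange for a switch management session (RFC 2865).

Added example: the server side is a toy stand-in for NPS; the switch side models
HP ProCurve's Service-Type handling as described in the post.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3       # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, NAS_PORT_TYPE = 1, 2, 4, 6, 61
SERVICE_TYPE_ADMINISTRATIVE = 6   # manager level on the switch
SERVICE_TYPE_NAS_PROMPT = 7       # operator level on the switch
NAS_PORT_TYPE_VIRTUAL = 5         # "Virtual (VPN)" in the NPS policy condition

SECRET = b"123456789"             # shared secret from the post's radius-server line (lab value only)
# Constructed accounts standing in for AD users: (password, Service-Type the matching policy returns).
USERS = {"netadmin": ("S3cret!", SERVICE_TYPE_ADMINISTRATIVE),
         "helpdesk": ("Helpd3sk", SERVICE_TYPE_NAS_PROMPT)}
SWITCH_IP = "192.0.2.10"          # assumed switch (NAS) address, RFC 5737 documentation range


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous block)."""
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the server needs the cleartext to check it against the directory."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def pack_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    attrs = []
    while len(data) >= 2:
        t, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def packet(code, ident, authenticator, attrs):
    body = pack_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code|ID|Length|RequestAuth|Attributes|Secret); proves the reply knows the secret."""
    body = pack_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def switch_access_request(username, password, secret, ident=1, request_auth=None):
    """Switch side: what an SSH login sends. NAS-Port-Type Virtual is what the NPS policies match on."""
    request_auth = request_auth or os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in SWITCH_IP.split("."))),
             (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL))]
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def radius_server_reply(request, secret, users):
    """Toy NPS: recover the password, check the account, answer with the group's Service-Type."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], dict(parse_attrs(request[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    entry = users.get(user)
    if code != ACCESS_REQUEST or entry is None or not hmac.compare_digest(entry[0].encode(), pw):
        code, reply_attrs = ACCESS_REJECT, []
    else:
        code, reply_attrs = ACCESS_ACCEPT, [(SERVICE_TYPE, struct.pack("!I", entry[1]))]
    auth = response_authenticator(code, ident, request_auth, reply_attrs, secret)
    return packet(code, ident, auth, reply_attrs)


def switch_decision(reply, request_auth, secret, privilege_mode=True):
    """Switch side: authenticate the reply, then map Service-Type to a CLI level.

    privilege_mode models 'aaa authentication login privilege-mode'; without it the
    switch ignores Service-Type and every RADIUS user starts at operator level.
    """
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = parse_attrs(reply[20:length])
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return "reject: bad Response Authenticator (secret mismatch or forged reply)"
    if code != ACCESS_ACCEPT:
        return "reject"
    if not privilege_mode:
        return "operator"
    if dict(attrs).get(SERVICE_TYPE) == struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE):
        return "manager"
    # NAS-Prompt, or no Service-Type at all, is treated as least privilege here (assumption for
    # the missing-attribute case; confirm against your switch's documentation).
    return "operator"


if __name__ == "__main__":
    for user, pw in [("netadmin", "S3cret!"), ("helpdesk", "Helpd3sk"), ("helpdesk", "wrong")]:
        req, auth = switch_access_request(user, pw, SECRET)
        print(user, "->", switch_decision(radius_server_reply(req, SECRET, USERS), auth, SECRET))
```

Two things the exchange makes visible: the only integrity protection on the Access-Accept is the Response Authenticator keyed with the shared secret, so a short guessable secret weakens the whole scheme, and the privilege decision lives entirely in the Service-Type value the server chooses, which is why a separate Network Policy per AD group is what actually enforces least privilege on the switch.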