Configuring TACACS+, RADIUS, and Kerberos on Cisco Catalyst Switches



Similar documents
Telnet, Console and AUX Port Passwords on Cisco Routers Configuration Example

BRI to PRI Connection Using Data Over Voice

Configuring the Cisco Secure PIX Firewall with a Single Intern

Configuring CSS Remote Access Methods

Using LiveAction with Cisco Secure ACS (TACACS+ Server)

Network Security and AAA

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Configuring RADIUS Dial Up with Livingston Server Authentication

ASA 8.3 and Later: Mail (SMTP) Server Access on Inside Network Configuration Example

PIX/ASA 7.x and above : Mail (SMTP) Server Access on Inside Network Configuration Example

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

TACACS+ Authentication

Cisco Configuring Secure Shell (SSH) on Cisco IOS Router

Locking Users into a VPN 3000 Concentrator Group Using a RADIUS Server

Syslog Server Configuration on Wireless LAN Controllers (WLCs)

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

Configuring Access Service Security

Configure Backup Server for Cisco Unified Communications Manager

Lab Configure Basic AP Security through IOS CLI

Web Authentication Proxy on a Wireless LAN Controller Configuration Example

Supported Platforms. Supported Standards, MIBs, and RFCs. Prerequisites. Related Features and Technologies. Related Documents. Improved Server Access

Configuring a Gateway of Last Resort Using IP Commands

isco Connecting Routers Back to Back Through the AUX P

Catalyst Layer 3 Switch for Wake On LAN Support Across VLANs Configuration Example

Firewall Authentication Proxy for FTP and Telnet Sessions

Connecting to the Firewall Services Module and Managing the Configuration

RADIUS Authentication and Accounting

Lab 2.5.2a Configure SSH

Lab - Using IOS CLI with Switch MAC Address Tables

Secure Shell (SSH) FAQ

PIX/ASA 7.x and above: Mail (SMTP) Server Access on the DMZ Configuration Example

Table of Contents. Configuring IP Access Lists

Password Recovery Procedure for the Cisco 3600 and 3800 Series Routers

Tech Note Cisco IOS SNMP Traps Supported and How to Conf

Unity Error Message: Your voic box is almost full

PIX/ASA 7.x with Syslog Configuration Example

Remote PC Guide for Standalone PC Implementation

Configuring a Leased Line

Lab 8.3.3b Configuring a Remote Router Using SSH

Configuring Timeout, Retransmission, and Key Values Per RADIUS Server

Configuring System Message Logging

co Sample Configurations for Cisco 7200 Broadband Aggreg

ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example

Configuring Static and Dynamic NAT Simultaneously

Tech Art: TA0001-Windows 2008 RADIUS for CISCO Device Authentication by John McManus

Password Recovery Procedure for the Cisco 806, 826, 827, 828, 831, 836, 837 and 881 Series Routers

Lab Creating a Logical Network Diagram

Configuring Secure Shell on Routers and Switches Running Cisco IOS

Lab 2 - Basic Router Configuration

1. Introduction What is Axis Camera Station? What is Viewer for Axis Camera Station? AXIS Camera Station Service Control 5

This techno knowledge paper can help you if: You need to setup a WAN connection between a Patton Router and a NetGuardian.

PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example

7750 SR OS System Management Guide

CCT vs. CCENT Skill Set Comparison

Cisco Configuring Commonly Used IP ACLs

HTTP 1.1 Web Server and Client

CCNA Security. Chapter Three Authentication, Authorization, and Accounting Cisco Learning Institute.

How To Configure L2TP VPN Connection for MAC OS X client

ISE TACACS+ Configuration Guide for Cisco NX-OS Based Network Devices. Secure Access How-to User Series

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

ASA 8.X: Routing SSL VPN Traffic through Tunneled Default Gateway Configuration Example

Router Lab Reference Guide

Cisco Which VPN Solution is Right for You?

Table of Contents. Cisco Using the Cisco IOS Firewall to Allow Java Applets From Known Sites while Denying Others

GLBP - Gateway Load Balancing Protocol

Table of Contents. Cisco Configuring an IPSec LAN to LAN Tunnel for Cisco VPN 5000 Concentrator to Cisco Secure PIX Firewall

LDAP User Guide PowerSchool Premier 5.1 Student Information System

Prestige 310. Cable/xDSL Modem Sharing Router. User's Guide Supplement

DHCP Server Port-Based Address Allocation

Checking SQL Server or MSDE Version and Service Pack Level

How To - Implement Clientless Single Sign On Authentication with Active Directory

ASA 8.x: VPN Access with the AnyConnect VPN Client Using Self Signed Certificate Configuration Example

Configuring DNS on Cisco Routers

H3C SSL VPN RADIUS Authentication Configuration Example

Cisco - Configure the 1721 Router for VLANs Using a Switch Module (WIC-4ESW)

Configuring Cisco CallManager IP Phones to Work With IP Phone Agent

Virtual Fragmentation Reassembly

- The PIX OS Command-Line Interface -

Configuring System Message Logging

Configuration Management: Best Practices White Paper

Troubleshooting the Firewall Services Module

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia 2006 Cisco Systems, Inc. All rights reserved.

Configuring Check Point VPN-1/FireWall-1 and SecuRemote Client with Avaya IP Softphone via NAT - Issue 1.0

Encrypted Preshared Key

Management, Logging and Troubleshooting

ASA 8.3 and Later: Enable FTP/TFTP Services Configuration Example

Encrypted Preshared Key

Networking Guide Redwood Manager 3.0 August 2013

Cisco Secure PIX Firewall with Two Routers Configuration Example

Historical Reporting Client (HRC) User Login Fails

Securing Networks with PIX and ASA

Configure ISDN Backup and VPN Connection

Half Bridge mode }These options are all found under Misc Configuration


P and FTP Proxy caching Using a Cisco Cache Engine 550 an

Signaling trace on E1/T1 gateway

Table of Contents. Cisco Configuring IPSec Cisco Secure VPN Client to Central Router Controlling Access

File Transfers. Contents

The Purpose and Use of the Configuration Register on All Cisco Routers

Transcription:

Configuring TACACS+, RADIUS, and Kerberos on Cisco alyst Switches Document ID: 13847 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information Configuration Steps Step A TACACS+ Authentication Step B RADIUS Authentication Step C Local Username Authentication/ Step D TACACS+ Command Step E TACACS+ Exec Step F RADIUS Exec Step G Accounting TACACS+ or RADIUS Step H TACACS+ Enable Authentication Step I RADIUS Enable Authentication Step J TACACS+ Enable Step K Kerberos Authentication Password Recovery ip permit Commands for Additional Security Debug on the alyst Related Information Introduction The Cisco alyst family of switches (alyst 4000, alyst 5000, and alyst 6000 that run OS) has supported some form of authentication, which begins in the 2.2 code. Enhancements have been added with later versions. The TACACS+ TCP port 49, not XTACACS User Datagram Protocol (UDP) port 49), RADIUS, or Kerberos server user setup for authentication, authorization, and accounting (AAA) is the same as for router users. This document contains examples of the minimal commands necessary in order to enable these functions. Additional options are available in the switch documentation for the version in question. Prerequisites Requirements There are no specific requirements for this document. Components Used This document is not restricted to specific software and hardware versions.

Conventions Refer to Cisco Technical Tips Conventions for more information on document conventions. Background Information Since later versions of code support additional options, you need to issue the show version command in order to determine the version of code on the switch. Once you have determined the version of code that is used on the switch, use this table in order to determine what options are available on your equipment, and which options you wish to configure. Always remain in the switch when you add authentication and authorization. Test the configuration in another window in order to avoid being accidentally locked out. Method (minimum) TACACS+ Authentication OR 2.2 to 5.1 5.1 to 5.4.1 5.4.1 to 7.5.1 7.5.1 and later Step A Step A Step A Step A RADIUS Authentication OR N/A Step B Step B Step B Kerberos Authentication OR N/A N/A Step K Step K Local Username Authentication/ N/A N/A N/A Step C Plus (options) TACACS+ Command TACACS+ Exec N/A N/A Step D Step D N/A N/A Step E Step E RADIUS Exec N/A N/A Step F Step F Accounting TACACS+ or RADIUS TACACS+ Enable RADIUS Enable TACACS+ Enable Configuration Steps N/A N/A Step G Step G Step H Step H Step H Step H N/A Step I Step I Step I N/A N/A Step J Step J Step A TACACS+ Authentication With earlier versions of code, commands are not as complex as with some later versions. Additional options in later versions can be available on your switch.

1. Issue the set authentication login local enable command in order to make sure there is a back door into the switch if the server is down. 2. Issue the set authentication login tacacs enable command in order to enable TACACS+ authentication. 3. Issue the set tacacs server #.#.#.# command in order to define the server. 4. Issue the set tacacs key your_key command in order to define the server key, which is optional with TACACS+, as it causes switch to server data to be encrypted. If used, it must agree with the server. Note: Cisco alyst OS software does not accept the question mark (?) to be part of any keys or passwords. The question mark is explicitly used for help on the command syntax. Step B RADIUS Authentication With earlier versions of code, commands are not as complex as with some later versions. Additional options in later versions can be available on your switch. 1. Issue the set authentication login local enable command in order to make sure there is a back door into the switch if the server is down. 2. Issue the set authentication login radius enable command in order to enable RADIUS authentication. 3. Define the server. On all other Cisco equipment, the default RADIUS ports are 1645/1646 (authentication/accounting). On the alyst, the default port is 1812/1813. If you use Cisco Secure or a server that communicates with other Cisco equipment, use the 1645/1646 port. Issue the set radius server #.#.#.# auth port 1645 acct port 1646 primary command in order to define the server and the equivalent command in the Cisco IOS as radius server source ports 1645 1646. 4. Define the server key. This is mandatory, as it causes the switch to server password to be encrypted as in the RADIUS Authentication/ RFC 2865 and RADIUS Accounting RFC 2866. If used, it must agree with the server. Issue the set radius key your_key command. Step C Local Username Authentication/ Starting in OS version 7.5.1, local user authentication is possible. For example, you can achieve authentication/authorization with the use of a username and password stored on the alyst, instead of authentication with a local password. There are only two privilege levels for local user authentication, 0 or 15. Level 0 is the non privileged exec level. Level 15 is the privileged enable level. If you add these commands in this example, the user poweruser arrives in enable mode on a Telnet or console to the switch and the user nonenable arrives in exec mode on a Telnet or console to the switch. set localuser user poweruser password powerpass privilege 15 set localuser user nonenable password nonenable Note: If the user nonenable knows the set enable password, that user can continue to enable mode. After the configuration, the passwords are stored encrypted. Local username authentication can be used in conjunction with remote TACACS+ exec, command accounting, or remote RADIUS exec accounting. It can also be used in conjunction with remote TACACS+

exec or command authorization, but it does not make sense to use it this way because the username needs to be stored both on the TACACS+ server as well as locally on the switch. Step D TACACS+ Command In this example, the switch is told to require authorization for only configuration commands with TACACS+. In the event that the TACACS+ server is down, authentication is none. This applies to both the console port and Telnet session. Issue this command: set authorization commands enable config tacacs none both In this example, you can configure the TACACS+ server to permit when you set these parameters: command=set arguments (permit)=port 2/12 The set port enable 2/12 command is sent to the TACACS+ server for verification. Note: With command authorization enabled, unlike in the router where enable is not considered a command, the switch sends the enable command to the server when an enable is attempted. Make sure that the server is also configured to allow the enable command. Step E TACACS+ Exec In this example, the switch is told to require authorization for an exec session with TACACS+. In the event that the TACACS+ server is down, authorization is none. This applies to both the console port and the Telnet session. Issue the set authorization exec enable tacacs+ none both command In addition to the authentication request, this sends a separate authorization request to the TACACS+ server from the switch. If the user profile is configured for shell/exec on the TACACS+ server, that user is able to access the switch. This prevents users without shell/exec service configured on the server, such as PPP users, from logging into the switch. You get a message that reads Exec mode authorization failed. In addition to permitting/denying exec mode for users, you can be forced into enable mode when you enter with the privilege level 15 assigned on the server. It must runcode in which Cisco bug ID CSCdr51314 (registered customers only) is fixed. Step F RADIUS Exec There is no command to enable RADIUS exec authorization. The alternative is to set the Service Type (RADIUS attribute 6) to Administrative (a value of 6) in the RADIUS server to launch the user into enable mode in the RADIUS server. If the service type is set for anything other than 6 administrative, for example, 1 login, 7 shell, or 2 framed, the user arrives at the switch exec prompt, but not the enable prompt. Add these commands in the switch for authentication and authorization: aaa authorization exec TEST group radius line vty 0 4 authorization exec TEST login authentication TEST

Step G Accounting TACACS+ or RADIUS In order to enable TACACS+ accounting for: 1. If you get the switch prompt, issue the set accounting exec enable start stop tacacs+ command. 2. Users that Telnet out of the switch issue the set accounting connect enable start stop tacacs+ command. 3. If you reboot the switch, issue the set accounting system enable start stop tacacs+ command. 4. Users that perform commands, issue the set accounting commands enable all start stop tacacs+ command. 5. Reminders to the server, for example, to update records once a minute in order to show that the user is still logged in, issue the set accounting update periodic 1 command. In order to enable RADIUS accounting for: 1. Users that get the switch prompt, issue the set accounting exec enable start stop radius command. 2. Users that Telnet out of the switch, issue the set accounting connect enable start stop radius command. 3. When you reboot the switch, issue the set accounting system enable start stop radius command. 4. Reminders to the server, for example, to update records once a minute in order to show that the user is still logged in, issue the set accounting update periodic 1 command. TACACS+ Freeware Records This output is an example of how the records can appear on the server: Fri Mar 24 13:22:41 2000 10.31.1.151 pinecone telnet85 171.68.118.100 stop task_id=5 start_time=953936729 timezone=utc service=shell disc cause=2 elapsed_time=236 Fri Mar 24 13:22:50 2000 10.31.1.151 pinecone telnet85 171.68.118.100 stop task_id=15 start_time=953936975 timezone=utc service=shell priv lvl=0 cmd=enable Fri Mar 24 13:22:54 2000 10.31.1.151 pinecone telnet85 171.68.118.100 stop task_id=16 start_time=953936979 timezone=utc service=shell priv lvl=15 cmd=write terminal Fri Mar 24 13:22:59 2000 10.31.1.151 pinecone telnet85 171.68.118.100 stop task_id=17 start_time=953936984 timezone=utc service=shell priv lvl=15 cmd=show version Fri Mar 24 13:23:19 2000 10.31.1.151 pinecone telnet85 171.68.118.100 update task_id=14 start_time=953936974 timezone=utc service=shell RADIUS on UNIX Record Output This output is an example of how the records can appear on the server: Acct Status Type = Start Acct Authentic = RADIUS User Service Type = 7 Acct Session Id = "0000002b" Calling Station Id = "171.68.118.100"

Acct Status Type = Start User Service Type = Login User Acct Session Id = "0000002c" Login Service = Telnet Login Host = 171.68.118.100 Calling Station Id = "171.68.118.100" Acct Status Type = Stop User Service Type = Login User Acct Session Id = "0000002c" Login Service = Telnet Login Host = 171.68.118.100 Acct Session Time = 9 Acct Status Type = Stop Acct Authentic = RADIUS User Service Type = 7 Acct Session Id = "0000002b" Received unknown attribute 49 Acct Session Time = 30 Step H TACACS+ Enable Authentication Complete these steps: 1. Issue the set authentication enable local enable command in order to make sure that there is a back door in if the server is down. 2. Issue the set authentication enable tacacs enable command in order to tell the switch to send enable requests to the server. Step I RADIUS Enable Authentication Add these commands in order to get the switch to send the username $enab15$ to the RADIUS server. Not all RADIUS servers support this kind of a username. See Step E for another alternative, for example, if you set a service type [RADIUS attribute 6 to Administrative], which launches individual users into enable mode. 1. Issue the set authentication enable local enable command in order to make sure there is a back door in if the server is down. 2. Issue the set authentication enable radius enable command in order to tell the switch to send enable requests to the server if your RADIUS server supports the $enab15$ username. Step J TACACS+ Enable The addition of this command results in the switch sending enable to the server when the user tries to enable. The server needs to have the enable command permitted. In this example, there is a failover to none in the event the server is down: set author enable enable tacacs+ none both

Step K Kerberos Authentication Refer to Controlling and Monitoring Access to the Switch Using Authentication,, and Accounting for more information on how to set up Kerberos to the switch. Password Recovery Refer to Password Recovery Procedures for more information on Password Recovery procedures. This page is the index of password recovery procedures for Cisco products. ip permit Commands for Additional Security For additional security, the alyst can be configured to control Telnet access through the ip permit commands: set ip permit enable telnet set ip permit range mask host This allows only the range or hosts specified to Telnet into the switch. Debug on the alyst Prior to enabling debugging on the alyst, check the server logs for reasons for failure. This is easier and less disruptive to the switch. On earlier switch versions, the debug was performed in engineering mode. It is not necessary to access engineering mode in order to execute debug commands in later versions of code: set trace tacacs radius kerberos 4 Note: The set trace tacacs radius kerberos 0 command returns the alyst to the no tracing mode. Refer to Switches Product Support Page for more information on multilayer LAN Switches. Related Information TACACS+ and RADIUS Comparison RADIUS, TACACS+, and Kerberos in Cisco IOS Documentation RADIUS Support Page TACACS/TACACS+ Support Page Kerberos Support Page Requests for Comments (RFCs) Technical Support & Documentation Cisco Systems Contacts & Feedback Help Site Map 2014 2015 Cisco Systems, Inc. All rights reserved. Terms & Conditions Privacy Statement Cookie Policy Trademarks of Cisco Systems, Inc. Updated: Dec 27, 2007 Document ID: 13847

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information