Contributor II
Posts: 46
Registered: ‎06-19-2015

Cisco Wired Switch with RADIUS Auth / Admin Access

Hello, 

I am beating my head on the wall trying to get a Cisco switch to authenticate admins via CPPM instead of NPS, and I have looked at multiple guides and canned solutions, but nothing seems to work. 
Basically, our Cisco switches would work fine when using NPS, but now that I point them at CPPM, I am not able to log on. 
I have done the following config on the Cisco, and attached are my CPPM configs:

aaa new-model
aaa group server radius NAP
 server 10.X.X.X auth-port 1812 acct-port 1813
!
aaa authentication login userAuthentication local group NAP
aaa authorization exec userAuthorization local group NAP if-authenticated
aaa authorization network userAuthorization local group NAP
aaa accounting exec default start-stop group NAP
aaa accounting system default start-stop group NAP
!
ip radius source-interface Vlan140
!
radius-server host 10.X.X.X auth-port 1812 acct-port 1813 key XXXXX
radius-server attribute 32 include-in-access-req format %h {SwitchName}

When I attempt to log in, CPPM shows an ACCEPT for the request, but the Cisco switch says Authorization Failed and kicks me out. I know it is hitting on the correct Enforcement Profile because it passes the following attribute back to the Cisco:

Radius:CiscoCisco-AVPair=shell:priv-lvl=15

I got this attribute from our NPS server, and verified it against a couple of guides, so I am thinking that this is the correct attribute to pass back to the Cisco, but it is not working.
The switch in question is a Cisco 6509 switch.


On the CPPM, we are looking to make sure the switch is in the proper device group and that is how it hits on the Enforcement Profile. Attached is a sample request that comes back.


Any ideas on how I can get this to work? I really need to get this up and running before we decom our NPS servers. Thanks.


MVP
Posts: 4,228
Registered: ‎07-20-2011

Re: Cisco Wired Switch with RADIUS Auth / Admin Access

[ Edited ]

Why don't you try using TACACS+ instead?

https://ase.arubanetworks.com/solutions/id/80 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 46
Registered: ‎06-19-2015

Re: Cisco Wired Switch with RADIUS Auth / Admin Access

We are using RADIUS for everything in our organization; we migrated from TACACS once before. What would be the benefits of doing TACACS just for our Cisco devices and RADIUS for everything else? Is there not a way to make RADIUS on CPPM work?

Contributor II
Posts: 46
Registered: ‎06-19-2015

Re: Cisco Wired Switch with RADIUS Auth / Admin Access

Any other ideas besides reverting to TACACS?

Guru Elite
Posts: 20,789
Registered: ‎03-29-2007

Re: Cisco Wired Switch with RADIUS Auth / Admin Access

You can open a case with TAC in parallel, so they can see what is wrong with your configuration. Others may be able to guess, but without seeing the Cisco logs to determine what is going wrong, we don't know.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 46
Registered: ‎06-19-2015

Re: Cisco Wired Switch with RADIUS Auth / Admin Access

[ Edited ]

Colin, I have a case open with TAC as well, and they are looking into it. I was hoping that someone here also ran into this and was able to figure it out. I have also tried to look at the Cisco logs, but nothing is showing up on there. Let me see if I can turn on debugging. 

Contributor II
Posts: 46
Registered: ‎06-19-2015

Re: Cisco Wired Switch with RADIUS Auth / Admin Access

Here is the debug from the Cisco switch:


Mar 16 08:45:30.584 CST: RADIUS: ustruct sharecount=1
Mar 16 08:45:30.584 CST: Radius: radius_port_info() success=1 radius_nas_port=1
Mar 16 08:45:30.584 CST: RADIUS: Initial Transmit tty2 id 161 10.72.16.113:1812, Access-Request, len 116
Mar 16 08:45:30.584 CST:         Attribute 4 6 A3C18C05
Mar 16 08:45:30.584 CST:         Attribute 5 6 00000002
Mar 16 08:45:30.584 CST:         Attribute 61 6 00000005
Mar 16 08:45:30.584 CST:         Attribute 1 8 6A6C656D
Mar 16 08:45:30.584 CST:         Attribute 31 13 31302E37
Mar 16 08:45:30.584 CST:         Attribute 2 18 D95EBC4E
Mar 16 08:45:30.584 CST:         Attribute 32 39 4B494148
Mar 16 08:45:30.656 CST: RADIUS: Received from id 161 10.72.16.113:1812, Access-Accept, len 122
Mar 16 08:45:30.656 CST:         Attribute 26 25 0000000901137368
Mar 16 08:45:30.656 CST:         Attribute 26 19 00000A4C010D4A75
Mar 16 08:45:30.656 CST:         Attribute 25 58 67ABA98A
Mar 16 08:45:30.656 CST: RADIUS: saved authorization data for user 517C5144 at 517F9824
Mar 16 08:45:30.656 CST: RADIUS: cisco AVPair "shell:priv-lvl=15"
Mar 16 08:45:30.656 CST: RADIUS: unrecognized Vendor code 2636
Mar 16 08:45:30.656 CST: RADIUS: no appropriate authorization type for user.
Guru Elite
Posts: 20,789
Registered: ‎03-29-2007

Re: Cisco Wired Switch with RADIUS Auth / Admin Access

Vendor Code 2636 is Juniper. Can we see your entire Enforcement Profile?



Colin Joseph
Aruba Customer Engineering

Contributor II
Posts: 46
Registered: ‎06-19-2015

Re: Cisco Wired Switch with RADIUS Auth / Admin Access

Yes, I see the Juniper vendor code, and that is because my Policy is used on both Cisco and Juniper, so it hands out both. Even when I took out the Juniper part of that Policy and only handed out Cisco, it still would not work. Attached are the Policy and the two Profiles. 
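As an added example (not part of this thread, CPPM or any vendor's code), the following Python decodes the type-26 Vendor-Specific attributes of a RADIUS Access-Accept the way the switch debug above displays them, so you can confirm which vendor IDs and which priv-lvl an enforcement profile actually returns before pointing a Cisco NAD at it. The attribute bytes are constructed to match the lengths in the debug (25 for the Cisco AV-Pair, 19 for the Juniper VSA); the Juniper value is a placeholder.

```python
import struct

CISCO_VENDOR = 9
VENDOR_NAMES = {9: "Cisco", 2636: "Juniper"}  # IANA enterprise numbers seen in the debug

def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Build one RFC 2865 Vendor-Specific attribute: Type 26, Length, Vendor-Id, one sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", 26, 2 + len(body)) + body

# Constructed sample mirroring the Access-Accept in the debug: Cisco AV-Pair (attr length 25)
# followed by a Juniper VSA (attr length 19) whose value is a placeholder, not from the thread.
SAMPLE_REPLY_ATTRS = build_vsa(9, 1, b"shell:priv-lvl=15") + build_vsa(2636, 1, b"Ju-template")

def parse_attributes(data: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list; reject a malformed length."""
    i = 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"malformed attribute at offset {i}")
        yield atype, data[i + 2:i + alen]
        i += alen

def parse_vsas(data: bytes):
    """Return (vendor_id, vendor_type, value) for every sub-attribute inside a type-26 attribute."""
    out = []
    for atype, value in parse_attributes(data):
        if atype != 26 or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        sub = value[4:]
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                break  # truncated sub-attribute; stop rather than mis-parse
            out.append((vendor_id, vtype, sub[2:vlen]))
            sub = sub[vlen:]
    return out

def check_cisco_reply(data: bytes):
    """Return the priv-lvl a Cisco NAD would apply and the non-Cisco vendors it will log as unrecognized."""
    priv, foreign = None, set()
    for vendor_id, vtype, value in parse_vsas(data):
        if vendor_id == CISCO_VENDOR and vtype == 1 and value.startswith(b"shell:priv-lvl="):
            priv = int(value.split(b"=", 1)[1])
        elif vendor_id != CISCO_VENDOR:
            foreign.add(VENDOR_NAMES.get(vendor_id, str(vendor_id)))
    return priv, sorted(foreign)
```

A result of `(15, ['Juniper'])` for the constructed sample is what the debug above shows: the Cisco AV-Pair is present, and a second vendor's VSA rides along in the same Access-Accept.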

Contributor II
Posts: 46
Registered: ‎06-19-2015

Re: Cisco Wired Switch with RADIUS Auth / Admin Access

Hey, so a little progress. I found this article and they said to disable AUTHORIZATION in the AAA. So I did that, and I can now log in, but it's still not giving me Priv Level 15, so I still have to type in the Enable password. Getting closer, but not quite there.


Here is the site that talked about this: 
https://supportforums.cisco.com/discussion/10264276/aaa-wrsa-no-appropriate-authorization-type


Here is the debug:

Mar 16 08:57:43.025 CST: RADIUS: ustruct sharecount=1
Mar 16 08:57:43.025 CST: Radius: radius_port_info() success=1 radius_nas_port=1
Mar 16 08:57:43.025 CST: RADIUS: Initial Transmit tty3 id 164 10.72.16.113:1812, Access-Request, len 116
Mar 16 08:57:43.025 CST:         Attribute 4 6 A3C18C05
Mar 16 08:57:43.025 CST:         Attribute 5 6 00000003
Mar 16 08:57:43.025 CST:         Attribute 61 6 00000005
Mar 16 08:57:43.025 CST:         Attribute 1 8 6A6C656D
Mar 16 08:57:43.025 CST:         Attribute 31 13 31302E37
Mar 16 08:57:43.025 CST:         Attribute 2 18 B38C3CAE
Mar 16 08:57:43.025 CST:         Attribute 32 39 4B494148
Mar 16 08:57:43.085 CST: RADIUS: Received from id 164 10.72.16.113:1812, Access-Accept, len 122
Mar 16 08:57:43.085 CST:         Attribute 26 25 0000000901137368
Mar 16 08:57:43.085 CST:         Attribute 26 19 00000A4C010D4A75
Mar 16 08:57:43.085 CST:         Attribute 25 58 67ABA98A
Mar 16 08:57:43.085 CST: RADIUS: saved authorization data for user 4443CCCC at 4452CF2C
Mar 16 08:57:43.085 CST: RADIUS: ustruct sharecount=3
Mar 16 08:57:43.085 CST: Radius: radius_port_info() success=1 radius_nas_port=1
Mar 16 08:57:43.085 CST: RADIUS: Sent class "g+)
>&Jw:N1dSL^KJC^K                                      " at 4452CF6C from user 4443CCCC
Mar 16 08:57:43.085 CST: RADIUS: Initial Transmit tty3 id 165 10.72.16.113:1813, Accounting-Request, len 151
Mar 16 08:57:43.085 CST:         Attribute 4 6 A3C18C05
Mar 16 08:57:43.085 CST:         Attribute 5 6 00000003
Mar 16 08:57:43.085 CST:         Attribute 61 6 00000005
Mar 16 08:57:43.085 CST:         Attribute 1 8 6A6C656D
Mar 16 08:57:43.085 CST:         Attribute 31 13 31302E37
Mar 16 08:57:43.085 CST:         Attribute 40 6 00000001
Mar 16 08:57:43.085 CST:         Attribute 25 58 67ABA98A
Mar 16 08:57:43.085 CST:         Attribute 45 6 00000001
Mar 16 08:57:43.085 CST:         Attribute 6 6 00000007
Mar 16 08:57:43.085 CST:         Attribute 44 10 00003A14
Mar 16 08:57:43.085 CST:         Attribute 41 6 00000000
Mar 16 08:57:43.121 CST: RADIUS: Received from id 165 10.72.16.113:1813, Accounting-response, len 20