Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cisco Wired Switch with RADIUS Auth / Admin Access

  • 1.  Cisco Wired Switch with RADIUS Auth / Admin Access

    Posted Mar 15, 2016 08:18 PM

    Hello, 

    I am beating my head on the wall trying to get a Cisco switch to authenticate admins via CPPM instead of NPS, and I have looked at multiple guides and canned solutions, but nothing seems to work. 
    Basically, our Cisco switches would work fine when using NPS, but now that I point them at CPPM, I am not able to log on. 
    I have done the following config on the Cisco, and attached are my CPPM configs:

    aaa new-model
    aaa group server radius NAP
     server 10.X.X.X auth-port 1812 acct-port 1813
    !
    aaa authentication login userAuthentication local group NAP
    aaa authorization exec userAuthorization local group NAP if-authenticated
    aaa authorization network userAuthorization local group NAP
    aaa accounting exec default start-stop group NAP
    aaa accounting system default start-stop group NAP
    !
    ip radius source-interface Vlan140
    !
    radius-server host 10.X.X.X auth-port 1812 acct-port 1813 key XXXXX
    radius-server attribute 32 include-in-access-req format %h {SwitchName}

    When I attempt to log in, CPPM shows an ACCEPT for the request, but the Cisco switch says Authorization Failed and kicks me out. I know it is hitting on the correct Enforcement Profile because it passes the following attribute back to the Cisco:

    Radius:CiscoCisco-AVPair=shell:priv-lvl=15

    I got this attribute from our NPS server, and verified it against a couple of guides, so I am thinking that this is the correct attribute to pass back to the Cisco, but it is not working. 
    The switch in question is a Cisco 6509 switch.


    On the CPPM, we are looking to make sure the switch is in the proper device group and that is how it hits on the Enforcement Profile. Attached is a sample request that comes back.


    Any ideas on how I can get this to work? I really need to get this up and running before we decom our NPS servers. Thanks. 




  • 2.  RE: Cisco Wired Switch with RADIUS Auth / Admin Access

    Posted Mar 15, 2016 08:58 PM

    Why don't you try using TACACS+ instead?

    https://ase.arubanetworks.com/solutions/id/80 



  • 3.  RE: Cisco Wired Switch with RADIUS Auth / Admin Access

    Posted Mar 15, 2016 09:00 PM

    We are using RADIUS for everything in our organization; we migrated from TACACS once before. What would be the benefits of doing TACACS just for our Cisco devices and RADIUS for everything else? Is there not a way to make RADIUS on CPPM work?



  • 4.  RE: Cisco Wired Switch with RADIUS Auth / Admin Access

    Posted Mar 16, 2016 10:39 AM

    Any other ideas besides reverting to TACACS?



  • 5.  RE: Cisco Wired Switch with RADIUS Auth / Admin Access

    EMPLOYEE
    Posted Mar 16, 2016 10:42 AM

    You can open a case with TAC in parallel, so they can see what is wrong with your configuration. Others may be able to guess, but without seeing the Cisco logs to determine what is going wrong, we don't know.



  • 6.  RE: Cisco Wired Switch with RADIUS Auth / Admin Access

    Posted Mar 16, 2016 10:43 AM

    Colin, I have a case open with TAC as well, and they are looking into it. I was hoping that someone here also ran into this and was able to figure it out. I have also tried to look at the Cisco logs, but nothing is showing up on there. Let me see if I can turn on debugging. 



  • 7.  RE: Cisco Wired Switch with RADIUS Auth / Admin Access

    Posted Mar 16, 2016 10:46 AM

    Here is the debug from the Cisco switch:


    Mar 16 08:45:30.584 CST: RADIUS: ustruct sharecount=1
    Mar 16 08:45:30.584 CST: Radius: radius_port_info() success=1 radius_nas_port=1
    Mar 16 08:45:30.584 CST: RADIUS: Initial Transmit tty2 id 161 10.72.16.113:1812, Access-Request, len 116
    Mar 16 08:45:30.584 CST:         Attribute 4 6 A3C18C05
    Mar 16 08:45:30.584 CST:         Attribute 5 6 00000002
    Mar 16 08:45:30.584 CST:         Attribute 61 6 00000005
    Mar 16 08:45:30.584 CST:         Attribute 1 8 6A6C656D
    Mar 16 08:45:30.584 CST:         Attribute 31 13 31302E37
    Mar 16 08:45:30.584 CST:         Attribute 2 18 D95EBC4E
    Mar 16 08:45:30.584 CST:         Attribute 32 39 4B494148
    Mar 16 08:45:30.656 CST: RADIUS: Received from id 161 10.72.16.113:1812, Access-Accept, len 122
    Mar 16 08:45:30.656 CST:         Attribute 26 25 0000000901137368
    Mar 16 08:45:30.656 CST:         Attribute 26 19 00000A4C010D4A75
    Mar 16 08:45:30.656 CST:         Attribute 25 58 67ABA98A
    Mar 16 08:45:30.656 CST: RADIUS: saved authorization data for user 517C5144 at 517F9824
    Mar 16 08:45:30.656 CST: RADIUS: cisco AVPair "shell:priv-lvl=15"
    Mar 16 08:45:30.656 CST: RADIUS: unrecognized Vendor code 2636
    Mar 16 08:45:30.656 CST: RADIUS: no appropriate authorization type for user.


  • 8.  RE: Cisco Wired Switch with RADIUS Auth / Admin Access

    EMPLOYEE
    Posted Mar 16, 2016 10:48 AM

    Vendor Code 2636 is juniper.  Can we see your entire Enforcement Profile?
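The debug in post 7 prints each RADIUS attribute as type, length and the first eight bytes of its value, so the two Attribute 26 lines in the Access-Accept can be decoded by hand: the first four bytes are the IANA vendor ID (00000009 = Cisco, 00000A4C = 2636 = Juniper), then the vendor sub-type and sub-length. The Python below is an added example, not code from the thread or from HPE/Aruba or Cisco: it parses lines in that debug format, decodes the vendor-specific attributes, and reports which VSAs in the Accept belong to the switch's own vendor and which are foreign (and therefore ignored, as the "unrecognized Vendor code 2636" line shows). The sample input is constructed from the hex values in post 7; the vendor and attribute name tables are standard RFC 2865/2866 and IANA values. Which CPPM attribute finally fixed the thread's problem is only in an attachment, so the decoder reports what was sent and does not try to guess the fix.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape of the Cisco "debug radius" output quoted in
# post 7 (hex values copied from there; the debug shows only the first eight
# bytes of each attribute value).
SAMPLE_DEBUG = """\
Mar 16 08:45:30.584 CST: RADIUS: Initial Transmit tty2 id 161 10.72.16.113:1812, Access-Request, len 116
Mar 16 08:45:30.584 CST:         Attribute 4 6 A3C18C05
Mar 16 08:45:30.584 CST:         Attribute 61 6 00000005
Mar 16 08:45:30.656 CST: RADIUS: Received from id 161 10.72.16.113:1812, Access-Accept, len 122
Mar 16 08:45:30.656 CST:         Attribute 26 25 0000000901137368
Mar 16 08:45:30.656 CST:         Attribute 26 19 00000A4C010D4A75
Mar 16 08:45:30.656 CST:         Attribute 25 58 67ABA98A
Mar 16 08:45:30.656 CST: RADIUS: unrecognized Vendor code 2636
"""

# Standard RADIUS attribute types (RFC 2865/2866) that appear in the thread's debug.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
              6: "Service-Type", 25: "Class", 26: "Vendor-Specific",
              31: "Calling-Station-Id", 32: "NAS-Identifier", 40: "Acct-Status-Type",
              41: "Acct-Delay-Time", 44: "Acct-Session-Id", 45: "Acct-Authentic",
              61: "NAS-Port-Type"}
# IANA private enterprise numbers used as RADIUS vendor IDs.
VENDOR_NAMES = {9: "Cisco", 2636: "Juniper", 14823: "Aruba"}

PACKET_RE = re.compile(r"(Access-Request|Access-Accept|Access-Reject|"
                       r"Accounting-Request|Accounting-response), len (\d+)")
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)")


@dataclass
class Attr:
    type: int
    length: int            # on-the-wire length, including the 2-byte type/length header
    prefix: bytes          # leading bytes of the value as printed by the debug
    vendor: Optional[int] = None
    vendor_type: Optional[int] = None
    vendor_length: Optional[int] = None


@dataclass
class Packet:
    kind: str
    length: int
    attrs: list = field(default_factory=list)


def decode_vsa(a: Attr) -> Attr:
    """RFC 2865 s5.26: value = 4-byte vendor ID, then vendor-type, vendor-length, data."""
    if a.type == 26 and len(a.prefix) >= 6:
        a.vendor = int.from_bytes(a.prefix[:4], "big")
        a.vendor_type = a.prefix[4]
        a.vendor_length = a.prefix[5]
    return a


def parse_debug(text: str) -> list[Packet]:
    """Group the 'Attribute t l hex' lines under the packet header that precedes them."""
    packets: list[Packet] = []
    for line in text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            packets.append(Packet(m.group(1), int(m.group(2))))
            continue
        m = ATTR_RE.search(line)
        if m and packets:
            a = Attr(int(m.group(1)), int(m.group(2)), bytes.fromhex(m.group(3)))
            packets[-1].attrs.append(decode_vsa(a))
    return packets


def audit_accept(text: str, nas_vendor: int = 9) -> dict:
    """Summarise what the NAS got in the Access-Accept, split by VSA vendor (default: Cisco)."""
    out = {"native_vsas": [], "foreign_vsas": [], "standard": [], "length_mismatch": []}
    for p in parse_debug(text):
        if p.kind != "Access-Accept":
            continue
        for a in p.attrs:
            if a.type != 26:
                out["standard"].append(ATTR_NAMES.get(a.type, f"Attr-{a.type}"))
                continue
            name = VENDOR_NAMES.get(a.vendor, f"vendor-{a.vendor}")
            preview = a.prefix[6:].decode("ascii", "replace")   # first data bytes shown by the debug
            entry = (name, a.vendor_type, preview)
            # Total length must be 2 (header) + 4 (vendor ID) + vendor sub-attribute length.
            if a.length != 6 + a.vendor_length:
                out["length_mismatch"].append(entry)
            (out["native_vsas"] if a.vendor == nas_vendor else out["foreign_vsas"]).append(entry)
    return out


if __name__ == "__main__":
    for key, items in audit_accept(SAMPLE_DEBUG).items():
        print(f"{key}: {items}")
```

On the thread's Accept this yields one Cisco VSA (vendor-type 1, i.e. Cisco-AVPair, value starting "sh" for shell:priv-lvl=15), one Juniper VSA (vendor-type 1, value starting "Ju") and a Class attribute; the same decoder run on a switch's own debug is a quick way to confirm exactly which attributes an Enforcement Profile is sending before changing it.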



  • 9.  RE: Cisco Wired Switch with RADIUS Auth / Admin Access

    Posted Mar 16, 2016 10:52 AM

    Yes, I see the Juniper vendor code, and that is because my Policy is used on both Cisco and Juniper, so it hands out both. Even when I took out the Juniper part of that Policy and only handed out Cisco, it still would not work. Attached are the Policy and the two Profiles. 



  • 10.  RE: Cisco Wired Switch with RADIUS Auth / Admin Access

    Posted Mar 16, 2016 11:00 AM

    Hey, so a little progress. I found this article and they said to disable AUTHORIZATION in the AAA, so I did that, and I can now log in, but it's still not giving me Priv Level 15, so I still have to type in the Enable password. Getting closer, but not quite there. 


    Here is the site that talked about this: 
    https://supportforums.cisco.com/discussion/10264276/aaa-wrsa-no-appropriate-authorization-type


    Here is the debug:

    Mar 16 08:57:43.025 CST: RADIUS: ustruct sharecount=1
    Mar 16 08:57:43.025 CST: Radius: radius_port_info() success=1 radius_nas_port=1
    Mar 16 08:57:43.025 CST: RADIUS: Initial Transmit tty3 id 164 10.72.16.113:1812, Access-Request, len 116
    Mar 16 08:57:43.025 CST:         Attribute 4 6 A3C18C05
    Mar 16 08:57:43.025 CST:         Attribute 5 6 00000003
    Mar 16 08:57:43.025 CST:         Attribute 61 6 00000005
    Mar 16 08:57:43.025 CST:         Attribute 1 8 6A6C656D
    Mar 16 08:57:43.025 CST:         Attribute 31 13 31302E37
    Mar 16 08:57:43.025 CST:         Attribute 2 18 B38C3CAE
    Mar 16 08:57:43.025 CST:         Attribute 32 39 4B494148
    Mar 16 08:57:43.085 CST: RADIUS: Received from id 164 10.72.16.113:1812, Access-Accept, len 122
    Mar 16 08:57:43.085 CST:         Attribute 26 25 0000000901137368
    Mar 16 08:57:43.085 CST:         Attribute 26 19 00000A4C010D4A75
    Mar 16 08:57:43.085 CST:         Attribute 25 58 67ABA98A
    Mar 16 08:57:43.085 CST: RADIUS: saved authorization data for user 4443CCCC at 4452CF2C
    Mar 16 08:57:43.085 CST: RADIUS: ustruct sharecount=3
    Mar 16 08:57:43.085 CST: Radius: radius_port_info() success=1 radius_nas_port=1
    Mar 16 08:57:43.085 CST: RADIUS: Sent class "g+)
    >&Jw:N1dSL^KJC^K                                      " at 4452CF6C from user 4443CCCC
    Mar 16 08:57:43.085 CST: RADIUS: Initial Transmit tty3 id 165 10.72.16.113:1813, Accounting-Request, len 151
    Mar 16 08:57:43.085 CST:         Attribute 4 6 A3C18C05
    Mar 16 08:57:43.085 CST:         Attribute 5 6 00000003
    Mar 16 08:57:43.085 CST:         Attribute 61 6 00000005
    Mar 16 08:57:43.085 CST:         Attribute 1 8 6A6C656D
    Mar 16 08:57:43.085 CST:         Attribute 31 13 31302E37
    Mar 16 08:57:43.085 CST:         Attribute 40 6 00000001
    Mar 16 08:57:43.085 CST:         Attribute 25 58 67ABA98A
    Mar 16 08:57:43.085 CST:         Attribute 45 6 00000001
    Mar 16 08:57:43.085 CST:         Attribute 6 6 00000007
    Mar 16 08:57:43.085 CST:         Attribute 44 10 00003A14
    Mar 16 08:57:43.085 CST:         Attribute 41 6 00000000
    Mar 16 08:57:43.121 CST: RADIUS: Received from id 165 10.72.16.113:1813, Accounting-response, len 20


  • 11.  RE: Cisco Wired Switch with RADIUS Auth / Admin Access

    Posted Mar 16, 2016 11:25 AM

    OK, so I have figured out a few more details. According to Cisco forums, getting Privilege Level 15 via a RADIUS auth requires an "authorization" command to be configured in the "aaa" portion of the config. 


    When I disable the "aaa authorization exec" in the Cisco and remove "authorization exec NAP" from the Line VTY, it doesn't work for getting into exec mode; RADIUS still allows me into the switch, but only at user exec mode. 


    When I put it back in there, I am given that same error that I mentioned in the first part of this post. So, the question is: how can I get the RADIUS Authorization portion to work? If you have any ideas, that would be great. I might also need to speak to some Cisco gurus, as I do not have a Cisco Support Contract. 



  • 12.  RE: Cisco Wired Switch with RADIUS Auth / Admin Access
    Best Answer

    Posted Mar 16, 2016 12:21 PM

    Got it! It's working now. The part that fixed it was setting a different attribute in the CPPM to pass the proper authorization. Check out the image attached for the proper Enforcement Profile settings. 

    Here is the full config that is required to make this work on the Cisco switch, for anyone who runs into this same problem. 


    aaa new-model
    ! NAP is just the name we chose for our RADIUS group
    aaa group server radius NAP
     server 10.X.X.X auth-port 1812 acct-port 1813
    !
    aaa authentication login userAuthentication local group NAP
    aaa authorization exec userAuthorization group NAP
    aaa accounting exec default start-stop group NAP
    aaa accounting system default start-stop group NAP
    !
    ip radius source-interface Vlan140
    !
    radius-server host 10.X.X.X auth-port 1812 acct-port 1813 key XXXXXX
    radius-server attribute 32 include-in-access-req format %h {SwitchName}
    !
    line vty 0 4
     authorization exec userAuthorization
     login authentication userAuthentication

    Hope this helps everyone else! 
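The working config above differs from the first post in two structural ways that post 11 calls out: there is an "aaa authorization exec" list that sends exec authorization to the RADIUS group, and the "line vty" block applies both named lists (an IOS named method list other than "default" does nothing until it is applied to a line). The Python below is an added example, not code from the thread, HPE/Aruba or Cisco: a small linter that parses an IOS AAA fragment and reports exactly those consistency problems (undefined server group, undefined or unapplied method lists, missing exec authorization). WORKING_CONFIG is the config from post 12 with the poster's own placeholders; UNBOUND_CONFIG and TYPO_CONFIG are constructed variants. It checks only the switch side; the CPPM Enforcement Profile attribute that completed the fix is only in the attachment and is not modelled here.

```python
from __future__ import annotations

# Config from post 12 (poster's placeholders for IP and key kept; the attribute 32
# line is kept in plain IOS syntax).
WORKING_CONFIG = """\
aaa new-model
aaa group server radius NAP
 server 10.X.X.X auth-port 1812 acct-port 1813
!
aaa authentication login userAuthentication local group NAP
aaa authorization exec userAuthorization group NAP
aaa accounting exec default start-stop group NAP
aaa accounting system default start-stop group NAP
!
ip radius source-interface Vlan140
!
radius-server host 10.X.X.X auth-port 1812 acth-port 1813 key XXXXXX
radius-server attribute 32 include-in-access-req format %h
!
line vty 0 4
 authorization exec userAuthorization
 login authentication userAuthentication
""".replace("acth-port", "acct-port")

# Constructed variant: lists defined but no "line vty" block applies them
# (the shape of the first post, which shows no vty lines at all).
UNBOUND_CONFIG = WORKING_CONFIG.split("line vty")[0]

# Constructed variant: the vty block names an exec list that is never defined.
TYPO_CONFIG = WORKING_CONFIG.replace("authorization exec userAuthorization\n",
                                     "authorization exec userAuthorisation\n")


def referenced_groups(methods: list[str]) -> list[str]:
    """Names following 'group' in a method list, ignoring the built-in radius/tacacs+ groups."""
    return [methods[i + 1] for i, tok in enumerate(methods)
            if tok == "group" and i + 1 < len(methods)
            and methods[i + 1] not in ("radius", "tacacs+")]


def parse_aaa(config: str):
    """Return (method lists by kind, defined server groups, vty blocks)."""
    lists: dict[str, dict[str, list[str]]] = {"login": {}, "exec": {}}
    groups: set[str] = set()
    vty: list[dict] = []
    current = None            # vty block currently being filled, if any
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if current is not None and raw.startswith(" "):
            if t[:2] == ["authorization", "exec"] and len(t) >= 3:
                current["exec"] = t[2]
            elif t[:2] == ["login", "authentication"] and len(t) >= 3:
                current["login"] = t[2]
            continue
        current = None
        if t[:4] == ["aaa", "group", "server", "radius"] and len(t) >= 5:
            groups.add(t[4])
        elif t[:3] == ["aaa", "authentication", "login"] and len(t) >= 5:
            lists["login"][t[3]] = t[4:]
        elif t[:3] == ["aaa", "authorization", "exec"] and len(t) >= 5:
            lists["exec"][t[3]] = t[4:]
        elif t[:2] == ["line", "vty"]:
            current = {"range": " ".join(t[2:]), "login": None, "exec": None}
            vty.append(current)
    return lists, groups, vty


def check_aaa(config: str) -> list[str]:
    """Consistency problems in the AAA fragment; an empty list means none were found."""
    lists, groups, vty = parse_aaa(config)
    problems: list[str] = []
    if "aaa new-model" not in config.splitlines():
        problems.append("aaa new-model is missing; named method lists require it")
    if not lists["exec"]:
        problems.append("no 'aaa authorization exec' list: the switch never asks RADIUS "
                        "for exec authorization, so priv-lvl from RADIUS cannot apply")
    for kind in ("login", "exec"):
        for name, methods in lists[kind].items():
            for g in referenced_groups(methods):
                if g not in groups:
                    problems.append(f"{kind} list '{name}' references undefined server group '{g}'")
    if not vty:
        problems.append("no 'line vty' block: non-default method lists are never applied to remote sessions")
    for v in vty:
        for kind in ("login", "exec"):
            ref = v[kind]
            if ref is None and "default" not in lists[kind]:
                problems.append(f"line vty {v['range']}: no {kind} list applied and no default list exists")
            elif ref not in (None, "default") and ref not in lists[kind]:
                problems.append(f"line vty {v['range']}: {kind} list '{ref}' is not defined")
    return problems


if __name__ == "__main__":
    for label, cfg in (("working", WORKING_CONFIG), ("unbound", UNBOUND_CONFIG), ("typo", TYPO_CONFIG)):
        print(label, "->", check_aaa(cfg) or "OK")
```

Run against the posted config it reports nothing; against the constructed variants it names the unapplied lists and the misspelled list, which are the kind of switch-side mistakes that produce an Access-Accept in CPPM followed by "Authorization Failed" on the switch.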



  • 13.  RE: Cisco Wired Switch with RADIUS Auth / Admin Access

    Posted Feb 14, 2019 10:37 AM
    Hi guys,

    I am currently evaluating CPPM; I went over the TechNotes in the CPPM documentation and also spent a couple of hours on this forum.

    I read/got guides on either TACACS or MAB/802.1x but couldn't find an end-to-end guide for setting up RADIUS auth on Cisco devices.

    Any idea/hint/document you might know?

    Thanks in advance,
    Florin.