Configure TACACS+, RADIUS, and Kerberos on the Catalyst Switch


Catalyst 4000, Catalyst 5000, and Catalyst 6000 series switches running CatOS have supported some form of authentication since code version 2.2, with enhancements added in later releases. Setting up users on a TACACS+ (TCP port 49, not XTACACS on UDP port 49), Remote Access Dial-In User Service (RADIUS), or Kerberos server for authentication, authorization, and accounting (AAA) works the same way for switch users as for router users. This article contains examples of the minimal commands that must be enabled; additional options are described in the switch documentation for the version in question.
Background information
Because later code versions support additional options, first confirm the code version on the switch with the show version command. Once you know the code version running on the switch, use the following table to determine which options are available on your device and which of them you want to configure.
Always keep a second session open while adding authentication and authorization to the switch, and test the configuration from that other window, so that you do not accidentally lock yourself out.


Procedure
Step A - TACACS+ Authentication
With earlier code versions, the commands are not as complex as in some later versions. Additional options may be available on your switch in later versions.
Make sure there is a back door into the switch in case the server is down, with the following command: set authentication login local enable
Enable TACACS+ authentication with the following command: set authentication login tacacs enable
Define the server with the following command: set tacacs server #.#.#.#
Define the server key. This is optional with TACACS+; it causes the switch to encrypt the data it sends to the server. If used, it must match the key configured on the server: set tacacs key your_key
Step B - RADIUS Authentication
With earlier code versions, the commands are not as complex as in some later versions. Additional options may be available on your switch in later versions.
Make sure there is a back door into the switch in case the server is down, with the following command: set authentication login local enable
Enable RADIUS authentication with the following command: set authentication login radius enable
Define the server. On other Cisco devices the default RADIUS ports are 1645/1646 (authentication/accounting).
On the Catalyst, the default ports are 1812/1813. If you use CiscoSecure or a server that also talks to other Cisco devices, use ports 1645/1646. Define the server with the following command: set radius server #.#.#.# auth-port 1645 acct-port 1646 primary
Define the server key.
With RADIUS the key is mandatory, because it is what the switch uses to encrypt the password in the RADIUS request as the RFC specifies. It must match the key configured on the server. Run the following command: set radius key your_key
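The one mistake Steps A and B both warn about is applying a remote method before the local back door, or enabling a method without its server or key. The following Python lint is an added example, not code from the article or from Cisco: it reads a snippet of CatOS commands and reports the article's own rules (local back door present and applied first, a server defined for every enabled method, a key for RADIUS, an optional key for TACACS+). The two sample configurations and the finding texts are constructed for this example.

```python
"""CatOS AAA pre-apply lint for the lockout mistakes described above (added example)."""
import re
from typing import Dict, List, Set, Tuple

REMOTE_METHODS = ("tacacs", "radius", "kerberos")
AUTH_RE = re.compile(r"set authentication (login|enable) (local|tacacs|radius|kerberos) enable\b")
SERVER_RE = re.compile(r"set (tacacs|radius) server\b")
KEY_RE = re.compile(r"set (tacacs|radius) key\b")


def lint_catos_aaa(config: str) -> List[str]:
    """Return a list of findings; an empty list means the snippet follows the rules."""
    lines = [ln.strip().lower() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]
    auth_pos: Dict[Tuple[str, str], int] = {}   # (scope, method) -> index of the line enabling it
    server_defined: Set[str] = set()
    key_defined: Set[str] = set()
    for idx, line in enumerate(lines):
        if m := AUTH_RE.match(line):
            auth_pos[(m.group(1), m.group(2))] = idx
        elif m := SERVER_RE.match(line):
            server_defined.add(m.group(1))
        elif m := KEY_RE.match(line):
            key_defined.add(m.group(1))

    findings: List[str] = []
    # Rule 1: every remote login/enable method needs a local back door, applied before it.
    for scope in ("login", "enable"):
        local_at = auth_pos.get((scope, "local"))
        for method in REMOTE_METHODS:
            remote_at = auth_pos.get((scope, method))
            if remote_at is None:
                continue
            if local_at is None:
                findings.append(f"{scope}: {method} enabled with no back door "
                                f"(missing 'set authentication {scope} local enable')")
            elif local_at > remote_at:
                findings.append(f"{scope}: local back door is applied after {method}; apply it first")
    # Rule 2: an enabled TACACS+/RADIUS method needs a server; RADIUS also needs a key.
    methods_used = sorted({method for (_, method) in auth_pos if method in ("tacacs", "radius")})
    for method in methods_used:
        if method not in server_defined:
            findings.append(f"{method}: authentication enabled but no 'set {method} server' defined")
        if method == "radius" and "radius" not in key_defined:
            findings.append("radius: no 'set radius key' defined; the key is mandatory for RADIUS")
        if method == "tacacs" and "tacacs" not in key_defined:
            findings.append("tacacs: no 'set tacacs key' defined; optional, but without it the "
                            "exchange with the server is not encrypted")
    return findings


# Constructed sample: Step A applied in the safe order, with a key (server address is made up).
SAFE_TACACS = """
set authentication login local enable
set authentication login tacacs enable
set tacacs server 10.0.0.5
set tacacs key your_key
"""

# Constructed sample: RADIUS enabled before the back door, and no key defined.
RISKY_RADIUS = """
set authentication login radius enable
set authentication login local enable
set radius server 10.0.0.6 auth-port 1645 acct-port 1646 primary
"""

if __name__ == "__main__":
    for name, cfg in (("safe", SAFE_TACACS), ("risky", RISKY_RADIUS)):
        print(name, lint_catos_aaa(cfg) or ["ok"])
```

Run it against the commands you intend to paste into the second window before you apply them to the switch; the order check matters because CatOS applies each set command as it is entered.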
Step C - Local Username Authentication/Authorization
Local username authentication is available beginning in CatOS version 7.5.1. That is, you can use usernames and passwords stored on the Catalyst for authentication and authorization, instead of a single local password for authentication.
There are only two privilege levels for local user authentication, 0 and 15. Level 0 is the non-privileged EXEC level; level 15 is the privileged enable level.
With the commands added in this example, the user "poweruser" lands in enable mode when logging in to the switch by Telnet or the console, and the user "nonenable" lands in EXEC mode:
set localuser user poweruser password powerpass privilege 15
set localuser user nonenable password nonenable
Note: If the user "nonenable" knows the enable password, that user can still proceed to enable mode.
Once configured, the passwords are stored encrypted.
Local username authentication can be used together with remote TACACS+ EXEC and command accounting, or with remote RADIUS EXEC accounting. It could also be used with remote TACACS+ EXEC or command authorization, but doing so makes little sense, because the usernames would then have to be stored both on the TACACS+ server and locally on the switch.
Step D - TACACS+ Command Authorization
In our example, we tell the switch to require TACACS+ authorization for configuration commands only. If the TACACS+ server is down, no authorization is required. This applies to both the console port and Telnet sessions. Run the following command:
set authorization commands enable config tacacs+ none both
In this example, you might configure the TACACS+ server with the following parameters:
command = set
arguments (permit) = port 2/12
The command set port enable 2/12 is then sent to the TACACS+ server for verification.
Note: With command authorization enabled, the switch, unlike a router (where enable is not considered a command), sends the enable command to the server when an enable attempt is made. Remember to configure the server to permit the enable command.
Step E - TACACS+ EXEC Authorization
In our example, we tell the switch to require TACACS+ authorization for EXEC sessions. If the TACACS+ server is down, no authorization is required. This applies to both the console port and Telnet sessions. Run the following command:
set authorization exec enable tacacs+ none both
This causes the switch to send a separate authorization request to the TACACS+ server in addition to the authentication request. If the user profile on the TACACS+ server is configured for the shell/exec service, the user can access the switch.
This prevents users whose profile on the server has no shell/exec service (for example, point-to-point protocol (PPP) users) from logging on to the switch; they receive an EXEC mode authorization failure message. In addition to permitting or denying EXEC mode, the user can be forced straight into enable mode on login if the privilege level specified on the server is 15 (you must run code in which Cisco bug ID CSCdr51314 is fixed).
Bug Toolkit (registered customers only): use this tool to search for known bugs based on software version, feature set, and keywords.
Step F - RADIUS Authorization
There is no command to enable RADIUS authorization. Instead, set the Service-Type (RADIUS attribute 6) to Administrative (value 6) in the user's profile on the RADIUS server; this lets the user go straight to enable mode on the switch. If Service-Type is set to anything other than 6 (Administrative), for example 1 (Login), 7 (shell), or 2 (Framed), the user arrives at the switch EXEC prompt but not the enable prompt.
Step G - Accounting with TACACS+ or RADIUS
Enable TACACS+ accounting:
To have the switch send a record when a user logs on, run the following command: set accounting exec enable start-stop tacacs+
To have the switch send a record when a user Telnets out of the switch to another host, run the following command: set accounting connect enable start-stop tacacs+
To have the switch send a record when it reboots, run the following command: set accounting system enable start-stop tacacs+
To have the switch send a record for each command, run the following command: set accounting commands enable all start-stop tacacs+
To have the switch send an update record to the server once a minute, showing that the user is still logged on, run the following command: set accounting update periodic 1
Enable RADIUS accounting:
To have the switch send a record when a user logs on, run the following command: set accounting exec enable start-stop radius
To have the switch send a record when a user Telnets out of the switch to another host, run the following command: set accounting connect enable start-stop radius
To have the switch send a record when it reboots, run the following command: set accounting system enable start-stop radius
To have the switch send an update record to the server once a minute, showing that the user is still logged on, run the following command: set accounting update periodic 1
TACACS+ freeware accounting records
The following is an example of how the records may appear on the server:
Fri Mar 24 13:22:41 2000 10.31.1.151 pinecone telnet85
171.68.118.100 stop task_id = 5 start_time = 953936729 timezone = UTC
Service = shell disc-cause = 2 elapsed_time = 236
Fri Mar 24 13:22:50 2000 10.31.1.151 pinecone telnet85
171.68.118.100 stop task_id = 15 start_time = 953936975 timezone = UTC
Service = shell priv-lvl = 0 cmd = enable
Fri Mar 24 13:22:54 2000 10.31.1.151 pinecone telnet85
171.68.118.100 stop task_id = 16 start_time = 953936979 timezone = UTC
Service = shell priv-lvl = 15 cmd = write terminal
Fri Mar 24 13:22:59 2000 10.31.1.151 pinecone telnet85
171.68.118.100 stop task_id = 17 start_time = 953936984 timezone = UTC
Service = shell priv-lvl = 15 cmd = show version
Fri Mar 24 13:23:19 2000 10.31.1.151 pinecone telnet85
171.68.118.100 update task_id = 14 start_time = 953936974 timezone = UTC
Service = shell
RADIUS accounting output in UNIX records
The following is an example of how the records may appear on the server:
Client-Id = 10.31.1.151
NAS-Port-Type = 0
User-Name = "login"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Service-Type = 7
Acct-Session-Id = "0000002b"
Acct-Delay-Time = 0
Client-Id = 10.31.1.151
NAS-Port-Type = 0
User-Name = "login"
Calling-Station-Id = "171.68.118.100"
Acct-Status-Type = Start
User-Service-Type = Login-User
Acct-Session-Id = "0000002c"
Login-Service = Telnet
Login-Host = 171.68.118.100
Acct-Delay-Time = 0
Client-Id = 10.31.1.151
NAS-Port-Type = 0
User-Name = "login"
Calling-Station-Id = "171.68.118.100"
Acct-Status-Type = Stop
User-Service-Type = Login-User
Acct-Session-Id = "0000002c"
Login-Service = Telnet
Login-Host = 171.68.118.100
Acct-Session-Time = 9
Acct-Delay-Time = 0
Client-Id = 10.31.1.151
NAS-Port-Type = 0
User-Name = "login"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
User-Service-Type = 7
Acct-Session-Id = "0000002b"
Inclued unknown attribute 49
Acct-Session-Time = 30
Acct-Delay-Time = 0
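The two record formats above are what a reviewer has to read after the fact, so the following Python parser is an added example, not code from the article or from Cisco. It turns the TACACS+ freeware records and the RADIUS UNIX records into dictionaries and pulls out the items worth checking: commands accounted at priv-lvl 15 (the enable level), enable attempts (which CatOS accounts as a command), and session durations from Stop records. The sample text is copied from the article's example output; the parsing rules (a TACACS+ record starts with a weekday, a RADIUS record starts with Client-Id, a line without "=" is a notice to skip) are this example's own assumptions about that output.

```python
"""Parse the TACACS+ and RADIUS accounting records shown above (added example)."""
import re
from typing import Dict, List, Tuple

# Sample copied from the article's TACACS+ freeware output, wrapped as printed there.
TACACS_SAMPLE = """
Fri Mar 24 13:22:41 2000 10.31.1.151 pinecone telnet85
171.68.118.100 stop task_id = 5 start_time = 953936729 timezone = UTC
Service = shell disc-cause = 2 elapsed_time = 236
Fri Mar 24 13:22:50 2000 10.31.1.151 pinecone telnet85
171.68.118.100 stop task_id = 15 start_time = 953936975 timezone = UTC
Service = shell priv-lvl = 0 cmd = enable
Fri Mar 24 13:22:54 2000 10.31.1.151 pinecone telnet85
171.68.118.100 stop task_id = 16 start_time = 953936979 timezone = UTC
Service = shell priv-lvl = 15 cmd = write terminal
Fri Mar 24 13:22:59 2000 10.31.1.151 pinecone telnet85
171.68.118.100 stop task_id = 17 start_time = 953936984 timezone = UTC
Service = shell priv-lvl = 15 cmd = show version
Fri Mar 24 13:23:19 2000 10.31.1.151 pinecone telnet85
171.68.118.100 update task_id = 14 start_time = 953936974 timezone = UTC
Service = shell
"""

# Sample copied from the article's RADIUS UNIX output (two of the Stop records).
RADIUS_SAMPLE = """
Client-Id = 10.31.1.151
NAS-Port-Type = 0
User-Name = "login"
Calling-Station-Id = "171.68.118.100"
Acct-Status-Type = Stop
User-Service-Type = Login-User
Acct-Session-Id = "0000002c"
Login-Service = Telnet
Login-Host = 171.68.118.100
Acct-Session-Time = 9
Acct-Delay-Time = 0
Client-Id = 10.31.1.151
NAS-Port-Type = 0
User-Name = "login"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
User-Service-Type = 7
Acct-Session-Id = "0000002b"
Inclued unknown attribute 49
Acct-Session-Time = 30
Acct-Delay-Time = 0
"""

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
# "key = value" pairs; a value may contain spaces (cmd = write terminal), so stop before the next key.
KV_RE = re.compile(r"([\w-]+)\s*=\s*(.+?)(?=\s+[\w-]+\s*=|$)")


def parse_tacacs_accounting(text: str) -> List[Dict[str, str]]:
    """One dict per record: header fields (time, nas, user, port) plus every attribute."""
    records: List[Dict[str, str]] = []
    cur = None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line[:3] in WEEKDAYS:                      # header line starts a new record
            parts = line.split()
            cur = {"time": " ".join(parts[:5]), "nas": parts[5], "user": parts[6], "port": parts[7]}
            records.append(cur)
            continue
        if cur is None:
            continue
        tokens = line.split()
        if len(tokens) > 1 and tokens[1] != "=" and "=" not in tokens[0]:
            cur["remote"], cur["flag"] = tokens[0], tokens[1]   # remote address, start/stop/update
        for key, val in KV_RE.findall(line):
            cur[key.lower()] = val
    return records


def privileged_commands(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(user, command) for every command accounted at priv-lvl 15."""
    return [(r["user"], r["cmd"]) for r in records if r.get("priv-lvl") == "15" and "cmd" in r]


def enable_attempts(records: List[Dict[str, str]]) -> List[str]:
    """Users for whom the switch accounted an enable command."""
    return [r["user"] for r in records if r.get("cmd") == "enable"]


def parse_radius_accounting(text: str) -> List[Dict[str, str]]:
    """One dict per record; a record begins at Client-Id, lines without '=' are skipped."""
    records: List[Dict[str, str]] = []
    cur = None
    for line in (ln.strip() for ln in text.splitlines()):
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip().strip('"')
        if key == "Client-Id":
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[key] = val
    return records


def session_durations(records: List[Dict[str, str]]) -> List[Tuple[str, str, int]]:
    """(session id, user, seconds) from every Stop record that carries Acct-Session-Time."""
    return [(r["Acct-Session-Id"], r["User-Name"], int(r["Acct-Session-Time"]))
            for r in records if r.get("Acct-Status-Type") == "Stop" and "Acct-Session-Time" in r]


if __name__ == "__main__":
    tac = parse_tacacs_accounting(TACACS_SAMPLE)
    print("priv-lvl 15 commands:", privileged_commands(tac))
    print("enable attempts:", enable_attempts(tac))
    print("sessions:", session_durations(parse_radius_accounting(RADIUS_SAMPLE)))
```

On the sample, the TACACS+ side shows the pattern the note in Step D describes: an enable command accounted at priv-lvl 0, followed by write terminal and show version at priv-lvl 15.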
Step H - TACACS+ Enable Authentication
Follow these steps:
Make sure there is a back door in case the server is down, with the following command: set authentication enable local enable
Tell the switch to send enable requests to the server with the following command: set authentication enable tacacs enable
Step I - RADIUS Enable Authentication
Add the following command to have the switch send the username $enab15$ to the RADIUS server. Not all RADIUS servers support this kind of username. See Step E for another option that lets an individual user into enable mode (for example, setting Service-Type, RADIUS attribute 6, to Administrative).
Make sure there is a back door in case the server is down, with the following command: set authentication enable local enable
Tell the switch to send enable requests to the server, if your RADIUS server supports the $enab15$ username, with the following command: set authentication enable radius enable
Step J - TACACS+ Enable Authorization
The following command causes the switch to send the enable command to the server when a user attempts to enable; the server must permit the enable command. In this example, if the server is down, the switch falls back to requiring no authorization:
set authorization enable tacacs+ none both
Step K - Kerberos Authentication
For information about how to set up Kerberos on the switch, see the following document:
Controlling and Monitoring Access to the Switch Using Authentication, Authorization, and Accounting
Password Recovery
For information about password recovery procedures, see the following document:
Password Recovery Procedures
This page is the index of password recovery procedures for Cisco products.
ip permit command for additional security
For additional security, the Catalyst can be configured to control Telnet access with the ip permit command:
set ip permit enable telnet
set ip permit range mask | host
This allows Telnet to the switch only from the specified range or host.
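Because a permit list is applied to a live switch, the check worth doing before entering it is whether your own management station is still inside it. The following Python model is an added example, not code from the article or from Cisco: it reads the two command forms shown above, treating "set ip permit <addr> <mask>" (dotted mask) as a range and "set ip permit <addr>" as a single host, and then answers whether a given source address would be allowed to Telnet. That reading of the range/host syntax, and the assumption that Telnet is unrestricted until "set ip permit enable telnet" is entered, are this example's own; the configuration and addresses are constructed.

```python
"""Model of the CatOS ip permit list for Telnet, with a lockout pre-check (added example)."""
import ipaddress
from typing import List, Tuple

Network = ipaddress.IPv4Network


def parse_ip_permit(config: str) -> Tuple[bool, List[Network]]:
    """Return (Telnet enforcement on?, permitted networks) from CatOS 'set ip permit' lines."""
    enforced = False
    permitted: List[Network] = []
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:3] != ["set", "ip", "permit"] or len(tokens) < 4:
            continue
        if tokens[3] == "enable":
            enforced = enforced or "telnet" in tokens[4:]
        elif len(tokens) >= 5:          # assumed range form: address followed by a dotted mask
            permitted.append(ipaddress.ip_network(f"{tokens[3]}/{tokens[4]}", strict=False))
        else:                           # assumed host form: a single address
            permitted.append(ipaddress.ip_network(f"{tokens[3]}/32"))
    return enforced, permitted


def telnet_permitted(src: str, enforced: bool, permitted: List[Network]) -> bool:
    """True if a Telnet connection from src would be accepted under this permit list."""
    if not enforced:
        return True                     # assumption: no restriction until enforcement is enabled
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in permitted)


def lockout_risk(config: str, admin_hosts: List[str]) -> List[str]:
    """Admin stations that would lose Telnet access once this config is applied."""
    enforced, permitted = parse_ip_permit(config)
    return [h for h in admin_hosts if not telnet_permitted(h, enforced, permitted)]


# Constructed sample: one management subnet plus one jump host.
SAMPLE_CONFIG = """
set ip permit enable telnet
set ip permit 10.31.1.0 255.255.255.0
set ip permit 171.68.118.100
"""

if __name__ == "__main__":
    on, nets = parse_ip_permit(SAMPLE_CONFIG)
    for src in ("10.31.1.151", "171.68.118.100", "192.0.2.7"):
        print(src, "permitted" if telnet_permitted(src, on, nets) else "denied")
    print("would lock out:", lockout_risk(SAMPLE_CONFIG, ["10.31.1.151", "192.0.2.7"]))
```

Run lockout_risk with the addresses of the stations you administer from before entering the list; an empty result means the second window you keep open (see Background information) will still be able to reconnect.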
Debugging on the Catalyst
Before enabling debugging on the Catalyst, check the server log for the reason for the failure; this is easier and less disruptive to the switch. On earlier switch code, debugging was done in engineering mode. Later code versions do not require access to engineering mode to run the debug command:
set trace tacacs|radius|kerberos 4
Note: The set trace tacacs|radius|kerberos 0 command returns the Catalyst to no-trace mode.
