  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 700

AAA on Cisco switch - query

Hi, I am running the following:

master DC/AD/DNS/DHCP/GPMC Win 2003 platform domain server
host XP clients
Exchange 2003
ISA 2006 firewall - connected to local Netgear VMDG480 box direct to ISP
Cisco 2950 switch - STP 802.1d - single switch

note: RRAS is not being used, although I have opened up RAS and can see the ISA 2006 firewall
note: users have internet access - successful
note: users can send/receive email externally - successful
note: I have set the basics on my Cisco switch:

config t
banner motd "only authorized access to allowed users" - for eg
hostname lan-a - for eg
enable password cisco1 - for eg
line con 0
password cisco - for eg

line vty 0 4
password cisco - for eg

note: I can telnet successfully into the Cisco switch

qns1. My understanding is, if my internal network is already part of a domain, would I even want to consider using 'aaa'? But if I did, what would I need?

note: I am aware of the commands below and assume I can use them on my Cisco switch, but they are both different, and I don't have enough knowledge to know the difference, or whether they differ from what I require above in qns1..!!! uuumm

aaa

username michael password 8d88d88dd
aaa new-model
radius-server host 10.2.2.2 key rad123
aaa authentication login default group radius line
exit
line vty 0 15
login authentication default
password cisco

----------------------------------------------------------
aaa

username michael password dkg8aaS54fg
aaa new-model
radius-server host 10.2.3.4 key rad123
aaa authentication dot1x default group radius
dot1x system-auth-control
exit

int fa0/1
switchport mode access
dot1x port-control auto
Asked by mikey250
3 Solutions
 
mikebernhardt commented:
Let's start with the 2 configs you posted:
The first one will use radius to authenticate access to the switch itself, i.e. when you telnet to it. "radius line" means that if the radius server isn't reachable, the switch will use the line password you configured under line vty.

The 2nd one enables 802.1x control of port usage. When a computer plugs into the port, they have to authenticate with radius before they can pass any traffic or even receive an IP address via DHCP. Although it also uses radius, it is obviously an entirely different function than the first.

So now to answer your question:
The first configuration controls switch management access which has nothing to do with your domain. Whether you use it or not depends on whether you want to centrally manage access to your network equipment.

The 2nd controls access to your network, not to switch management. You may feel that you don't need 802.1x access control to your network since everyone needs domain authentication anyway. However, non-domain users can still access your networks or even attempt to break into computers they have no right being in. They could unplug a domain computer and plug in their own laptop, for instance. Is this a problem? Maybe, maybe not. Only you know your network. 802.1x adds security but it also adds another layer of hassle for users. They have to authenticate to the port before they can even authenticate to the domain.  I always recommend at the very least that you disable unused ports.
 
mikey250 (Author) commented:
Hi Mike,

I've also added on my used ports:

int fa0/4 - for eg
switchport mode access
switchport port-security - this stops non-domain users
spanning-tree portfast
spanning-tree bpduguard enable

note: I would create a non-usable VLAN and allocate all unused ports to this VLAN!!

qns1. 'radius line' - means if RADIUS for some reason does not allow, or is switched off/faulty, then the logon below would still work, but what about the user account, does this still work?

line vty 0 4
password cisco

qns2. Just to clarify then, if all users are already within a domain, then presumably the normal telnet is OK then:?

enable password cisco1 - for eg
line con 0
password cisco - for eg

line vty 0 4
password cisco - for eg

qns3. So only if a (physical user) set their PC/laptop to 'auto detect DNS' and plugged directly into one of the switch ports, then the below is OK to set?

"physical user would be allowed permission at the configured 802.1x port & then be authenticated via 'radius' then being allocated a DHCP address for telnet to work".

qn4. So presumably if I wished to use 'radius' I would then have to enable 'radius' behind my ISA firewall, and presumably allow access to those users who are in a remote location and those users who physically plug into my Cisco switch?

note: I have in the past allowed remote VPN users via 'radius', although I did not need to use it in the end at that specific time, but I confirmed I could log on from a remote location that had internet access!!
 
mikebernhardt commented:
1. If radius rejects the user's telnet request, then the switch will reject the user. It will not try line password. If the switch gets no response at all from the server THEN it will try the line password, by requesting only a password after the server request times out. You can try this by just configuring a bad radius IP in a test configuration. If you want it to try the local user you configured (username michael password 8d88d88dd) during a radius failure, then instead of "radius line" you would use "radius local."

2. Again, telnet access has nothing to do with domain or no domain. It is only for switch management purposes.

3. I don't know where that quote came from, but it is correct. But then they would still have to log into the domain. Whether you want to do this or not is a security policy issue, as I mentioned. Since you have enabled port security, only the first connected workstation on a port will be able to connect thereafter, unless the port is cleared by someone with management access to the switch (telnet or console). This may be enough. I still recommend turning all unused ports off. Why leave them on at all? If you are going to use 802.1x, then you can configure all ports to be on but in a different VLAN, as you suggested. Being authenticated gets them the production VLAN. You do not have this configured in the above examples, however.

4. Only the switch talks to the radius server, not the user. The switch sends a login request to the user and passes the response to the server. For 802.1X access control, the user has to have a client on their computer that can read the request. But this is only if they are connecting to a physical port. Also, I would never allow telnet access to a network device from the internet except through a vpn.
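The fallback rule in point 1 above is easy to get wrong, so here is an added example (not code from the thread, Cisco, or the posters) that models it: IOS moves to the next method in "aaa authentication login default group radius <fallback>" only when the current method returns an error (no reply from the RADIUS server); a reject ends the attempt. The user names, passwords and the "server reachable" flag are constructed inputs; the "line" method checks only the vty password, and "local" checks only the "username ... password ..." database.

```python
"""AAA login method-list simulator: 'group radius line' vs 'group radius local'.

Added example for this thread, not Cisco or poster code. Users, passwords and
server reachability are constructed inputs, not real devices.
"""
from dataclasses import dataclass, field

ACCEPT, REJECT, ERROR = "accept", "reject", "error"


@dataclass
class SwitchLogin:
    methods: list                    # e.g. ["radius", "line"] or ["radius", "local"]
    line_password: str = "cisco"     # 'password cisco' under 'line vty 0 4'
    local_users: dict = field(default_factory=lambda: {"michael": "8d88d88dd"})
    radius_users: dict = field(default_factory=lambda: {"michael": "rad-pass"})
    radius_reachable: bool = True    # False = server down, wrong IP, or bad shared key

    def _radius(self, user, pw):
        if not self.radius_reachable:
            return ERROR             # request times out: IOS tries the next method
        return ACCEPT if self.radius_users.get(user) == pw else REJECT

    def _local(self, user, pw):
        # 'username <u> password <p>' database; an unknown user is modelled as a reject
        return ACCEPT if self.local_users.get(user) == pw else REJECT

    def _line(self, user, pw):
        # 'line' prompts for the vty password only; the username is not consulted
        if self.line_password is None:
            return ERROR             # no line password configured: method cannot run
        return ACCEPT if pw == self.line_password else REJECT

    def login(self, user, pw):
        """Return (outcome, deciding_method); outcome is 'accept' or 'deny'."""
        handlers = {"radius": self._radius, "local": self._local, "line": self._line}
        for method in self.methods:
            result = handlers[method](user, pw)
            if result == ACCEPT:
                return ("accept", method)
            if result == REJECT:
                return ("deny", method)   # explicit reject: later methods are NOT tried
            # ERROR: fall through to the next method in the list
        return ("deny", None)             # every method errored: login fails


if __name__ == "__main__":
    sw = SwitchLogin(["radius", "line"], radius_reachable=False)
    print(sw.login("michael", "cisco"))        # vty password works while RADIUS is down
    print(sw.login("michael", "8d88d88dd"))    # local account does not: 'line' ignores it
```

Swap the method list to ["radius", "local"] and the second call succeeds, which is the difference between "radius line" and "radius local" in the answer above.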
 
mikey250 (Author) commented:
1. OK, so only if RADIUS does not reply in time, for whatever reason, does it allow the local telnet username and password, for eg!!

2. What I meant was, if users are already all authenticated by being part of a domain, then 'telnet' can be set without 'radius'.

3. OK. Although if I wish to add a random user to physically access the port, I would enable that port to be part of a VLAN or not, and configure as my normal configurations mentioned and 802.1x, but yes, as you suggest, I would have to pre-allow the user domain access if physically plugged in, or RADIUS if remotely connected, and ensure all unused ports are turned off, i.e. in an unused VLAN!!:)

3. "you do not have this configured in the above examples, however" - what do you mean by this comment?

4. OK, and OK to VPN - yes, I have previously configured a remote VPN and was successful in logging into my switch as I configured 'radius', but what I did not use was 802.1x.

Thanks for the extra advice!!:) Appreciated.
 
mikebernhardt commented:
1. Correct.

2. Again, the two means of authentication have nothing to do with each other. Your AAA authentication method using RADIUS is for switch management only. No one needs domain authentication to try to log into your switch as long as they have a valid IP address. 802.1X prevents them from even passing IP traffic until they've authenticated, also using RADIUS.

3. You can skip 802.1x if you feel that you can manage the switch ports as you described. Turning on port security as you indicate ("switchport port-security - this stops non-domain users") would mean that if someone tries to unplug a computer that's normally connected and plug their own device in, it won't work. But it doesn't matter if the user is in the domain or not; it's only looking at the MAC address of the user. Note that port security only allows a single MAC address, so don't put anything but an end user on that port.

To enable a particular port with 802.1X, you have to add "dot1x port-control auto" to the interface. You cannot use this AND port-security. You have to choose one.

4. VPN access does not use 802.1X. 802.1X is only for controlling access to a switch port that you plug into and has nothing to do with VPN or switch management authentication.
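The first answer in this thread separates management AAA from 802.1X port control, and the answer above adds the port-security rules (one MAC by default; don't combine it with "dot1x port-control auto" on this switch) and the advice to shut unused ports. Here is an added example, not code from the thread, Cisco, or the posters, that audits an IOS-style running-config for exactly those points. SAMPLE_CONFIG is a constructed config stitched together from the posters' snippets. The "enable secret" check goes beyond the thread: "enable password" is stored reversibly, while "enable secret" is hashed.

```python
"""Audit an IOS running-config for the management-AAA / 802.1X / port-security
points raised in this thread. Added example, not Cisco or poster code.
SAMPLE_CONFIG is constructed from the posters' snippets.
"""
import re
from collections import OrderedDict

SAMPLE_CONFIG = """\
hostname lan-a
aaa new-model
enable password cisco1
username michael password 8d88d88dd
radius-server host 10.2.2.2 key rad123
aaa authentication login default group radius line
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 dot1x port-control auto
!
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/5
!
interface FastEthernet0/6
 switchport access vlan 999
 shutdown
!
line vty 0 4
 password cisco
"""


def parse_ios(config):
    """Return (global_lines, {interface: [sub-commands]}); a bare '!' ends a stanza."""
    global_lines, interfaces = [], OrderedDict()
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(config):
    """Return a list of (scope, code, message) findings."""
    findings = []
    global_lines, interfaces = parse_ios(config)
    if "aaa new-model" not in global_lines:
        findings.append(("global", "NO_AAA_NEW_MODEL", "method lists are ignored without 'aaa new-model'"))
    for line in global_lines:
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if m:
            methods = m.group(2).replace("group ", "").split()   # e.g. ['radius', 'line']
            if len(methods) == 1:
                findings.append(("global", "NO_FALLBACK",
                                 f"list {m.group(1)}: management lockout if {methods[0]} is unreachable"))
            elif "line" in methods[1:]:
                findings.append(("global", "LINE_FALLBACK",
                                 "falls back to the vty password only; local usernames are not consulted"))
        if line.startswith("enable password "):
            findings.append(("global", "ENABLE_PASSWORD", "reversible enable password; use 'enable secret'"))
    dot1x_global = "dot1x system-auth-control" in global_lines
    for name, subs in interfaces.items():
        has_dot1x = "dot1x port-control auto" in subs
        has_psec = "switchport port-security" in subs
        if has_dot1x and not dot1x_global:
            findings.append((name, "DOT1X_NOT_GLOBAL", "needs 'dot1x system-auth-control' globally"))
        if has_dot1x and has_psec:
            findings.append((name, "DOT1X_AND_PORTSEC", "802.1X and port-security on one port: choose one"))
        if has_psec and not any(s.startswith("switchport port-security maximum") for s in subs):
            findings.append((name, "PORTSEC_DEFAULT_MAX", "default of 1 MAC: a single end-user PC only"))
        if not subs:   # no sub-commands at all: an unused port that is still enabled
            findings.append((name, "UNUSED_ENABLED", "'shutdown' it or park it in an unused VLAN"))
    return findings


if __name__ == "__main__":
    for scope, code, msg in audit(SAMPLE_CONFIG):
        print(f"{scope:18} {code:20} {msg}")
```

Run it against "show running-config" output saved to a file to get the same table; FastEthernet0/6 in the sample shows the clean state the thread recommends for an unused port (parked in a dead VLAN and shut down), and produces no finding.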
 
mikey250 (Author) commented:
1. Thanks!!!

2. OK.

3. OK.

4. I did not use 802.1x, but yes, I understand!!!

Thanks for the advice. Appreciated!!

mikey250 (Author) commented:
Sound advice!!!!
