RADIUS Authentication

Secure your network!



Postby therider1290 » Tue 05 Jun , 2012 2:54 pm

Good morning,
I have implemented RADIUS authentication across my whole network through the NPS role of Windows Server 2008 R2.
So far so good: I get into EXEC with the designated AD users, BUT on a Catalyst 2960 switch, even though the console correctly goes to RADIUS, on the web interface I still have to log in with an old local user that, what's more, no longer exists!!
As if the web interface ignored the aaa changes!!!

Does anyone know how to fix this?
P.S. An Aironet, which also has a web interface, instead works wonderfully with RADIUS, and I can no longer authenticate with the old user!
therider1290
Cisco fan
 
Posts: 27
Joined: Wed 14 Mar , 2012 10:53 pm

Re: RADIUS Authentication

Postby paolomat75 » Tue 05 Jun , 2012 3:15 pm

therider1290 wrote: Good morning,
I have implemented RADIUS authentication across my whole network through the NPS role of Windows Server 2008 R2.
So far so good: I get into EXEC with the designated AD users, BUT on a Catalyst 2960 switch, even though the console correctly goes to RADIUS, on the web interface I still have to log in with an old local user that, what's more, no longer exists!!
As if the web interface ignored the aaa changes!!!

Does anyone know how to fix this?
P.S. An Aironet, which also has a web interface, instead works wonderfully with RADIUS, and I can no longer authenticate with the old user!

Hi,
the 2960 probably has a different aaa configuration: on the VTY it uses RADIUS and over HTTP it doesn't.
Check the aaa lines; if you don't find anything odd, try posting the configuration.

Paolo
CCNA R&S and CCNP Route Pass - Studying....
No leaf falls that the unconscious does not will (S.B.)
paolomat75
Messianic Network master
 
Posts: 2892
Joined: Fri 29 Jan , 2010 10:25 am
Location: Prov di GE

Re: RADIUS Authentication

Postby therider1290 » Tue 05 Jun , 2012 4:05 pm

Here is the configuration

Switch01#sh run
Building configuration...

Current configuration : 9212 bytes
!
! Last configuration change at 15:31:21 CET Tue Jun 5 2012 by luca
!
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Switch01
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 %OMISSIS%
!
username localadmin privilege 15 secret 5 %OMISSIS%
!
!
macro global description cisco-global
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
!
!
!
aaa session-id common
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
!
ip domain-name CavanaSystems.local
ip name-server 172.28.0.254
udld aggressive

!
mls qos map policed-dscp 0 10 18 to 8
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
crypto pki trustpoint TP-self-signed-1535726336
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1535726336
revocation-check none
rsakeypair TP-self-signed-1535726336
!
!
crypto pki certificate chain TP-self-signed-1535726336
certificate self-signed 01
%OMISSIS%
quit
archive
log config
hidekeys
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
auto qos srnd4
!
!
!
errdisable recovery cause link-flap
errdisable recovery interval 60
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-all AUTOQOS_VOIP_DATA_CLASS
match ip dscp ef
class-map match-all AUTOQOS_DEFAULT_CLASS
match access-group name AUTOQOS-ACL-DEFAULT
class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
match ip dscp cs3
!
!
policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
class AUTOQOS_VOIP_DATA_CLASS
set dscp ef
police 128000 8000 exceed-action policed-dscp-transmit
class AUTOQOS_VOIP_SIGNAL_CLASS
set dscp cs3
police 32000 8000 exceed-action policed-dscp-transmit
class AUTOQOS_DEFAULT_CLASS
set dscp default
police 10000000 8000 exceed-action policed-dscp-transmit
!
!
!
interface GigabitEthernet0/1
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/4
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/5
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/6
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust cos
macro description cisco-wireless
auto qos trust
spanning-tree bpduguard enable
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface Vlan1
description Management Interface
ip address 172.28.0.3 255.255.0.0
!
ip default-gateway 172.28.0.254
ip http server
ip http secure-server
!
ip access-list extended AUTOQOS-ACL-DEFAULT
permit ip any any
ip sla enable reaction-alerts
snmp-server community public RO
snmp-server location Home
snmp-server contact Luca Cavana
radius-server host 172.28.0.254 auth-port 1645 acct-port 1646
radius-server key 7 %Omissis%
!
line con 0
logging synchronous
transport output telnet
line vty 0 4
logging synchronous
length 0
transport input telnet ssh
line vty 5 15
logging synchronous
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
ntp clock-period 22518860
ntp server 193.204.114.232 source Vlan1 prefer
ntp server 193.204.114.233 source Vlan1
end

localadmin is a local user I use if the RADIUS server dies; in fact, when the server is alive I cannot log in with it.
The strange thing is that I can still log in over http with a user that NO longer exists
therider1290
Cisco fan
 
Posts: 27
Joined: Wed 14 Mar , 2012 10:53 pm

Re: RADIUS Authentication

Postby Luciano82 » Wed 24 Apr , 2013 9:25 am

add the following lines if your IOS allows it:

ip http authentication aaa login-authentication radius
ip http authentication aaa exec-authorization radius

and you'll see it works
Luciano82
Cisco fan
 
Posts: 26
Joined: Fri 08 May , 2009 10:38 am
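As an added example (not from the thread or any of its posters), a small Python audit that reads an IOS running-config excerpt and reports whether the web UI is bound to the same AAA login list as the console and VTY lines. It relies on the IOS behaviour that, with no ip http authentication line, the HTTP server falls back to the enable secret and ignores the username, and on the rule that the list name given to login-authentication must be default or a list defined with aaa authentication login; the BEFORE, AFTER and DANGLING excerpts are constructed, and binding to the default list is an assumed fix, not something the posters confirmed.

```python
import re

# Constructed excerpt modelled on the thread's running-config, not the full dump.
BEFORE = """\
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
ip http server
ip http secure-server
"""

# Assumed fix: bind the web UI to the default AAA lists the console/VTY already use.
AFTER = BEFORE + """\
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
"""

# Constructed misconfiguration: references a named list that is never defined.
DANGLING = BEFORE + "ip http authentication aaa login-authentication radius\n"


def audit_http_auth(config: str) -> dict:
    """Report how the IOS web UI authenticates relative to the AAA login lists.

    With no 'ip http authentication' line, IOS falls back to the enable secret:
    the username is not checked at all, so the AAA list never sees web logins.
    """
    lines = [l.strip() for l in config.splitlines()]
    http_on = any(l in ("ip http server", "ip http secure-server") for l in lines)
    login_lists = {}  # list name -> method string, e.g. 'group radius local'
    for l in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", l)
        if m:
            login_lists[m.group(1)] = m.group(2)
    http_auth = [l.split() for l in lines if l.startswith("ip http authentication ")]
    method = http_auth[0][3] if http_auth else "enable"  # IOS default when absent
    findings = []
    if http_on and method == "enable":
        findings.append("web UI checks only the enable secret; AAA list 'default' "
                        "(%s) is bypassed" % login_lists.get("default"))
    for parts in http_auth:
        # 'ip http authentication aaa login-authentication <list>' must name a real list
        if parts[3] == "aaa" and len(parts) >= 6 and parts[4] == "login-authentication":
            if parts[5] not in login_lists:
                findings.append("login-authentication list '%s' is not defined" % parts[5])
    return {"http_enabled": http_on, "http_auth": method,
            "login_lists": login_lists, "findings": findings}
```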
