[Enterprise Switch] AAA introduction and exec authorization testing with a Radius server
AAA (Authentication, Authorization and Accounting) is a mechanism for managing network security. It provides three basic services for users accessing the network: authentication, authorization and accounting (billing). In detail:
Authentication service: identifies users before they access the network, to verify whether they have access rights.
Authorization service: classifies user rights and grants different access rights to different users.
Accounting service: records users' use of network resources; the statistical data can be used for analysis and billing.
AAA has the advantages of flexibility and controllability, scalability and standardized authentication, and it allows multiple backup servers. Compared with the simple access control functions provided by the device itself, such as local user name authentication and line password authentication, AAA provides a higher level of security protection, and has therefore become the most important access control method.
General Radius authorization behavior:
While a user requests access through the RADIUS server, RADIUS authorization and authentication may be executed simultaneously.
An "authentication request" occurs when the Network Access Server (NAS) sends a request to the RADIUS server.
If the authentication request is accepted, the RADIUS server sends a series of configuration information to the Network Access Server in order to grant the user access.
This configuration information is comprised of various "authorizations".
The exact type of authorization differs depending on the RADIUS configuration, the overall network, and the user.
Three types of Radius authorization: exec / command / network:
Edgecore devices support the exec type and part of the network authorization type (e.g. VLAN assignment).
Exec and command authorization are two distinct types of authorization; our devices support the exec type.
Here is a detailed description of the three types:
* Exec authorization
When users log in to the CLI interface of the NAS, grant them different privilege levels (0~15).
Exec authorization is usually used in conjunction with Login authentication.
Configure Login authentication and Exec authorization on the same line.
If Exec authorization fails, you cannot enter the CLI interface even if you have passed Login authentication.
Example: account alex (defined on the Radius server and assigned level=8).
This account can execute commands whose level is <=8, and cannot execute commands whose level is >8.
The user can define the specific level of each command via the CLI on the switch.
* Command authorization
After a user logs in to the CLI interface on the NAS, authorization is performed for each specific command he executes; this is known as command authorization.
When a logged-in user attempts to execute a command, AAA sends the command to the security server for authorization.
If the security server allows the execution of the command, the command is accepted and executed; otherwise, the command is not allowed and a prompt refusing to execute the command is given.
* Network authorization
Granting network services to users, such as VLAN, bandwidth, timeouts, etc., is known as network authorization.
Network authorization is based on authentication: only users who pass authentication proceed to network authorization. The RADIUS or TACACS+ server completes the authorization of the authenticated user by returning a series of attributes.
The following diagram illustrates this topic clearly and simply:
NOTE: AAA usually refers to the user's privilege to access or manage the device, not to network or data forwarding; that is why "network Authorization" is shown with a dotted line.
Support models
ECS4120 series, ECS4620 series, etc.
Application
Different users can get different privilege levels from the Radius server.
Topology
Key configurations on the switch:
dot1x system-auth-control
!
interface vlan 1
ip address 192.168.0.10 255.255.255.0
!
radius-server 1 host 192.168.0.11 auth-port 1812 acct-port 1813 timeout 5 retransmit 2 key testing
!
authentication login radius
!
aaa authorization exec alextest group radius
!
end
!
Console#
Key configurations on the Radius server:
Execute: sudo nano /etc/freeradius/3.0/clients.conf
client localhost {
ipaddr = *
secret = testing
}
Execute: sudo nano /etc/freeradius/3.0/users
alex Cleartext-Password := "alex"
        Service-Type = Login-User,
        cisco-avpair = "shell:priv-lvl=15"
test Cleartext-Password := "test"
        Service-Type = Login-User,
        cisco-avpair = "shell:priv-lvl=0"
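The switch's exec authorization decision rests entirely on the Cisco-AVPair "shell:priv-lvl=N" carried in the Access-Accept, so the NAS must verify the Response Authenticator against the shared secret before trusting that value. The following added Python example (not Edgecore or FreeRADIUS code) builds such an Access-Accept as the server would and parses it as the NAS would, using the shared secret testing and the priv-lvl values from the configuration above; the packet layout follows RFC 2865, and the attribute numbers (Service-Type 6, Vendor-Specific 26, Cisco vendor ID 9, Cisco-AVPair vendor type 1) are the standard assignments.

```python
import hashlib
import struct

SECRET = b"testing"      # shared secret from the switch and clients.conf above
CISCO_VENDOR_ID = 9      # IANA enterprise number carried in the Vendor-Specific attribute
ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC = 6, 26
LOGIN_USER = 1           # Service-Type value for Login-User
CISCO_AVPAIR = 1         # vendor type of Cisco-AVPair inside the VSA

def build_access_accept(ident, request_auth, avpairs, secret=SECRET):
    """Server side: Access-Accept (code 2) carrying Service-Type = Login-User
    and one Cisco-AVPair VSA per string, e.g. "shell:priv-lvl=15"."""
    attrs = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, LOGIN_USER)
    for text in avpairs:
        sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
        attrs += struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(sub), CISCO_VENDOR_ID) + sub
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    # RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs

def parse_priv_lvl(packet, request_auth, secret=SECRET):
    """NAS side: return the privilege level (0~15) from shell:priv-lvl, or None when
    the packet is not a genuine Access-Accept for this request or carries no level."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if packet[4:20] != expected:
        return None          # wrong secret or altered in transit: never trust its authorization
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None      # malformed attribute length
        value = attrs[pos + 2:pos + alen]
        if (atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID
                and value[4] == CISCO_AVPAIR):
            text = value[6:4 + value[5]].decode(errors="replace")
            if text.startswith("shell:priv-lvl="):
                lvl = text.split("=", 1)[1]
                return int(lvl) if lvl.isdigit() and int(lvl) <= 15 else None
        pos += alen
    return None
```

A reply signed with a different secret, or one whose priv-lvl was altered after signing, yields None and so must be treated as authorization failure, which matches the page's rule that a failed exec authorization denies CLI access.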
Commands to enable or disable the Radius server:
sudo service freeradius start
sudo service freeradius stop
Testing process and result:
1. Login from the web:
User alex belongs to the high-privilege account and can execute any command on this unit:
Example: create VLAN 2
Check result
But if user test logs in, he cannot modify anything, because he belongs to the low-privilege account:
Example: create VLAN 3
Setup fails:
If logging in via the CLI, here is the difference between alex and test:
alex: can see and execute all commands
Console#?
EXEC commands:
auto-traffic-control Auto traffic control configuration
calendar Date and time information
clear Resets functions
configure Enters configuration mode
copy Copies from one file to another
debug Debugging functions
delete Deletes a file
dir Lists files on the file system
disable Returns to normal mode from privileged mode
disconnect Terminates an SSH, Telnet, or a console connection
dot1x Configures 802.1X port-based access control
efm Ethernet First Mile feature
enable Turns on privileged commands
erps Ethernet Ring Protection Switching
ethernet Metro Ethernet
exit Exits from privileged EXEC mode
hardware Hardware ralated functions
help Description of the interactive help system
ip Internet protocol
ipv6 IPv6 configuration commands
light Light LEDs to show unit information
loopback-detection Performs loopback detection privileged operations
no Negates a command or sets its defaults
ping Sends ICMP echo request packets to another host
ping6 Sends ICMPv6 echo request packets to another host
port Configures the characteristics of the port
quit Exits a CLI session
rcommand telnet to member
reload Halts and performs a warm restart
show Shows information
smart-pair Specifies a smart pair
spanning-tree Specifies spanning-tree configuration
switch Stacking switch
telnet Telnet to a specified host
terminal Terminal setting
test Tests subsystem
traceroute Traces routing path
traceroute6 Traces routing path
transceiver-eeprom Access transceiver EEPROM data
watchdog Configures watchdog setting
web-auth Configures web authentication parameters
whichboot Shows which files booted on system power up
Console#
test: can only see and execute a limited set of commands:
Console>?
EXEC commands:
disable Returns to normal mode from privileged mode
disconnect Terminates an SSH, Telnet, or a console connection
enable Turns on privileged commands
exit Exits from privileged EXEC mode
help Description of the interactive help system
ping Sends ICMP echo request packets to another host
ping6 Sends ICMPv6 echo request packets to another host
quit Exits a CLI session
show Shows information
terminal Terminal setting
traceroute Traces routing path
traceroute6 Traces routing path
Console>