
I have quite a few questions about implementing RADIUS for my network devices:

  1. How to safely implement AAA RADIUS authentication to make sure users can log in using the LOCAL database in case RADIUS fails.

  2. How to provide only read access for a few users and full access to administrators.

  3. In case I save the config, will it be possible to log in to the devices (assuming both the RADIUS and local credentials are not working)?

  4. How to recover the password for devices, especially firewalls.

Shane Madden
gHP

1 Answer


How to safely implement AAA RADIUS authentication to make sure users can log in using the LOCAL database in case RADIUS fails.

Sounds like you're already on the right track; you want to have local as the fall-back mechanism in your authentication command. Set a low-ish timeout (I tend to go with 2 or 3 seconds) on the authentication server's config to make sure you're not waiting forever on the fall-back.

For an IOS router, that looks like this:

aaa authentication login default group radius local

And for an ASA firewall:

aaa authentication http console radius-server-group-name LOCAL
aaa authentication ssh console radius-server-group-name LOCAL

This will cause authentication to occur locally in cases where the RADIUS server doesn't respond. An additional measure that you can consider if desired would be to unconditionally use local authentication at the serial console of the device:

IOS:

aaa authentication login consoleport local
line con 0
  login authentication consoleport

ASA:

aaa authentication enable console LOCAL
aaa authentication serial console LOCAL

But don't take my word for it. Get your configuration ironed out, then test the heck out of it on a device of each type. Disconnect it from the network, mess with the RADIUS server, cause every type of interesting failure that you can imagine and make sure that you can still get into the device.


How to provide only read access for a few users and full access to administrators.

Have the RADIUS server handle authorization.

IOS:

aaa authorization exec default group radius if-authenticated

ASA:

aaa authorization exec authentication-server

Set the read-only users to privilege level 1, while setting the admins to 15. See here for how to configure this in your RADIUS server. Alternatively, if you were to use TACACS+ instead of RADIUS, you could assign which commands each user is capable of running in a fine-grained manner (for example, if they need access to a very limited set of admin-only commands).


In case I save the config, will it be possible to log in to the devices (assuming both the RADIUS and local credentials are not working)?

If none of the credentials work, then you'll need to move on to resetting passwords.


How to recover the password for devices, especially firewalls.

The procedure for both device types is very similar, and involves booting the device without letting the system load the saved config. See here for the ASA and here for IOS routers.

Shane Madden
  • Thanks a lot. But the topic of granting privileges is not clear, Shane. Could you give a briefing on the config to implement? – gHP Jul 15 '12 at 06:21
  • @gHP The linked article covers what attributes need to be sent by the RADIUS server. What RADIUS software are you using? – Shane Madden Jul 15 '12 at 06:24
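As an added example (not part of the answer, the comments, or any vendor's code) of what "the attributes the RADIUS server needs to send" for the privilege levels above look like on the wire: a stdlib-only Python encoder for the standard Cisco-AVPair vendor-specific attribute carrying shell:priv-lvl=1 or 15 inside an Access-Accept, paired with the check a network device performs on that reply before honouring it. The shared secret and the request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1            # Cisco-AVPair vendor sub-attribute
PRIV_PREFIX = b"shell:priv-lvl="

# Mapping from the answer: read-only users get level 1, admins get level 15.
ROLE_PRIV_LEVEL = {"readonly": 1, "admin": 15}

def cisco_priv_lvl_vsa(level: int) -> bytes:
    """Encode Cisco-AVPair 'shell:priv-lvl=<level>' as a RADIUS VSA."""
    value = PRIV_PREFIX + str(level).encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body

def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, role: str) -> bytes:
    """Server side: Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret) per RFC 2865."""
    attrs = cisco_priv_lvl_vsa(ROLE_PRIV_LEVEL[role])
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def priv_level_from_accept(packet: bytes, request_auth: bytes, secret: bytes):
    """Device side: verify the reply against the shared secret, then extract the
    privilege level. Returns None for a forged/tampered reply or a missing priv-lvl."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return None
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            return None  # malformed attribute length; refuse rather than loop
        if atype == ATTR_VENDOR_SPECIFIC and attrs[pos + 2:pos + 6] == struct.pack("!I", CISCO_VENDOR_ID):
            value = attrs[pos + 8:pos + alen]  # skip vendor id, sub-type, sub-length
            if value.startswith(PRIV_PREFIX):
                return int(value[len(PRIV_PREFIX):])
        pos += alen
    return None

# Constructed sample values for a stand-alone run.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"constructed-shared-secret"
```

The authenticator check is the reason the device-side RADIUS shared secret must match exactly: a reply built with a different secret, or altered in transit, yields None and no privilege is granted.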