Cisco ISE AAA configuration for VTY logins
Switch configuration (3750X, IOS 15.0(1)SE3)
!
username admin secret pa55w0rd
!
aaa new-model
!
aaa group server radius radius-ise-group
 server name radius-ise
!
aaa authentication login default none
aaa authentication login VTY_authen group radius-ise-group local
aaa authorization exec default none
aaa authorization exec VTY_author group radius-ise-group local
aaa accounting exec default start-stop group radius-ise-group
!
radius server radius-ise
 address ipv4 18.104.22.168 auth-port 1812 acct-port 1813
 key Rad1u5
!
line vty 0 15
 authorization exec VTY_author
 login authentication VTY_authen
!
- username admin secret pa55w0rd – local fallback account, used only if every server in the RADIUS group is unreachable (the ‘local’ method below). The secret shown is a placeholder; use a strong, unique one
- aaa new-model – enables the AAA command set. From this point on the ‘default’ method lists apply to every line that does not name its own list
- aaa group server radius radius-ise-group / server name radius-ise – groups the ISE server definition (further down) so that method lists can refer to it by name
- aaa authentication login default none – sets the default login method to ‘none’ (no authentication). Because the console line names no list, this is the method the console gets, so anyone with physical or terminal-server access to the console reaches the prompt without credentials. Unless that is deliberate, point the default list at the local database instead of ‘none’
- aaa authentication login VTY_authen group radius-ise-group local – creates the authentication list ‘VTY_authen’: try the RADIUS group ‘radius-ise-group’ first and fall back to ‘local’ (the username above) only when no RADIUS server answers. An Access-Reject from ISE is a definitive answer; IOS does not fall through to ‘local’ on a wrong password
- aaa authorization exec default none / aaa authorization exec VTY_author group radius-ise-group local – exec authorization is what turns the Service-Type and cisco-av-pair attributes returned by ISE into the user’s privilege level. As with authentication, the default list is ‘none’ and the VTY lines use the RADIUS list with local fallback
- aaa accounting exec default start-stop group radius-ise-group – sends an accounting Start when an exec session opens and a Stop when it closes, so logins show up in ISE’s reports. Per-command authorization and accounting are TACACS+ features and are not available over RADIUS, so the granted privilege level is the only control on what the user can run
- radius server radius-ise / address ipv4 … / key Rad1u5 – defines ISE as a RADIUS server with the UDP ports and the shared secret; the same secret is entered for this device in ISE. VTY logins use PAP, so this secret is the only thing protecting the user’s password on the wire and should be treated as a credential in its own right
- line vty 0 15 / authorization exec VTY_author / login authentication VTY_authen – binds the two named lists to all sixteen VTY lines
Cisco ISE – create the various smaller objects
Administration -> Network Resources -> Network Device Groups: Groups -> All Device Types
Create a network device group under ‘All Device Types’ for the participating switches; the later steps refer to it as ‘Cisco managed-switches’.
Administration -> Network Resources -> Network Devices
Each device that will use ISE for AAA must be defined here, with the IP address the switch sources its RADIUS traffic from (ISE matches the incoming Access-Request to a network device by source address). The shared secret entered under ‘Authentication Settings’ must be the same RADIUS key that was used in the switch configuration (Rad1u5 in the example). Assign the device to the device group created above.
Policy -> Policy Elements -> Results : Authorization -> Authorization Profiles
Define the RADIUS attributes that ISE will return in the Access-Accept to the AAA client that sent the authorization request. We use the standard ‘Radius:Service-Type’ attribute together with the Cisco-specific ‘Cisco:cisco-av-pair’ attribute (carried in the Vendor-Specific attribute with Cisco’s vendor ID 9), which determines the privilege level granted to the user.
Create two authorization profiles, ‘Shell_priv_15’ and ‘Shell_priv_7’, with the cisco-av-pair values ‘shell:priv-lvl=15’ and ‘shell:priv-lvl=7’ respectively.
Policy -> Policy Elements -> Results : Authentication -> Allowed Protocols
When using RADIUS, the NAS sends the Access-Request with a PAP-encoded password for logins that originate on the console, VTY and AUX lines, and there is no IOS command to change this for login authentication. PAP is not a challenge-response protocol: the password travels in the User-Password attribute, hidden only by XOR with MD5 of the shared secret and the Request Authenticator (RFC 2865), so anyone who captures the exchange and knows, or can brute-force, the shared secret recovers the password. Keep management traffic on a protected network and use a long, random shared secret.
We can use the fact that only PAP/ASCII will ever arrive from these devices to create an allowed-protocols entry ‘PAP-only’ that accepts PAP/ASCII and nothing else, so the policy rejects any other authentication type.
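To make the PAP point above concrete, here is an added worked example (not code from the original post or from Cisco) that builds the RADIUS Access-Request a NAS sends for a VTY login, recovers the password the way ISE does with the shared secret, and then builds and parses the Access-Accept carrying Service-Type plus the ‘shell:priv-lvl=N’ cisco-av-pair from the authorization profiles. Framing follows RFC 2865; the username, password, shared secret and Request Authenticator are constructed test values, and a real IOS request carries more attributes (NAS-IP-Address, NAS-Port and so on) than the two shown.

```python
"""Added example: RADIUS PAP login and a Cisco shell:priv-lvl Access-Accept (RFC 2865).
Constructed values only; not the switch's or ISE's own code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                 # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2            # RFC 2865 attribute types
ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC = 6, 26
SERVICE_TYPE_NAS_PROMPT = 7                          # exec shell; privilege comes from the av-pair
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1                 # IANA enterprise 9, vendor type 1


def pap_encrypt(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to a 16-byte multiple, then
    c(i) = p(i) XOR MD5(secret + c(i-1)) with c(0) = Request Authenticator.
    Keyed only on the shared secret: anyone holding it can undo it (pap_decrypt)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def pap_decrypt(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of pap_encrypt; strips the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping Cisco's cisco-av-pair (vendor 9, type 1)."""
    payload = text.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(payload) + 2) + payload
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def parse_attrs(packet: bytes):
    """Yield (type, value) pairs from the attribute region after the 20-byte header."""
    i = 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        yield attr_type, packet[i + 2:i + length]
        i += length


def build_access_request(username: str, password: str, secret: bytes,
                         identifier: int = 1, request_auth: bytes = None) -> bytes:
    """NAS side: Access-Request with User-Name and a PAP-hidden User-Password."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, request_auth)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def recover_credentials(request: bytes, secret: bytes):
    """Server side (what ISE does): unhide User-Password with the shared secret.
    With the wrong secret the result is garbage, which is the only protection PAP has."""
    fields = dict(parse_attrs(request))
    password = pap_decrypt(fields[ATTR_USER_PASSWORD], secret, request[4:20])
    return fields[ATTR_USER_NAME].decode(), password.decode(errors="replace")


def build_access_accept(request: bytes, secret: bytes, priv_lvl: int) -> bytes:
    """Server side: Access-Accept with Service-Type and shell:priv-lvl=N.
    Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    attrs = (attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT))
             + cisco_avpair(f"shell:priv-lvl={priv_lvl}"))
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def verify_accept(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: a forged Accept fails this check unless the forger knows the secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def granted_priv_lvl(response: bytes):
    """NAS side: the privilege level from the Cisco av-pair, or None if absent."""
    for attr_type, value in parse_attrs(response):
        if attr_type != ATTR_VENDOR_SPECIFIC or struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        vendor_type, vendor_len = value[4], value[5]
        text = value[6:4 + vendor_len].decode(errors="replace")
        if vendor_type == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
            return int(text.split("=", 1)[1])
    return None
```

The two things worth noticing are that recover_credentials needs nothing but the shared secret to read the password back out of a captured request, and that verify_accept is the only thing stopping a spoofed Access-Accept with shell:priv-lvl=15 from being honoured, which is why the ‘key’ on the switch deserves the same care as the admin password itself.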
Administration -> Identity Management -> Groups
Create two user groups ‘CLI-users-15’ and ‘CLI-users-7’.
Administration -> Identity Management -> Identities : Users
Create user accounts for the individuals who need VTY access to the switches in the ‘Cisco managed-switches’ device group, and make sure each user is a member of the correct user group, since that membership is what the authorization rules match on.
Cisco ISE – Creating the AAA policies
Policy -> Authorization
Create two policies (‘CLI-access-15’ and ‘CLI-access-7’) that tie the user groups to the authorization profiles: members of ‘CLI-users-15’ receive ‘Shell_priv_15’ and members of ‘CLI-users-7’ receive ‘Shell_priv_7’. ISE evaluates authorization rules top-down and applies the first match, so keep the two rules above the default rule.
Policy -> Authentication
Finally, create an authentication policy that pulls together the objects created above: the rule matches requests from the switch device group, uses the ‘PAP-only’ allowed-protocols result, and selects ‘Internal Users’ as the identity source. The conditions are self-explanatory, but the choice of ‘Internal Users’ is worth noting: it directs the rule to the internal ISE user database rather than an external identity source such as Active Directory.