Cisco WLC 9800 – AAA RADIUS Configuration for Device Administration (CLI)

https://ift.tt/OUoZytb

In this article, we take a look at the configuration for setting up RADIUS authentication, authorization, and accounting for Device Administration of Cisco 9800 WLC to cover the login process for SSH, Console port, web GUI, and NETCONF sessions.

For the TACACS+ version of this article, please check out the link below:

Cisco WLC 9800 – AAA TACACS+ Configuration for Device Administration (CLI)

Introduction

While TACACS+ is considered the gold standard for authenticating network administrators and network management systems when they log in to network devices, you can achieve similar results with the RADIUS protocol if you are willing to give up centralized per-command authorization.

Configuring RADIUS authentication for the Cisco WLC 9800 is very similar to how it’s done on Cisco switches, but there are some things to consider which we will go through in the configuration down below.

In this article, the following hardware and software were used:

  • Cisco Catalyst WLC C9800-80-K9 running IOS-XE 17.9.5

  • Cisco Catalyst vWLC C9800-CL running IOS-XE 17.9.5


Note that the configuration below does not perform per-command authorization; it simply assigns a privilege level to an authenticated administrator.

Configuring RADIUS Server

Configuration of the RADIUS server will not be covered in this article, but you can take a look at this link to see how RADIUS can be configured in Cisco ISE to provide different levels of permission, for example, allowing full access to all commands for administrators, or limiting available commands to helpdesk personnel.

Pay extra attention to the updated section in the article linked below on how to configure your ISE Policy Set to allow not just SSH and Console port access, but Web GUI and NETCONF access as well.

Cisco ISE – Configuring RADIUS Authentication for Device Administration

If necessary, create specific Device Administration Policy Sets or rules by matching on parameters such as Device Type = WLC (for example) to customize authentication and authorization according to your needs.

Make sure you are assigning privilege level 15 as the result. For example, NETCONF connections for DNA Center to WLC 9800 require the privilege level to be set to 15, otherwise it won’t work.

Configuring AAA on Cisco WLC 9800

! Create local fallback account:
username netadmin privilege 15 algorithm-type sha256 secret ciscodisco123!
enable algorithm-type sha256 secret DISCO123!

! Create non-usable account for RADIUS server probing:
username SW-RAD-TEST privilege 0 algorithm-type sha256 secret ciscodisco123!
username SW-RAD-TEST autocommand exit

! Enable AAA services:
aaa new-model

! Configure RADIUS servers:
radius server RAD-ISE-PSN-1
    address ipv4 10.10.10.101 auth-port 1812 acct-port 1813
    timeout 2
    retransmit 2
    automate-tester username SW-RAD-TEST probe-on
    key IS3R4DIUSK3Y!!

radius server RAD-ISE-PSN-2
    address ipv4 10.10.10.102 auth-port 1812 acct-port 1813
    timeout 2
    retransmit 2
    automate-tester username SW-RAD-TEST probe-on
    key IS3R4DIUSK3Y!!

! Configure RADIUS Server Group:
aaa group server radius SG-ADMIN-RAD-SERVERS
    server name RAD-ISE-PSN-1
    server name RAD-ISE-PSN-2
    deadtime 15

If your WLC has multiple L3 interfaces and/or VRFs, you may need to use the additional commands below inside "aaa group server radius SG-ADMIN-RAD-SERVERS":

aaa group server radius SG-ADMIN-RAD-SERVERS
    ip vrf forwarding MGMT
    ip radius source-interface Vlan X

radius-server load-balance method least-outstanding
radius-server dead-criteria time 5 tries 3

You should now choose the order of your authentication process which determines how to handle RADIUS server failure and Local User Accounts on the WLC.

Two alternatives are presented below. Alternative 1 is generally considered the better way to handle authentication, because it limits the use of Local User Accounts, whose usage is harder to audit.

! Alternative 1:

! Create Method List to use RADIUS logins primarily.
! Fallback to Local User Accounts ONLY if all RADIUS servers fail.
aaa authentication login ML-RAD-ADMIN-AUTHC group SG-ADMIN-RAD-SERVERS local
aaa authorization exec ML-RAD-ADMIN-AUTHZ group SG-ADMIN-RAD-SERVERS local if-authenticated
aaa authorization console

! Alternative 2:

! Create Method List to always try Local User Accounts first.
! If login does not match a Local User Account, send it to RADIUS server.
aaa authentication login ML-RAD-ADMIN-AUTHC local group SG-ADMIN-RAD-SERVERS
aaa authorization exec ML-RAD-ADMIN-AUTHZ local group SG-ADMIN-RAD-SERVERS if-authenticated
aaa authorization console

! Configure Accounting regardless of which alternative above was used.
! Use the "default" configuration to include any connection type (SSH, HTTPS, NETCONF).
aaa accounting exec default start-stop group SG-ADMIN-RAD-SERVERS

! At this point, we are going to start activating RADIUS for different services.

! Activate AAA RADIUS for HTTPS Web GUI:
ip http authentication aaa login-authentication ML-RAD-ADMIN-AUTHC
ip http authentication aaa exec-authorization ML-RAD-ADMIN-AUTHZ

! Activate AAA RADIUS for NETCONF/RESTCONF authentication (17.9.1+)
! Without this config, the WLC will use the global default authentication method.
! There is no way to specify Accounting for YANG, which is why "default" was used earlier.
yang-interfaces aaa authentication method-list ML-RAD-ADMIN-AUTHC
yang-interfaces aaa authorization method-list ML-RAD-ADMIN-AUTHZ

! Restart HTTP/HTTPS services:
no ip http server
no ip http secure-server
ip http server
ip http secure-server

! Activate AAA RADIUS authentication for SSH sessions:
line vty 0 97
    exec-timeout 30 0
    login authentication ML-RAD-ADMIN-AUTHC
    authorization exec ML-RAD-ADMIN-AUTHZ
    transport preferred none
    transport input ssh
    transport output none

! Activate AAA RADIUS authentication for the Console port:
line con 0
    exec-timeout 15 0
    transport preferred none
    login authentication ML-RAD-ADMIN-AUTHC
    authorization exec ML-RAD-ADMIN-AUTHZ
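Because the same method-list names are referenced from the HTTP server, yang-interfaces, the vty lines and the console line, a single misspelled name silently leaves one of those services on the global default method. The following is an added Python check (not from the article, and not a Cisco tool) that parses the definitions and every reference shown above, reports referenced lists that were never defined, and reports lists that consult local accounts before the RADIUS group (Alternative 2). The sample config is constructed from the lines above, with a deliberate typo in one method-list name.

```python
import re
from typing import Dict, List

# Constructed sample: the AAA wiring from this article, with a deliberate typo in
# one method-list name (ML-RAD-AMIN-AUTHZ) so the check has something to catch.
SAMPLE_CONFIG = """
aaa authentication login ML-RAD-ADMIN-AUTHC group SG-ADMIN-RAD-SERVERS local
aaa authorization exec ML-RAD-AMIN-AUTHZ group SG-ADMIN-RAD-SERVERS local if-authenticated
aaa accounting exec default start-stop group SG-ADMIN-RAD-SERVERS
ip http authentication aaa login-authentication ML-RAD-ADMIN-AUTHC
ip http authentication aaa exec-authorization ML-RAD-ADMIN-AUTHZ
yang-interfaces aaa authentication method-list ML-RAD-ADMIN-AUTHC
yang-interfaces aaa authorization method-list ML-RAD-ADMIN-AUTHZ
line vty 0 97
 login authentication ML-RAD-ADMIN-AUTHC
 authorization exec ML-RAD-ADMIN-AUTHZ
line con 0
 login authentication ML-RAD-ADMIN-AUTHC
 authorization exec ML-RAD-ADMIN-AUTHZ
"""

# Method-list definitions: "aaa authentication login <name> <methods...>" and the exec equivalent.
DEFINE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")
# Every place this article attaches a method list to a service or a line.
USE = re.compile(
    r"^(?:ip http authentication aaa (?:login-authentication|exec-authorization)"
    r"|yang-interfaces aaa (?:authentication|authorization) method-list"
    r"|login authentication|authorization exec) (\S+)$"
)


def lint_aaa(config: str) -> List[str]:
    """Return findings: undefined method lists, and lists that try local before RADIUS."""
    defined: Dict[str, List[str]] = {}
    used: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()  # line-mode sub-commands are indented
        m = DEFINE.match(line)
        if m:
            defined[m.group(2)] = m.group(3).split()
            continue
        u = USE.match(line)
        if u:
            used.append(u.group(1))
    findings = [f"undefined method list referenced: {n}" for n in sorted(set(used)) if n not in defined]
    for name, methods in defined.items():
        # "local group ..." is Alternative 2: local accounts are tried before the RADIUS group.
        if "local" in methods and "group" in methods and methods.index("local") < methods.index("group"):
            findings.append(f"{name}: local accounts consulted before RADIUS (Alternative 2)")
    return findings
```

Run it against the output of "show running-config | section aaa|ip http|yang-interfaces|line" before saving; an empty result means every referenced list exists and RADIUS is consulted first.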
 

Verification

Try authenticating to the WLC using RADIUS credentials and verify that the authentication is successful. Use the command “show privilege” to confirm that the correct Privilege Level (should be 15) is assigned.

To test the local user account used for fallback login, break the network path between the WLC and the RADIUS server, and then make sure you can use the local user account to log in to the WLC.

BEWARE: If you are using the same RADIUS servers for Device Administration as you are for Network Authentication (802.1x, MAB, guest access) then this test will impact your network, so plan accordingly!


via Blog – WIRES AND WI.FI https://ift.tt/WMifqNP

June 1, 2024 at 10:03AM
Jacob Fredriksson