Part 1. Configure the Dell N-series for RADIUS at the CLI
1. Configure a local user named user1 with password user1 and level 15 privilege:
- console(config)# username user1 password user1 level 15
2. Define the RADIUS server and specify the shared secret key “mysecretkey”
For authenticating users, the RADIUS standard has become the protocol of choice by administrators of large networks. To accomplish the authentication in a secure manner, the RADIUS client and RADIUS server must both be configured with the same shared password or “secret”. This “secret” is used to generate one-way encrypted authenticators that are present in all RADIUS packets. The “secret” is never transmitted over the network.
- console(config)# radius-server host 192.168.0.105
- console(config)# radius-server key mysecretkey
3. Create an authentication method called local_radius that will attempt to authenticate via local DB, then use the RADIUS (you can chage sequences):
- console(config)# aaa authentication login local_radius local radius
4. Bind this authentication method list to the telnet/ssh line and https (there are five access lines: console, Telnet, SSH, HTTP, and HTTPS):
- (config)# line telnet
- (config-line)# login authentication local_radius
- (config)# line ssh
- (config-line)# login authentication local_radius
- (config)#ip https authentication local radius
Part 2. Installing and Configuring the RADIUS server for Windows Server 2008R2
As a best practice, use a dedicated server to handle device authentication.
1. Install Network Policy And Access Windows Server Role.
2. Go to NPS, expand on RADIUS Clients and Servers, right-click on RADIUS clients and choose new.
3. FRIENDLY NAME = whatever you like. Probably the hostname.
ADDRESS is the IP Address or DNS name of the device – your choice.
Select MANUAL for the Shared Secret and type in your <SHARED_SECRET>. This is the same shared secret you entered on the Switch CLI in stage 1.
Notice that we're using "RADIUS Standard" in advance tab. There's no option for "Dell" and that's fine. Click OK.
4. Create a new Connection Request Policy and name it something like Network Switches with AAA. Select next and add a new condition. Scroll down to RADIUS Client Properites and select Client IPv4 address. Enter switch IP address. Continue through the wizard by accepting the default settings.
5. Create a new NPS Network Policy.
Right click on POLICIES -> NETWORK POLICY and click NEW. Give your policy a useful name. Click NEXT
ADD a Condition: Our condition is going to be WINDOWS GROUP. Click ADD.
On the WINDOWS GROUPS screen, click ADD GROUPS
Enter the name of your group and click check names, then ADD.
Your group might be Domain Admins. It might be a separate group. I’ve chosen “RADIUS – DellSwitch” so I can have different levels of RADIUS authentication based on switches, core switching if I had them.
6. Let’s add another condition. Click ADD. Select the condition “CLIENT FRIENDLY NAME” and click ADD.
Enter the client friendly name. I use the HOSTNAME of the device. Click OK
With our group and our device, we can click NEXT
Choose "access grant". Click NEXT.
The only one that matters, is to ensure that PAP is checked. Click NEXT.
Yup, that’s very bad, we get it. Click NO.
No constraints, we’re good. Click NEXT.
Select each of the FRAMED-PROTOCOL and SERVICE-TYPE and click REMOVE.
Now click ADD:
Choose SERVICE-TYPE and click ADD:
Change OTHERS to ADMINISTRATIVE and click OK:
Click on VENDOR SPECIFIC. Then click ADD:
Choose NAME=CISCO-AV-PAIR and VENDOR=CISCO. Click ADD.
The ATTRIBUTE INFORMATION window will pop up. Click ADD.
Enter the string “shell:priv-lvl=15” to give Administrator level permissions.
For read-only access you should be able to specify priv-lvl=7 if you need to.
Click OK.
Click OK, Click OK, Click CLOSE.
Click NEXT to get to the COMPLETING screen:
Click FINISH.
At this point, you should be able to login to the Dell N-series Switch using your domain credentials.
Part 3. Security Analysing
Radius ports: 1645,1646,1700,1812,1813,3799
NOTE: Only consern here is useing PAP (Password Authentification Protocol) authentication scheme, which is not acceptable from security perspectives.
PAP transmits unencrypted ASCII passwords over the network and is therefore considered insecure.
The shared key is used for the client (say a switch, wireless access point) to be able to authenticate the and trust the RADIUS server it is sending requests to.
RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
You can decrypt password useing packet capture like Wireshark. For this you also need Secred Key.
I decrypt the password sent from a Dell device to a RADIUS server. I know the shared-secret key and have entered it in Preferences-->Protocols-->Radius-->Shared Key of the Wireshark settings.
Part 4. Troubleshooting
Here are some commands that show information about RADIUS.
Show authentication methods - Displays authentication configuration
Show radius statistics - Displays radius authentication attempts, failures, and basic statistics.
Show aaa servers - Shows all configured aaa servers and statistics
Show log - Shows system logs and messages. Informs if Radius authentication attempts have been rejected by a server, and other useful information.
Part 5. Logging
I should have started with the windows server 2008 r2 "NPS accounting" logs (at ...\\\\system32\\\\LogFiles by default).
