Different policies in Cisco RADIUS AAA

These days I had to implement centralized terminal authentication on a few Cisco routers using aaa new-model and RADIUS.

The solution in its own was pretty simple: it was based on the usual Microsoft IAS (Internet Authentication Service) which was integrated in an Active Directory domain.

The interesting aspect is that those routers were under different administrative controls, so some users had to be granted access on a part of them and denied on other. Let’s say Group1 had to be enabled on routers RA, RB and RC, while Group2 on routers RD, RE and RF.

Solution adopted

In order to achieve this goal we may use a lot of solutions, but most of them are quite unscalable, because we have to map each router to the specific policy.

To obtain a good degree of scalability we may use the radius-server attribute 32 include-in-access-req command. This command tells IOS to append the NAS-Identifier attribute in the RADIUS authentication request message, and let us to set a format for its value:

RA(config)#radius-server attribute 32 include-in-access-req format ?
  LINE  A string where %i = IP address and %h = hostname, %d = domain name

For example, we can prepend the router’s hostname with a “tag” to distinguish the owner group:

Group1 routers:

RA(config)#radius-server attribute 32 include-in-access-req format Group1-%h
RB(config)#radius-server attribute 32 include-in-access-req format Group1-%h
RC(config)#radius-server attribute 32 include-in-access-req format Group1-%h

Group2 routers:

RD(config)#radius-server attribute 32 include-in-access-req format Group2-%h
RE(config)#radius-server attribute 32 include-in-access-req format Group2-%h
RF(config)#radius-server attribute 32 include-in-access-req format Group2-%h

IAS policy filtered by NAS-Identifier attributeFinally we can create two policies in IAS to handle the incoming authentication requests, by filtering them on the basis of NAS-Identifier attribute.
On the NAS-Identifier filter, we can use a star (“*”) to match any character which follows the router’s “tag”. Once we matched the router’s tag, we bind it to the right Active Directory group. Please take a look at the picture for details.

References

Cisco.com: Cisco IOS Security Command Reference, Release 12.3 T

Cisco.com: Command Lookup Tool

PacketLife.net Blog: Seven free ways to improve your network’s security

Kpjungle’s Weblog: Authentication by Radius on a Cisco device

The following two tabs change content below.
Italian, born in 1980, I started working in the IT area in the late '90s; I'm now a system and network administrator with a deep knowledge of the global Internet and its core architectures.

Leave a Reply