New Contributor
Posts: 3
Registered: ‎02-23-2012

FWS 2k8 NPS RADIUS

I have been looking through the site at different discussions about getting FWS switches working with the NPS server in 2k8 R2. I have tried the steps other users were able to follow to get the correct access and have been unable to get the same results. Following are my setup parameters in the server and the switch. I would like to have any user in the user level run any of the commands and any user in the privilege mode run all commands and config mode commands. Any help would be appreciated.

Server radius settings:

     user level network policy
          "conditions" tab:
               windows groups set to group of users to have read only privileges
          "settings" tab:
               standard attributes -- "framed-protocol = PPP"  "Service-type=Framed"
               Vendor Specific:
                    1991 -- Decimal -- 5
                    1991 -- String -- *
                    1991 -- Decimal -- 0

     privilege level network policy
          "conditions" tab:
               windows groups set to group of users to have privilege mode and conf mode privileges
          "settings" tab:
               standard attributes -- "framed-protocol = PPP"  "Service-type=Framed"
               Vendor Specific:
                    1991 -- Decimal -- 0
                    1991 -- String -- *
                    1991 -- Decimal -- 0

FWS648G setup:

OS: 07.3.00T7e1

! I've left the secondary login option off on purpose for testing.
aaa authentication enable default radius
aaa authentication login default radius
aaa authorization exec default radius
radius-server host xxx.xx.xxx.xx
radius-server host xxx.xx.xxx.xx
radius-server key 1 *******************
radius-server retransmit 2
radius-server timeout 5

Logging in with a user in the user privilege mode, I get a successful auth and am dumped at the user prompt:

   user@cs-test>

Logging in with a user in the higher privilege mode, I get the same prompt:

  user_admin@cs-test>

It should be:

  user_admin@cs-test#

If I read the FastIron_07300_Guide correctly, all of those should add up to my basic user and super user dumping into their respective roles. Am I missing something or doing something wrong? I've run packet captures to see the values being sent and returned and everything looks right but I'm not an expert at aaa by any means.

Thank you,

Ben

New Contributor
Posts: 2
Registered: ‎03-26-2012

Re: FWS 2k8 NPS RADIUS

It looks like I may have this working by following the information you have and what's in this article; http://www.brocade.com/support/Product_Manuals/ServerIron_AdminGuide/security.3.7.html

When I assigned the Vendor-Specific attributes, I specified the Vendor Code: 1991, Vendor-Type - 1 and attribute value of 0 (super user) or 5 (read only) for each network policy. I didn't use the string "*" or the second decimal "0". I also didn't notice a difference in the prompts between the users (both ended with a #) - this may be due to our config (aaa authentication login privilege-mode) but the "read only" user cannot execute a "conf t" command. Hope this helps....

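As an added example (not code from this thread or from Brocade), here is a small Python encoder/decoder for the RFC 2865 Vendor-Specific attribute that carries the Brocade privilege VSA described in the answer above (vendor ID 1991, Vendor-Type 1, value 0 = super user or 5 = read only), useful for checking what a packet capture of the Access-Accept should contain. It assumes the NPS "Decimal" value is sent as a 4-byte integer, includes privilege level 4 (port-config) from the Brocade documentation rather than from the thread, and shows only the Vendor-Type 1 sub-attribute, not the "*" string or second decimal from the original policies.

```python
import struct

VENDOR_ID_BROCADE = 1991      # Foundry/Brocade enterprise number used in the NPS policies above
VSA_PRIVILEGE_LEVEL = 1       # Vendor-Type 1: privilege level (as in the answer above)

# Levels 0 and 5 come from the thread; 4 (port-config) is from the Brocade docs.
PRIV_LEVEL_NAMES = {0: "super-user", 4: "port-config", 5: "read-only"}


def build_vsa(vendor_type, value):
    """Encode one RFC 2865 Vendor-Specific (26) attribute holding a single Brocade sub-attribute.
    An int is sent as a 4-byte integer (NPS 'Decimal'); a str as raw text (NPS 'String')."""
    payload = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    sub = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    body = struct.pack("!I", VENDOR_ID_BROCADE) + sub
    return struct.pack("!BB", 26, 2 + len(body)) + body


def parse_vsas(attrs):
    """Walk a RADIUS attribute list and return [(vendor_type, payload)] for Brocade sub-attributes.
    Non-VSA attributes (Service-Type, Framed-Protocol, ...) are skipped; bad lengths raise."""
    found, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute length")
        atype, alen = attrs[i], attrs[i + 1]
        if atype == 26 and alen >= 8 and struct.unpack("!I", attrs[i + 2:i + 6])[0] == VENDOR_ID_BROCADE:
            j, end = i + 6, i + alen
            while j + 2 <= end:
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2 or j + vlen > end:
                    raise ValueError("malformed sub-attribute length")
                found.append((vtype, attrs[j + 2:j + vlen]))
                j += vlen
        i += alen
    return found


def privilege_level(attrs):
    """Name of the privilege level the switch will apply, or None if the VSA is missing."""
    for vtype, payload in parse_vsas(attrs):
        if vtype == VSA_PRIVILEGE_LEVEL and len(payload) == 4:
            level = struct.unpack("!I", payload)[0]
            return PRIV_LEVEL_NAMES.get(level, "unknown(%d)" % level)
    return None


def sample_access_accept(level):
    """Constructed Access-Accept attribute list mirroring the thread's NPS policy:
    Service-Type=Framed (2), Framed-Protocol=PPP (1), then the privilege VSA."""
    service_type = struct.pack("!BBI", 6, 6, 2)
    framed_proto = struct.pack("!BBI", 7, 6, 1)
    return service_type + framed_proto + build_vsa(VSA_PRIVILEGE_LEVEL, level)
```

A user whose Access-Accept carries no Brocade VSA at all gets None, which is the case to look for in a capture when both users land at the same prompt.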

New Contributor
Posts: 3
Registered: ‎02-23-2012

Re: FWS 2k8 NPS RADIUS

That definitely is what I was looking for.

"I also didn't notice a difference in the prompts between the users (both ended with a #)". That statement is the key I think to what I was having issues with. I was under the impression users would dump into the > prompt instead of the # prompt. I tested what you did with the instructions from that link and replicated the non-uber user having basic commands and no conf mode. I then tested with my setup for uber user and had all commands available and conf mode. Thank you so much for your help.

New Contributor
Posts: 2
Registered: ‎03-26-2012

Re: FWS 2k8 NPS RADIUS

No problem. What I'm stuck on now is trying to use an "Encrypted Authentication" (CHAP/MS-CHAP/MS-CHAP v2) instead of unencrypted (PAP, SPAP)...

New Contributor
Posts: 3
Registered: ‎02-23-2012

Re: FWS 2k8 NPS RADIUS

Good luck with that! I read a bit into the FIPS and getting CHAP working and decided we didn't need it that badly.

New Contributor
Posts: 2
Registered: ‎12-30-2014

Re: FWS 2k8 NPS RADIUS

Has someone had success in changing the default "PAP" protocol to an encrypted one like "CHAP" ?
Would be interested in that, too.

Thanks!
