Cisco Switch Web Interface

ddobbins1 · ‎03-05-2023

I’ve setup the switch CLI using the standard RADUIS. Works great if you can run the duo mobile with “push” authentication. If you can’t run the App, you first have to logon appending “sms” to your password. Your logon will initially fail, but DUO will send you a code to append to your password for the next logon which will be successful.

I’ve tried to use this same setup for web interrace on the same switch and everything works to a point, I can even get it to send me the sms code, but login always fails. In the auth proxy log it says the logon attempt was sucessful.

any ideas?
Dan

raphka · ‎03-05-2023

Hi ddobbins,

If the proxy logs say RADIUS: AccessAccept was sent for that authentication, you then know that the authentication has succeeded including 2FA and this information was transmitted to the switch.

It therefore follows that either the switch did not get this information, which is unlikely as it works for CLI.
Or, that the switch is rejecting the authentication regardless of the AccessAccept RADIUS response, which is likely your issue.

Only the Switch Authentication logs would tell you why the authentication was rejected even though it succeeded.

I will note that i have seen this before, and usually the switch will require some Vendor Specific RADIUS attribute to be sent in order to actually authenticate you.

You will likely need to review your Switch RADIUS docs to see what attributes are required to be sent to set permissions or define some access group.

The Duo Auth Proxy is a proxy, the vendor specific RADIUS attributes themselves will need to be passed to the proxy by your primary authentication RADIUS server.
Meaning you will need to add the RADIUS attributes to NPS so the proxy can pass them through.

The proxy can be configured in the proxy to pass all parameters.
This will be required for both the RADIUS_server_auto section as well as the radius_client section.

You can find the optional parameters for both in the documentations below:

Your final configuration should look something like the below, with the optional parameters in bold.

[radius_client]
host=1.2.3.4
secret=radiusclientsecret
pass_through_all=true

[radius_server_auto]
ikey=■■■■■■■■■■■■■■■■■■■■
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=5.6.7.8
radius_secret_1=radiussecret1
client=radius_client
port=1812
failmode=safe
pass_through_all=true

Please see the article below for further details on configuring the proxy as a client of NPS which can be used to set Vendor Specific RADIUS attributes:
https://help.duo.com/s/article/4785

jospehmack · ‎03-06-2023

Amazing Information!

ddobbins1 · ‎03-06-2023

Thanks for the quick response, btw, I’m using the ad_Client for the primary.

Your right, I need to look at the witch logs, which I’ll now. I was thinking I need to pass a custom attribute.

fyi, I use the same config on the web interface on the Cisco FMC and its works fine …?

ddobbins1 · ‎03-06-2023

From Switch log.

Mar 6 21:38:00.820: %WEBSERVER-5-LOGIN_FAILED: Switch 1 R0/0: nginx: Login Un-Successful from host 192.168.2.22 using crypto cipher ‘ECDHE-RSA-AES128-GCM-SHA256’
SW-C3850-SB-WC21#

ddobbins1 · ‎03-16-2023

Thank you, this was the solution I had to pass Cisco Specific Attribute : Cisco-AV-Pair "shell:priv-lvl=15’ and Service-Type “Login”

ddobbins1 · ‎07-06-2023

We decided to replace the Cisco 3850 where we had the web interface working perfectly since we added the two custom radius attributes, with the newer Cisco 9407 which has the same web interface, but, this version doesn’t work with these attributes. All logs say logon was succesful,but, web interface is never logged on. I’m thinking that they changed to required radius attributes in this version. Does anyone know what thern new attributes should be. I haven’t found anything online yet.

Thanks,
Dan