Thursday, September 3, 2009

Privilege command for Cisco IOS CAT 3750/3560/3550

Recently, I showed you how to enable RADIUS authentication using Microsoft Server 2003 IAS. Today I will show you how to control access to the switch and show a log of changes tied to the name of the user who made them. Authorization and Accounting are important, especially if you have multiple users making changes on your network switches. Instead of playing the guessing game of who made the boo boo in your network, you can actually pinpoint who it was and show them all the commands they entered before the issue. Not only can you pinpoint who did it, you can also go back and undo the changes, since you know what was done. This can also be done using a Cisco ACS server, but if you don't have one in place, this is the cheap way to do it.

Below is the command sample for privilege commands.

enable secret level 2 poweruser -> Creates the enable password "poweruser" as the enable 2 password
privilege exec level 2 config t -> Allows the use of "config t" for level 2 users
privilege exec level 2 show run -> Allows the use of "show run" for level 2 users
privilege exec level 2 write mem -> Allows the use of "write mem" for level 2 users, so they can save changes
privilege configure level 2 interface -> Allows the use of the "interface" command for level 2 users in config mode
privilege interface level 2 description -> Allows the use of the "description" command for level 2 users in interface config mode

The commands below allow the user to change the speed and duplex of an interface in config mode
privilege interface level 2 speed 10
privilege interface level 2 speed 100
privilege interface level 2 speed auto
privilege interface level 2 duplex half
privilege interface level 2 duplex full
privilege interface level 2 duplex auto

The command below allows the user to change the VLAN of an interface in config mode
privilege interface level 2 switchport access vlan

The command below allows the user to shut down an interface in config mode
privilege interface level 2 shutdown

The command below allows the user to set portfast on an interface in config mode
privilege interface level 2 spanning-tree portfast

You can pretty much add the commands that you would like them to be able to access.

All we did was create another enable password, for level 2. So when you log in to the switch, instead of typing just "enable" you will type "enable 2", and the password will be "poweruser".
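To make the rule behind these privilege lines concrete, here is an added example (my own code, not Cisco's and not from the original post) that reads the post's privilege lines and answers "can an enable 2 user run this command in this mode?", plus a review check that reports any level 2 grant not on the approved list. It models only the rule the post relies on: a command is usable at level N when a privilege line at level N or below covers it, and level 15 can run everything. It compares literal words, so it does not expand abbreviations the way IOS does ("config t" and "configure terminal" are different strings here); treat it as a review aid, not an emulator.

```python
"""Which commands does an `enable 2` user actually get?  Added example,
not Cisco's code.  Models the rule the post relies on: a command is
usable at level N if a `privilege <mode> level <N> <command>` line at
level N or lower covers it, and level 15 can run everything."""
from collections import defaultdict

# Constructed sample: the privilege lines from the post.
PRIVILEGE_CONFIG = """\
privilege exec level 2 config t
privilege exec level 2 show run
privilege exec level 2 write mem
privilege configure level 2 interface
privilege interface level 2 description
privilege interface level 2 speed 10
privilege interface level 2 speed 100
privilege interface level 2 speed auto
privilege interface level 2 duplex half
privilege interface level 2 duplex full
privilege interface level 2 duplex auto
privilege interface level 2 switchport access vlan
privilege interface level 2 shutdown
privilege interface level 2 spanning-tree portfast
"""


def parse_privilege_lines(config):
    """Return {(mode, level): [granted command word tuples]}."""
    grants = defaultdict(list)
    for raw in config.splitlines():
        words = raw.split()
        if len(words) < 5 or words[0] != "privilege" or words[2] != "level":
            continue
        mode, level, command = words[1], int(words[3]), tuple(words[4:])
        grants[(mode, level)].append(command)
    return grants


def is_allowed(grants, mode, level, command):
    """True if a user at `level` may run `command` (a string) in `mode`.

    The grant's words must be a prefix of the typed command, so a grant
    of 'speed 10' covers 'speed 10' but not 'speed 1000', while a grant
    of 'switchport access vlan' covers 'switchport access vlan 10'.
    """
    if level >= 15:
        return True
    typed = tuple(command.split())
    for (gmode, glevel), commands in grants.items():
        if gmode != mode or glevel > level:
            continue
        for granted in commands:
            if typed[:len(granted)] == granted:
                return True
    return False


def unexpected_grants(grants, level, approved):
    """Grants at `level` not in `approved` ({(mode, 'command words')}).

    Run it against a switch's running-config so that someone quietly
    adding e.g. `privilege exec level 2 configure` shows up in review.
    """
    extra = []
    for (mode, glevel), commands in grants.items():
        if glevel != level:
            continue
        for granted in commands:
            entry = (mode, " ".join(granted))
            if entry not in approved:
                extra.append(entry)
    return sorted(extra)


GRANTS = parse_privilege_lines(PRIVILEGE_CONFIG)
# The approved list is the post's own set of level 2 commands.
APPROVED = {(mode, " ".join(cmd)) for (mode, _), cmds in GRANTS.items() for cmd in cmds}

if __name__ == "__main__":
    for mode, cmd in [("exec", "config t"), ("configure", "hostname sw1"),
                      ("interface", "speed 1000"),
                      ("interface", "switchport access vlan 10")]:
        print(f"level 2 {mode:<9} {cmd!r:<30} -> {is_allowed(GRANTS, mode, 2, cmd)}")
    # Simulated drift: an extra, much broader grant appears in the config.
    drifted = parse_privilege_lines(PRIVILEGE_CONFIG + "privilege exec level 2 configure\n")
    print("unexpected level 2 grants:", unexpected_grants(drifted, 2, APPROVED))
```

The `hostname` check is the case the post demonstrates later with the rbautista account: nothing at level 2 covers it in configure mode, so it is refused, while the same user at level 15 gets it. The drift check is the defender's half of the story: once you have agreed on what a power user may do, diff the switch's privilege lines against that list whenever the config changes.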

After you enable the privilege commands you can also enable the archive feature; this will allow you to see the changes made on the switch by each user. From configuration mode:

archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext

- To show the archive list
show archive log config all

- To clear the archive list
clear archive log config

Now let's check the configuration.

rbautista_adm knows the regular enable password, and rbautista only knows the enable 2 password.

Below, I can change the hostname since I have access to everything.

Below, rbautista logs in using the enable 2 password.

The user who uses the enable 2 password cannot change the hostname of the switch, because the hostname command is not in the list of commands granted to his level.

He also has no access to show archive. Now let's log in using the regular enable with rbautista_adm.

As you can see, the changes I made are listed above. You can also clear the archive log if it gets full. We set it up with a queue length of 200; the default is 100 and the maximum queue length is 1000.

Note: Don't get confused between rbautista_adm and rbautista. I can log in as rbautista_adm, but if I use the enable 2 password I still only have access to the commands we made available.
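Reading the archive by eye works on one switch; once you collect `show archive log config all` from a dozen closets you want to parse it. The example below is mine, added here, not code from Cisco or from the original post. It turns the output into per-user and per-session command lists and answers the two questions the post raises: who entered a given command, and what else did that session do before it. The sample output is constructed to follow the column layout of that command (idx, sess, user@line, a `|` separator, then the logged command, with commands entered in a sub-mode indented one extra space); the users, hostname and interface names are made up.

```python
"""Turn `show archive log config all` output into per-user, per-session
change lists.  Added example, not Cisco's or the post author's code."""
import re
from collections import defaultdict

# Constructed sample in the layout of `show archive log config all`.
SAMPLE_ARCHIVE_LOG = """\
 idx   sess           user@line      Logged command
    1     1     rbautista_adm@vty0  |  hostname SW-CLOSET-1
    2     1     rbautista_adm@vty0  |  interface GigabitEthernet1/0/5
    3     1     rbautista_adm@vty0  |   description Uplink to core
    4     2         rbautista@vty1  |  interface GigabitEthernet1/0/7
    5     2         rbautista@vty1  |   speed 100
    6     2         rbautista@vty1  |   shutdown
"""

# idx, sess, user, line, then everything after the '|' separator.
ENTRY = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)@(\S+)\s+\|(.*)$")


def parse_archive_log(text):
    """Return one dict per logged command, ordered by index."""
    records = []
    for raw in text.splitlines():
        m = ENTRY.match(raw)
        if not m:
            continue            # header line or unrelated output
        idx, sess, user, line, rest = m.groups()
        records.append({
            "idx": int(idx), "sess": int(sess), "user": user, "line": line,
            "command": rest.strip(),
            # one extra space of indentation marks a sub-mode command
            "nested": len(rest) - len(rest.lstrip()) > 2,
        })
    return sorted(records, key=lambda r: r["idx"])


def commands_by_user(records):
    """{user: [commands in order]} -- the accounting view of the log."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r["command"])
    return dict(by_user)


def session_commands(records, sess):
    """Everything one session typed, in order: 'what did they do before
    the outage' from the post."""
    return [r["command"] for r in records if r["sess"] == sess]


def who_changed(records, keyword):
    """(idx, user, command) for every logged command containing keyword."""
    return [(r["idx"], r["user"], r["command"])
            for r in records if keyword in r["command"]]


def with_context(records, idx):
    """The command at idx with the parent-mode command it ran under, so a
    bare 'shutdown' comes back with the interface it was applied to."""
    target = next(r for r in records if r["idx"] == idx)
    parent = None
    if target["nested"]:
        earlier = [r for r in records
                   if r["idx"] < idx and r["sess"] == target["sess"]]
        for r in reversed(earlier):
            if not r["nested"]:
                parent = r["command"]
                break
    return parent, target["command"]


if __name__ == "__main__":
    recs = parse_archive_log(SAMPLE_ARCHIVE_LOG)
    for user, cmds in commands_by_user(recs).items():
        print(f"{user}: {cmds}")
    for idx, user, cmd in who_changed(recs, "shutdown"):
        print(f"#{idx} {user} -> {with_context(recs, idx)}")
```

Pairing `who_changed` with `with_context` is the part that saves time in practice: the archive logs `shutdown` as its own line, and walking back to the enclosing `interface` line tells you which port went down and whose session did it, which is also exactly what you need to undo the change.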

Our network closets.

I just wanted to share these network closets that we built in the past year. Not all of our network closets look like this. We have plans to clean them up; it's just very overwhelming, and with all the other projects we have, we couldn't do it. We are actually outsourcing the closet cleanup.

This closet was one of the first closets I ever built, with three 3750G switches stacked together.

Before closet cleanup

After. We upgraded our 3500XL end of life switches with CAT 3560G's.

We patched every patch panel port to a switch port, hoping that this keeps it under our control and stops other people from plugging anything into our switches.

Below are other network closets that we setup.

Two CAT3750G switches stacked together.

Please feel free to add any comments or suggestions on how you do your network closets.

Enabling Radius authentication with Cisco IOS switches (3750/3560/3550/3500XL) using IAS on Microsoft 2003 server.

This documentation assumes that Internet Authentication Service (IAS) on Microsoft Server 2003 is already working properly. It's best practice to do this in a test environment and not on your live network. The configuration below is the actual configuration we use on our network switches.

In Windows Server under administration tools click on Internet Authentication Service.

Right-click on RADIUS Clients and click on "New RADIUS Client". Enter a friendly name and the client address. Click Next.

Type the shared secret password. You will need this later when you configure the Cisco switch. I used cisco as the shared secret for this example. Click Finish and you should have this client added to your RADIUS clients.

Log in to the switch, which is the IP address you added in IAS as the RADIUS client.

From the Cisco switch configuration terminal, enter the commands below.

aaa new-model

aaa authentication login RADIUS group radius line

radius-server host auth-port 1645 acct-port 1646 key cisco

(Note: host is the IP address of your RADIUS server, and key is the shared secret we entered on the RADIUS server when we created the client.) If you have multiple RADIUS servers you can add another one as a backup. Make sure that all the RADIUS servers are configured to accept requests from all the RADIUS clients.

line vty 0 4

login authentication RADIUS

line vty 5 15

password cisco

(Note: if for some reason the switch cannot reach the RADIUS server, you will be asked for the telnet password.)

Log out and telnet to the switch; you should get prompted for a username and password.
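Before relying on this setup for every switch login, it is worth checking the AAA lines mechanically rather than by eye. The audit below is an added example of my own, not Cisco's tooling and not from the original post. It reads a running-config as text and reports what a reviewer would look for: `aaa new-model` present, a fallback after `group radius` in the method list (the `line` method, as in the post), more than one RADIUS server, a shared secret that is not the example value, and, for each `line vty` range, whether the method list is applied and whether a line password exists for the `line` fallback to use. The sample config is constructed in the shape of the post's snippet; the server address 192.0.2.10 is a documentation-range placeholder, and the 16-character secret length is a threshold I chose for the example, not an IOS rule.

```python
"""Audit of the AAA/RADIUS login lines in an IOS running-config.
Added example, not Cisco's or the post author's tooling."""
import re

# Constructed sample shaped like the post's snippet (192.0.2.10 is a
# documentation-range placeholder for the RADIUS server).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login RADIUS group radius line
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key cisco
line vty 0 4
 login authentication RADIUS
line vty 5 15
 password cisco
"""

# Constructed hardened variant: two servers, long secrets, the method
# list applied to every vty line, a line password for the fallback.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login RADIUS group radius line
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key ReplaceWithLongRandomSecret1
radius-server host 192.0.2.11 auth-port 1645 acct-port 1646 key ReplaceWithLongRandomSecret2
line vty 0 15
 login authentication RADIUS
 password ReplaceWithLinePassword
"""

EXAMPLE_SECRETS = {"cisco"}   # the post's example shared secret
MIN_SECRET_LEN = 16           # assumption for this example, not an IOS rule


def parse_vty_blocks(lines):
    """Return [(range_text, [indented sub-commands])] per `line vty` block."""
    blocks, current = [], None
    for raw in lines:
        if not raw.startswith(" "):
            current = None            # any top-level line ends a block
            if raw.startswith("line vty "):
                current = (raw[len("line "):], [])
                blocks.append(current)
        elif current is not None:
            current[1].append(raw.strip())
    return blocks


def audit_aaa(config):
    """Return [(code, detail)] findings; an empty list means nothing to flag."""
    findings = []
    lines = config.splitlines()
    if "aaa new-model" not in lines:
        findings.append(("no-aaa-new-model", "method lists have no effect without aaa new-model"))

    method_lists = {}
    for l in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)$", l)
        if m:
            method_lists[m.group(1)] = m.group(2).split()
    for name, methods in method_lists.items():
        # a list whose last method is a server group has nothing to fall
        # back on when that server is unreachable
        if len(methods) >= 2 and methods[-2] == "group":
            findings.append(("no-fallback", f"method list {name} ends with {' '.join(methods[-2:])}"))

    servers = re.findall(r"^radius-server host (\S+).* key (\S+)$", config, re.M)
    if len(servers) < 2:
        findings.append(("single-radius-server", "no backup RADIUS server configured"))
    for host, key in servers:
        if key in EXAMPLE_SECRETS or len(key) < MIN_SECRET_LEN:
            findings.append(("weak-shared-secret", f"server {host} uses a short or example secret"))

    for rng, subs in parse_vty_blocks(lines):
        applied = [s.split()[-1] for s in subs if s.startswith("login authentication ")]
        has_line_password = any(s.startswith("password ") for s in subs)
        if not applied:
            findings.append(("vty-default-list", f"line vty {rng} has no login authentication; it uses the default list"))
        for name in applied:
            if name not in method_lists:
                findings.append(("unknown-method-list", f"line vty {rng} references undefined list {name}"))
            elif "line" in method_lists[name] and not has_line_password:
                findings.append(("line-fallback-without-password",
                                 f"line vty {rng} uses {name} whose 'line' fallback needs a line password here"))
    return findings


if __name__ == "__main__":
    for label, cfg in [("post-style", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)]:
        print(f"== {label} ==")
        for code, detail in audit_aaa(cfg) or [("ok", "no findings")]:
            print(f"  {code}: {detail}")
```

On the post-style config the audit points out that vty 5 15 is not using the RADIUS method list and that vty 0 4 has no line password for the `line` fallback to use, which is what you would want to settle before a RADIUS outage rather than during one; the hardened variant comes back clean.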

Next time I will show you how to add privilege commands to allow power users certain commands without the use of Cisco ACS.