HP Networking - 2008 R2 NPS Radius for Management Login

HP Networking
Switch Authentication with Microsoft
Windows Server 2008 R2 NPS Radius
Overview
This document provides an overview of how to configure the Windows Server 2008 R2 NPS Radius server
for Radius login authentication with HP Networking ProCurve switches.
Additional sections describe the configuration of manager and operator logins, command authorization and
command accounting.
Document Version
1.0
Author
Peter Debruyne
peter.debruyne@belpro.be
+32 474 95 25 46
Page 1 of 24
HP Networking
Switch Authentication with Microsoft Windows Server 2008 R2 NPS Radius v1.0
Contents
Overview (page 1)
Installing NPS (page 2)
Configuring NPS (page 3)
  NPS Domain access (page 3)
  Configure NPS Accounting (Logging) (page 4)
  Define Radius client (page 7)
  Define Network Policies (page 8)
Configure the ProCurve device (page 17)
  Define radius server (page 17)
  Configure aaa authentication (page 17)
  Configure aaa accounting (page 19)
Restricted Managers – Command Authorization (page 20)
  Network Policy for Restricted Managers (page 20)
  Update existing policies for Manager and Operator (page 23)
  Configure aaa command authorization for Restricted Manager (page 23)
Installing NPS
On the Windows 2008 R2 Server, launch the Server Manager.
Under Roles, select Add role
Check the Network Policy and Access Services role.
Only the Network Policy Server component is required for the Radius server to be installed.
The other components are the Microsoft dial-in/VPN server and the Microsoft NAP/NAC client health solution, which are not required for this guide.
Configuring NPS
NPS Domain access
After installation, verify that the NPS server has the permission to access user and group account
information on the domain.
When installed on a Domain Controller, the NPS role has this access by default.
When installed on a Domain member server, grant access with this procedure:
Use the administrative tools to launch the Network Policy Server console:
When available, click the “start NPS service” option to start the service.
Register the NPS server, so it will be allowed to read user and group information from the domain:
Configure NPS Accounting (Logging)
Open the Accounting folder and select Configure Accounting:
Based on your requirements, configure the local log file or SQL Server accounting. This example shows the local log file only:
Leave all logging active and note the folder for the log files.
Consider the fail option, which means that if NPS cannot log the request, it will not allow logins (authentication or 802.1x). Set this option based on the business requirement.
Under the Accounting folder, select the log file properties:
Configure the log file format. If you have existing IAS log file viewers (e.g. http://www.deepsoftware.ru/iasviewer/ ), it may be required to configure the legacy log file format.
Configure the log file rotation (e.g. daily):
When the switch is configured for aaa accounting commands radius, it will send all commands executed on the switch as vendor-specific RADIUS accounting to the NPS server.
These commands are ASCII encoded in the NPS log file and therefore barely readable, so it is recommended to acquire a commercial log parser, such as IAS Log Viewer. This is the result when configured with IAS Log Viewer (trial), when the user “pm” connects to Switch1 and executes some commands:
Define Radius client
The NPS Radius server requires the network device to be registered as a RADIUS client.
In the NPS console, select RADIUS Clients and create a new client:
Enter a friendly name (typically including the hostname) and the source IP address of the switch.
For layer 3 switches with multiple IP addresses, create a separate RADIUS client for each possible source IP or configure the device to use a loopback IP address for RADIUS.
With the Enterprise Edition, a single Radius client record can be used for multiple devices by typing a
subnet in the IP field, e.g. 10.100.10.0/24 instead of 10.100.10.1. This does require all devices to have the
same radius shared secret.
Configure the shared secret, in this example “procurve”.
Define Network Policies
This section describes the creation of several Network Policies for various levels of access.
Manager and Operator are the full access and restricted access methods. Restricted Manager shows the command authorization. For the Restricted Manager to function, additional switch configuration is required, which is explained in the “Configure the ProCurve device” section.
User and Group Requirements
This procedure assumes that some Windows users and groups have been created.
The following groups should have been created before starting this procedure:
P_Managers (e.g. full network admin): in this example, a user named “pm” has been created and is a member of this group.
P_Operators (e.g. first line, view only): in this example, a user named “po” has been created and is a member of this group.
P_Managers_Restricted (e.g. second line, assign ports to VLANs): in this example, a user named “pml2” has been created and is a member of this group.
Manager
Create a new network policy:
Name: HP ProCurve Management – Manager
Type: unspecified
Conditions
Add the conditions to filter the manager user logins. Only members of the Windows group P_Managers will be allowed to log in at the management level:
This only applies to management logins (not 802.1x wired or wireless), so the additional condition is NAS
Port type = Virtual:
The result of this condition screen is:
In the next screen, leave the Access Permission set to Access Granted.
In the next screen, Configure Authentication Methods, configure the auth types.
For the management login on most ProCurve switches, the old encryption types should be configured:
The 5400 series (as of K_13_51) supports PEAP-MSCHAPv2 as the authentication protocol between the switch and the RADIUS server for telnet and SSH login requests.
The only requirement on the NPS server is to have a certificate (self-signed, created by an in-house CA, or an external, public certificate) and to configure EAP PEAP MSCHAPv2 as the auth method on the existing Network Policy:
In case both old and new auth types must be supported, e.g. due to various switch types/models, several Network Policies can be created and the Conditions section updated for the PEAP policy and the PAP policy.
Several Network Policies:
Each auth type is covered as a condition in each policy:
Configure Constraints: no changes / restrictions
Configure Settings: remove the Framed-Protocol attribute and change the Service-Type to Administrative
This indicates that this login profile will be granted manager (read/write) access.
Operator
This step mainly repeats the Manager section, so only the changes are described with screenshots.
Create a new Policy
Name: HP ProCurve Management – Operator
Type: unspecified
Conditions: Windows Group = P_Operators; NAS-Port-Type = Virtual
Access Permission: Access Granted
Authentication Methods: configure identical to the Manager profile (this example: CHAP)
Constraints: no changes
Configure Settings: remove Framed-Protocol; change Service-Type to NAS-Prompt
This indicates that this login will be granted Operator (read only) access.
Finish wizard
Other Logins to Virtual Port – Deny
To prevent other policies from accidentally allowing access to your switch management interfaces, add an additional policy with:
Condition: NAS-Port-Type = Virtual
Access Level: Deny access
Put this policy directly below the Manager and Operator policies, which should be placed at the top of the policy hierarchy (before 802.1x or MAC login policies).
The only exception would be a VPN server/concentrator policy, which also requires the virtual port; that policy can be given an additional condition on the NAS IP address and be placed in front of the deny-all-virtual policy.
Network Policy Order
Verify the order of the policies and adjust to the requirements:
The order is important, since NPS processes the login request top-down. So if there is a login request for a user who connects through a virtual port and who is a member of the group P_Managers (the policy conditions), then the Manager profile will be sent to the switch, so the user will log in as service-type “administrative”, which is a manager.
The same logic applies to the Operator policy.
The order is also important to resolve conflicts. If a user is a member of both the P_Managers and P_Operators groups, then the order decides which profile will be sent to the switch.
In this example, a user who is a member of both groups will become a Manager on the switch, since the Manager policy is processed first.
In case the security policy dictates that a user should get the least configured privilege, then the order should be reversed.
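The top-down evaluation described above, as an added example that is not part of the original guide: a small Python model of the three policies (Manager, Operator, deny other virtual logins) with the conditions and Service-Type settings given in this document. The matching logic is a simplification assumed for illustration (only the Windows Group and NAS-Port-Type conditions are modelled).

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed model of the NPS policies in this guide. Names, conditions and
# Service-Type values come from the text; the evaluation logic is assumed.

@dataclass(frozen=True)
class Policy:
    name: str
    nas_port_type: Optional[str]        # condition; None means "any port type"
    windows_group: Optional[str]        # condition; None means "any user"
    grant: bool                         # Access Permission: granted or denied
    service_type: Optional[str] = None  # Settings: Service-Type sent to the switch

@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]              # Windows group memberships of the user
    nas_port_type: str                  # "Virtual" for telnet/ssh, "Ethernet" for 802.1x

def evaluate(policies: List[Policy], req: Request) -> Tuple[str, Optional[str]]:
    """Top-down processing: the first policy whose conditions all match decides.
    Returns (RADIUS response, Service-Type) for the request."""
    for p in policies:
        if p.nas_port_type is not None and p.nas_port_type != req.nas_port_type:
            continue
        if p.windows_group is not None and p.windows_group not in req.groups:
            continue
        if not p.grant:
            return ("Access-Reject", None)
        return ("Access-Accept", p.service_type)
    # No policy matched: NPS rejects the request.
    return ("Access-Reject", None)

MANAGER = Policy("HP ProCurve Management - Manager", "Virtual", "P_Managers", True, "Administrative")
OPERATOR = Policy("HP ProCurve Management - Operator", "Virtual", "P_Operators", True, "NAS-Prompt")
DENY_VIRTUAL = Policy("Deny other logins to virtual port", "Virtual", None, False)

# The order recommended in the guide, and the reversed order for least privilege.
RECOMMENDED_ORDER = [MANAGER, OPERATOR, DENY_VIRTUAL]
LEAST_PRIVILEGE_ORDER = [OPERATOR, MANAGER, DENY_VIRTUAL]

if __name__ == "__main__":
    # Constructed user who is a member of both groups.
    both = Request("pm", frozenset({"P_Managers", "P_Operators"}), "Virtual")
    print(evaluate(RECOMMENDED_ORDER, both))      # ('Access-Accept', 'Administrative')
    print(evaluate(LEAST_PRIVILEGE_ORDER, both))  # ('Access-Accept', 'NAS-Prompt')
```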
Configure the ProCurve device
This section describes the configuration of the network device.
Define radius server
In configuration mode on the switch, configure the radius server (NPS IP) and the secret:
radius-server host 10.100.10.10 key "procurve"
Configure aaa authentication
Configure a test login profile for e.g. SSH. This will not impact the telnet login methods:
aaa authentication ssh login radius
aaa authentication ssh enable radius
login describes the initial login to the switch (as operator, so read-only)
enable describes the move from operator mode (read-only) to manager (read-write) with the enable command
When the 5400 series is used with recent firmware, and the NPS server is configured with PEAP MSCHAPv2 authentication as described in the NPS section, use these commands:
aaa authentication telnet login peap-mschapv2
aaa authentication telnet enable peap-mschapv2
With only these commands, a manager would always log in as operator first, then have to type “enable” to get the manager prompt.
The switch can be configured to immediately respect the login level with this command:
aaa authentication login privilege-mode
Test the login with an SSH client with a P_Managers user and a P_Operators user.
Manager user:
Login with operator user:
Configure aaa accounting
To support command logging to the NPS server, activate aaa accounting:
aaa accounting commands interim-update radius
To get switch reload information, 802.1x or MAC auth session info and interim updates every 10 minutes, configure these commands as well:
aaa accounting exec start-stop radius
aaa accounting network start-stop radius
aaa accounting system start-stop radius
aaa accounting update periodic 600
Restricted Managers – Command Authorization
This section describes how to configure command authorization. This must be configured on Radius and on
the switch, so if existing Manager and Operator policies have been created, these must be updated as well
or they will not function anymore.
Network Policy for Restricted Managers
In NPS, create a new policy. See the previous Manager policy for detailed steps.
This step mainly repeats the Manager section, so only the changes are described with screenshots.
Create a new Policy
Name: HP ProCurve Management – Managers Restricted
Type: unspecified
Conditions: Windows Group = P_Managers_Restricted; NAS-Port-Type = Virtual; optionally filter on the Authentication Type if PEAP or PAP must be chosen
Access Permission: Access Granted
Authentication Methods: configure identical to the Manager profile (PAP or PEAP)
Constraints: no changes
Configure Settings: remove Framed-Protocol; change Service-Type to Administrative
This indicates that this login will be granted Manager (read/write) access.
Select the Vendor-Specific list and add the vendor-specific attribute:
Add a VSA (Vendor Specific Attribute):
Number: 2
Type: String
Value: the list of commands, semicolon separated. Regular expressions are supported and can be used to force begin of line (^), end of line ($) etc.
This can be useful, since the ProCurve CLI allows continuation of typing from global config. E.g. a user can do:
conf
int a1
disable
or on one line:
conf
int a1 disable
In the example below, the vlan and int commands are restricted with the $ sign, so the user must enter the vlan or interface context, where they can then type the context commands:
Value: ^conf.;^show.;speed-duplex.;^ping;^traceroute.;^vlan [1-9][0-9]*$;^untag.;^wr.;^en.;^int.*[1-9][0-9]*$;^name.;clear st.;^dis.;^ena.;^reload
Add another VSA, to indicate whether this list should be allowed or denied:
Number: 3
Type: Decimal (not string!)
Value: 0 (allow only the list of attribute 2) or 1 (deny the list of attribute 2)
Finish wizard
Update existing policies for Manager and Operator
When the switch is configured to check for these attributes, all management logins have to be configured with these attributes, even when no restrictions should apply to the login.
Otherwise, this error will show for the existing managers:
Open the existing Manager and Operator network policies in NPS.
Under Vendor Specific, add the two VSAs:
Vendor Code: 11; Conforms: yes; Attribute number: 2; Type: string; Value: . (the . represents any character)
Vendor Code: 11; Conforms: yes; Attribute number: 3; Type: decimal; Value: 0 (allow the above list)
This will allow these profiles to type all commands which are normally allowed for manager or operator access.
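An added example (not part of the original guide) that applies the semicolon-separated regular expression list from the Restricted Manager policy, and the “.” value given to the Manager and Operator policies, to a constructed CLI session. It assumes the switch tests each entry as an unanchored regular-expression search against the command line as typed, so only the ^ and $ anchors fix the match position; the vlan entry is written with [0-9].

```python
import re
from typing import List

# VSA 2 value from the guide's Restricted Manager policy (semicolon separated,
# one regular expression per entry).
RESTRICTED_COMMAND_LIST = (
    "^conf.;^show.;speed-duplex.;^ping;^traceroute.;^vlan [1-9][0-9]*$;^untag.;"
    "^wr.;^en.;^int.*[1-9][0-9]*$;^name.;clear st.;^dis.;^ena.;^reload"
)
# VSA 2 value the guide gives to the unrestricted Manager and Operator policies.
ANY_COMMAND_LIST = "."

def parse_command_list(value: str) -> List[re.Pattern]:
    """Split a VSA 2 string into compiled regular expressions, one per entry."""
    return [re.compile(entry.strip()) for entry in value.split(";") if entry.strip()]

def command_permitted(command: str, patterns: List[re.Pattern], attr3: int) -> bool:
    """Decide one typed command line.
    attr3 is the VSA 3 value: 0 = the entries form an allow list, 1 = a deny list.
    ASSUMPTION: each entry is applied as an unanchored regex search on the line
    as typed, so only ^ and $ inside an entry pin it to the start or the end."""
    matched = any(p.search(command) for p in patterns)
    return matched if attr3 == 0 else not matched

def check_session(lines, value: str, attr3: int):
    """Return (command, permitted) for every line of a constructed CLI session."""
    patterns = parse_command_list(value)
    return [(line, command_permitted(line, patterns, attr3)) for line in lines]

if __name__ == "__main__":
    # Constructed session: entering the interface context step by step is allowed,
    # the one-line continuation from global config is blocked by the $ anchor.
    session = ["configure", "int a1", "disable", "int a1 disable", "vlan 10 untagged a1"]
    for command, ok in check_session(session, RESTRICTED_COMMAND_LIST, 0):
        print(f"{'allow' if ok else 'deny':5} {command}")
```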
Configure aaa command authorization for Restricted Manager
On the switch, configure the command authorization:
aaa authorization commands radius
Log in with a user which is a member of the P_Managers_Restricted group:
Verify that the attribute command list is applied to this session.
Also note that thanks to the $ sign in the attribute command list, it is no longer possible to type continuing commands from global config:
End of document