Cisco Switch RADIUS Integration

Testing integration of Cisco switches with PrivacyIDEA. So far, initial authentication to the switch works using server-private <SERVERIP> auth-port 1812 acct-port 1813, but when issuing the enable command, an access denied message appears. On the PrivacyIDEA server, I have an auth policy set up with passthru=userstore. Anybody have experience configuring switch admin access with PrivacyIDEA?

Figured out the issue. When using RADIUS authentication and a user issues the enable command, a Cisco device sends a generic user named $enab15$ in the authentication request…insanity.

To get this to work, either create a user with that name and assign a token to this user or configure an authentication policy with a condition that targets the generic user, setting passOnNoUser to true.

There’s actually a bit more work I had to do to get this working specifically and securely while allowing only user store credentials until we enforce MFA on these admins.
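The policy-based option from the answer above, as an added example that is not code from the thread or from the privacyIDEA project: it creates an authentication-scope policy bound to the `$enab15$` pseudo-user with the `passOnNoUser` action through privacyIDEA's REST API. The server URL, admin credentials, realm and policy name are placeholders.

```python
"""Create the privacyIDEA authentication policy for the Cisco enable
pseudo-user via the privacyIDEA REST API (standard library only).

Assumptions (not from the thread): base URL, admin account, realm name
and policy name below are placeholders to be replaced.
"""
import json
import urllib.request

# Username Cisco IOS puts in the RADIUS Access-Request for "enable"
ENABLE_USER = "$enab15$"


def build_enable_policy(realm: str) -> dict:
    """Policy body for POST /policy/<name>.

    passOnNoUser makes privacyIDEA answer Access-Accept for a username that
    exists in no resolver, so it is bound to this single pseudo-user via the
    user condition instead of being applied to every unknown name; the real
    admins keep their own passthru=userstore policy.
    """
    return {
        "scope": "authentication",
        "action": "passOnNoUser",
        "user": ENABLE_USER,
        "realm": realm,
        "active": True,
    }


def _post_json(url: str, body: dict, token: str = "") -> dict:
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/json"})
    if token:
        req.add_header("Authorization", token)  # privacyIDEA expects the bare JWT
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def create_policy(base_url: str, admin: str, password: str,
                  name: str, policy: dict) -> bool:
    """Log in as a privacyIDEA admin, then create or replace policy `name`."""
    auth = _post_json(f"{base_url}/auth", {"username": admin, "password": password})
    token = auth["result"]["value"]["token"]
    result = _post_json(f"{base_url}/policy/{name}", policy, token)
    return bool(result["result"]["status"])


if __name__ == "__main__":
    # Placeholder server, admin account and realm: replace before running.
    ok = create_policy("https://privacyidea.example.invalid", "admin", "ADMIN_PASSWORD",
                       "cisco_enable_passonnouser", build_enable_policy("netadmins"))
    print("policy created" if ok else "policy creation failed")
```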


Great that you figured this out and share the answer!