AW: Authenticating SSH login on a Cisco IOS switch to AD

Brian Candler B.Candler at pobox.com
Wed Feb 9 21:25:55 CET 2011


On Wed, Feb 09, 2011 at 09:35:35AM -0800, Brett Littrell wrote:
>        I think it is always a good idea to keep the switch management on a
>    separate management vlan, regardless of whether you encrypt the info or
>    not.  Between Cisco and Radius servers it does encrypt the password but
>    I don't think it does much else.

For regular logins, you will get User-Password attribute which is encrypted
with the RADIUS shared secret. I'm pretty sure the Cisco won't do CHAP.

The response attributes will be signed using the shared secret, so they
cannot be tampered with.

So, the important thing is to choose strong shared secrets, and to limit
access to any places where your switch configs are stored.

Someone sniffing the RADIUS traffic will be able to see (a) who is logging
in, and (b) what privilege level they have been given.  If they are able to
sniff your network then you probably have worse problems to worry about.

Incidentally, it's quite reasonable to use RADIUS for authentication and
authorization, and TACACS for accounting (e.g. point your aaa accounting at
an instance of tac_plus).  Then you have a real-time log of individual
commands run.

Having a management network is a good idea too though.

>        Having a separate vlan for switch management is a lot like a hidden
>    SSID, it is by no means the most secure way to protect a network but it
>    keeps the riff-raff from trying to hack your network.  People who know
>    how to flood the arp tables can bypass vlans if need be

It sounds like you have pretty broken switches then. VLANs are always
separate, floods or no floods.

Also, true switches don't care about ARP at all (as opposed to "layer 3
switches").

Regards,

Brian.
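The exchange Brian describes (User-Password hidden with the shared secret, response attributes protected by the Response Authenticator, the user name and the returned privilege level readable by anyone sniffing the wire) as an added Python example that is not part of the original post and is not FreeRADIUS code. It builds a constructed, offline Access-Request/Access-Accept pair following RFC 2865 sections 3 and 5.2; the shared secret, the user "alice", her password, and the Cisco-AVPair "shell:priv-lvl=15" are all made-up values for illustration.

```python
"""Added example (not from the original thread): what RADIUS (RFC 2865)
protects between a NAS such as a Cisco switch and the RADIUS server.

  1. User-Password is hidden by XORing 16-byte blocks with
     MD5(secret || previous block), seeded by the Request Authenticator.
  2. The reply carries Response Authenticator =
     MD5(Code || ID || Length || Request-Authenticator || Attributes || Secret),
     so returned attributes cannot be altered without the secret.
Everything else (User-Name, the privilege level in the reply) is plaintext.
"""
import hashlib
import hmac
import secrets
import struct

# Attribute/code numbers from RFC 2865; Cisco's IANA vendor id is 9.
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def xor_block(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding as done by the NAS (RFC 2865 section 5.2)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = xor_block(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as done by the server; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += xor_block(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return bytes([atype, 2 + len(value)]) + value

def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute carrying a Cisco-AVPair such as shell:priv-lvl=15."""
    return attr(VENDOR_SPECIFIC,
                struct.pack(">I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, text.encode()))

def parse_attrs(pkt: bytes):
    """Walk the TLV list after the 20-byte header; a sniffer can do exactly this."""
    out, pos = [], 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        out.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return out

def access_request(username: bytes, password: bytes, secret: bytes, ident: int = 1):
    request_auth = secrets.token_bytes(16)   # must be fresh and unpredictable
    attrs = attr(USER_NAME, username) + \
        attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def access_accept(request_auth: bytes, secret: bytes, priv_lvl: int, ident: int = 1) -> bytes:
    attrs = cisco_avpair(f"shell:priv-lvl={priv_lvl}")
    header = struct.pack(">BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs

def verify_response(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check of the Response Authenticator; any changed byte fails it."""
    header, response_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)

def sniffer_view(req: bytes, acc: bytes) -> dict:
    """What an observer without the secret learns from the two packets."""
    view = {}
    for atype, value in parse_attrs(req):
        if atype == USER_NAME:
            view["user"] = value.decode()
        elif atype == USER_PASSWORD:
            view["password_blob"] = value.hex()   # opaque without the secret
    for atype, value in parse_attrs(acc):
        if atype == VENDOR_SPECIFIC and value[:4] == struct.pack(">I", CISCO_VENDOR_ID):
            view["priv"] = value[6:].decode()     # skip vendor id + inner type/len
    return view

def tamper(acc: bytes, old: bytes, new: bytes) -> bytes:
    """An on-path attacker without the secret rewrites the returned privilege level."""
    return acc[:20] + acc[20:].replace(old, new)

if __name__ == "__main__":
    SECRET = b"a-long-random-shared-secret"            # constructed value
    req, ra = access_request(b"alice", b"s3cret!", SECRET)
    acc = access_accept(ra, SECRET, 15)
    print(sniffer_view(req, acc))
    print("server recovers:", reveal_password(parse_attrs(req)[1][1], SECRET, ra))
    print("genuine accept verifies:", verify_response(acc, ra, SECRET))
    forged = tamper(acc, b"priv-lvl=15", b"priv-lvl=01")
    print("tampered accept verifies:", verify_response(forged, ra, SECRET))
```

Running it prints the sniffer's view (user name and priv-lvl in the clear, password as an opaque blob), the password recovered server-side, True for the genuine Access-Accept and False for the one with the privilege level rewritten. Note that the only key in all of this is the shared secret and the only primitive is unkeyed MD5, so someone holding a captured request/response pair can test candidate secrets offline at MD5 speed; that is why the secret must be long and random, and why the switch configs that contain it need to be locked down.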
