Admin Auth – Cisco IOS devices

Overview

Mist Access Assurance supports management user authentication into Cisco IOS devices by leveraging a Mist Auth Proxy application running on a Mist Edge platform.

Mist Edge is managed by the Mist Cloud and serves as a “gateway” for any non-Mist managed device that needs to authenticate end-clients connecting to it (a 3rd party switch, wireless LAN controller or Access Point), or to authenticate management users logging in to the network device itself, such as an admin login to a firewall or switch CLI management interface.

3rd party devices need to be added as RADIUS Clients on the Mist Edge Cluster, from where all authentication traffic is wrapped into a secure RadSec tunnel and sent to the Mist Access Assurance cloud.

Please refer to the Mist Edge configuration to support 3rd party devices with Mist Access Assurance here:

3rd Party Device Support – Mist Edge Auth Proxy

Auth Policy Configuration

Navigate to Organization > Auth Policies

Create a new Auth Policy label to assign RW shell access privileges via a Custom Vendor Specific Attribute:

Create a new Auth rule that matches on Admin Auth, NAS Vendor: Cisco-Wired and, optionally, a group from your IdP (for example IT-admin) to restrict which groups or users from the organization can access the switch CLI. On the right-hand side, select the newly created Cisco CLI Superuser label so that the correct shell privilege level is sent in the response.
Cisco IOS Device Configuration

Below is the configuration that must be added to the Cisco device in order to perform RADIUS authentication for CLI-based login:

!
! AAA must be enabled before "aaa group server" or any method-list command is accepted
aaa new-model
!
! RADIUS server group pointing at the Mist Edge Auth Proxy
aaa group server radius Mist-Access-Assurance
 server name MistEdge
 deadtime 2
!
! Use the Mist Edge group for CLI login authentication and for exec (shell privilege) authorization.
! Appending "local" to either method list provides a fallback if the RADIUS servers are unreachable.
aaa authentication login default group Mist-Access-Assurance
aaa authorization exec default group Mist-Access-Assurance
!
! Mist Edge RADIUS server definition; the key must match the RADIUS Client shared secret configured on the Mist Edge cluster
radius server MistEdge
 address ipv4 <mist edge OOBM IP Address> auth-port 1812 acct-port 1813
 key <shared secret>
!
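As an added example (not part of the Mist documentation or of any Cisco or Juniper code), the script below builds and checks the kind of RADIUS Access-Accept the Auth Policy label above is meant to produce for the switch: a Cisco Vendor-Specific attribute (vendor 9, Cisco-AVPair type 1) carrying `shell:priv-lvl=15`, with the Response Authenticator computed over the shared secret from the `radius server` definition. That the Mist label sends exactly `shell:priv-lvl=15` is an assumption here; the packet identifier, Request Authenticator and secret are constructed sample values.

```python
import hashlib
import struct

# RADIUS constants (RFC 2865); Cisco's IANA enterprise number is 9 and
# Cisco-AVPair is vendor type 1, the attribute that carries "shell:priv-lvl=N".
ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def cisco_avpair_vsa(value: str) -> bytes:
    """Encode one Cisco-AVPair string as a RADIUS Vendor-Specific attribute."""
    data = value.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Access-Accept whose Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_and_extract_priv_lvl(packet: bytes, request_auth: bytes, secret: bytes):
    """Check the reply against the shared secret; return (code, priv-lvl or None)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    if hashlib.md5(packet[:4] + request_auth + attrs + secret).digest() != packet[4:20]:
        raise ValueError("Response Authenticator mismatch: wrong shared secret or altered reply")
    priv_lvl = None
    pos = 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        if atype == ATTR_VENDOR_SPECIFIC and attrs[pos + 2:pos + 6] == struct.pack("!I", CISCO_VENDOR_ID):
            sub, spos = attrs[pos + 6:pos + alen], 0
            while spos < len(sub):
                stype, slen = sub[spos], sub[spos + 1]
                if slen < 2:
                    raise ValueError("malformed vendor sub-attribute length")
                text = sub[spos + 2:spos + slen].decode(errors="replace")
                if stype == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
                    priv_lvl = int(text.split("=", 1)[1])  # 15 is full (enable) access on IOS
                spos += slen
        pos += alen
    return code, priv_lvl
```

A reply that verifies but returns `None` for the privilege level means the Auth Policy rule matched without the Cisco CLI Superuser label, so the switch will fall back to privilege level 1.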

Verification

When logging in to the Cisco device, always include the user's domain name in the username, for example:

ssh vdementyev@juniper.net@10.7.50.25

All login attempts are logged in the NAC Events page and/or NAC Client pages: