Cisco Community
English
Register
Join the Webex special event conversation for a chance to win NEW Webex swag!
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Cisco IOS integration with FreeRadius for admin access

Labels:
720
Views
0
Helpful
0
Comments
minkumar
Beginner
‎04-20-2013 12:43 PM
edited on: ‎02-21-2020 ‎09:59 PM

 

Introduction

 

This  document provides an example of configuring  Radius Authentication on  Cisco IOS switch by using a third party Radius server FreeRadius. By  default, if you configure the  authenticate through Radius, You will  login to user mode (switch< ) and by using local enable password, you  can login to the enable mode (switch#)

By adding authorization exec, we can bypass enable authentication and directly land the user to privilege 15 mode.

 

Prerequisites

 

Ensure that you  have your Cisco switch defined as a client in free radius with the ip  address and same shared secret key defined on the free radius and switch

 

 

 

Components Used

 

1. Free Radius

2. Cisco IOS 12.2 switch.

 

 

Configure Switch Device for Authentication and Authorization:

 

  1. Create a local user on the switch with full privileges for fallback with the username command as shown here:

    Switch(config)#username admin privilege 15 password 0 cisco123!

2.  Enabling AAA- By default aaa is disabled on the IOS.

 

switch(config)# aaa new-model

 

3. provide the IP address of the Radius server (Free Radius) and key

switch# configure terminal
switch(config)#radius-server host 172.16.71.146 auth-port 1645 acct-port 1646
switch(config)#radius-server key hello123

Note: The key must match the Shared Secret configured on the free radius for this switch

 

4.Test the RADIUS server availability with the test aaa command as shown.

 

switch# test aaa server Radius 172.16.71.146 user1 Ur2Gd2BH

 

Test authentication will fail  with a Reject from the server since it is not configured, However, it  will confirms that  server is reachable.

 

5.Configure login authentications as shown here:

 

command configures the switch  to use RADIUS for authentication at the login prompt. If RADIUS returns  an error, the user is authenticated using the local database.

switch(config)#aaa authentication login default group radius local

 

Note: The Local keyword is used for fallback if the Radius server is unreachable

 

6. Configure authorization for privilege level 15:

 

command queries the RADIUS  database for information that is used during EXEC authorization, such as  autocommands and privilege levels, but only provides authorization if  the user has successfully authenticated.

 

 

switch(config)#aaa authorization exec default group radius if-authenticated

 

Configuration on FreeRadius Server:

 

Defining Client on the Free Radius server:

 

Move to the config directory:

 

cd /etc/freeradius

Edit the clients.conf file:

sudo nano clients.conf

Add each device (router or switch), which is identified by its hostname and requires secret key:

client 192.168.1.1 {secret = secretkeynastype = ciscoshortname = switch}

Add each user inside the users file,that is allowed to access the device:

sudo nano users

Creating user on FreeRadius:  we are adding user cisco with a privilege level of 15:

cisco Cleartext-Password := "password"       Service-Type = NAS-Prompt-User,       Cisco-AVPair = "shell:priv-lvl=15"

 

Restart the FreeRADIUS service:

sudo /etc/init.d/freeradius restart

push  the below role, The user in the IOS will get the level 15  Privilege.This would be applicable for all the users who are member of  group cisco-rw.

 

DEFAULT Group == cisco-rw, Auth-Type = System
        Service-Type = NAS-Prompt-User,
        cisco-avpair :="shell:priv-lvl=15"

 

After pushing the shell lvl 15, The user  will get the privi level 15 access.

 

User Based Privilege:If you want that user in the FreeRadius server should login and get level 3 privilege:

Create new User with Privilege level 3:

Edit /etc/freeradius/users file:

 

sudo nano/etc/freeradius/users

 

add another user "Life" with a privilege level of 3:

Life  Cleartext-Password := "testing"     Service-Type = NAS-Prompt-User,     Cisco-AVPair = "shell:priv-lvl=3"

Restart the Radius service, Now when you login to the device, User will get the level 3 privilege.

 

Restart the FreeRADIUS service:

sudo /etc/init.d/freeradius restart

 

 

 

Note:The configuration of Free Radius is done  on Ubuntu(Linux) Server. The commands may differ in any other Linux OS.

 

Verifcation

 

To verify the configuration on switch use the following commands:

 

1.    switch# show  run | in radius                           (shows the radius configuration)

 

2.    switch# show run | in aaa                               (Show AAA configuration)

 

3.    switch# show startup-config Radius             (Show AAA configuration in start-up configuration)  

 

#Please post comments if there are any queries and rate if useful
            

 

 

 

 

0 Helpful
Latest Contents
dACL not shown under the interface
Created by SMD28316 on 06-13-2021 04:33 PM
0
10
0
10
When ISE dACL is applied correctly and is visible in the authenticated session: SW1-2960#show authentication sessions int g2/0/2 det Interface: GigabitEthernet2/0/2 MAC Address: 0050.5600.0141 IPv6 Address: Unknown ... view more
Cisco ASA- Updated Firmware and AnyConnect Packages
Created by LovejitSingh130013 on 06-13-2021 11:50 AM
4
0
4
0
Hello Experts @balaji.bandi  @Rob Ingram  @Richard Burts @Marius Gunnerud   @Leo Laohoo  I updated Cisco ASA Fimware and VPN packages.  The VPN Packages updated from 4.8 to 4.10. Is there anyway ... view more
ISW CWA & PROFILING
Created by Rami Ibrahim on 06-13-2021 05:01 AM
0
0
0
0
Hi Guys, Just reading about ISE profiling I got a little bit confused , I can imagine a case where CWA is configured on ISE along with Profiling (whatever probes enabled).  I know that CWA consist of two phases and phase 1 main goal is to r... view more
Cannot establish OSPF neighbor with loopback 3.3.3.3 in ASAv
Created by Charlie1010 on 06-13-2021 12:45 AM
14
0
14
0
I have established OSPF neighbors with ASAv and routers Outside, dmz_b, inside_1 and inside2.Each router has its own loopback interface from 1.1.1.1 to 4.4.4.4 as below showed.  But 3.3.3.3 cannot establish OSPF neighbor of ASAv. But I have adve... view more
Cisco Anyconnect Secure Mobility Client Popups
Created by fkuhle on 06-13-2021 12:27 AM
5
0
5
0
Hi, I am getting a pop up from 'Cisco Anyconnect Secure Mobility Client' on my Mac which says "The VPN client agent was unable to create the client DNS plugin manager.".  I have uninstalled Cisco Anyconnect Secure Mobility Client but I'm still g... view more
Content for Community-Ad