cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1778
Views
1
Helpful
0
Comments
minkumar
Level 1
Level 1

 

Introduction

 

This  document provides an example of configuring  Radius Authentication on  Cisco IOS switch by using a third party Radius server FreeRadius. By  default, if you configure the  authenticate through Radius, You will  login to user mode (switch< ) and by using local enable password, you  can login to the enable mode (switch#)

By adding authorization exec, we can bypass enable authentication and directly land the user to privilege 15 mode.

 

Prerequisites

 

Ensure that you  have your Cisco switch defined as a client in free radius with the ip  address and same shared secret key defined on the free radius and switch

 

 

 

Components Used

 

1. Free Radius

2. Cisco IOS 12.2 switch.

 

 

Configure Switch Device for Authentication and Authorization:

 

  1. Create a local user on the switch with full privileges for fallback with the username command as shown here:

    Switch(config)#username admin privilege 15 password 0 cisco123!

2.  Enabling AAA- By default aaa is disabled on the IOS.

 

switch(config)# aaa new-model

 

3. provide the IP address of the Radius server (Free Radius) and key

switch# configure terminal
switch(config)#radius-server host 172.16.71.146 auth-port 1645 acct-port 1646
switch(config)#radius-server key hello123

Note: The key must match the Shared Secret configured on the free radius for this switch

 

4.Test the RADIUS server availability with the test aaa command as shown.

 

switch# test aaa server Radius 172.16.71.146 user1 Ur2Gd2BH

 

Test authentication will fail  with a Reject from the server since it is not configured, However, it  will confirms that  server is reachable.

 

5.Configure login authentications as shown here:

 

command configures the switch  to use RADIUS for authentication at the login prompt. If RADIUS returns  an error, the user is authenticated using the local database.

switch(config)#aaa authentication login default group radius local

 

Note: The Local keyword is used for fallback if the Radius server is unreachable

 

6. Configure authorization for privilege level 15:

 

command queries the RADIUS  database for information that is used during EXEC authorization, such as  autocommands and privilege levels, but only provides authorization if  the user has successfully authenticated.

 

 

switch(config)#aaa authorization exec default group radius if-authenticated

 

Configuration on FreeRadius Server:

 

Defining Client on the Free Radius server:

 

Move to the config directory:

 

cd /etc/freeradius

Edit the clients.conf file:

sudo nano clients.conf

Add each device (router or switch), which is identified by its hostname and requires secret key:

client 192.168.1.1 {secret = secretkeynastype = ciscoshortname = switch}

Add each user inside the users file,that is allowed to access the device:

sudo nano users

Creating user on FreeRadius:  we are adding user cisco with a privilege level of 15:

cisco Cleartext-Password := "password"       Service-Type = NAS-Prompt-User,       Cisco-AVPair = "shell:priv-lvl=15"

 

Restart the FreeRADIUS service:

sudo /etc/init.d/freeradius restart

push  the below role, The user in the IOS will get the level 15  Privilege.This would be applicable for all the users who are member of  group cisco-rw.

 

DEFAULT Group == cisco-rw, Auth-Type = System
        Service-Type = NAS-Prompt-User,
        cisco-avpair :="shell:priv-lvl=15"

 

After pushing the shell lvl 15, The user  will get the privi level 15 access.

 

User Based Privilege:If you want that user in the FreeRadius server should login and get level 3 privilege:

Create new User with Privilege level 3:

Edit /etc/freeradius/users file:

 

sudo nano/etc/freeradius/users

 

add another user "Life" with a privilege level of 3:

Life  Cleartext-Password := "testing"     Service-Type = NAS-Prompt-User,     Cisco-AVPair = "shell:priv-lvl=3"

Restart the Radius service, Now when you login to the device, User will get the level 3 privilege.

 

Restart the FreeRADIUS service:

sudo /etc/init.d/freeradius restart

 

 

 

Note:The configuration of Free Radius is done  on Ubuntu(Linux) Server. The commands may differ in any other Linux OS.

 

Verifcation

 

To verify the configuration on switch use the following commands:

 

1.    switch# show  run | in radius                           (shows the radius configuration)

 

2.    switch# show run | in aaa                               (Show AAA configuration)

 

3.    switch# show startup-config Radius             (Show AAA configuration in start-up configuration)  

 

#Please post comments if there are any queries and rate if useful
            

 

 

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: