cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Cisco IOS integration with FreeRadius for Administrator Access

8484
Views
9
Helpful
3
Comments

     

     

    Introduction

    This  document provides an example of configuring  Radius Authentication on  Cisco IOS switch by using a third party Radius server FreeRadius. By  default, if you configure the  authenticate through Radius, You will  login to user mode (switch< ) and by using local enable password, you  can login to the enable mode (switch#)

    By adding authorization exec, we can bypass enable authentication and directly land the user to privilege 15 mode.

    Prerequisites

    Ensure that you  have your Cisco switch defined as a client in free radius with the ip  address and same shared secret key defined on the free radius and switch

    Components Used

    1. Free Radius
    2. Cisco IOS 12.2 switch.

    Switch Configuration - Authentication and Authorization

    1. Create a local user on the switch with full privileges for fallback with the username command as shown here

    Switch(config)#username admin privilege 15 password 0 cisco123!

    2.  Enabling AAA- By default aaa is disabled on the IOS.

    switch(config)# aaa new-model

    3. Provide the IP address of the Radius server (Free Radius) and key

    switch# configure terminalswitch(config)#radius-server host 172.16.71.146 auth-port 1645 acct-port 1646
    switch(config)#radius-server key hello123

    Note

    The key must match the Shared Secret configured on the free radius for this switch

    4.Test the RADIUS server availability with the test aaa command as shown.

    switch# test aaa server Radius 172.16.71.146 user1 Ur2Gd2BH

    Test authentication will fail  with a Reject from the server since it is not configured, However, it  will confirms that  server is reachable.

    5.Configure login authentications as shown here:

    command configures the switch  to use RADIUS for authentication at the login prompt. If RADIUS returns  an error, the user is authenticated using the local database.

    switch(config)#aaa authentication login default group radius local

    Note: The Local keyword is used for fallback if the Radius server is unreachable

    6. Configure authorization for privilege level 15:

    command queries the RADIUS  database for information that is used during EXEC authorization, such as  autocommands and privilege levels, but only provides authorization if  the user has successfully authenticated.

    switch(config)#aaa authorization exec default group radius if-authenticated

    Configuration on FreeRadius Server

    Defining Client on the Free Radius server:

    Move to the config directory

    cd /etc/freeradius

    Edit the clients.conf file

    sudo nano clients.conf

    Add each device (router or switch), which is identified by its hostname and requires secret key

    client 192.168.1.1 {secret = secretkeynastype = ciscoshortname = switch}

    Add each user inside the users file,that is allowed to access the device

    sudo nano users

    Creating user on FreeRadius:  we are adding user cisco with a privilege level of 15

    cisco Cleartext-Password := "password", Service-Type = NAS-Prompt-User, 
    Cisco-AVPair = "shell:priv-lvl=15"

    Restart the FreeRADIUS service

    sudo /etc/init.d/freeradius restart

    Push  the below role, The user in the IOS will get the level 15  Privilege.This would be applicable for all the users who are member of  group cisco-rw

    DEFAULT Group == cisco-rw, Auth-Type = System, Service-Type = NAS-Prompt-User,
    cisco-avpair :="shell:priv-lvl=15"

    After pushing the shell lvl 15, The user  will get the privi level 15 access.

    User Based Privilege:If you want that user in the FreeRadius server should login and get level 3 privilege:

    Create new User with Privilege level 3

    Edit /etc/freeradius/users file:

    sudo nano/etc/freeradius/users

    Add another user "Life" with a privilege level of 3

    Life  Cleartext-Password := "testing"     Service-Type = NAS-Prompt-User,
    Cisco-AVPair = "shell:priv-lvl=3"

    Restart the Radius service, Now when you login to the device, User will get the level 3 privilege.

    Restart the FreeRADIUS service

    sudo /etc/init.d/freeradius restart
    

    Note: The configuration of Free Radius is done  on Ubuntu(Linux) Server. The commands may differ in any other Linux OS.

    Verification

    To verify the configuration on switch use the following commands:

    1.    switch# show  run | in radius                           (Shows the radius configuration)
    2.    switch# show run | in aaa                                (Show AAA configuration)
    3.    switch# show startup-config Radius                 (Show AAA configuration in start-up configuration)  

    Please post comments if there are any queries and rate if useful

    Comments
    Beginner

    Sorry, I don´t know mucho more about Linux.

    When you create:

    cisco Cleartext-Password := "password", Service-Type = NAS-Prompt-User, 
    Cisco-AVPair = "shell:priv-lvl=15"

    and

    DEFAULT Group == cisco-rw, Auth-Type = System, Service-Type = NAS-Prompt-User,
    cisco-avpair :="shell:priv-lvl=15"

    where do you type this? it´s  a .conf file?

    Thanks.

    Beginner

    Hi

    Yes, This is available in .conf file.

    Minakshi

    Beginner

    Cant understand why its not working :(

    *Oct 16 10:13:36.563: RADIUS/ENCODE(0000000C): ask "Username: "
    *Oct 16 10:13:36.563: RADIUS/ENCODE(0000000C): send packet; GET_USER
    *Oct 16 10:13:39.639: RADIUS/ENCODE(0000000C): ask "Password: "
    *Oct 16 10:13:39.639: RADIUS/ENCODE(0000000C): send packet; GET_PASSWORD
    *Oct 16 10:13:41.175: RADIUS/ENCODE(0000000C):Orig. component type = EXEC
    *Oct 16 10:13:41.175: RADIUS:  AAA Unsupported Attr: interface         [158] 4   
    *Oct 16 10:13:41.175: RADIUS:   74 74                                            [tt]
    *Oct 16 10:13:41.175: RADIUS/ENCODE(0000000C): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
    *Oct 16 10:13:41.175: RADIUS(0000000C): Config NAS IP: 0.0.0.0
    *Oct 16 10:13:41.175: RADIUS/ENCODE(0000000C): acct_session_id: 10
    *Oct 16 10:13:41.175: RADIUS(0000000C): sending
    *Oct 16 10:13:41.175: RADIUS/ENCODE: Best Local IP-Address 192.168.1.254 for Radius-Server 192.168.1.2
    *Oct 16 10:13:41.179: RADIUS(0000000C): Send Access-Request to 192.168.1.2:18120 id 1645/14, len 82
    *Oct 16 10:13:41.179: RADIUS:  authenticator 7D C8 32 5E 46 3E 06 00 - A5 E5 26 00 BC 11 36 31
    *Oct 16 10:13:41.179: RADIUS:  User-Name           [1]   7   "steve"
    *Oct 16 10:13:41.179: RADIUS:  User-Password       [2]   18  *
    *Oct 16 10:13:41.179: RADIUS:  NAS-Port            [5]   6   2                         
    *Oct 16 10:13:41.179: RADIUS:  NAS-Port-Id         [87]  6   "tty2"
    *Oct 16 10:13:41.179: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    *Oct 16 10:13:41.179: RADIUS:  Calling-Station-Id  [31]  13  "192.168.1.2"
    *Oct 16 10:13:41.179: RADIUS:  NAS-IP-Address      [4]   6   192.168.1.254             
    *Oct 16 10:13:46.619: RADIUS: no sg in radius-timers: ctx 0x83D9CA9C sg 0x0000
    *Oct 16 10:13:46.619: RADIUS: Retransmit to (192.168.1.2:18120,18120) for id 1645/14
    *Oct 16 10:13:51.843: RADIUS: no sg in radius-timers: ctx 0x83D9CA9C sg 0x0000
    *Oct 16 10:13:51.843: RADIUS: Retransmit to (192.168.1.2:18120,18120) for id 1645/14
    *Oct 16 10:13:57.155: RADIUS: no sg in radius-timers: ctx 0x83D9CA9C sg 0x0000
    *Oct 16 10:13:57.155: RADIUS: Retransmit to (192.168.1.2:18120,18120) for id 1645/14
    *Oct 16 10:14:02.275: RADIUS: no sg in radius-timers: ctx 0x83D9CA9C sg 0x0000
    *Oct 16 10:14:02.275: RADIUS: No response from (192.168.1.2:18120,18120) for id 1645/14
    *Oct 16 10:14:02.275: RADIUS/DECODE: No response from radius-server; parse response; FAIL
    *Oct 16 10:14:02.275: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
    *Oct 16 10:14:04.275: RADIUS/ENCODE(0000000C): ask "Username: "
    *Oct 16 10:14:04.275: RADIUS/ENCODE(0000000C): send packet; GET_USER