This document provides an example of configuring Radius Authentication on Cisco IOS switch by using a third party Radius server FreeRadius. By default, if you configure the authenticate through Radius, You will login to user mode (switch< ) and by using local enable password, you can login to the enable mode (switch#)
By adding authorization exec, we can bypass enable authentication and directly land the user to privilege 15 mode.
Ensure that you have your Cisco switch defined as a client in free radius with the ip address and same shared secret key defined on the free radius and switch
Cisco IOS 12.2 switch.
Switch Configuration - Authentication and Authorization
1. Create a local user on the switch with full privileges for fallback with the username command as shown here
The key must match the Shared Secret configured on the free radius for this switch
4.Test the RADIUS server availability with the test aaa command as shown.
switch# test aaa server Radius 172.16.71.146 user1 Ur2Gd2BH
Test authentication will fail with a Reject from the server since it is not configured, However, it will confirms that server is reachable.
5.Configure login authentications as shown here:
command configures the switch to use RADIUS for authentication at the login prompt. If RADIUS returns an error, the user is authenticated using the local database.
switch(config)#aaa authentication login default group radius local
Note: The Local keyword is used for fallback if the Radius server is unreachable
6. Configure authorization for privilege level 15:
command queries the RADIUS database for information that is used during EXEC authorization, such as autocommands and privilege levels, but only provides authorization if the user has successfully authenticated.
switch(config)#aaa authorization exec default group radius if-authenticated
Configuration on FreeRadius Server
Defining Client on the Free Radius server:
Move to the config directory
Edit the clients.conf file
sudo nano clients.conf
Add each device (router or switch), which is identified by its hostname and requires secret key
Push the below role, The user in the IOS will get the level 15 Privilege.This would be applicable for all the users who are member of group cisco-rw
DEFAULT Group == cisco-rw, Auth-Type = System, Service-Type = NAS-Prompt-User,
After pushing the shell lvl 15, The user will get the privi level 15 access.
User Based Privilege:If you want that user in the FreeRadius server should login and get level 3 privilege:
Create new User with Privilege level 3
Edit /etc/freeradius/users file:
Add another user "Life" with a privilege level of 3
Life Cleartext-Password := "testing" Service-Type = NAS-Prompt-User,
Cisco-AVPair = "shell:priv-lvl=3"
Restart the Radius service, Now when you login to the device, User will get the level 3 privilege.
Restart the FreeRADIUS service
sudo /etc/init.d/freeradius restart
Note: The configuration of Free Radius is done on Ubuntu(Linux) Server. The commands may differ in any other Linux OS.
To verify the configuration on switch use the following commands:
1. switch# show run | in radius (Shows the radius configuration)
2. switch# show run | in aaa (Show AAA configuration)
3. switch# show startup-config Radius (Show AAA configuration in start-up configuration)
Please post comments if there are any queries and rate if useful
Hi, How we can setup rules on FMC to allow users to access social media sites like facebook.com and block access to public drives like onedrive and drop box. Is there any way FMC allow access on user group base through Active Directory (AD). How...
I am building an ISE lab cluster for testing BYOD. This setup will mirror our production cluster. The ISE deployment is 4 x Internal ISE servers (2 x PAN nodes PRI and SEC plus 2 x PSN nodes PRI and SEC) and 2 x DMZ ISE servers (PSN PRI and SEC...
Good afternoon, I'm experiencing a problem with my branch offices (with LANLite catalyst SW) when ISE (located on our DC) is not reachable due to a WAN failure. People on branch office cannot access local resources when the ISE is marked as dead from...
Hi community,Is there an API and code sample to connect to VPN from .Net app?The idea is to be able to connect to VPN from application and not to ask user to do so as credentials need to be stored from, this as a security request.Thanks in advance.
Hi.I would like to know if it is possible to implement ISE 2.2 on a WS-C2950G-48-EI,because it does not appear in the compatibility matrix of the respective version.https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/compatibility/ise_sdt.html#24274Reg...