This document provides an example of configuring Radius Authentication on Cisco IOS switch by using a third party Radius server FreeRadius. By default, if you configure the authenticate through Radius, You will login to user mode (switch< ) and by using local enable password, you can login to the enable mode (switch#)
By adding authorization exec, we can bypass enable authentication and directly land the user to privilege 15 mode.
Ensure that you have your Cisco switch defined as a client in free radius with the ip address and same shared secret key defined on the free radius and switch
Cisco IOS 12.2 switch.
Switch Configuration - Authentication and Authorization
1. Create a local user on the switch with full privileges for fallback with the username command as shown here
The key must match the Shared Secret configured on the free radius for this switch
4.Test the RADIUS server availability with the test aaa command as shown.
switch# test aaa server Radius 172.16.71.146 user1 Ur2Gd2BH
Test authentication will fail with a Reject from the server since it is not configured, However, it will confirms that server is reachable.
5.Configure login authentications as shown here:
command configures the switch to use RADIUS for authentication at the login prompt. If RADIUS returns an error, the user is authenticated using the local database.
switch(config)#aaa authentication login default group radius local
Note: The Local keyword is used for fallback if the Radius server is unreachable
6. Configure authorization for privilege level 15:
command queries the RADIUS database for information that is used during EXEC authorization, such as autocommands and privilege levels, but only provides authorization if the user has successfully authenticated.
switch(config)#aaa authorization exec default group radius if-authenticated
Configuration on FreeRadius Server
Defining Client on the Free Radius server:
Move to the config directory
Edit the clients.conf file
sudo nano clients.conf
Add each device (router or switch), which is identified by its hostname and requires secret key
Push the below role, The user in the IOS will get the level 15 Privilege.This would be applicable for all the users who are member of group cisco-rw
DEFAULT Group == cisco-rw, Auth-Type = System, Service-Type = NAS-Prompt-User,
After pushing the shell lvl 15, The user will get the privi level 15 access.
User Based Privilege:If you want that user in the FreeRadius server should login and get level 3 privilege:
Create new User with Privilege level 3
Edit /etc/freeradius/users file:
Add another user "Life" with a privilege level of 3
Life Cleartext-Password := "testing" Service-Type = NAS-Prompt-User,
Cisco-AVPair = "shell:priv-lvl=3"
Restart the Radius service, Now when you login to the device, User will get the level 3 privilege.
Restart the FreeRADIUS service
sudo /etc/init.d/freeradius restart
Note: The configuration of Free Radius is done on Ubuntu(Linux) Server. The commands may differ in any other Linux OS.
To verify the configuration on switch use the following commands:
1. switch# show run | in radius (Shows the radius configuration)
2. switch# show run | in aaa (Show AAA configuration)
3. switch# show startup-config Radius (Show AAA configuration in start-up configuration)
Please post comments if there are any queries and rate if useful
Hi,I prepared a switch 2960 version 15.0(2) SE6 and a phone 7940 connected to this switch, and all work fine with MAB ,after that I connect a win 10 pc to the phone using 802.1x and the switch complain about security violation and automatically shutdown t...
I have a new deployment of FMC managed FTD and have a question regarding Native vs Container instances on the 4100The documentation says "Native instances cannot use VLAN subinterfaces or shared interfaces."I plan on trunking multiple vlans into the firew...
Dear All , I am sorry if this was asked before. I have an ASA 5505 currently running an EASYVPN tunnel behind a dynamic IP service with double NAT ( and having the ASA at the ISP router is not possible BUT they added the ASA on DMZ s...
Hi, i am using this FlexVPN "Hub to Spoke" configuration for my home lab hub router its using Keyring pre-shared key, and AAA is done locally. This work fine when the client is a router. However I want to modify this so that remote clients ...