This document provides an example of configuring RADIUS authentication on a Cisco IOS switch using the third-party RADIUS server FreeRADIUS. By default, if you configure authentication through RADIUS, you log in to user mode (switch>) and use the local enable password to enter enable mode (switch#).
By adding EXEC authorization, we can bypass enable authentication and land the user directly in privilege level 15.
Ensure that the Cisco switch is defined as a client in FreeRADIUS with its IP address, and that the same shared secret is configured on both FreeRADIUS and the switch.
Platform: Cisco IOS 12.2 switch.
Switch Configuration - Authentication and Authorization
1. Create a local user on the switch with full privileges, for fallback, using the username command as shown here.
The key must match the shared secret configured on FreeRADIUS for this switch.
4. Test RADIUS server availability with the test aaa command as shown:
switch# test aaa server Radius 172.16.71.146 user1 Ur2Gd2BH
The test authentication fails with a Reject from the server because the user is not yet configured there; however, it confirms that the server is reachable.
5. Configure login authentication as shown here:
switch(config)#aaa authentication login default group radius local
This command configures the switch to use RADIUS for authentication at the login prompt. If RADIUS returns an error (for example, the server is unreachable), the user is authenticated against the local database.
Note: The local keyword provides the fallback when the RADIUS server is unreachable.
6. Configure EXEC authorization for privilege level 15:
switch(config)#aaa authorization exec default group radius if-authenticated
This command queries the RADIUS database for information used during EXEC authorization, such as autocommands and privilege levels, but only grants authorization if the user has successfully authenticated.
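The steps above hinge on the shared secret matching on both ends and on the server returning the privilege level in a Cisco-AVPair. The following is an added example, not code from the original document or from Cisco or FreeRADIUS: a minimal RFC 2865 Access-Request / Access-Accept exchange that simulates both the switch (NAS) side and the server side in one process, so you can see exactly where the secret is used (hiding User-Password and computing the Response Authenticator) and what the switch sees when the secrets differ. The secrets, the NAS address 172.16.71.1 and the user table are constructed sample values; the user names and passwords mirror the ones used elsewhere in this document.

```python
"""Added example, not from the original document: a minimal RFC 2865
Access-Request / Access-Accept exchange, simulating both the switch (NAS)
and the server, to show the two places the shared secret is used: hiding
User-Password and computing the Response Authenticator.  Secrets, the NAS
address and the user table below are constructed sample values."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
NAS_PROMPT_USER, VENDOR_CISCO, CISCO_AVPAIR = 7, 9, 1
# Constructed stand-in for /etc/freeradius/users: name -> (password, priv-lvl)
USERS = {"Life": ("testing", 3), "user1": ("Ur2Gd2BH", 15)}

def _attr(kind, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def cisco_avpair(value):
    """Vendor-Specific attribute carrying Cisco-AVPair (vendor 9, sub-type 1)."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value.encode()
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)

def parse_attrs(data):
    # Split the attribute area into (type, value) pairs.
    out, i = [], 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        out.append((kind, data[i + 2:i + length]))
        i += length
    return out

def build_access_request(ident, secret, username, password, nas_ip):
    """NAS side: fresh random Request Authenticator plus hidden User-Password."""
    authenticator = os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def server_handle(request, secret):
    """Server side: recover the password with its own secret, look the user up and
    answer Accept (Service-Type + shell:priv-lvl) or Reject.  The Response
    Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    ident, req_auth = request[1], request[4:20]
    fields = dict(parse_attrs(request[20:]))
    username = fields.get(USER_NAME, b"").decode(errors="replace")
    password = unhide_password(fields.get(USER_PASSWORD, b""), secret, req_auth)
    entry = USERS.get(username)
    if entry and password == entry[0].encode():
        code = ACCESS_ACCEPT
        attrs = (_attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER))
                 + cisco_avpair("shell:priv-lvl=%d" % entry[1]))
    else:
        code, attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """NAS side: a reply whose authenticator does not verify is dropped."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    return hashlib.md5(header + request[4:20] + attrs + secret).digest() == resp_auth

def priv_lvl_from(response):
    """Return N from a Cisco-AVPair "shell:priv-lvl=N", or None if absent."""
    for kind, value in parse_attrs(response[20:]):
        if kind == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
            text = value[6:].decode(errors="replace")
            if value[4] == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
                return int(text.split("=", 1)[1])
    return None

def exchange(switch_secret, server_secret, username, password):
    """One request/response cycle; report what the switch would conclude."""
    request = build_access_request(7, switch_secret, username, password, "172.16.71.1")
    response = server_handle(request, server_secret)
    return {"code": response[0],
            "verified": verify_response(response, request, switch_secret),
            "priv_lvl": priv_lvl_from(response)}

if __name__ == "__main__":
    s = b"constructed-shared-secret"
    print(exchange(s, s, "Life", "testing"))                  # Accept, verified, priv_lvl 3
    print(exchange(s, s, "user1", "wrong-password"))          # Reject, but verified: reachable
    print(exchange(s, b"another-secret", "Life", "testing"))  # Reject whose authenticator fails
```

The three calls at the bottom correspond to the three outcomes an administrator meets while following this document: a correct user is accepted with the pushed privilege level; a wrong password produces a Reject whose authenticator still verifies, which is why the test aaa step counts a Reject as proof of reachability; and a secret mismatch produces a reply the switch cannot verify, which IOS treats as no valid reply at all. The password hiding is an MD5 keystream keyed only by the shared secret, so the secret's strength and the confidentiality of the management path (a dedicated management VLAN or RADIUS over TLS where available) are what protect the login credentials in transit.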
Configuration on FreeRadius Server
Defining the client on the FreeRADIUS server:
Move to the FreeRADIUS configuration directory (/etc/freeradius).
Edit the clients.conf file:
sudo nano clients.conf
Add each device (router or switch); a client is identified by its hostname or IP address and needs its shared secret defined here.
Push the following entry; the user will get privilege level 15 in IOS. It applies to every user who is a member of the group cisco-rw:
DEFAULT Group == cisco-rw, Auth-Type = System
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"
Once the shell:priv-lvl=15 attribute is pushed, the user gets privilege level 15 access.
User-based privilege: if you want a specific user in FreeRADIUS to log in and get privilege level 3:
Create a new user with privilege level 3.
Edit the /etc/freeradius/users file:
Add another user "Life" with a privilege level of 3:
Life    Cleartext-Password := "testing"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=3"
Restart the RADIUS service. Now, when you log in to the device as this user, you get privilege level 3.
Restart the FreeRADIUS service
sudo /etc/init.d/freeradius restart
Note: The FreeRADIUS configuration shown here was done on an Ubuntu (Linux) server; the commands may differ on other Linux distributions.
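Because the users file is processed top to bottom and a DEFAULT entry matches every user, it is worth checking which privilege level a given login will actually receive before restarting the service. The following is an added example, not code from the original document or from the FreeRADIUS project: a small parser for the users file format plus a simplified model of FreeRADIUS matching (entries tried in file order, first match wins unless its reply sets Fall-Through = Yes). The users text, credentials and group membership are constructed sample data; the Group check is evaluated against a group set you pass in rather than the system's unix groups, and a reply without a Cisco-AVPair is reported as level 1, the user-mode level this document describes as the default.

```python
"""Added example, not from the original document: a parser for the FreeRADIUS
`users` file format and a simplified model of its matching rules, used to
predict the privilege level a login receives.  The users text, credentials
and group membership are constructed; matching is first-match-wins in file
order unless the reply carries Fall-Through = Yes."""
import re

# Constructed users file with the two kinds of entry this document shows.
USERS_FILE = '''
# constructed sample, not a real /etc/freeradius/users
DEFAULT Group == cisco-rw, Auth-Type = System
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

Life    Cleartext-Password := "testing"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=3"
'''

# attribute, operator, then either a "quoted" or a bare value
ITEM = re.compile(r'([\w-]+)\s*(==|:=|=)\s*(?:"([^"]*)"|([^,\s]+))')

def parse_items(text):
    return [(name, op, quoted or bare) for name, op, quoted, bare in ITEM.findall(text)]

def parse_users(text):
    """Return [(name, check_items, reply_items)] in file order.  An entry
    starts at column 0 with its check items; indented lines hold reply items."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            name, _, rest = line.partition(" ")
            entries.append((name, parse_items(rest), []))
        elif entries:
            entries[-1][2].extend(parse_items(line))
    return entries

def check_passes(check, password, groups):
    """Evaluate one check item.  Group membership and the stored cleartext
    password are modelled here; Auth-Type and other items are treated as
    control settings that never reject (real FreeRADIUS delegates the
    password comparison to its PAP module, with the same outcome)."""
    name, _, value = check
    if name == "Group":
        return value in groups
    if name == "Cleartext-Password":
        return password == value
    return True

def authorize(entries, username, password, groups=()):
    """Return the merged reply items for a login, or None (Access-Reject)."""
    reply, matched = {}, False
    for name, checks, replies in entries:
        if name not in ("DEFAULT", username):
            continue
        if not all(check_passes(c, password, groups) for c in checks):
            continue
        matched = True
        reply.update({k: v for k, _, v in replies})
        if reply.pop("Fall-Through", "no").lower() != "yes":
            break
    return reply if matched else None

def privilege_level(reply):
    """Level IOS assigns: N from shell:priv-lvl=N, else 1 (user mode) when
    nothing is pushed; None when the login is rejected."""
    if reply is None:
        return None
    m = re.fullmatch(r"shell:priv-lvl=(\d+)", reply.get("Cisco-AVPair", ""))
    return int(m.group(1)) if m else 1

def level15_grants(entries):
    """Review list: which entries hand out level 15, and on what condition."""
    out = []
    for name, checks, replies in entries:
        if privilege_level({k: v for k, _, v in replies}) == 15:
            out.append((name, ", ".join("%s %s %s" % c for c in checks) or "no check items"))
    return out

if __name__ == "__main__":
    entries = parse_users(USERS_FILE)
    print(privilege_level(authorize(entries, "bob", "x", groups={"cisco-rw"})))  # 15
    print(privilege_level(authorize(entries, "Life", "testing")))                 # 3
    print(authorize(entries, "Life", "wrong"))                                    # None
    print(level15_grants(entries))
```

One consequence of the ordering is visible in the test: a user who has a per-user level 3 entry but is also a member of cisco-rw hits the DEFAULT entry first and receives level 15, so group-based DEFAULT entries should be reviewed together with the per-user ones, and level15_grants gives a quick list of every path to full privilege.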
To verify the configuration on the switch, use the following commands:
1. switch# show run | in radius (shows the RADIUS configuration)
2. switch# show run | in aaa (shows the AAA configuration)
3. switch# show startup-config | in radius (shows the RADIUS configuration saved in the startup configuration)
Please post comments if you have any queries, and rate this document if you found it useful.