This document provides an example of configuring Radius Authentication on Cisco IOS switch by using a third party Radius server FreeRadius. By default, if you configure the authenticate through Radius, You will login to user mode (switch< ) and by using local enable password, you can login to the enable mode (switch#)
By adding authorization exec, we can bypass enable authentication and directly land the user to privilege 15 mode.
Ensure that you have your Cisco switch defined as a client in free radius with the ip address and same shared secret key defined on the free radius and switch
Cisco IOS 12.2 switch.
Switch Configuration - Authentication and Authorization
1. Create a local user on the switch with full privileges for fallback with the username command as shown here
The key must match the Shared Secret configured on the free radius for this switch
4.Test the RADIUS server availability with the test aaa command as shown.
switch# test aaa server Radius 172.16.71.146 user1 Ur2Gd2BH
Test authentication will fail with a Reject from the server since it is not configured, However, it will confirms that server is reachable.
5.Configure login authentications as shown here:
command configures the switch to use RADIUS for authentication at the login prompt. If RADIUS returns an error, the user is authenticated using the local database.
switch(config)#aaa authentication login default group radius local
Note: The Local keyword is used for fallback if the Radius server is unreachable
6. Configure authorization for privilege level 15:
command queries the RADIUS database for information that is used during EXEC authorization, such as autocommands and privilege levels, but only provides authorization if the user has successfully authenticated.
switch(config)#aaa authorization exec default group radius if-authenticated
Configuration on FreeRadius Server
Defining Client on the Free Radius server:
Move to the config directory
Edit the clients.conf file
sudo nano clients.conf
Add each device (router or switch), which is identified by its hostname and requires secret key
Push the below role, The user in the IOS will get the level 15 Privilege.This would be applicable for all the users who are member of group cisco-rw
DEFAULT Group == cisco-rw, Auth-Type = System, Service-Type = NAS-Prompt-User,
After pushing the shell lvl 15, The user will get the privi level 15 access.
User Based Privilege:If you want that user in the FreeRadius server should login and get level 3 privilege:
Create new User with Privilege level 3
Edit /etc/freeradius/users file:
Add another user "Life" with a privilege level of 3
Life Cleartext-Password := "testing" Service-Type = NAS-Prompt-User,
Cisco-AVPair = "shell:priv-lvl=3"
Restart the Radius service, Now when you login to the device, User will get the level 3 privilege.
Restart the FreeRADIUS service
sudo /etc/init.d/freeradius restart
Note: The configuration of Free Radius is done on Ubuntu(Linux) Server. The commands may differ in any other Linux OS.
To verify the configuration on switch use the following commands:
1. switch# show run | in radius (Shows the radius configuration)
2. switch# show run | in aaa (Show AAA configuration)
3. switch# show startup-config Radius (Show AAA configuration in start-up configuration)
Please post comments if there are any queries and rate if useful
Hello All, We are in the process of evaluating Cisco ISE as our AAA Server. Our IA Department is wanting to know what Web Server (Apachee...???) or Services or Application Server does Cisco ISE use? The information is not jumping out at us. ...
I see there's a OVA for ISE, but not for ISE-PIC? Any specific configurations I need to make the virtual for smaller environments, i.e. under 200 device on the network per step1? Step 2, again not sure where to find a OVA unless I'm not understanding some...