config freeradius


Upload: cesar-castro

Post on 19-Jan-2016


Page 1: Config Freeradius

First, we configure the Cisco router for server-based AAA authentication:

We start with the basic configuration: the enable-mode password and the router's IP address:

R1(config)# enable secret cisco
R1(config)# interface fastethernet 1/0
R1(config-if)# ip address 10.1.1.254 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit

Now we enable AAA on the router. To do so:

1. First, create a username and password.
2. Enable AAA with the aaa new-model command.
3. Define the authentication methods: here we authenticate against the RADIUS server and, if no connection to the server can be established, fall back to the router's local database as the secondary method.
4. Specify the interface the RADIUS server is connected to.
5. Finally, add the RADIUS server, giving its IP address, the authentication port and the key (the secret shared with the server).

R1(config)# username local password local
R1(config)# aaa new-model
R1(config)# aaa authentication login default group radius local
R1(config)# ip radius source-interface fastethernet 1/0
R1(config)# radius-server host 10.1.1.5 auth-port 1812 key radius

Now we configure the vty lines for remote connections. In the example, the authentication method is the default list we created in the previous step:

R1(config)# line vty 0 4
R1(config-line)# login authentication default
R1(config-line)# exit

That completes the configuration on the router.

Now we go to the FreeRADIUS server and enter the Cisco router's details:

To do so, we open the radius database:


# mysql -u root -p radius

Insert the router's details:

mysql> INSERT INTO nas (nasname, shortname, type, secret) VALUES ('10.1.1.254', 'R1', 'cisco', 'radius');

As shown in the image:

(The previous post gives a brief explanation of each field we have just inserted.)

Restart the FreeRADIUS server:

# service freeradius restart

Everything is now ready, so from a PC we connect to the router over telnet and log in with a username and password that we have entered in the RADIUS server's database:

# telnet 10.1.1.254

If all goes well we can log in without problems, as shown in the image:

To check which sessions are open on the router, we can use the following command:

R1# show aaa sessions

It shows output similar to the image, listing, among other data, the users that have a session open and the IP address they connect from:

Configure

Configure a Switch for Authentication and Authorization

1. In order to create a local user on the switch with full privileges for fallback access, enter: 

Switch(config)#username admin privilege 15 password 0 cisco123!

2. In order to enable AAA, enter:

switch(config)# aaa new-model

3. In order to provide the IP address of the RADIUS server as well as the key, enter:

switch# configure terminal
switch(config)#radius-server host 172.16.71.146 auth-port 1645 acct-port 1646
switch(config)#radius-server key hello123

Note: The key must match the shared secret configured on the RADIUS server for the switch.

4. In order to test RADIUS server availability, enter the test aaa command:

switch# test aaa server Radius 172.16.71.146 user1 Ur2Gd2BH

The test authentication fails with a Rejection from the server because it is not yet configured, but it will confirm that the server itself is reachable.


5. In order to configure login authentications to fall back to local users if RADIUS is unreachable, enter:

switch(config)#aaa authentication login default group radius local

6. In order to configure authorization for a privilege level of 15, as long as a user is authenticated, enter:

switch(config)#aaa authorization exec default group radius if-authenticated

FreeRADIUS Configuration

Define the Client on the FreeRADIUS Server

1. In order to navigate to the configuration directory, enter:

# cd /etc/freeradius

2. In order to edit the clients.conf file, enter:

# sudo nano clients.conf

3. In order to add each device (router/switch) identified by hostname and include the correct shared secret, enter:

client 192.168.1.1 {
    secret = secretkey
    nastype = cisco
    shortname = switch
}

4. In order to edit the users file, enter:

# sudo nano users

5. Add each user allowed to access the device. This example demonstrates how to set a Cisco IOS privilege level of 15 for the user "cisco."

cisco   Cleartext-Password := "password"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

6. In order to restart FreeRADIUS, enter:

# sudo /etc/init.d/freeradius restart

7. In order to change the DEFAULT entry in the users file so that all users who are members of cisco-rw receive a privilege level of 15, enter:


DEFAULT Group == cisco-rw, Auth-Type = System
        Service-Type = NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=15"

8. You can add other users at different privilege levels as needed in the FreeRADIUS users file. For example, this user (life) is given a level of 3 (system maintenance):

sudo nano /etc/freeradius/users

life    Cleartext-Password := "testing"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=3"

Restart the FreeRADIUS service:

sudo /etc/init.d/freeradius restart

Verify

In order to verify the configuration on the switch, use these commands:

switch# show run | in radius (Show the RADIUS configuration)
switch# show run | in aaa (Show the running AAA configuration)
switch# show startup-config Radius (Show the AAA configuration in the start-up configuration)

For this demonstration, I’m installing a new CentOS 5.2 virtual machine on my MacBook under VMware Fusion. Installing the operating system, however, is beyond the scope of this document. Also, we’ll just be using the local system database for now — we’ll save SQL and LDAP (perhaps even Active Directory) authentication for later. After we get FreeRADIUS up and running, we’ll set up a user account and then configure a Cisco router to use RADIUS for authentication.

Let’s begin with installing FreeRADIUS by running (as root) the following command:

[root@bertram ~]# yum -y install freeradius
...
Complete!
[root@bertram ~]#

“yum” should have gone out, grabbed the appropriate packages and dependencies, and installed them.

Because FreeRADIUS will need to use the local system database for authentication, we need to set ‘user = root’ and ‘group = root’ in radiusd.conf. This is easy enough, just open up /etc/raddb/radiusd.conf, and change the lines that read “user = radiusd” and “group = radiusd” to “user = root” and “group = root”, respectively. Note that this (running our daemons as root) is almost always something we want to avoid. Using other authentication backends, such as SQL or LDAP, would not require this change and would allow the FreeRADIUS service to run under the default “radiusd” unprivileged account.

Next, we need to let FreeRADIUS know about our NAS — in this case, our Cisco router. For the sake of this demonstration, our router (R1) will have IP address 192.168.1.201. We’ll also need a shared secret that the router and RADIUS server use. Let’s use the ever popular “SECRET_KEY”. Add the following to the end of /etc/raddb/clients.conf:

client 192.168.1.201 {
    secret = SECRET_KEY
    shortname = R1
    nastype = cisco
}

Then, on the FreeRADIUS side, we need to create a user account in the local user database that we’ll use for actually authenticating to R1. Nothing special here, just creating a new user account and setting the password. I’ve passed the plain-text password into “passwd” via stdin so that you can see it. Normally, we wouldn’t do that — just run “passwd cisco” and enter the password when prompted:

[root@bertram ~]# /usr/sbin/useradd cisco
[root@bertram ~]# echo secret | passwd --stdin cisco
Changing password for user cisco.
passwd: all authentication tokens updated successfully.
[root@bertram ~]#

We now have a local user named “cisco” with a password of “secret” that we’ll use when it comes time to authenticate to R1. Before we can do that, however, we must let FreeRADIUS know about the user. Append the following to /etc/raddb/users:

cisco   Auth-Type := System
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"

This notifies FreeRADIUS of a local user account named “cisco”. Using the “cisco-avpair” attribute in this manner allows us to automatically assign privilege level 15 to the user, removing the requirement for the user to issue “enable” (and the enable secret) in order to gain elevated access.

Let’s get started configuring R1. I’m going to assume that you’re starting from a default configuration. The first thing we want to do is create a “fallback” user account (on the router itself) that we can use to authenticate if, for some reason, connectivity to the RADIUS server is lost. Let’s create a user named “admin” with a password of “letmein”:

R1(config)#username admin privilege 15 secret letmein


Under normal circumstances, we’ll never use this local account — only when the RADIUS server is unavailable.

The first thing I need to do is configure my interface on R1 and verify we can ping the RADIUS server. Assuming you already have your router up and running, you can likely skip this step:

R1(config)# interface fastethernet 3/0
R1(config-if)# ip address 192.168.1.201 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)#
*Mar 1 00:10:14.635: %LINK-3-UPDOWN: Interface FastEthernet3/0, changed state to up
*Mar 1 00:10:15.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0, changed state to up
R1(config-if)# do ping 192.168.1.51
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.51, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/11/24 ms
R1(config-if)#


Excellent, all set! Let’s start configuring R1 for AAA:

R1(config)# aaa new-model
R1(config)# radius-server host 192.168.1.51 auth-port 1812 acct-port 1813 key SECRET_KEY

AAA should now be enabled on R1. Note that we provided the IP address of the RADIUS server as well as the shared secret we configured in FreeRADIUS earlier. In addition, we must specify the “auth-port” and “acct-port” used by FreeRADIUS, as these are different from Cisco’s defaults (1645 and 1646).
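To show why the key given to R1 must match the one in clients.conf, here is an added example (not from the post) of the two places RFC 2865 uses that shared secret: hiding User-Password in the Access-Request and computing the Response Authenticator the NAS checks on the reply. The packet identifier, attributes and the password "secret" are constructed for the demo; the key is the page's SECRET_KEY.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo values: the key from the page's clients.conf, plus RADIUS code and
# attribute numbers from RFC 2865 (Access-Accept = 2, Service-Type = 6, NAS-Prompt = 7).
SECRET = b"SECRET_KEY"
ACCESS_ACCEPT = 2
SERVICE_TYPE, NAS_PROMPT_USER = 6, 7

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    """Type-Length-Value encoding of a list of (type, value) RADIUS attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def nas_accepts_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The NAS recomputes the Response Authenticator with its own key and compares."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])

def login_exchange(nas_secret: bytes, server_secret: bytes):
    """Simulate R1 ('cisco' / 'secret') against the server, each side using its own key.
    Returns (password as the server decoded it, whether R1 accepts the Access-Accept)."""
    req_auth = os.urandom(16)                      # Request Authenticator: fresh per request
    hidden = hide_password(b"secret", nas_secret, req_auth)
    seen_by_server = reveal_password(hidden, server_secret, req_auth)
    # Server answers Access-Accept carrying Service-Type = NAS-Prompt-User, as the users file sets.
    attrs = encode_attrs([(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER))])
    resp_auth = response_authenticator(ACCESS_ACCEPT, 5, attrs, req_auth, server_secret)
    reply = struct.pack("!BBH", ACCESS_ACCEPT, 5, 20 + len(attrs)) + resp_auth + attrs
    return seen_by_server, nas_accepts_reply(reply, req_auth, nas_secret)
```

With a mismatched key the server recovers garbage instead of "secret", and R1 discards the reply because the Response Authenticator no longer verifies.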

Let’s configure authentication:

R1(config)# aaa authentication login default group radius local
R1(config)# line vty 0 4
R1(config-line)# login authentication default
R1(config-line)# line con 0
R1(config-line)# login authentication default

Here, we’ve told R1 to use RADIUS for authentication and to fall back to the local user database if the RADIUS server is not available. We don’t want to DoS ourselves!

The following command will allow the user to run an “exec” shell when logging into the router:

R1(config)# aaa authorization exec default group radius if-authenticated

Last, but not least, we want accounting (the final “A” in “AAA”):


R1(config)# aaa accounting exec default start-stop group radius
R1(config)# aaa accounting system default start-stop group radius

That should be enough to allow us to login with our local (Linux) system account “cisco” that we created earlier. Let’s give it a shot:

macbook:~ jlgaddis$ telnet 192.168.1.201
Trying 192.168.1.201...
Connected to 192.168.1.201.
Escape character is '^]'.

User Access Verification

Username: cisco
Password:
R1# show ip interface brief
Interface          IP-Address      OK? Method Status                Protocol
Ethernet0/0        unassigned      YES unset  administratively down down
Ethernet0/1        unassigned      YES unset  administratively down down
Ethernet0/2        unassigned      YES unset  administratively down down
Ethernet0/3        unassigned      YES unset  administratively down down
Serial1/0          unassigned      YES unset  administratively down down
Serial1/1          unassigned      YES unset  administratively down down
Serial1/2          unassigned      YES unset  administratively down down
Serial1/3          unassigned      YES unset  administratively down down
FastEthernet3/0    192.168.1.201   YES manual up                    up
R1# exit
Connection closed by foreign host.
macbook:~ jlgaddis$


Success! We’ve installed FreeRADIUS, added a local user account, set up the NAS client (R1) and configured it to authenticate against the RADIUS server. Let’s take a look at what was logged by FreeRADIUS:

[root@bertram ~]# cat /var/log/radius/radacct/192.168.1.201/detail-20081119
Wed Nov 19 00:24:47 2008
	Acct-Session-Id = "00000005"
	User-Name = "cisco"
	Acct-Authentic = RADIUS
	Acct-Status-Type = Start
	NAS-Port = 130
	NAS-Port-Id = "tty130"
	NAS-Port-Type = Virtual
	Calling-Station-Id = "192.168.1.49"
	Service-Type = NAS-Prompt-User
	NAS-IP-Address = 192.168.1.201
	Acct-Delay-Time = 0
	Client-IP-Address = 192.168.1.201
	Acct-Unique-Session-Id = "31b757fca2145e79"
	Timestamp = 1227072287

Wed Nov 19 00:25:14 2008
	Acct-Session-Id = "00000005"
	User-Name = "cisco"
	Acct-Authentic = RADIUS
	Acct-Terminate-Cause = User-Request
	Acct-Session-Time = 27
	Acct-Status-Type = Stop
	NAS-Port = 130
	NAS-Port-Id = "tty130"
	NAS-Port-Type = Virtual
	Calling-Station-Id = "192.168.1.49"
	Service-Type = NAS-Prompt-User
	NAS-IP-Address = 192.168.1.201
	Acct-Delay-Time = 0
	Client-IP-Address = 192.168.1.201
	Acct-Unique-Session-Id = "31b757fca2145e79"
	Timestamp = 1227072314

[root@bertram ~]#
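As an added example (not from the post), the script below parses this detail-file format, pairs Start and Stop records by NAS and Acct-Session-Id, and reports who logged in from where and for how long, plus any Start that never received a Stop (a session still open, or a Stop the NAS never delivered, worth reconciling against show aaa sessions). The sample input is constructed from the records above plus one extra open session for "admin".

```python
import re

# Constructed sample in the detail-file format shown above: the page's Start/Stop
# pair for "cisco" plus one Start record (admin) that never received a Stop.
SAMPLE_DETAIL = """\
Wed Nov 19 00:24:47 2008
\tAcct-Session-Id = "00000005"
\tUser-Name = "cisco"
\tAcct-Status-Type = Start
\tCalling-Station-Id = "192.168.1.49"
\tNAS-IP-Address = 192.168.1.201
\tTimestamp = 1227072287

Wed Nov 19 00:25:14 2008
\tAcct-Session-Id = "00000005"
\tUser-Name = "cisco"
\tAcct-Session-Time = 27
\tAcct-Status-Type = Stop
\tCalling-Station-Id = "192.168.1.49"
\tNAS-IP-Address = 192.168.1.201
\tTimestamp = 1227072314

Wed Nov 19 01:02:03 2008
\tAcct-Session-Id = "00000006"
\tUser-Name = "admin"
\tAcct-Status-Type = Start
\tCalling-Station-Id = "192.168.1.77"
\tNAS-IP-Address = 192.168.1.201
\tTimestamp = 1227074523
"""
# Attribute line: leading whitespace, name, '=', value with optional quotes.
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_detail(text):
    """Return one dict per record; a blank line ends a record, date lines are skipped."""
    records, current = [], {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif not line.strip() and current:
            records.append(current)
            current = {}
    return records + ([current] if current else [])

def summarize_sessions(text):
    """Pair Start/Stop by (NAS, Acct-Session-Id); return (closed, still_open) lists."""
    sessions = {}
    for rec in parse_detail(text):
        key = (rec.get("NAS-IP-Address"), rec.get("Acct-Session-Id"))
        s = sessions.setdefault(key, {"user": rec.get("User-Name"), "nas": key[0],
                                      "from": rec.get("Calling-Station-Id"), "stop": None})
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            s["start"] = int(rec["Timestamp"])
        elif status == "Stop":
            s["stop"] = int(rec["Timestamp"])
            s["duration"] = int(rec.get("Acct-Session-Time", 0))
    closed = [s for s in sessions.values() if s["stop"] is not None]
    return closed, [s for s in sessions.values() if s["stop"] is None]
```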

Switch Configuration - Authentication and Authorization

1. Create a local user on the switch with full privileges for fallback, using the username command as shown here:

Switch(config)#username admin privilege 15 password 0 cisco123!

2. Enable AAA. By default, AAA is disabled on IOS.

switch(config)# aaa new-model

3. Provide the IP address of the RADIUS server (FreeRADIUS) and the key:

switch# configure terminal
switch(config)#radius-server host 172.16.71.146 auth-port 1645 acct-port 1646
switch(config)#radius-server key hello123

Note: The key must match the shared secret configured on the FreeRADIUS server for this switch.

4. Test the RADIUS server availability with the test aaa command as shown:


switch# test aaa server Radius 172.16.71.146 user1 Ur2Gd2BH

The test authentication will fail with a Reject from the server since it is not yet configured; however, it confirms that the server is reachable.

5. Configure login authentication as shown here. This command configures the switch to use RADIUS for authentication at the login prompt; if RADIUS returns an error, the user is authenticated using the local database.

switch(config)#aaa authentication login default group radius local

Note: The local keyword provides the fallback if the RADIUS server is unreachable.

6. Configure authorization for privilege level 15. This command queries the RADIUS database for information used during EXEC authorization, such as autocommands and privilege levels, but only provides authorization if the user has successfully authenticated.

switch(config)#aaa authorization exec default group radius if-authenticated

Configuration on the FreeRADIUS Server

Defining the client on the FreeRADIUS server:

Move to the config directory:

cd /etc/freeradius

Edit the clients.conf file:

sudo nano clients.conf

Add each device (router or switch), identified by its hostname, together with its secret key:

client 192.168.1.1 {
    secret = secretkey
    nastype = cisco
    shortname = switch
}

Add each user that is allowed to access the device inside the users file:

sudo nano users

Creating a user on FreeRADIUS: we add the user cisco with a privilege level of 15:

cisco   Cleartext-Password := "password"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"


Restart the FreeRADIUS service:

sudo /etc/init.d/freeradius restart

Push the entry below; the user on the IOS device will get privilege level 15. This applies to all users who are members of the group cisco-rw:

DEFAULT Group == cisco-rw, Auth-Type = System
        Service-Type = NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=15"

After pushing shell priv-lvl 15, the user gets privilege level 15 access.

User-based privilege: if you want a user on the FreeRADIUS server to log in and get privilege level 3:

Create a new user with privilege level 3.

Edit the /etc/freeradius/users file:

sudo nano /etc/freeradius/users

Add another user "Life" with a privilege level of 3:

Life    Cleartext-Password := "testing"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=3"

Restart the RADIUS service. Now when you log in to the device, the user gets privilege level 3.

Restart the FreeRADIUS service:

sudo /etc/init.d/freeradius restart

Note: The FreeRADIUS configuration was done on an Ubuntu (Linux) server. The commands may differ on other Linux distributions.

Verification

To verify the configuration on the switch, use the following commands:

1. switch# show run | in radius (Shows the RADIUS configuration)

2. switch# show run | in aaa (Shows the AAA configuration)

3. switch# show startup-config Radius (Shows the AAA configuration in the start-up configuration)

Please post comments if there are any queries and rate if useful
