config freeradius
First we configure the Cisco router for server-based AAA authentication.
We start with the basic configuration: the enable-mode password and the router's IP address:
R1(config)# enable secret cisco
R1(config)# interface fastethernet 1/0
R1(config-if)# ip address 10.1.1.254 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
Now we enable AAA on the router:
1. First we create a local username and password.
2. We enable AAA with the aaa new-model command.
3. We set the authentication methods: in this case the router authenticates against the RADIUS server and, if the server cannot be reached, falls back to its local user database as the secondary method.
4. We tell the router which interface the RADIUS server is reached through.
5. Finally, we add the RADIUS server, giving its IP address, the authentication port and the key (the shared secret between router and server).
R1(config)# username local password local
R1(config)# aaa new-model
R1(config)# aaa authentication login default group radius local
R1(config)# ip radius source-interface fastethernet 1/0
R1(config)# radius-server host 10.1.1.5 auth-port 1812 key radius
Now we configure the vty lines for remote connections. In this example the authentication method is the default list we created in the previous step:
R1(config)# line vty 0 4
R1(config-line)# login authentication default
R1(config-line)# exit
This completes the router configuration.
Now we go to the FreeRADIUS server and enter the Cisco router's details.
To do so, we open the radius database:
# mysql -u root -p radius
We insert the router's details:
mysql> INSERT INTO nas (nasname, shortname, type, secret) VALUES ('10.1.1.254', 'R1', 'cisco', 'radius');
The inserted row is shown in the screenshot.
(The previous post gives a brief explanation of each field we have just inserted.)
We restart the FreeRADIUS server:
# service freeradius restart
Everything is now ready, so from a PC we connect to the router over telnet and log in with a username and password that exist in the RADIUS server's database:
# telnet 10.1.1.254
If all goes well we can log in without problems, as the screenshot shows.
To check which sessions are open on the router, we can use the following command:
R1# show aaa sessions
It produces output like the one in the screenshot, showing, among other things, the users who are logged in and the IP address they are connecting from.
Configure
Configure a Switch for Authentication and Authorization
1. In order to create a local user on the switch with full privileges for fallback access, enter:
Switch(config)#username admin privilege 15 password 0 cisco123!
2. In order to enable AAA, enter:
switch(config)# aaa new-model
3. In order to provide the IP address of the RADIUS server as well as the key, enter:
switch# configure terminal
switch(config)# radius-server host 172.16.71.146 auth-port 1645 acct-port 1646
switch(config)# radius-server key hello123
Note: The key must match the shared secret configured on the RADIUS server for the switch.
4. In order to test RADIUS server availability, enter the test aaa command:
switch# test aaa server Radius 172.16.71.146 user1 Ur2Gd2BH
The test authentication fails with a Rejection from the server because it is not yet configured, but it will confirm that the server itself is reachable.
5. In order to configure login authentications to fall back to local users if RADIUS is unreachable, enter:
switch(config)#aaa authentication login default group radius local
6. In order to configure authorization for a privilege level of 15, as long as a user is authenticated, enter:
switch(config)#aaa authorization exec default group radius if-authenticated
FreeRADIUS Configuration
Define the Client on the FreeRADIUS Server
1. In order to navigate to the configuration directory, enter:
# cd /etc/freeradius
2. In order to edit the clients.conf file, enter:
# sudo nano clients.conf
3. In order to add each device (router/switch) identified by hostname and include the correct shared secret, enter:
client 192.168.1.1 {
        secret = secretkey
        nastype = cisco
        shortname = switch
}
4. In order to edit the users file, enter:
# sudo nano users
5. Add each user allowed to access the device. This example demonstrates how to set a Cisco IOS privilege level of 15 for the user "cisco."
cisco   Cleartext-Password := "password"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"
6. In order to restart FreeRADIUS, enter:
# sudo /etc/init.d/freeradius restart
7. In order to give every user who is a member of the cisco-rw group a privilege level of 15, change the DEFAULT entry in the users file to:
DEFAULT Group == cisco-rw, Auth-Type = System
        Service-Type = NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=15"
8. You can add other users at different privilege levels as needed in the FreeRADIUS users file. For example, this user (life) is given a level of 3 (system maintenance):
# sudo nano /etc/freeradius/users
life    Cleartext-Password := "testing"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=3"
Restart the FreeRADIUS service:
# sudo /etc/init.d/freeradius restart
Verify
In order to verify the configuration on the switch, use these commands:
switch# show run | in radius         (shows the RADIUS configuration)
switch# show run | in aaa            (shows the running AAA configuration)
switch# show startup-config Radius   (shows the AAA configuration in the startup configuration)
For this demonstration, I’m installing a new CentOS 5.2 virtual machine on my
MacBook under VMware Fusion. Installing the operating system, however, is
beyond the scope of this document. Also, we’ll just be using the local system
database for now — we’ll save SQL and LDAP (perhaps even Active Directory)
authentication for later. After we get FreeRADIUS up and running, we’ll set up
a user account and then configure a Cisco router to use RADIUS for
authentication.
Let’s begin with installing FreeRADIUS by running (as root) the following
command:
[root@bertram ~]# yum -y install freeradius
...
Complete!
[root@bertram ~]#
“yum” should have gone out, grabbed the appropriate packages and
dependencies, and installed them.
Because FreeRADIUS will need to use the local system database for
authentication, we need to set ‘user = root’ and ‘group = root’ in radiusd.conf.
This is easy enough, just open up /etc/raddb/radiusd.conf, and change the lines
that reads “user = radiusd” and “group = radiusd” to “user = root” and “group
= root”, respectively. Note that this (running our daemons as root) is almost
always something we want to avoid. Using other authentication backends, such
as SQL or LDAP, would not require this change and would allow the
FreeRADIUS service to run under the default “radiusd” unprivileged account.
Next, we need to let FreeRADIUS know about our NAS — in this case, our
Cisco router. For the sake of this demonstration, our router (R1) will have IP
address 192.168.1.201. We’ll also need a shared secret that the router and
RADIUS server use. Let’s use the ever popular “SECRET_KEY”. Add the
following to the end of /etc/raddb/clients.conf:
client 192.168.1.201 {
secret = SECRET_KEY
shortname = R1
nastype = cisco
}
Then, on the FreeRADIUS side, we need to create a user account in the local
user database that we’ll use for actually authenticating to R1. Nothing special
here, just creating a new user account and setting the password. I’ve passed
the plain-text password into “passwd” via stdin so that you can see it.
Normally, we wouldn’t do that — just run “passwd cisco” and enter the
password when prompted:
[root@bertram ~]# /usr/sbin/useradd cisco
[root@bertram ~]# echo secret | passwd --stdin cisco
Changing password for user cisco.
passwd: all authentication tokens updated successfully.
[root@bertram ~]#
We now have a local user named “cisco” with a password of “secret” that we’ll
use when it comes time to authenticate to R1. Before we can do that, however,
we must let FreeRADIUS know about the user. Append the following to
/etc/raddb/users:
cisco   Auth-Type := System
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"
This notifies FreeRADIUS of a local user account named “cisco”. Using the
“cisco-avpair” attribute in this manner allows us to automatically assign
privilege level 15 to the user, removing the requirement for the user to issue
“enable” (and the enable secret) in order to gain elevated access.
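As an added example (not code from the original post), a small Python audit of a FreeRADIUS users file in the format used above: it parses the check items on each entry's first line and the reply items on the indented lines, then reports which entries grant which IOS privilege level through Cisco-AVPair, whether they match on Group, and whether they carry a Cleartext-Password. The sample file is constructed here and mirrors the cisco, life and DEFAULT entries shown on this page.

```python
import re
# Constructed sample in FreeRADIUS "users" file syntax, modelled on the
# entries this page shows (not copied from any real deployment).
USERS_FILE = '''\
cisco   Cleartext-Password := "password"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

life    Cleartext-Password := "testing"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=3"

DEFAULT Group == cisco-rw, Auth-Type := System
        Service-Type = NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=15"
'''

# One "Attribute op value" item; longer operators are tried before plain "=".
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|!=|\+=|=)\s*("[^"]*"|[^,\s]+)')
PRIV_RE = re.compile(r'shell:priv-lvl=(\d+)')

def parse_users(text):
    """Return entries as dicts: name, check items (first line), reply items."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if line[0] not in ' \t':                    # unindented: new entry
            name, rest = (line.split(None, 1) + [''])[:2]
            cur = {'name': name, 'check': ITEM_RE.findall(rest), 'reply': []}
            entries.append(cur)
        elif cur is not None:                       # indented: reply items
            cur['reply'].extend(ITEM_RE.findall(line))
    return entries

def privilege_level(entry):
    """IOS privilege level granted via Cisco-AVPair, or None if none is set."""
    for attr, _, value in entry['reply']:
        if attr.lower() == 'cisco-avpair' and (m := PRIV_RE.search(value)):
            return int(m.group(1))

def audit(text):
    """One row per entry: who gets which level, matched how, stored how."""
    rows = []
    for e in parse_users(text):
        checks = {a.lower(): v.strip('"') for a, _, v in e['check']}
        rows.append({'name': e['name'], 'priv': privilege_level(e),
                     'group': checks.get('group'),
                     'cleartext': 'cleartext-password' in checks})
    return rows
```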
Let’s get started configuring R1. I’m going to assume that you’re starting from
a default configuration. The first thing we want to do is create a “fallback” user
account (on the router itself) that we can use to authenticate if, for some
reason, connectivity to the RADIUS server is lost. Let’s create a user named
“admin” with a password of “letmein”:
R1(config)#username admin privilege 15 secret letmein
Under normal circumstances, we’ll never use this local account — only when
the RADIUS server is unavailable.
The first thing I need to do is configure my interface on R1 and verify we can
ping the RADIUS server. Assuming you already have your router up and
running, you can likely skip this step:
R1(config)# interface fastethernet 3/0
R1(config-if)# ip address 192.168.1.201 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)#
*Mar 1 00:10:14.635: %LINK-3-UPDOWN: Interface FastEthernet3/0, changed state to up
*Mar 1 00:10:15.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0, changed state to up
R1(config-if)# do ping 192.168.1.51
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.51, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/11/24 ms
R1(config-if)#
Excellent, all set! Let’s start configuring R1 for AAA:
R1(config)# aaa new-model
R1(config)# radius-server host 192.168.1.51 auth-port 1812 acct-port 1813 key SECRET_KEY
AAA should now be enabled on R1. Note that we provided the IP address of the
RADIUS server as well as the shared secret we configured in FreeRADIUS
earlier. In addition, we must specify the “auth-port” and “acct-port” used by
FreeRADIUS, as these are different from Cisco’s defaults (1645 and 1646).
Let’s configure authentication:
R1(config)# aaa authentication login default group radius local
R1(config)# line vty 0 4
R1(config-line)# login authentication default
R1(config-line)# line con 0
R1(config-line)# login authentication default
Here, we’ve told R1 to use RADIUS for authentication and to fall back to the
local user database if the RADIUS server is not available. We don’t want to
DoS ourselves!
The following command will allow the user to run an “exec” shell when logging
into the router:
R1(config)# aaa authorization exec default group radius if-authenticated
Last, but not least, we want accounting (the final “A” in “AAA”):
R1(config)# aaa accounting exec default start-stop group radius
R1(config)# aaa accounting system default start-stop group radius
That should be enough to allow us to login with our local (Linux) system
account “cisco” that we created earlier. Let’s give it a shot:
macbook:~ jlgaddis$ telnet 192.168.1.201
Trying 192.168.1.201...
Connected to 192.168.1.201.
Escape character is '^]'.
User Access Verification
Username: cisco
Password:
R1# show ip interface brief
Interface          IP-Address      OK? Method Status                Protocol
Ethernet0/0        unassigned      YES unset  administratively down down
Ethernet0/1        unassigned      YES unset  administratively down down
Ethernet0/2        unassigned      YES unset  administratively down down
Ethernet0/3        unassigned      YES unset  administratively down down
Serial1/0          unassigned      YES unset  administratively down down
Serial1/1          unassigned      YES unset  administratively down down
Serial1/2          unassigned      YES unset  administratively down down
Serial1/3          unassigned      YES unset  administratively down down
FastEthernet3/0    192.168.1.201   YES manual up                    up
R1# exit
Connection closed by foreign host.
macbook:~ jlgaddis$
Success! We’ve installed FreeRADIUS, added a local user account, set up the
NAS client (R1) and configured it to authenticate against the RADIUS server.
Let’s take a look at what was logged by FreeRADIUS:
[root@bertram ~]# cat /var/log/radius/radacct/192.168.1.201/detail-20081119
Wed Nov 19 00:24:47 2008
	Acct-Session-Id = "00000005"
	User-Name = "cisco"
	Acct-Authentic = RADIUS
	Acct-Status-Type = Start
	NAS-Port = 130
	NAS-Port-Id = "tty130"
	NAS-Port-Type = Virtual
	Calling-Station-Id = "192.168.1.49"
	Service-Type = NAS-Prompt-User
	NAS-IP-Address = 192.168.1.201
	Acct-Delay-Time = 0
	Client-IP-Address = 192.168.1.201
	Acct-Unique-Session-Id = "31b757fca2145e79"
	Timestamp = 1227072287

Wed Nov 19 00:25:14 2008
	Acct-Session-Id = "00000005"
	User-Name = "cisco"
	Acct-Authentic = RADIUS
	Acct-Terminate-Cause = User-Request
	Acct-Session-Time = 27
	Acct-Status-Type = Stop
	NAS-Port = 130
	NAS-Port-Id = "tty130"
	NAS-Port-Type = Virtual
	Calling-Station-Id = "192.168.1.49"
	Service-Type = NAS-Prompt-User
	NAS-IP-Address = 192.168.1.201
	Acct-Delay-Time = 0
	Client-IP-Address = 192.168.1.201
	Acct-Unique-Session-Id = "31b757fca2145e79"
	Timestamp = 1227072314
[root@bertram ~]#
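As an added example (not code from the original post), a Python parser for the radacct detail format shown above: it pairs Start and Stop records by Acct-Unique-Session-Id and flags sessions with no Stop, or whose NAS-reported Acct-Session-Time disagrees with the server-side Timestamp values. The records are constructed here to mirror the excerpt; the third session (user life, never stopped) is invented for illustration.

```python
# Accounting records constructed to mirror the detail-file excerpt on this page
# (attributes trimmed to those used), plus one Start with no matching Stop.
DETAIL = (
    'Wed Nov 19 00:24:47 2008\n'
    '\tUser-Name = "cisco"\n\tAcct-Status-Type = Start\n'
    '\tCalling-Station-Id = "192.168.1.49"\n\tNAS-IP-Address = 192.168.1.201\n'
    '\tAcct-Unique-Session-Id = "31b757fca2145e79"\n\tTimestamp = 1227072287\n\n'
    'Wed Nov 19 00:25:14 2008\n'
    '\tUser-Name = "cisco"\n\tAcct-Session-Time = 27\n\tAcct-Status-Type = Stop\n'
    '\tCalling-Station-Id = "192.168.1.49"\n\tNAS-IP-Address = 192.168.1.201\n'
    '\tAcct-Unique-Session-Id = "31b757fca2145e79"\n\tTimestamp = 1227072314\n\n'
    'Wed Nov 19 00:30:00 2008\n'
    '\tUser-Name = "life"\n\tAcct-Status-Type = Start\n'
    '\tCalling-Station-Id = "192.168.1.77"\n\tNAS-IP-Address = 192.168.1.201\n'
    '\tAcct-Unique-Session-Id = "9f3e1c0a5d2b4e68"\n\tTimestamp = 1227072600\n'
)

def parse_detail(text):
    """Split a radacct detail file into records: one dict per blank-line-separated block."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():                 # blank line ends a record
            cur = None
        elif line[0] not in ' \t':           # unindented: the record's date line
            cur = {'_date': line.strip()}
            records.append(cur)
        elif cur is not None:                # indented: Attribute = value
            attr, _, value = line.strip().partition(' = ')
            cur[attr] = value.strip('"')
    return records

def correlate(records):
    """Pair Start/Stop records by Acct-Unique-Session-Id into one session each."""
    sessions = {}
    for r in records:
        s = sessions.setdefault(r['Acct-Unique-Session-Id'], {
            'user': r.get('User-Name'), 'from': r.get('Calling-Station-Id'),
            'nas': r.get('NAS-IP-Address'), 'start': None, 'stop': None, 'seconds': None})
        if r.get('Acct-Status-Type') == 'Start':
            s['start'] = int(r['Timestamp'])
        elif r.get('Acct-Status-Type') == 'Stop':
            s['stop'] = int(r['Timestamp'])
            s['seconds'] = int(r.get('Acct-Session-Time', 0))
    return sessions

def anomalies(sessions, slack=2):
    """Sessions still open (Start without Stop), and closed sessions whose
    NAS-reported Acct-Session-Time disagrees with the server-side timestamps."""
    still_open = sorted(sid for sid, s in sessions.items() if s['stop'] is None)
    bad_time = sorted(sid for sid, s in sessions.items() if None not in (s['start'], s['stop'])
                      and abs(s['stop'] - s['start'] - s['seconds']) > slack)
    return still_open, bad_time
```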