First we configure the Cisco router for server-based AAA authentication.

We start with the basics: the enable password and the router's IP address:

R1(config)# enable secret cisco
R1(config)# interface fastethernet 1/0
R1(config-if)# ip address 10.1.1.254 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit

Now we enable AAA on the router:

1. First create a local username and password.
2. Enable AAA with the aaa new-model command.
3. Define the authentication methods: here we authenticate against the RADIUS server and, if no connection to the server can be established, fall back to the router's local user database. Note that the fallback is used only when the server does not answer; an Access-Reject from the server is a final answer and the local database is not consulted.
4. Set the interface whose address the router uses as the source of its RADIUS packets. This address must match the nasname we register on the server below, because FreeRADIUS identifies the client by the source IP of the request.
5. Finally, add the RADIUS server, giving its IP, the authentication port and the key (the shared secret the router and the server both know).

R1(config)# username local password local
R1(config)# aaa new-model
R1(config)# aaa authentication login default group radius local
R1(config)# ip radius source-interface fastethernet 1/0
R1(config)# radius-server host 10.1.1.5 auth-port 1812 key radius

Next we configure the vty lines for remote connections; in the example the authentication method is the default list created above:

R1(config)# line vty 0 4
R1(config-line)# login authentication default
R1(config-line)# exit

That completes the router side. Now we go to the FreeRADIUS server and enter the Cisco router's data. Open the radius database:

# mysql -u root -p radius

Insert the router's data (string values must be quoted):

mysql> INSERT INTO nas (nasname, shortname, type, secret) VALUES ('10.1.1.254', 'R1', 'cisco', 'radius');

(The previous post has a short explanation of each field we just inserted.)
Restart the FreeRADIUS server:

# service freeradius restart

Everything is ready, so from a PC we try to reach the router over telnet and log in with a username and password that we have added to the RADIUS server's database:

# telnet 10.1.1.254

If all goes well we can log in without problems. (Telnet sends the credentials in clear text; the same login method list applies to SSH sessions on the vty lines.)

To see which sessions are open on the router we can use the following command:

R1# show aaa sessions

The output lists, among other data, the users who are logged in and the IP address they are connecting from.
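What the shared secret ("radius" in the configuration above) actually does is easier to see on the wire. The following is an added example, not code from the original post: a PAP Access-Request / Access-Accept exchange between a NAS and a RADIUS server implemented from RFC 2865 with the Python standard library only. The secret hides the User-Password in the request and signs the server's reply, so a router and a server configured with different secrets cannot complete a login. The Message-Authenticator attribute (RFC 2869) is omitted for brevity, and the user database and addresses are constructed.

```python
# Added example (not from the original post): a PAP Access-Request /
# Access-Accept exchange between a NAS and a RADIUS server, implemented from
# RFC 2865 with the standard library only. It shows what the shared secret
# does: it hides the User-Password in the request and signs the server's
# reply. Message-Authenticator (RFC 2869) is omitted for brevity.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def attr(atype, value):
    """One Type-Length-Value attribute (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous block); the first block is keyed by the Request
    Authenticator, so the same password looks different in every request."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; with the wrong secret this yields garbage."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def access_request(user, password, secret, nas_ip, ident=1):
    """NAS side: build the request; returns (packet, request_authenticator)."""
    req_auth = os.urandom(16)
    attrs = [attr(USER_NAME, user.encode()),
             attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
             attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_reply(request, secret, user_db):
    """Server side: recover the password with its own copy of the secret,
    decide Accept/Reject, and sign the reply with the Response Authenticator
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs, pos = request[4:20], {}, 20
    while pos < length:
        atype, alen = request[pos], request[pos + 1]
        attrs[atype] = request[pos + 2:pos + alen]
        pos += alen
    user = attrs[USER_NAME].decode()
    pw = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if user_db.get(user, "").encode() == pw else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)   # reply carries no attributes
    resp_auth = hashlib.md5(header + req_auth + secret).digest()
    return header + resp_auth


def verify_reply(reply, req_auth, secret):
    """NAS side: recompute the Response Authenticator. A reply produced with a
    different secret fails here and the NAS discards it, which it reports as
    a timeout rather than a reject. Returns (authentic, code)."""
    code, _, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    return reply[4:20] == expected, code


def login(user, password, nas_secret, server_secret, user_db):
    """Whole exchange; returns 'accept', 'reject' or 'discarded'."""
    req, req_auth = access_request(user, password, nas_secret, "10.1.1.254")
    reply = server_reply(req, server_secret, user_db)
    ok, code = verify_reply(reply, req_auth, nas_secret)
    if not ok:
        return "discarded"
    return "accept" if code == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    db = {"cisco": "secret"}  # constructed user database
    print(login("cisco", "secret", b"radius", b"radius", db))  # accept
    print(login("cisco", "wrong", b"radius", b"radius", db))   # reject
    print(login("cisco", "secret", b"radius", b"typo", db))    # discarded
```

The third call is the case that bites in practice: with mismatched secrets the server still answers (with a Reject, since it decrypted the password with the wrong key), but the router throws the reply away because the Response Authenticator does not verify, so from the router's point of view the server simply never responded and the local fallback kicks in.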
Configure a Switch for Authentication and Authorization

1. In order to create a local user on the switch with full privileges for fallback access, enter:

Switch(config)#username admin privilege 15 password 0 cisco123!

(password 0 stores the password in clear text in the configuration; username admin privilege 15 secret ... stores a hash instead and is the better choice for a fallback account.)

2. In order to enable AAA, enter:

switch(config)# aaa new-model

3. In order to provide the IP address of the RADIUS server as well as the key, enter:

switch# configure terminal
switch(config)#radius-server host 172.16.71.146 auth-port 1645 acct-port 1646
switch(config)#radius-server key hello123

Note: The key must match the shared secret configured on the RADIUS server for the switch. FreeRADIUS listens on 1812/1813 by default, so either use auth-port 1812 acct-port 1813 here or make FreeRADIUS listen on the 1645/1646 ports given above.

4. In order to test RADIUS server availability, enter the test aaa command:
switch# test aaa server Radius 172.16.71.146 user1 Ur2Gd2BH
The test authentication fails with a Reject from the server because the user is not yet configured, but a Reject confirms that the server is reachable and accepts the switch as a client. If the test times out instead, the server either ignored the request (FreeRADIUS silently drops packets from clients not listed in its configuration) or answered with a different shared secret, in which case the switch discards the reply because its Response Authenticator does not verify.

5. In order to configure login authentication to fall back to local users if RADIUS is unreachable, enter:

switch(config)#aaa authentication login default group radius local

The local keyword is a fallback only: it is used when no server in the RADIUS group answers, not when a server returns Access-Reject.

6. In order to let RADIUS set the EXEC privilege level (15 in this example) for users that have authenticated successfully, enter:

switch(config)#aaa authorization exec default group radius if-authenticated

The if-authenticated keyword means that when RADIUS cannot be reached for authorization, a user who has already authenticated (for example against the local fallback account) is still granted an EXEC shell.

FreeRADIUS Configuration

Define the Client on the FreeRADIUS Server

(These steps were done on an Ubuntu server; paths and service commands may differ on other distributions.)

1. In order to navigate to the configuration directory, enter:
# cd /etc/freeradius

2. In order to edit the clients.conf file, enter:

# sudo nano clients.conf

3. In order to add each device (router/switch), identified by its IP address or hostname, together with the shared secret it uses, enter:

client 192.168.1.1 {
        secret    = secretkey
        nastype   = cisco
        shortname = switch
}

4. In order to edit the users file, enter:
# sudo nano users

5. Add each user allowed to access the device. This example shows how to set a Cisco IOS privilege level of 15 for the user "cisco". Check items go on the first line; reply items go on the indented lines that follow, separated by commas:

cisco   Cleartext-Password := "password"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

6. In order to restart FreeRADIUS, enter:

# sudo /etc/init.d/freeradius restart

7. In order to give every user who is a member of the cisco-rw group privilege level 15 without a per-user entry, add a DEFAULT entry to the users file:

DEFAULT Group == cisco-rw, Auth-Type = System
        Service-Type = NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=15"

8. You can add other users at different privilege levels as needed in the FreeRADIUS users file. For example, this user (life) is given level 3. IOS predefines only levels 0, 1 and 15, so the commands available at level 3 have to be assigned on the device with privilege exec level 3 <command>:
sudo nano /etc/freeradius/users

life    Cleartext-Password := "testing"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=3"

Restart the FreeRADIUS service:

sudo /etc/init.d/freeradius restart
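How an entry in the users file turns into a privilege level on the switch is worth seeing end to end. The following is an added example, not code from the original document or from FreeRADIUS itself: a small parser for users entries like the ones above (it also covers the Auth-Type := System entry further down the page) that resolves which reply a user gets, and the encoder/decoder for the Cisco-AVPair vendor-specific attribute (VSA) that carries shell:priv-lvl to the switch. The users text is constructed from the page's entries; group membership is supplied by the caller instead of being read from /etc/group as FreeRADIUS would, Auth-Type is not evaluated, and Fall-Through is not modelled (first matching entry wins).

```python
# Added example (not from the original document): resolve a FreeRADIUS
# `users` entry to its reply attributes, then encode Cisco-AVPair as the
# Vendor-Specific attribute the switch parses into its EXEC privilege level.
# The users text is constructed from the page's entries; group membership is
# caller-supplied and Fall-Through is not modelled.
import re
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # vendor type of Cisco-AVPair

USERS_FILE = '''\
cisco   Cleartext-Password := "password"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

life    Cleartext-Password := "testing"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=3"

DEFAULT Group == cisco-rw, Auth-Type = System
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair := "shell:priv-lvl=15"
'''

PAIR = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)\s*,?')


def pairs(text):
    return [(a, op, v.strip('"')) for a, op, v in PAIR.findall(text)]


def parse_users(text):
    """Return [(name, check_items, reply_items)] in file order: the first line
    of an entry carries the name and check items, indented lines reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            entries[-1][2].extend(pairs(line))
        else:
            name, _, rest = line.partition(" ")
            entries.append((name, pairs(rest), []))
    return entries


def reply_for(entries, username, password, groups=()):
    """Reply attributes of the first entry whose name (or DEFAULT) and check
    items match; None means Access-Reject. Auth-Type is a control item that
    selects the backend, so it is not evaluated here."""
    for name, checks, replies in entries:
        if name not in (username, "DEFAULT"):
            continue
        matched = True
        for item, _, value in checks:
            if item == "Cleartext-Password":
                matched = matched and password == value
            elif item == "Group":
                matched = matched and value in groups
        if matched:
            return {item: value for item, _, value in replies}
    return None


def encode_cisco_avpair(text):
    """Vendor-Specific(26) { vendor-id 9, vendor-type 1, string } on the wire."""
    data = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    payload = struct.pack("!I", CISCO_VENDOR_ID) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, len(payload) + 2) + payload


def priv_lvl_from_vsa(attribute):
    """What the switch does with the reply: return the level carried in a
    Cisco-AVPair "shell:priv-lvl=N", or None for any other attribute."""
    if len(attribute) < 8 or attribute[0] != VENDOR_SPECIFIC:
        return None
    vendor_id = struct.unpack("!I", attribute[2:6])[0]
    vtype, vlen = attribute[6], attribute[7]
    if vendor_id != CISCO_VENDOR_ID or vtype != CISCO_AVPAIR:
        return None
    match = re.fullmatch(r"shell:priv-lvl=(\d+)", attribute[8:6 + vlen].decode())
    return int(match.group(1)) if match else None


def privilege_for(username, password, groups=()):
    """End to end: users file -> reply -> VSA bytes -> level seen by the NAS."""
    reply = reply_for(parse_users(USERS_FILE), username, password, groups)
    if reply is None or "Cisco-AVPair" not in reply:
        return None
    return priv_lvl_from_vsa(encode_cisco_avpair(reply["Cisco-AVPair"]))
```

privilege_for("cisco", "password") resolves to 15 and privilege_for("life", "testing") to 3, while a user with no entry of their own gets 15 only when the caller reports them as a member of cisco-rw; anyone else gets None, i.e. a Reject. The point of the VSA round trip is that the privilege level is decided entirely on the server: the switch never sees the users file, only a Vendor-Specific attribute it trusts because the reply was signed with the shared secret.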
Verify

In order to verify the configuration on the switch, use these commands:

switch# show run | in radius                (show the running RADIUS configuration)
switch# show run | in aaa                   (show the running AAA configuration)
switch# show startup-config | in radius     (show the RADIUS lines saved in the startup configuration)
For this demonstration, I'm installing a new CentOS 5.2 virtual machine on my MacBook under VMware Fusion. Installing the operating system, however, is beyond the scope of this document. Also, we'll just be using the local system database for now; we'll save SQL and LDAP (perhaps even Active Directory) authentication for later. After we get FreeRADIUS up and running, we'll set up a user account and then configure a Cisco router to use RADIUS for authentication.

Let's begin by installing FreeRADIUS, running the following command as root:

[root@bertram ~]# yum -y install freeradius
...
Complete!
[root@bertram ~]#

yum should have gone out, grabbed the appropriate packages and dependencies, and installed them.

Because FreeRADIUS will need to use the local system database for authentication (the unix module has to read /etc/shadow), we need to set user = root and group = root in radiusd.conf. This is easy enough: open /etc/raddb/radiusd.conf and change the lines that read user = radiusd and group = radiusd to user = root and group = root, respectively. Note that running our daemons as root is almost always something we want to avoid: any bug in a service that listens on the network then runs with full privileges. Using other authentication backends, such as SQL or LDAP, would not require this change and would allow the FreeRADIUS service to run under the default unprivileged radiusd account.

Next, we need to let FreeRADIUS know about our NAS, in this case our Cisco router. For the sake of this demonstration, our router (R1) will have IP address 192.168.1.201. We'll also need a shared secret that the router and RADIUS server use. Let's use the ever popular SECRET_KEY. Add the following to the end of /etc/raddb/clients.conf:

client 192.168.1.201 {
        secret    = SECRET_KEY
        shortname = R1
        nastype   = cisco
}

Then, on the FreeRADIUS side, we need to create a user account in the local user database that we'll use for actually authenticating to R1. Nothing special here, just creating a new user account and setting the password.
I've passed the plain-text password to passwd via stdin so that you can see it. Normally we wouldn't do that (it also lands in the shell history); just run passwd cisco and enter the password when prompted:

[root@bertram ~]# /usr/sbin/useradd cisco
[root@bertram ~]# echo secret | passwd --stdin cisco
Changing password for user cisco.
passwd: all authentication tokens updated successfully.
[root@bertram ~]#

We now have a local user named cisco with a password of secret that we'll use when it comes time to authenticate to R1. Before we can do that, however, we must let FreeRADIUS know about the user. Append the following to /etc/raddb/users:

cisco   Auth-Type := System
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"

This tells FreeRADIUS to check a user named cisco against the local system account database. Using the cisco-avpair attribute in this manner automatically assigns privilege level 15 to the user, removing the requirement for the user to issue enable (and know the enable secret) in order to gain elevated access.

Let's get started configuring R1. I'm going to assume that you're starting from a default configuration. The first thing we want to do is create a fallback user account (on the router itself) that we can use to authenticate if, for some reason, connectivity to the RADIUS server is lost. Let's create a user named admin with a password of letmein:

R1(config)#username admin privilege 15 secret letmein

Under normal circumstances we'll never use this local account, only when the RADIUS server is unavailable. Next I need to configure my interface on R1 and verify we can ping the RADIUS server.
Assuming you already have your router up and running, you can likely skip this step:

R1(config)# interface fastethernet 3/0
R1(config-if)# ip address 192.168.1.201 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)#
*Mar  1 00:10:14.635: %LINK-3-UPDOWN: Interface FastEthernet3/0, changed state to up
*Mar  1 00:10:15.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0, changed state to up
R1(config-if)# do ping 192.168.1.51
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.51, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/11/24 ms
R1(config-if)#

Excellent, all set! Let's start configuring R1 for AAA:

R1(config)# aaa new-model
R1(config)# radius-server host 192.168.1.51 auth-port 1812 acct-port 1813 key SECRET_KEY

AAA should now be enabled on R1. Note that we provided the IP address of the RADIUS server as well as the shared secret we configured in FreeRADIUS earlier. In addition, we must specify the auth-port and acct-port used by FreeRADIUS (1812 and 1813), as these differ from Cisco's defaults (1645 and 1646). Let's configure authentication:

R1(config)# aaa authentication login default group radius local
R1(config)# line vty 0 4
R1(config-line)# login authentication default
R1(config-line)# line con 0
R1(config-line)# login authentication default

Here we've told R1 to use RADIUS for authentication and to fall back to the local user database if the RADIUS server is not available. We don't want to DoS ourselves! The fallback applies only when the server does not respond; a reject from the server is final and local is not tried. The following command allows the user to run an EXEC shell when logging into the router, and lets the RADIUS reply set the privilege level:

R1(config)# aaa authorization exec default group radius if-authenticated

Last, but not least, we want accounting (the final A in AAA):

R1(config)# aaa accounting exec default start-stop group radius
R1(config)# aaa accounting system default start-stop group radius

That should be enough to allow us to log in with the local (Linux) system account cisco that we created earlier.
Let's give it a shot:

macbook:~ jlgaddis$ telnet 192.168.1.201
Trying 192.168.1.201...
Connected to 192.168.1.201.
Escape character is '^]'.

User Access Verification

Username: cisco
Password:

R1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            unassigned      YES unset  administratively down down
Ethernet0/1            unassigned      YES unset  administratively down down
Ethernet0/2            unassigned      YES unset  administratively down down
Ethernet0/3            unassigned      YES unset  administratively down down
Serial1/0              unassigned      YES unset  administratively down down
Serial1/1              unassigned      YES unset  administratively down down
Serial1/2              unassigned      YES unset  administratively down down
Serial1/3              unassigned      YES unset  administratively down down
FastEthernet3/0        192.168.1.201   YES manual up                    up
R1# exit
Connection closed by foreign host.
macbook:~ jlgaddis$

Success! Note the R1# prompt: we landed directly in privileged EXEC without typing enable, because the reply carried shell:priv-lvl=15. We've installed FreeRADIUS, added a local user account, set up the NAS client (R1) and configured it to authenticate against the RADIUS server. Let's take a look at what was logged by FreeRADIUS:

[root@bertram ~]# cat /var/log/radius/radacct/192.168.1.201/detail-20081119
Wed Nov 19 00:24:47 2008
        Acct-Session-Id = "00000005"
        User-Name = "cisco"
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        NAS-Port = 130
        NAS-Port-Id = "tty130"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "192.168.1.49"
        Service-Type = NAS-Prompt-User
        NAS-IP-Address = 192.168.1.201
        Acct-Delay-Time = 0
        Client-IP-Address = 192.168.1.201
        Acct-Unique-Session-Id = "31b757fca2145e79"
        Timestamp = 1227072287