First we configure the Cisco router for server-based AAA authentication:


We start with the basic configuration: the enable password and the router's IP address:
R1(config)# enable secret cisco
R1(config)# interface fastethernet 1/0
R1(config-if)# ip address 10.1.1.254 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
Now we enable AAA on the router:
1. First we create a local username and password. This is the fallback account; note that the password keyword stores it reversibly in the configuration, so the secret form is preferable where the IOS version supports it.
2. We activate AAA with the aaa new-model command.
3. We set the authentication methods: in this case the RADIUS server is tried first and, if no connection to the server can be established, the router's local database is used as the secondary method.
4. We tell the router which interface the RADIUS server is reached through. This fixes the source address of the RADIUS packets, which must match the client entry we create on the server afterwards.
5. Finally, we add the RADIUS server, giving its IP address, the authentication port and the key (the secret shared with the server).
R1(config)# username local password local
R1(config)# aaa new-model
R1(config)# aaa authentication login default group radius local
R1(config)# ip radius source-interface fastethernet 1/0
R1(config)# radius-server host 10.1.1.5 auth-port 1812 key radius
Now we configure the vty lines used for remote connections; in the example we tell them to authenticate with the default list created in the previous step:
R1(config)# line vty 0 4
R1(config-line)# login authentication default
R1(config-line)# exit
With this the router side is complete. Note that this configuration only covers authentication: without an aaa authorization exec line (shown in the later sections of this page), a RADIUS-authenticated user lands in user EXEC at privilege 1 and still has to enter enable with the enable secret.
Now we go to the FreeRADIUS server and enter the Cisco router's details. For this we open the radius database:
# mysql -u root -p radius
We insert the router's data (the string values must be quoted):
mysql> INSERT INTO nas (nasname, shortname, type, secret)
VALUES ('10.1.1.254', 'R1', 'cisco', 'radius');
(The previous post has a brief explanation of each field we just inserted.)
Restart the FreeRADIUS server:
# service freeradius restart
Everything is now ready, so from a PC we try to reach the router over telnet and log in with a username and password that exist in the RADIUS server's database (with the SQL backend, the user's Cleartext-Password check item goes in the radcheck table and any reply attributes, such as Cisco-AVPair, in radreply). Telnet sends these credentials in cleartext, so outside a lab the vty lines should accept SSH only (transport input ssh):
# telnet 10.1.1.254
If everything works, the login succeeds.

To see which sessions are open on the router we can use the following command:
R1# show aaa sessions
The output lists, among other things, the users with an open session and the IP address they connect from.



Configure
Configure a Switch for Authentication and Authorization
1. In order to create a local user on the switch with full privileges for fallback access, enter (the password 0 form stores the password in cleartext in the configuration; prefer the secret form where the IOS version supports it):

Switch(config)#username admin privilege 15 password 0 cisco123!
2. In order to enable AAA, enter:

switch(config)# aaa new-model
3. In order to provide the IP address of the RADIUS server as well as the key, enter:

switch# configure terminal
switch(config)#radius-server host 172.16.71.146 auth-port 1645 acct-port 1646
switch(config)#radius-server key hello123


Note: The key must match the shared secret configured on the RADIUS server for the switch. Note also that 1645/1646 are the legacy RADIUS ports; FreeRADIUS listens on 1812/1813 by default, so either use auth-port 1812 acct-port 1813 here or add the legacy ports to the server's listen configuration.
4. In order to test RADIUS server availability, enter the test aaa command:

switch# test aaa server Radius 172.16.71.146 user1 Ur2Gd2BH

Until the user exists on the server, the test authentication fails with an Access-Reject; that reply still proves the server is reachable and processed the request. If the switch has not yet been added to the server's clients.conf, FreeRADIUS silently ignores the request instead of answering it, and the test reports a timeout rather than a rejection.
5. In order to configure login authentications to fall back to local users if RADIUS is unreachable,
enter:

switch(config)#aaa authentication login default group radius local
6. In order to configure authorization for a privilege level of 15, as long as a user is authenticated,
enter:

switch(config)#aaa authorization exec default group radius if-authenticated
FreeRADIUS Configuration
Define the Client on the FreeRADIUS Server
1. In order to navigate to the configuration directory (this is the Ubuntu/Debian package layout; other distributions differ, for example CentOS installs to /etc/raddb), enter:

# cd /etc/freeradius
2. In order to edit the clients.conf file, enter:

# sudo nano clients.conf
3. In order to add each device (router/switch), identified by its IP address (or a resolvable hostname), together with the correct shared secret, enter:

client 192.168.1.1 {
secret = secretkey
nastype = cisco
shortname = switch
}
4. In order to edit the users file, enter:

# sudo nano users
5. Add each user allowed to access the device. This example demonstrates how to set a Cisco IOS
privilege level of 15 for the user "cisco."

cisco Cleartext-Password := "password"
Service-Type = NAS-Prompt-User,
Cisco-AVPair = "shell:priv-lvl=15"
6. In order to restart FreeRADIUS, enter:

# sudo /etc/init.d/freeradius restart
7. To give every member of the Unix group cisco-rw privilege level 15 without a per-user entry, add a DEFAULT entry to the users file (Group is checked against the system group database, and Auth-Type = System authenticates against the local system accounts):

DEFAULT Group == cisco-rw, Auth-Type = System
Service-Type = NAS-Prompt-User,
cisco-avpair :="shell:priv-lvl=15"
8. You can add other users at different privilege levels as needed in the FreeRADIUS users file. For
example, this user (life) is given a level of 3 (system maintenance):

sudo nano /etc/freeradius/users

life Cleartext-Password := "testing"
Service-Type = NAS-Prompt-User,
Cisco-AVPair = "shell:priv-lvl=3"

Restart the FreeRADIUS service:
sudo /etc/init.d/freeradius restart

Verify
In order to verify the configuration on the switch, use these commands:
switch# show run | in radius (Show the RADIUS configuration)
switch# show run | in aaa (Show the running AAA configuration)
switch# show startup-config | in radius (Show the RADIUS configuration saved in the startup configuration)
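
The three show commands above only dump the relevant lines; what you actually want to check is that the invariants described on this page hold: AAA is on, the login list uses RADIUS with a local fallback, exec authorization is present so shell:priv-lvl is honoured, the server has a shared secret and is addressed on ports FreeRADIUS listens on, and the fallback account is not stored reversibly. The following Python audit is an added example, not part of the original page or of any Cisco or FreeRADIUS tool; it runs over a constructed show running-config sample modelled on the commands above and over a corrected variant, and its regular expressions assume the plain IOS command syntax shown on this page.

```python
import re

# Constructed sample of "show running-config" output, assembled from the
# commands shown on this page (not captured from a real switch).
SAMPLE_CONFIG = """\
!
username admin privilege 15 password 0 cisco123!
!
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
!
radius-server host 172.16.71.146 auth-port 1645 acct-port 1646
radius-server key hello123
!
"""

# The same configuration with the issues the audit reports fixed.
HARDENED_CONFIG = """\
!
username admin privilege 15 secret cisco123!
!
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
!
radius-server host 172.16.71.146 auth-port 1812 acct-port 1813 key hello123
!
"""


def audit_aaa_config(config):
    """Return a list of findings for an IOS running-config; an empty list means OK."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []

    def first(pattern):
        for line in lines:
            m = re.match(pattern, line)
            if m:
                return m
        return None

    if not first(r"aaa new-model$"):
        findings.append("aaa new-model is missing: RADIUS login is not in effect")

    login = first(r"aaa authentication login (\S+) (.+)$")
    if login is None:
        findings.append("no aaa authentication login list: lines use plain line passwords")
    else:
        methods = login.group(2).split()
        if "radius" not in methods:
            findings.append("login list %s does not use RADIUS" % login.group(1))
        if "local" not in methods:
            findings.append("login list %s has no local fallback: a RADIUS outage locks you out"
                            % login.group(1))

    if not first(r"aaa authorization exec "):
        findings.append("no aaa authorization exec: shell:priv-lvl from RADIUS is ignored, "
                        "users land at privilege 1")

    global_key = first(r"radius-server key ") is not None
    hosts = [m for m in (re.match(r"radius-server host (\S+)(.*)$", l) for l in lines) if m]
    if not hosts:
        findings.append("no radius-server host configured")
    for m in hosts:
        ip, rest = m.group(1), m.group(2)
        auth = re.search(r"auth-port (\d+)", rest)
        acct = re.search(r"acct-port (\d+)", rest)
        if (auth and auth.group(1) == "1645") or (acct and acct.group(1) == "1646"):
            findings.append("server %s uses legacy ports 1645/1646; FreeRADIUS listens on "
                            "1812/1813 by default" % ip)
        if " key " not in rest and not global_key:
            findings.append("server %s has no shared secret (no per-host or global key)" % ip)

    # Type 0 is cleartext and type 7 is trivially reversible; only 'secret' hashes the password.
    for m in (re.match(r"username (\S+) .*password (\d) ", l) for l in lines):
        if m and m.group(2) in ("0", "7"):
            findings.append("username %s stores a type-%s password (recoverable); use 'secret'"
                            % (m.group(1), m.group(2)))

    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("%s: %s" % (name, audit_aaa_config(cfg) or ["no findings"]))
```

Feed it the output of show running-config (for example via a file copied off the switch) and treat any finding as a reason not to save the configuration yet; the local-fallback check in particular is the one that prevents locking yourself out when the RADIUS server is down.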


For this demonstration, I'm installing a new CentOS 5.2 virtual machine on my MacBook
under VMware Fusion. Installing the operating system, however, is beyond the scope of this
document. Also, we'll just be using the local system database for now; we'll save SQL and
LDAP (perhaps even Active Directory) authentication for later. After we get FreeRADIUS
up and running, we'll set up a user account and then configure a Cisco router to use
RADIUS for authentication.
Let's begin by installing FreeRADIUS by running (as root) the following command:
[root@bertram ~]# yum -y install freeradius
...
Complete!
[root@bertram ~]#
yum should have gone out, grabbed the appropriate packages and dependencies, and
installed them.
Because FreeRADIUS will need to read the local system database (/etc/shadow) for
authentication, we need to set user = root and group = root in radiusd.conf. This is easy
enough: open /etc/raddb/radiusd.conf and change the lines that read user = radiusd and
group = radiusd to user = root and group = root, respectively. Note that running our
daemons as root is almost always something we want to avoid. Using another authentication
backend, such as SQL or LDAP, would not require this change and would allow the
FreeRADIUS service to run under the default unprivileged radiusd account.
Next, we need to let FreeRADIUS know about our NAS, in this case our Cisco router. For
the sake of this demonstration, our router (R1) will have IP address 192.168.1.201. We'll
also need a shared secret that the router and RADIUS server use. Let's use the ever popular
SECRET_KEY. Add the following to the end of /etc/raddb/clients.conf:
client 192.168.1.201 {
secret = SECRET_KEY
shortname = R1
nastype = cisco
}
Then, on the FreeRADIUS side, we need to create a user account in the local user database
that we'll use for actually authenticating to R1. Nothing special here, just creating a new
user account and setting the password. I've passed the plain-text password into passwd
via stdin so that you can see it. Normally, we wouldn't do that; just run passwd cisco and
enter the password when prompted:
[root@bertram ~]# /usr/sbin/useradd cisco
[root@bertram ~]# echo secret | passwd --stdin cisco
Changing password for user cisco.
passwd: all authentication tokens updated successfully.
[root@bertram ~]#
We now have a local user named cisco with a password of secret that we'll use when it
comes time to authenticate to R1. Before we can do that, however, we must let FreeRADIUS
know about the user. Append the following to /etc/raddb/users:
cisco Auth-Type := System
Service-Type = NAS-Prompt-User,
cisco-avpair = "shell:priv-lvl=15"
This notifies FreeRADIUS of a local user account named cisco. Using the cisco-avpair
attribute in this manner assigns privilege level 15 to the user automatically, removing the
requirement for the user to issue enable (and know the enable secret) in order to gain
elevated access. The router only honours this attribute once exec authorization is
configured, which we do below.
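
To see what the shared secret and the cisco-avpair attribute actually do on the wire, here is an added example (not code from the original post, from FreeRADIUS or from Cisco): a minimal RFC 2865 client and server pair in Python that builds the Access-Request a NAS sends for a PAP login, obfuscates User-Password under the shared secret, answers with an Access-Accept carrying Service-Type = NAS-Prompt-User and a Cisco-AVPair shell:priv-lvl=N, and verifies the Response Authenticator on the NAS side. It also illustrates the test aaa step from the switch section earlier on this page: a wrong secret on either side produces no clean error at the server (the password simply decodes to garbage and is rejected), but it is caught when the NAS checks the Response Authenticator. The user table, the NAS address 192.168.1.201 and the secrets are constructed inputs; real traffic would go over UDP port 1812 rather than through the in-process exchange() helper.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
NAS_PROMPT_USER = 7                    # Service-Type value the users file sets
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Cisco-AVPair rides inside Vendor-Specific (26)

def user_password(data, secret, request_auth, decode=False):
    # RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext block), the
    # first block using the Request Authenticator. Encode pads with NULs; decode strips them.
    # A wrong secret never raises on the server: the password just decodes to garbage.
    data = data if decode else data + b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (chunk if decode else block)
    return out.rstrip(b"\x00") if decode else out

def attribute(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def cisco_avpair(text):
    inner = attribute(CISCO_AVPAIR, text.encode())
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def parse_attributes(body):
    attrs, i = [], 0
    while i < len(body):
        kind, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs.append((kind, body[i + 2:i + length]))
        i += length
    return attrs

def build_access_request(username, password, secret, nas_ip, ident=1, request_auth=None):
    # What the NAS sends: PAP credentials obfuscated under the shared secret.
    request_auth = request_auth or os.urandom(16)
    body = b"".join([
        attribute(USER_NAME, username.encode()),
        attribute(USER_PASSWORD, user_password(password.encode(), secret, request_auth)),
        attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        attribute(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def response_authenticator(code, ident, length, request_auth, body, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + body + secret).digest()

def build_response(code, request, secret, reply_attrs):
    ident, request_auth = request[1], request[4:20]
    body = b"".join(reply_attrs)
    length = 20 + len(body)
    auth = response_authenticator(code, ident, length, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, length) + auth + body

def verify_response(response, request, secret):
    # NAS side: reject any reply not produced with our secret for our request.
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("identifier/length mismatch: not a reply to this request")
    expected = response_authenticator(code, ident, length, request[4:20], response[20:], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code, parse_attributes(response[20:])

def cisco_priv_level(attrs):
    # Pull N out of a Cisco-AVPair "shell:priv-lvl=N"; None when the reply carries none.
    for kind, value in attrs:
        if kind == VENDOR_SPECIFIC and len(value) >= 4 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            for sub, text in parse_attributes(value[4:]):
                if sub == CISCO_AVPAIR and text.startswith(b"shell:priv-lvl="):
                    return int(text.split(b"=", 1)[1])
    return None

def exchange(username, password, nas_secret, server_secret, server_users):
    # One full login, both sides in-process. server_users maps name -> (password, priv-lvl).
    req = build_access_request(username, password, nas_secret, "192.168.1.201")
    attrs = dict(parse_attributes(req[20:]))
    presented = user_password(attrs[USER_PASSWORD], server_secret, req[4:20], decode=True)
    known = server_users.get(attrs[USER_NAME].decode())
    if known and hmac.compare_digest(presented, known[0].encode()):
        reply = build_response(ACCESS_ACCEPT, req, server_secret, [
            attribute(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)),
            cisco_avpair("shell:priv-lvl=%d" % known[1])])
    else:
        reply = build_response(ACCESS_REJECT, req, server_secret, [])
    code, reply_attrs = verify_response(reply, req, nas_secret)   # raises on secret mismatch
    return code, cisco_priv_level(reply_attrs)
```

Two things worth noticing: the User-Password transform is obfuscation keyed by the shared secret, not authenticated encryption, which is why anyone who can see the traffic and knows the secret recovers every password, and why the secret should be long and random rather than "hello123"; and the Response Authenticator is the only thing binding an Access-Accept to the request and the secret, so a NAS that skipped that check could be fed a forged "priv-lvl=15" by anyone who can spoof the server's address.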
Let's get started configuring R1. I'm going to assume that you're starting from a default
configuration. The first thing we want to do is create a fallback user account (on the
router itself) that we can use to authenticate if, for some reason, connectivity to the
RADIUS server is lost. Let's create a user named admin with a password of letmein:
R1(config)#username admin privilege 15 secret letmein
Under normal circumstances, we'll never use this local account, only when the RADIUS
server is unavailable.
Next, I need to configure my interface on R1 and verify we can ping the RADIUS server.
Assuming you already have your router up and running, you can likely skip this step:
R1(config)# interface fastethernet 3/0
R1(config-if)# ip address 192.168.1.201 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)#
*Mar 1 00:10:14.635: %LINK-3-UPDOWN: Interface FastEthernet3/0, changed
state to up
*Mar 1 00:10:15.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet3/0, changed state to up
R1(config-if)# do ping 192.168.1.51
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.51, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/11/24 ms
R1(config-if)#
Excellent, all set! Let's start configuring R1 for AAA:
R1(config)# aaa new-model
R1(config)# radius-server host 192.168.1.51 auth-port 1812 acct-port 1813 key SECRET_KEY
AAA should now be enabled on R1. Note that we provided the IP address of the RADIUS
server as well as the shared secret we configured in FreeRADIUS earlier. In addition, we
must specify the auth-port and acct-port used by FreeRADIUS, as these are different
from Cisco's defaults (1645 and 1646). Let's configure authentication:
R1(config)# aaa authentication login default group radius local
R1(config)# line vty 0 4
R1(config-line)# login authentication default
R1(config-line)# line con 0
R1(config-line)# login authentication default
Here, we've told R1 to use RADIUS for authentication and to fall back to the local user
database if the RADIUS server is not available. We don't want to DoS ourselves!
The following command will allow the user to run an exec shell when logging into the
router:
R1(config)# aaa authorization exec default group radius if-authenticated
Last, but not least, we want accounting (the final A in AAA):
R1(config)# aaa accounting exec default start-stop group radius
R1(config)# aaa accounting system default start-stop group radius
That should be enough to allow us to log in with the local (Linux) system account cisco
that we created earlier. Let's give it a shot:
macbook:~ jlgaddis$ telnet 192.168.1.201
Trying 192.168.1.201...
Connected to 192.168.1.201.
Escape character is '^]'.

User Access Verification

Username: cisco
Password:

R1# show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  administratively down down
Ethernet0/1                unassigned      YES unset  administratively down down
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down
Serial1/0                  unassigned      YES unset  administratively down down
Serial1/1                  unassigned      YES unset  administratively down down
Serial1/2                  unassigned      YES unset  administratively down down
Serial1/3                  unassigned      YES unset  administratively down down
FastEthernet3/0            192.168.1.201   YES manual up                    up
R1# exit
Connection closed by foreign host.
macbook:~ jlgaddis$
Success! We've installed FreeRADIUS, added a local user account, set up the NAS client
(R1) and configured it to authenticate against the RADIUS server. Let's take a look at what
was logged by FreeRADIUS:
[root@bertram ~]# cat /var/log/radius/radacct/192.168.1.201/detail-20081119
Wed Nov 19 00:24:47 2008
Acct-Session-Id = "00000005"
User-Name = "cisco"
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Port = 130
NAS-Port-Id = "tty130"
NAS-Port-Type = Virtual
Calling-Station-Id = "192.168.1.49"
Service-Type = NAS-Prompt-User
NAS-IP-Address = 192.168.1.201
Acct-Delay-Time = 0
Client-IP-Address = 192.168.1.201
Acct-Unique-Session-Id = "31b757fca2145e79"
Timestamp = 1227072287

Wed Nov 19 00:25:14 2008
Acct-Session-Id = "00000005"
User-Name = "cisco"
Acct-Authentic = RADIUS
Acct-Terminate-Cause = User-Request
Acct-Session-Time = 27
Acct-Status-Type = Stop
NAS-Port = 130
NAS-Port-Id = "tty130"
NAS-Port-Type = Virtual
Calling-Station-Id = "192.168.1.49"
Service-Type = NAS-Prompt-User
NAS-IP-Address = 192.168.1.201
Acct-Delay-Time = 0
Client-IP-Address = 192.168.1.201
Acct-Unique-Session-Id = "31b757fca2145e79"
Timestamp = 1227072314
[root@bertram ~]#
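
Those detail records are what you would correlate to answer who was logged in, from where, and for how long. The following parser is an added example, not part of the original post or of FreeRADIUS; it reads the detail format (a timestamp line, indented attribute = value lines, a blank separator), pairs Start and Stop by NAS address plus Acct-Session-Id (session ids are only unique per NAS and restart after a reload), and flags sessions that are still open or that have a Stop with no Start. The embedded sample is constructed from the two records above, trimmed to the attributes used, plus an invented third Start record for user admin from 203.0.113.7 that never received a Stop.

```python
import re

# Constructed sample in FreeRADIUS "detail" format: the two records above
# (trimmed to the attributes used here) plus a third Start that never got a Stop.
SAMPLE_DETAIL = """\
Wed Nov 19 00:24:47 2008
\tAcct-Session-Id = "00000005"
\tUser-Name = "cisco"
\tAcct-Status-Type = Start
\tNAS-Port-Id = "tty130"
\tCalling-Station-Id = "192.168.1.49"
\tNAS-IP-Address = 192.168.1.201
\tTimestamp = 1227072287

Wed Nov 19 00:25:14 2008
\tAcct-Session-Id = "00000005"
\tUser-Name = "cisco"
\tAcct-Terminate-Cause = User-Request
\tAcct-Session-Time = 27
\tAcct-Status-Type = Stop
\tNAS-Port-Id = "tty130"
\tCalling-Station-Id = "192.168.1.49"
\tNAS-IP-Address = 192.168.1.201
\tTimestamp = 1227072314

Wed Nov 19 00:30:02 2008
\tAcct-Session-Id = "00000006"
\tUser-Name = "admin"
\tAcct-Status-Type = Start
\tNAS-Port-Id = "tty131"
\tCalling-Station-Id = "203.0.113.7"
\tNAS-IP-Address = 192.168.1.201
\tTimestamp = 1227072602
"""

ATTR_LINE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')


def parse_detail(text):
    """Split a detail file into records: a timestamp line, attribute lines, a blank line."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current is not None:
                records.append(current)
            current = None
        elif current is None:
            current = {"_received": line.strip()}
        else:
            m = ATTR_LINE.match(line)
            if not m:
                raise ValueError("unparsable detail line: %r" % line)
            name, value = m.groups()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[name] = value
    if current is not None:
        records.append(current)
    return records


def correlate(records):
    """Pair Start/Stop by (NAS, Acct-Session-Id); session ids are only unique per NAS."""
    sessions = {}
    for r in records:
        key = (r.get("NAS-IP-Address"), r.get("Acct-Session-Id"))
        s = sessions.setdefault(key, {"user": r.get("User-Name"), "from": r.get("Calling-Station-Id"),
                                      "port": r.get("NAS-Port-Id"), "start": None, "stop": None,
                                      "seconds": None, "cause": None})
        status = r.get("Acct-Status-Type")
        if status == "Start":
            s["start"] = int(r["Timestamp"])
        elif status == "Stop":
            s["stop"] = int(r["Timestamp"])
            s["seconds"] = int(r.get("Acct-Session-Time", "0"))
            s["cause"] = r.get("Acct-Terminate-Cause")
    return sessions


def anomalies(sessions):
    """Sessions worth a second look: still open, or a Stop with no matching Start."""
    found = []
    for (nas, sid), s in sessions.items():
        if s["stop"] is None:
            found.append("open session %s on %s: %s from %s (%s)" % (sid, nas, s["user"], s["from"], s["port"]))
        elif s["start"] is None:
            found.append("stop without start %s on %s: %s from %s" % (sid, nas, s["user"], s["from"]))
    return found


if __name__ == "__main__":
    sessions = correlate(parse_detail(SAMPLE_DETAIL))
    for key, s in sessions.items():
        print(key, s)
    for a in anomalies(sessions):
        print("!", a)
```

A Stop with no Start usually means the NAS rebooted or the Start packet was lost (accounting is UDP with retransmits, not guaranteed delivery), and an open session is either someone still logged in or a Stop that never arrived; both are worth comparing against show aaa sessions on the router before trusting the log as a complete record.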








