AAA (Authentication, Authorization and Accounting) is a framework rather than a single protocol; RADIUS and TACACS+ are the protocols that implement it. It is useful in distributed environments where many devices must authenticate users against one central account store before granting access to a service. In this post we configure FreeRADIUS as the AAA server and a Cisco device to accept SSH logins with the RADIUS users defined on the server.
The devices used in this scenario are:
– Cisco Router: 192.168.0.254/24
– Debian Server (FreeRadius): 192.168.0.1/24
Freeradius configuration
– Install freeradius:
# apt-get install freeradius
– Edit the clients configuration file so the router is accepted as a NAS. The shared secret is the only thing protecting RADIUS traffic: it keys the MD5 obfuscation of User-Password and the authenticators on every reply and accounting record, so use a long random value and keep the router-to-server path on a trusted network segment:
# vi /etc/freeradius/clients.conf
client 192.168.0.254 {
        secret = shar3k3y
        nastype = cisco
        shortname = rcentral
}
– Add the user that will log in to the router with privilege level 15. In the users file the check item (the password) goes on the first line and the reply items on indented continuation lines, comma-separated with no comma after the last one. Service-Type = NAS-Prompt-User asks for an exec shell and the Cisco-AVPair carries the privilege level. Cleartext-Password stores the password in the clear on the server, so keep the file's permissions tight:
# vi /etc/freeradius/users
admin Cleartext-Password := "P@ssw0rd"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"
– Restart freeradius:
# service freeradius restart
Router configuration
– Define the RADIUS server and the login method list:
rcentral# configure terminal
rcentral(config)# aaa new-model
rcentral(config)# radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key shar3k3y
rcentral(config)# aaa authentication login default group radius local
The ports are given explicitly because older IOS releases default to 1645/1646 while FreeRADIUS listens on 1812/1813. With this method list the router tries RADIUS first and falls back to the local user database only when no RADIUS server answers; an Access-Reject from the server is final and does not trigger the fallback. Create a local username before enabling aaa new-model, otherwise an unreachable server locks you out of the device.
– Enable SSH and apply the login method list to the vty lines:
rcentral# configure terminal
rcentral(config)# ip domain name mydomain
rcentral(config)# crypto key generate rsa modulus 1024
rcentral(config)# ip ssh version 2
rcentral(config)# line vty 0 15
rcentral(config-line)# transport input ssh
rcentral(config-line)# login authentication default
A 1024-bit host key was common when this was written; use a modulus of 2048 or larger today. transport input ssh also disables telnet on these lines, so the RADIUS password is never sent in the clear between the administrator and the router.
Configuring authorization and accounting
– Authorize an exec shell for any user whose authentication succeeded:
rcentral(config)# aaa authorization exec default if-authenticated
If the session comes up at privilege level 1 instead of the 15 requested in the users file, put group radius ahead of if-authenticated in this exec authorization list so the router consults the server's reply (Service-Type and Cisco-AVPair) when it authorizes the shell.
– Configuring accounting for all system level events and exec shell sessions:
rcentral(config)# aaa accounting system default start-stop group radius
rcentral(config)# aaa accounting exec default start-stop group radius
– Check the accounting Start and Stop records of a login session:
# cat /var/log/freeradius/radacct/192.168.0.254/detail-20130107
Mon Jan 7 14:25:07 2013
	Acct-Session-Id = "0000000A"
	User-Name = "admin"
	Acct-Authentic = RADIUS
	Acct-Status-Type = Start
	NAS-Port = 2
	NAS-Port-Id = "tty2"
	NAS-Port-Type = Virtual
	Service-Type = NAS-Prompt-User
	NAS-IP-Address = 192.168.0.254
	Acct-Delay-Time = 0
	Acct-Unique-Session-Id = "df599de6a2047d4b"
	Timestamp = 1357565107
	Request-Authenticator = Verified

Mon Jan 7 14:29:05 2013
	Acct-Session-Id = "0000000A"
	User-Name = "admin"
	Acct-Authentic = RADIUS
	Acct-Terminate-Cause = User-Request
	Acct-Session-Time = 239
	Acct-Status-Type = Stop
	NAS-Port = 2
	NAS-Port-Id = "tty2"
	NAS-Port-Type = Virtual
	Service-Type = NAS-Prompt-User
	NAS-IP-Address = 192.168.0.254
	Acct-Delay-Time = 0
	Acct-Unique-Session-Id = "df599de6a2047d4b"
	Timestamp = 1357565345
	Request-Authenticator = Verified
The Start and Stop records of one session share Acct-Session-Id and Acct-Unique-Session-Id; the Stop adds Acct-Session-Time and Acct-Terminate-Cause. Request-Authenticator = Verified means FreeRADIUS recomputed the accounting Request Authenticator with the client's shared secret and it matched, so the record really came from a NAS holding that secret.
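As an added example (not code from the original post, FreeRADIUS or Cisco), the following Python script builds the same Access-Request the router sends for an SSH login, including the RFC 2865 User-Password obfuscation keyed by the shared secret, checks the Response Authenticator on the server's reply, pulls shell:priv-lvl out of the Cisco-AVPair, and performs the RFC 2866 accounting authenticator check that FreeRADIUS reports as Request-Authenticator = Verified above. The secret, user, password and addresses are the ones used in this post; the Access-Accept it builds for the self-check is constructed locally, not captured from the server. Run it from the Debian host or any client listed in clients.conf to confirm the users file before touching the router.

```python
"""RADIUS helpers for checking the FreeRADIUS/Cisco setup from this post.
Added example, not the post's or FreeRADIUS's own code; pure stdlib."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
NAS_PROMPT_USER = 7          # Service-Type value returned by the users file entry
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block).
    Obfuscation keyed by the shared secret, not encryption: anyone holding it can undo it."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def decode_password(cipher, secret, authenticator):
    """Inverse of encode_password (what the server does); strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value

def cisco_avpair(text):
    """Vendor-Specific(26) carrying vendor 9 / type 1, e.g. shell:priv-lvl=15."""
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_request(secret, user, password, nas_ip, ident=1, authenticator=None):
    """The request the router sends for an SSH login; returns (packet, Request Authenticator)."""
    ra = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, encode_password(password.encode(), secret, ra))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)))
    return packet(ACCESS_REQUEST, ident, ra, attrs), ra

def build_response(secret, code, ident, request_authenticator, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(secret, request_authenticator, response):
    """Client side: drop replies not bound to our request and our shared secret."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return expected == response[4:20]

def build_accounting_request(secret, ident, attrs):
    """RFC 2866: the Request Authenticator is MD5 over the packet with 16 zero octets in its place."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest() + attrs

def accounting_request_ok(secret, pkt):
    """The check behind 'Request-Authenticator = Verified' in the radacct detail file."""
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return pkt[0] == ACCOUNTING_REQUEST and expected == pkt[4:20]

def parse_attributes(body):
    """Return [(type, value)]; Cisco VSAs come back as ('Cisco-AVPair', text)."""
    out, i = [], 0
    while i + 2 <= len(body):
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")   # bad length field: trust nothing after it
        v = body[i + 2:i + length]
        if (t == VENDOR_SPECIFIC and len(v) >= 6
                and v[:4] == struct.pack("!I", CISCO_VENDOR_ID) and v[4] == CISCO_AVPAIR):
            out.append(("Cisco-AVPair", v[6:4 + v[5]].decode()))
        else:
            out.append((t, v))
        i += length
    return out

def priv_level(response):
    """Privilege level granted by shell:priv-lvl, or None if the server sent none."""
    for t, v in parse_attributes(response[20:]):
        if t == "Cisco-AVPair" and v.startswith("shell:priv-lvl="):
            return int(v.split("=", 1)[1])
    return None

if __name__ == "__main__":
    # Live check against the server in the post (values from clients.conf and the users file).
    secret = b"shar3k3y"
    req, ra = build_access_request(secret, "admin", "P@ssw0rd", "192.168.0.254")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(3)
    sock.sendto(req, ("192.168.0.1", 1812))
    resp, _ = sock.recvfrom(4096)
    print("code", resp[0], "authentic", verify_response(secret, ra, resp), "priv-lvl", priv_level(resp))
```

A reply that fails verify_response must be discarded even if its code is Access-Accept: without the secret an attacker on the path can forge the code byte but not the Response Authenticator. Likewise, the NAS-IP-Address attribute is chosen by the sender, so FreeRADIUS matches clients.conf on the UDP source address, not on that attribute.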
Sources
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html#wp1088470
http://wiki.freeradius.org/vendor/Cisco
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007e364.html