Authenticate the Cisco Devices using FreeRADIUS on Ubuntu


We want to authenticate and authorize users on Cisco devices using FreeRADIUS on an Ubuntu server. In this tutorial, we create two users, Arbab and Ali. Arbab has full access to the Cisco devices (privilege level 15), while Ali has custom access only (show commands, including show running-config, and interface configuration).

FreeRADIUS configuration on Ubuntu:

Install FreeRADIUS by using the following command:

sudo apt-get install freeradius


Move to the config directory:

cd /etc/freeradius


Edit the clients.conf file:

sudo nano clients.conf


Add each device (router or switch), which is identified by its hostname and requires a shared secret key:

client {
        secret    = secretkey
        nastype   = cisco
        shortname = tendoRouter
}


Add each user that is allowed to access the device inside the users file:

sudo nano users


In this example, we are adding user arbab with a privilege level of 15:

arbab  Cleartext-Password := "password"
       Service-Type = NAS-Prompt-User,
       Cisco-AVPair = "shell:priv-lvl=15"


Restart the FreeRADIUS service:

sudo /etc/init.d/freeradius restart


Cisco Router Configuration:

Configure the AAA security services, the RADIUS server group and the shared key:

conf t
aaa new-model
aaa group server radius RadiusGrp
server-private auth-port 1812 acct-port 1813 key secretkey

Note: RadiusGrp is just my group name, and the address given to server-private is the IP address of the FreeRADIUS server, so change them according to your environment.

To enable the Authentication & Authorization, use the following commands:

aaa authentication login default group RadiusGrp
aaa authorization exec default group RadiusGrp


For accounting purposes, use the following commands to record the exec shell sessions and system-level events:

aaa accounting exec default start-stop group RadiusGrp
aaa accounting system default start-stop group RadiusGrp


Now, configure the authentication to the vty line(s):

line vty 0 4
transport input telnet ssh
login authentication default


Telnet/SSH to the Router from Client Machine:

Now, try to login to the router from the client machine using the username and password that we have defined inside the FreeRadius Server:


Enter the username and password:


Success :-)

Logging at FreeRADIUS:

Move inside the /var/log/freeradius/radacct/ directory and check the log of each device that you have added inside the clients.conf file:


Create new User with Privilege level 3:

This user can only check the configuration using show commands and can only configure the interface(s).

Edit the /etc/freeradius/users file:

sudo nano /etc/freeradius/users


Add user ali with a privilege level of 3:

ali  Cleartext-Password := "testing"
     Service-Type = NAS-Prompt-User,
     Cisco-AVPair = "shell:priv-lvl=3"
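The two reply items in the arbab and ali entries above (Service-Type = NAS-Prompt-User and Cisco-AVPair = "shell:priv-lvl=N") travel to the router inside a RADIUS Access-Accept. The following added example (written for this page, not FreeRADIUS or Cisco code) builds such a reply, encodes the Cisco-AVPair as an RFC 2865 Vendor-Specific attribute, and shows the Response Authenticator check that lets the router trust a privilege level only when the reply was produced with the clients.conf secret; the Request Authenticator and secret are constructed sample values.

```python
"""Build, verify and decode an Access-Accept carrying the reply items above."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26
NAS_PROMPT_USER = 7                   # Service-Type value behind "NAS-Prompt-User"
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # IANA enterprise 9, vendor-type 1 = Cisco-AVPair

def attr(atype: int, value: bytes) -> bytes:
    # Generic RADIUS attribute: Type(1) Length(1, counts the header too) Value
    return struct.pack("!BB", atype, 2 + len(value)) + value

def cisco_avpair(text: str) -> bytes:
    # RFC 2865 Vendor-Specific: Vendor-Id(4) + vendor-type(1) + vendor-length(1) + string
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def access_accept(ident: int, request_auth: bytes, secret: bytes, priv_lvl: int) -> bytes:
    # The two reply items from the users file for one user, e.g. priv_lvl=15 for arbab
    attrs = attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER))
    attrs += cisco_avpair(f"shell:priv-lvl={priv_lvl}")
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret):
    # only a holder of the clients.conf secret can produce it, so the router trusts the reply
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs

def verify(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    # What the NAS checks before honouring the privilege level carried in the reply
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def parse_attrs(packet: bytes) -> dict:
    # Walk the attribute list after the 20-byte header and pull out the two reply items
    out, i = {}, 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        value = packet[i + 2:i + alen]
        if atype == SERVICE_TYPE:
            out["Service-Type"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            out["Cisco-AVPair"] = value[6:4 + value[5]].decode()  # skip Vendor-Id + sub-header
        i += alen
    return out

if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed Request Authenticator from the router's request
    reply = access_accept(1, req_auth, b"secretkey", 15)
    print(verify(reply, req_auth, b"secretkey"), parse_attrs(reply))
```

A reply forged without the secret fails verify(), which is why the secret in clients.conf and in the router's server-private line must match and should not be a guessable word.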


Restart the FreeRADIUS service:

sudo /etc/init.d/freeradius restart


Test from Client Machine:

User Ali has privilege level 3, so he can only run show commands and cannot even check the running config:


To allow user Ali to view the running config, configure the router using a level 15 account or the console:

privilege exec all level 3 show running-config


Now, check that Ali can view the running config:

show running-config view full


User Ali cannot even run the configure terminal command:


Allow user Ali to run the configure terminal command as well as the interface-related commands:

privilege exec level 3 configure terminal
privilege configure all level 3 interface


Now run the configure terminal and interface commands again as user Ali:


Hope this will help you!

Please Remember me in your prayers!
