Authenticate the Cisco Devices using FreeRADIUS on Ubuntu

Scenario

We want to authenticate and authorize users on Cisco devices using FreeRADIUS on Ubuntu Server. In this tutorial, we create two users, Arbab and Ali. Arbab has full access to the Cisco devices (privilege level 15), while Ali has custom access only (show commands, including show running-config, and interface configuration).

FreeRADIUS configuration on Ubuntu:

Install FreeRADIUS by using the following command:

sudo apt-get install freeradius

Move to the config directory:

cd /etc/freeradius

Edit the clients.conf file:

sudo nano clients.conf

Add each device (router or switch) as a client, identified by its IP address or hostname, together with the shared secret key it will present:

client 192.168.179.152 {
    secret    = secretkey
    nastype   = cisco
    shortname = tendoRouter
}

Add each user that is allowed to access the device inside the users file:

sudo nano users

In this example, we are adding user arbab with a privilege level of 15:

arbab  Cleartext-Password := "password"
       Service-Type = NAS-Prompt-User,
       Cisco-AVPair = "shell:priv-lvl=15"

Restart the FreeRADIUS service:

sudo /etc/init.d/freeradius restart

Cisco Router Configuration:

Configure AAA, the RADIUS server group and the shared key:

conf t
aaa new-model
aaa group server radius RadiusGrp
server-private 192.168.179.151 auth-port 1812 acct-port 1813 key secretkey
exit

Note: RadiusGrp is just my group name and 192.168.179.151 is the IP address of the FreeRADIUS server, so change them according to your environment.

To enable authentication and authorization, use the following commands:

aaa authentication login default group RadiusGrp
aaa authorization exec default group RadiusGrp

For accounting, use the following commands to record exec shell sessions and system-level events:

aaa accounting exec default start-stop group RadiusGrp
aaa accounting system default start-stop group RadiusGrp

Now, configure the authentication to the vty line(s):

line vty 0 4
transport input telnet ssh
login authentication default

Telnet/SSH to the Router from Client Machine:

Now, try to log in to the router from the client machine using the username and password that we defined on the FreeRADIUS server:

Enter the username and password:

Success :-)

Logging at FreeRADIUS:

Move inside the /var/log/freeradius/radacct/ directory and check the log of each device you added inside the clients.conf file:

Create a new user with privilege level 3:

This user can only check the configuration using show commands and can only configure interfaces.

Edit the /etc/freeradius/users file:

sudo nano /etc/freeradius/users

Add user ali with a privilege level of 3:

ali  Cleartext-Password := "testing"
     Service-Type = NAS-Prompt-User,
     Cisco-AVPair = "shell:priv-lvl=3"
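Both users entries above (arbab and ali) hand the privilege level to the router as a Cisco vendor-specific attribute inside the Access-Accept. As an added illustration that is not part of the original post, the Python below builds a constructed Access-Accept of that shape, then does what the router does on receipt: it verifies the reply's Response Authenticator against the shared secret from clients.conf and extracts shell:priv-lvl from the Cisco-AVPair VSA (vendor 9, sub-attribute 1). The secret, packet identifier and request authenticator are made-up sample values.

```python
import hashlib
import hmac
import struct

CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1       # IANA enterprise number, Cisco-AVPair sub-attribute
ATTR_SERVICE_TYPE, ATTR_VSA = 6, 26        # RFC 2865 attribute types
NAS_PROMPT_USER = 7                        # Service-Type = NAS-Prompt-User
ACCESS_ACCEPT = 2

def build_access_accept(request_auth, identifier, secret, avpairs):
    """Constructed Access-Accept like FreeRADIUS sends for the users entries:
    Service-Type plus one Cisco-AVPair VSA per string. Response Authenticator
    is MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, NAS_PROMPT_USER)
    for av in avpairs:
        data = av.encode()
        vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(data)) + data
        attrs += struct.pack("!BB", ATTR_VSA, 2 + len(vsa)) + vsa
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_access_accept(packet, request_auth, secret):
    """Check the Response Authenticator with the shared secret, then walk the
    attributes and pull shell:priv-lvl out of the Cisco-AVPair VSA."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    resp_auth, attrs = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    result = {"code": code, "service_type": None, "priv_lvl": None, "avpairs": []}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = attrs[pos], attrs[pos + 1]
        value = attrs[pos + 2:pos + alen]
        if atype == ATTR_SERVICE_TYPE:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_VSA and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                av = value[6:4 + vlen].decode()       # vlen covers vtype+vlen+data
                result["avpairs"].append(av)
                if av.startswith("shell:priv-lvl="):
                    result["priv_lvl"] = int(av.split("=", 1)[1])
        pos += alen
    return result
```

A reply built with a different secret fails the authenticator check, which is the only thing standing between a spoofed Access-Accept and a level 15 shell, so the shared secret in clients.conf and on the router must match and be kept private.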

Restart the FreeRADIUS service:

sudo /etc/init.d/freeradius restart

Test from Client Machine:

User Ali has privilege level 3, so he can only run show commands and cannot even check the running config:

To allow user Ali to view the running config, configure the router using a level 15 account or the console:

privilege exec all level 3 show running-config

Now, check that Ali can view the running config:

show running-config view full

User Ali cannot even run the configure terminal command:

To allow user Ali to run the configure terminal command as well as the interface-related commands:

privilege exec level 3 configure terminal
privilege configure all level 3 interface

Now, run configure terminal and interface commands again as user Ali:

Hope this will help you!

Please Remember me in your prayers!
