We want to authenticate and authorize the user on Cisco devices using the Free Radius on Ubuntu Server. In this tutorial, we want to create two users, Arbab and Ali. Arbab have full access to Cisco devices (privilege level 15) while Ali has custom access (like show commands including show running and interface configurations) only.
FreeRADIUS configuration on Ubuntu:
Install FreeRADIUS by using the following command:
sudo apt-get install freeradius
Move to the config directory:
cd /etc/freeradius
Edit the clients.conf file:
sudo nano clients.conf
Add each device (router or switch), which is identified by its hostname and requires secret key:
client 192.168.179.152 {
secret = secretkey
nastype = cisco
shortname = tendoRouter
}
Add each user inside the users file,that is allowed to access the device:
sudo nano users
In this example, we are adding user arbab with a privilege level of 15:
arbab Cleartext-Password := "password"
Service-Type = NAS-Prompt-User,
Cisco-AVPair = "shell:priv-lvl=15"
Restart the FreeRADIUS service:
sudo /etc/init.d/freeradius restart
Cisco Router Configuration:
Configure AAA security services,radius group and private key:
conf t
aaa new-model
aaa group server radius RadiusGrp
server-private 192.168.179.151 auth-port 1812 acct-port 1813 key secretkey
exit
Note: RadiusGrp is just my group name and 192.168.179.151 is the ip address of FreeRadius Server, so change them according to your environment.
To enable the Authentication & Authorization, use the following commands:
aaa authentication login default group RadiusGrp
aaa authorization exec default group RadiusGrp
For Accounting purpose, use the following commands to configure the exec shell sessions and system level events:
aaa accounting exec default start-stop group RadiusGrp
aaa accounting system default start-stop group RadiusGrp
Now, configure the authentication to the vty line(s):
line vty 0 4
transport input telnet ssh
login authentication default
Telnet/SSH to the Router from Client Machine:
Now, try to login to the router from the client machine using the username and password that we have defined inside the FreeRadius Server:
Enter the username and password:
Success 
Logging at FreeRADIUS:
Move inside the /var/log/freeradius/radacct/ directory and check the log of each device(s) that you have added inside the clients.conf file:
Create new User with Privilege level 3:
This user can only check the configuration using show commands and can only configure the interface(s).
Edit the /etc/freeradius/users file:
sudo nano /etc/freeradius/users
Add user ali with a privilege level of 3:
ali Cleartext-Password := "testing"
Service-Type = NAS-Prompt-User,
Cisco-AVPair = "shell:priv-lvl=3"
Restart the FreeRADIUS service:
sudo /etc/init.d/freeradius restart
Test from Client Machine:
User Ali has privilege level 3 and he can only run show command and even cannot check the running config:
Allow user Ali, to view the running config, configure the router using level 15 account or using the console:
privilege exec all level 3 show running-config
Now, check that Ali can view the running config:
show running-config view full
User Ali, even cannot run the configure terminal command:
Allow user Ali, to run the configure terminal command as well as the interface related commands:
privilege exec level 3 configure terminal
privilege configure all level 3 interface
Now, run configure terminal and interface commands again as user Ali:
Hope this will help you!
Please Remember me in your prayers!
Like this:
Like Loading...
Related
Pingback: Debian- Radius by NAS (freeradius) – ASC Learning Experience