
We want to authenticate and authorize users on Cisco devices using FreeRADIUS on Ubuntu Server. In this tutorial, we create two users, Arbab and Ali. Arbab has full access to the Cisco devices (privilege level 15), while Ali has restricted access only (show commands, including show running-config, and interface configuration).
FreeRADIUS configuration on Ubuntu:
Install FreeRADIUS by using the following command:
sudo apt-get install freeradius

Move to the config directory:
cd /etc/freeradius

Edit the clients.conf file:
sudo nano clients.conf

Add each device (router or switch). A client is identified by the IP address it sends RADIUS packets from, and it must be given the same shared secret that you will later configure on the device; shortname is only a label that appears in the logs:
client 192.168.179.152 {
    secret = secretkey
    nastype = cisco
    shortname = tendoRouter
}

Add each user that is allowed to access the device inside the users file:
sudo nano users

In this example, we are adding user arbab with a privilege level of 15 (the check item goes on the first line, the reply items on indented lines below it):
arbab Cleartext-Password := "password"
    Service-Type = NAS-Prompt-User,
    Cisco-AVPair = "shell:priv-lvl=15"

Restart the FreeRADIUS service:
sudo /etc/init.d/freeradius restart

Cisco Router Configuration:
Configure AAA security services, a RADIUS server group and the shared key (it must match the secret in clients.conf):
conf t
aaa new-model
aaa group server radius RadiusGrp
server-private 192.168.179.151 auth-port 1812 acct-port 1813 key secretkey
exit
Note: RadiusGrp is just the group name used here and 192.168.179.151 is the IP address of the FreeRADIUS server, so change them according to your environment.
To enable authentication and authorization, use the following commands. With only the RADIUS group in the method lists, nobody can log in while the server is unreachable, so keep a console session open while testing and consider adding a local fallback method (with a local user) to both lists before relying on this in production:
aaa authentication login default group RadiusGrp
aaa authorization exec default group RadiusGrp

For accounting, use the following commands to record exec shell sessions and system-level events:
aaa accounting exec default start-stop group RadiusGrp
aaa accounting system default start-stop group RadiusGrp

Now, apply the authentication method list to the vty line(s). Telnet carries the username and password in cleartext across the network, so restrict transport input to ssh wherever possible:
line vty 0 4
transport input telnet ssh
login authentication default

Telnet/SSH to the Router from Client Machine:
Now, try to log in to the router from the client machine using the username and password that we defined on the FreeRADIUS server. (The original shows screenshots of the username/password prompt followed by the successful login.)
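To make the login test above concrete, here is an added example (not code from this tutorial or from the FreeRADIUS project) that models the RADIUS exchange the configuration produces: the router sends an Access-Request with the hidden User-Password, FreeRADIUS verifies it against the users entry and answers an Access-Accept carrying Service-Type and the Cisco-AVPair vendor attribute, and the router verifies the Response Authenticator before trusting the priv-lvl. Packet encoding follows RFC 2865 (Cisco is vendor ID 9, Cisco-AVPair is vendor type 1); the CLIENTS and USERS dicts are constructed copies of the clients.conf and users entries on this page, and the whole exchange runs in-process without a network.

```python
"""Model of the RADIUS exchange behind the setup above (RFC 2865): the router sends an
Access-Request, FreeRADIUS checks the user and answers Access-Accept carrying
Service-Type and Cisco-AVPair. Added example, standard library only, runs in-process."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
NAS_PROMPT_USER = 7                    # Service-Type value named in the users file
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Vendor-Id 9 = Cisco, vendor-type 1 = Cisco-AVPair

# Constructed copies of this page's clients.conf and users entries (not read from disk).
CLIENTS = {"192.168.179.152": b"secretkey"}
USERS = {"arbab": ("password", 15), "ali": ("testing", 3)}


def attr(atype, value):
    """Type-Length-Value attribute; Length includes the two header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific (26) = Vendor-Id 9 + vendor TLV (type 1) holding e.g. shell:priv-lvl=15."""
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def password_xor(data, secret, authenticator, hide):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = block if hide else data[i:i + 16]   # chaining always uses the ciphertext
        out += block
    return out


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def access_request(username, password, nas_ip, key, ident=1):
    """What the router sends for a vty login; key is the value of `key ...` on the router."""
    ra = os.urandom(16)  # Request Authenticator: fresh random value per request
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    body = b"".join([attr(USER_NAME, username.encode()),
                     attr(USER_PASSWORD, password_xor(pw, key, ra, hide=True)),
                     attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
                     attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body


def server_handle(request, client_ip):
    """What FreeRADIUS does with the request, given CLIENTS and USERS."""
    secret = CLIENTS.get(client_ip)
    if secret is None:
        return None  # requests from IPs missing in clients.conf are silently dropped
    code, ident, length = struct.unpack("!BBH", request[:4])
    ra, attrs = request[4:20], dict(parse_attrs(request[20:length]))
    entry = USERS.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    given = password_xor(attrs.get(USER_PASSWORD, b""), secret, ra, hide=False)
    if code == ACCESS_REQUEST and entry and given.rstrip(b"\x00") == entry[0].encode():
        rcode, body = ACCESS_ACCEPT, attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)) + \
            cisco_avpair("shell:priv-lvl=%d" % entry[1])
    else:
        rcode, body = ACCESS_REJECT, b""
    head = struct.pack("!BBH", rcode, ident, 20 + len(body))
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret): the router can
    # only verify it if its key equals the clients.conf secret.
    return head + hashlib.md5(head + ra + body + secret).digest() + body


def router_check(request, response, key):
    """What the router does with the reply: verify it, then read shell:priv-lvl."""
    if response is None:
        raise TimeoutError("no reply: the router's IP is not a client in clients.conf")
    head, resp_auth = response[:4], response[4:20]
    body = response[20:struct.unpack("!H", head[2:4])[0]]
    if hashlib.md5(head + request[4:20] + body + key).digest() != resp_auth:
        raise ValueError("bad Response Authenticator: wrong shared key or forged reply")
    if head[0] != ACCESS_ACCEPT:
        return None
    for atype, v in parse_attrs(body):
        if atype == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            text = v[6:4 + v[5]].decode()  # vendor TLV: type at v[4], length at v[5]
            if text.startswith("shell:priv-lvl="):
                return int(text.split("=", 1)[1])
    return 1  # accepted without a priv-lvl: IOS uses the default exec level 1


def login(username, password, nas_ip="192.168.179.152", router_key=b"secretkey"):
    """Run the whole exchange in-process and return the granted privilege level."""
    req = access_request(username, password, nas_ip, router_key)
    return router_check(req, server_handle(req, nas_ip), router_key)
```

login("arbab", "password") returns 15 and login("ali", "testing") returns 3, exactly the shell:priv-lvl values from the users file, while a wrong password yields an Access-Reject (None). The two failure modes worth knowing when the real setup does not work are also modelled: a router whose IP is missing from clients.conf never gets an answer (FreeRADIUS drops the packet, the router sees a timeout), and a key on the router that differs from the clients.conf secret makes the server decrypt garbage (reject) and makes the router refuse the reply because the Response Authenticator does not verify.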
Logging at FreeRADIUS:
Move into the /var/log/freeradius/radacct/ directory and check the log of each device that you added in clients.conf; each NAS gets its own subdirectory, with one detail file per day:
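The detail files are plain text, one record per accounting packet, so they are easy to turn into a login audit. The following is an added example, not part of the tutorial: a small parser for the record layout rlm_detail writes (a timestamp line followed by indented Attr = Value lines, records separated by a blank line) that pairs Start and Stop records into exec sessions and separates the Accounting-On/Off events produced by the aaa accounting system command. The SAMPLE text is constructed to resemble what the router's exec and system accounting produce; it is not a real capture, and the attribute set on a real device may differ.

```python
"""Turn FreeRADIUS 'detail' accounting records (the files under /var/log/freeradius/radacct/)
into a list of exec sessions. Added example; SAMPLE is constructed, not a real capture."""
import re
from datetime import datetime, timezone

SAMPLE = """\
Sat Mar  1 12:00:01 2014
\tAcct-Session-Id = "00000005"
\tAcct-Status-Type = Start
\tAcct-Authentic = RADIUS
\tUser-Name = "arbab"
\tNAS-Port-Type = Virtual
\tCalling-Station-Id = "192.168.179.150"
\tService-Type = NAS-Prompt-User
\tNAS-IP-Address = 192.168.179.152
\tTimestamp = 1393675201

Sat Mar  1 12:01:30 2014
\tAcct-Session-Id = "00000006"
\tAcct-Status-Type = Start
\tUser-Name = "ali"
\tCalling-Station-Id = "192.168.179.150"
\tNAS-IP-Address = 192.168.179.152
\tTimestamp = 1393675290

Sat Mar  1 12:02:01 2014
\tAcct-Session-Id = "00000005"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 120
\tAcct-Terminate-Cause = User-Request
\tUser-Name = "arbab"
\tCalling-Station-Id = "192.168.179.150"
\tNAS-IP-Address = 192.168.179.152
\tTimestamp = 1393675321

Sat Mar  1 12:10:00 2014
\tAcct-Status-Type = Accounting-On
\tNAS-IP-Address = 192.168.179.152
\tTimestamp = 1393675800
"""

ATTR = re.compile(r'^\s+([\w-]+) = "?(.*?)"?$')


def parse_detail(text):
    """One dict per record: a timestamp line followed by indented 'Attr = Value' lines."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        rec = {"_logged": lines[0].strip()}
        for line in lines[1:]:
            m = ATTR.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        records.append(rec)
    return records


def exec_sessions(records):
    """Pair Start/Stop by (NAS, Acct-Session-Id). Accounting-On/Off come from
    'aaa accounting system' and mark a reload or AAA restart; they are returned separately."""
    sessions, device_events = {}, []
    for r in records:
        status = r.get("Acct-Status-Type")
        if status in ("Accounting-On", "Accounting-Off"):
            device_events.append((r.get("NAS-IP-Address"), status, int(r["Timestamp"])))
            continue
        key = (r.get("NAS-IP-Address"), r.get("Acct-Session-Id"))
        s = sessions.setdefault(key, {"nas": key[0], "user": r.get("User-Name"),
                                      "from": r.get("Calling-Station-Id"), "start": None,
                                      "stop": None, "seconds": None, "cause": None})
        if status == "Start":
            s["start"] = int(r["Timestamp"])
        elif status == "Stop":
            s["stop"] = int(r["Timestamp"])
            s["seconds"] = int(r.get("Acct-Session-Time", 0))
            s["cause"] = r.get("Acct-Terminate-Cause")
    return list(sessions.values()), device_events


def still_open(sessions):
    """Starts with no Stop: live sessions, or sessions whose Stop was lost (worth a look)."""
    return [s for s in sessions if s["stop"] is None]


def summarize(text):
    """One line per session and per device event, for a quick audit of a detail file."""
    fmt = lambda ts: datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    sessions, events = exec_sessions(parse_detail(text))
    lines = []
    for s in sessions:
        when = fmt(s["start"] if s["start"] is not None else s["stop"])
        state = "open" if s["stop"] is None else "%ds, %s" % (s["seconds"], s["cause"])
        lines.append("%s %s@%s from %s (%s)" % (when, s["user"], s["nas"], s["from"], state))
    for nas, status, ts in events:
        lines.append("%s %s on %s" % (fmt(ts), status, nas))
    return lines
```

Running summarize on the sample lists arbab's 120-second session, ali's session as still open, and the Accounting-On event; on a real directory you would feed it each day's detail file and look for sessions from unexpected source addresses, long-lived open sessions, and Accounting-On events that do not line up with a planned reload.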

Create new User with Privilege level 3:
This user can only view the configuration using show commands and configure the interface(s).
Edit the /etc/freeradius/users file:
sudo nano /etc/freeradius/users

Add user ali with a privilege level of 3:
ali Cleartext-Password := "testing"
    Service-Type = NAS-Prompt-User,
    Cisco-AVPair = "shell:priv-lvl=3"

Restart the FreeRADIUS service:
sudo /etc/init.d/freeradius restart

Test from Client Machine:
User Ali has privilege level 3, so he can run show commands but cannot yet view the running config, because show running-config is a level 15 command by default:

To allow user Ali to view the running config, configure the router from a level 15 account (or from the console) and move the command down to level 3:
privilege exec all level 3 show running-config

Now, check that Ali can view the running config (the view full keywords display the complete configuration rather than only the commands available at his level):
show running-config view full

User Ali cannot even run the configure terminal command:

Allow user Ali to run the configure terminal command as well as the interface-related commands:
privilege exec level 3 configure terminal
privilege configure all level 3 interface

Now, run the configure terminal and interface commands again as user Ali:

Hope this will help you!
Please Remember me in your prayers!