To configure a freeradius server for a cisco switch

0. As of recent, starting the free radius daemon on eg Debian like OS-es might provide you with hassle regarding permissions on the SSL keys. In case of startup problems, start the daemon with “-X” or run “strace -t open” to verify the access to the proper files.

1. On the router:
R1(config)# aaa new-model
R1(config)# radius-server host auth-port 1812 acct-port 1813 key SECRET_KEY
R1(config)# aaa authentication login default group radius local
R1(config)# line vty 0 4
R1(config-line)# login authentication default local
R1(config-line)# line con 0
R1(config-line)# login authentication default local

[the next part is optional, in case you want to assign special privilege levels to a user]
R1(config)# aaa authorization exec default group radius if-authenticated
R1(config)# aaa accounting exec default start-stop group radius
R1(config)# aaa accounting system default start-stop group radius

2. On the Debian Linux server:
# apt-get install freeradius
# vi /etc/freeradius/users
cisco Auth-Type := System
      Service-Type = NAS-Prompt-User,
      Cisco-AVpair  : = “shell:priv-lvl=15”

# vi /etc/freeradius/clients.conf:
client {
secret = SECRET_KEY
shortname = R1
nastype = cisco

3. Restart the daemon:

# service freeradius restart


The IP address is the Switch / Router address, SECRET_KEY is the authentication key.

3. For the users in radius, we’ll use the local users in Linux here:
[root@bertram ~]# /usr/sbin/useradd cisco
[root@bertram ~]# echo secret | passwd –stdin cisco
Changing password for user cisco.
passwd: all authentication tokens updated successfully.

-> telnet to the switch and login as cisco/secret.
——->>> this will actually work.

-> make sure you allow the ports  1812 + 1813 through iptables.


4. If it fails…

Try to add another IP address, eg a linux box, to add as a client as (the server itself is a good candidate) and see whether Radius will behave positively to an authorization check.

-> Add to the client.conf file:

client {

secret = SECRET_KEY

shortname = pi


And from a Linux box, try a CLI test:

$ radtest cisco cisco 0 SECRET_KEY

Sending Access-Request of id 153 to port 1812

User-Name = “cisco”

User-Password = “cisco”

NAS-IP-Address =

NAS-Port = 0

Message-Authenticator = 0x00000000000000000000000000000000

rad_recv: Access-Accept packet from host port 1812, id=153, length=51

Service-Type = NAS-Prompt-User

Cisco-AVPair = “shell:priv-lvl=15”


The thing to watch out for is: Access-Accept

This entry was posted in Cisco Networking, Technical. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *