0. Recently, starting the FreeRADIUS daemon on Debian-like OSes may give you trouble with permissions on the SSL keys. In case of startup problems, start the daemon with “-X” (debug mode, in the foreground) or run “strace -t open” to verify that it can access the proper files.
1. On the router:
R1(config)# aaa new-model
R1(config)# radius-server host 192.168.1.51 auth-port 1812 acct-port 1813 key SECRET_KEY
R1(config)# aaa authentication login default group radius local
R1(config)# line vty 0 4
R1(config-line)# login authentication default
R1(config-line)# line con 0
R1(config-line)# login authentication default
[the next part is optional, in case you want the privilege level returned by RADIUS to be applied to a user]
R1(config)# aaa authorization exec default group radius if-authenticated
R1(config)# aaa accounting exec default start-stop group radius
R1(config)# aaa accounting system default start-stop group radius
2. On the Debian Linux server:
# apt-get install freeradius
# vi /etc/freeradius/users
cisco Auth-Type := System
        Service-Type = NAS-Prompt-User,
        Cisco-AVpair = "shell:priv-lvl=15"
# vi /etc/freeradius/clients.conf
client 192.168.2.25 {
        secret = SECRET_KEY
        shortname = R1
        nastype = cisco
}
Then restart the daemon:
# service freeradius restart
The IP address in clients.conf is the switch/router address and SECRET_KEY is the shared secret; it must be the same key you configured on the router in step 1.
3. For the users in RADIUS we use the local Linux users on the server here:
[root@bertram ~]# /usr/sbin/useradd cisco
[root@bertram ~]# echo secret | passwd --stdin cisco
Changing password for user cisco.
passwd: all authentication tokens updated successfully.
-> telnet to the switch and log in as cisco/secret.
-> this will actually work.
-> make sure you allow UDP ports 1812 and 1813 through iptables.
4. If it fails…
Add another IP address as a client, e.g. a Linux box (the server itself is a good candidate), and check whether RADIUS answers an authentication request from it positively.
-> Add to the clients.conf file:
client 192.168.2.104 {
        secret = SECRET_KEY
        shortname = pi
}
And from a Linux box, try a CLI test:
$ radtest cisco cisco 192.168.2.250 0 SECRET_KEY
Sending Access-Request of id 153 to 192.168.2.250 port 1812
        User-Name = "cisco"
        User-Password = "cisco"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.2.250 port 1812, id=153, length=51
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:priv-lvl=15"
The line to look for is Access-Accept; an Access-Reject (or no answer at all) means something is still wrong.
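To see what radtest actually puts on the wire, and why both sides must hold the same SECRET_KEY, here is an added Python example (not part of the original post) that builds the same Access-Request, checks the Response Authenticator on the reply and pulls Service-Type and Cisco-AVPair out of it. The Access-Accept it parses is a constructed sample built by the script itself, and the user name, password, secret and client address are the ones from this walkthrough.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
CISCO = 9  # IANA vendor id inside the Vendor-Specific attribute (26); Cisco-AVPair is sub-type 1

def encrypt_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous cipher block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def _attr(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(user, password, secret, nas_ip, ident=153, authenticator=None):
    # The attributes radtest sends; Message-Authenticator (80) = HMAC-MD5(secret, packet with attr 80 zeroed)
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(1, user.encode())
             + _attr(2, encrypt_password(password.encode(), secret, authenticator))
             + _attr(4, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(5, struct.pack("!I", 0)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18) + authenticator
    mac = hmac.new(secret, header + attrs + _attr(80, b"\x00" * 16), "md5").digest()
    return header + attrs + _attr(80, mac)

def build_access_accept(request, secret, avpair):
    # Constructed sample reply carrying what the users entry above returns; not captured server output
    vsa = struct.pack("!I", CISCO) + _attr(1, avpair.encode())
    attrs = _attr(6, struct.pack("!I", 7)) + _attr(26, vsa)  # Service-Type 7 = NAS-Prompt-User
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def parse_reply(packet, request_authenticator, secret):
    # Response Authenticator = MD5(code+id+len + RequestAuth + attrs + secret): only a holder of the secret can produce it
    code, _, length = struct.unpack("!BBH", packet[:4])
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or spoofed reply")
    reply, pos = {"code": {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, code)}, 20
    while pos < length:
        atype, alen, value = packet[pos], packet[pos + 1], packet[pos + 2:pos + packet[pos + 1]]
        if atype == 6:
            reply["Service-Type"] = struct.unpack("!I", value)[0]
        elif atype == 26 and struct.unpack("!I", value[:4])[0] == CISCO and value[4] == 1:
            reply["Cisco-AVPair"] = value[6:4 + value[5]].decode()
        pos += alen
    return reply
```

A reply built with a different secret fails the authenticator check in parse_reply, which is the same reason a mismatched key in clients.conf or on the router never yields an Access-Accept.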