Cisco debian freeradius authentication with local fallback

This article describes the configuration of a radius server to Log on a cisco device

  • Freeradius server setup on debian
  • Radius server configuration for one cisco device and one user
  • Cisco device configuration to user the freeradius login
  • Cisco device configuration to fall back on local authentication when the radius server is unreachable

On your debian box:

apt-get install freeradius

Add at the end of file /etc/freeradius/3.0/clients.conf. In this file we define clients allowed to authenticate agains the radius server.

client {
secret = PASSTEST
nastype = cisco
shortname = Switch_test

We define a user « jdoe » witch password « theroot » and level 15 privilege on the Cisco device:
At the end of file /etc/freeradius/3.0/users:

jdoe Cleartext-Password := "theroot"
Service-Type = NAS-Prompt-User,
Cisco-AVPair = "shell:priv-lvl=15"

On your cisco device create an entry for your radius server.
Server name will be LNXSRV with the IP
The shared key is PASSTEST

radius server LNXSRV
address ipv4 auth-port 1812 acct-port 1813

Define a group server that will contain your radius server.
We define the group: GRPSRV
The radius server is LNXSRV

aaa group server radius GRPSRV
server name LNXSRV

To get access to your cisco device locally you are supposed to have something like:

aaa authentication login default local
aaa authentication login SSH local

To get radius authentication then it falls back to local change the two lines:

aaa authentication login default group GRPSRV local
aaa authentication login SSH group GRPSRV local

Warning: local authentication will occur only when the radius server is unreachable. To make some tests can stop radius services.

Cisco SNMP v3

Configure snmp v3:

snmp-server group GROUP v3 priv
snmr-server user USER GROUP v3 auth sha PUBPASSWORD priv aes 128 PRIVPASSWORD
snmp-server contact JohnDoe
snmp-server location Danlq

Change GROUP, USER, PUBPASSOWRD and PRIVPASSWORD according to your needs.

Get ID of the device:

sh snmp engineID

You get for example:

Local SNMP engineID: 300000090C009C4E90AFB1M3
Remote Engine ID          IP-addr    Port

Debian java 8 setup

Java 8 setup (for ELK for example):

echo "deb trusty main" | tee /etc/apt/sources.list.d/webupd8team-java.list
echo "deb-src trusty main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list
apt-key adv --keyserver hkp:// --recv-keys EEA14886
apt-get update
apt-get install oracle-java8-installer

Activate this java version:

# show all java version installed
update-java-alternatives -l
# use one of the installation by default :
update-java-alternatives -s java-8-oracle