Monthly Archives: September 2017

Cisco debian freeradius authentication with local fallback

This article describes how to configure a radius server for logging on to a Cisco device:

  • Freeradius server setup on debian
  • Radius server configuration for one cisco device and one user
  • Cisco device configuration to use the freeradius login
  • Cisco device configuration to fall back on local authentication when the radius server is unreachable

On your debian box:

apt-get install freeradius

Add the following at the end of the file /etc/freeradius/3.0/clients.conf. This file defines the clients (the network devices) allowed to send authentication requests to the radius server:

client 10.0.0.254 {
    secret = PASSTEST
    nastype = cisco
    shortname = Switch_test
}

We define a user "jdoe" with the password "theroot" and privilege level 15 on the Cisco device.
Add at the end of the file /etc/freeradius/3.0/users (the reply items on the following lines must be indented):

jdoe Cleartext-Password := "theroot"
    Service-Type = NAS-Prompt-User,
    Cisco-AVPair = "shell:priv-lvl=15"

On your Cisco device, create an entry for your radius server.
The server name will be LNXSRV with the IP 10.0.0.40.
The shared key is PASSTEST (the same secret as in clients.conf):

radius server LNXSRV
 address ipv4 10.0.0.40 auth-port 1812 acct-port 1813
 key PASSTEST

Define a server group that will contain your radius server.
The group is named GRPSRV.
Its member is the radius server LNXSRV:

aaa group server radius GRPSRV
 server name LNXSRV

For local access to your Cisco device you most likely already have something like:

aaa authentication login default local
aaa authentication login SSH local

To authenticate against radius first and fall back to local authentication, change the two lines to:

aaa authentication login default group GRPSRV local
aaa authentication login SSH group GRPSRV local

Warning: local authentication will occur only when the radius server is unreachable, not when it rejects the login. To test the fallback, you can stop the radius service.
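To check the server and the jdoe entry from the Debian box before touching the switch, here is an added example (not part of the original post) that sends one PAP Access-Request, verifies the Response Authenticator of the reply with the shared secret, and pulls the Cisco-AVPair out of an Access-Accept. It assumes the values above (10.0.0.40, PASSTEST, jdoe/theroot, NAS 10.0.0.254) and that the host you run it from is itself listed in clients.conf, since FreeRADIUS matches clients by source address (on the server, the default localhost entry and its secret apply).

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC, CISCO = 1, 2, 4, 26, 9

def pap_encrypt(secret, authenticator, password):  # RFC 2865 5.2: 16-byte blocks XOR MD5(secret + previous block)
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        prev = bytes(p ^ k for p, k in zip(password[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out
def attr(kind, value):  # Type, Length (header included), Value
    return struct.pack("!BB", kind, len(value) + 2) + value
def build_access_request(secret, ident, authenticator, user, password, nas_ip):
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_encrypt(secret, authenticator, password.encode()))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
def build_reply(secret, request_auth, code, ident, attrs):  # server side, RFC 2865 section 3
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def verify_response(secret, request_auth, ident, data):  # reply code, or None if wrong secret / spoofed / altered
    code, rid, length = struct.unpack("!BBH", data[:4]) if len(data) >= 20 else (0, -1, 0)
    if (rid != ident or not 20 <= length <= len(data)
            or data[:length] != build_reply(secret, request_auth, code, rid, data[20:length])):
        return None
    return code
def cisco_avpairs(data):  # Cisco-AVPair strings (vendor 9, vendor-type 1) of a verified reply
    pairs, pos, end = [], 20, struct.unpack("!H", data[2:4])[0]
    while pos + 2 <= end and data[pos + 1] >= 2:
        kind, length, value = data[pos], data[pos + 1], data[pos + 2:pos + data[pos + 1]]
        if kind == VENDOR_SPECIFIC and len(value) >= 6 and value[:4] == struct.pack("!I", CISCO) and value[4] == 1:
            pairs.append(value[6:4 + value[5]].decode(errors="replace"))
        pos += length
    return pairs

def probe(server="10.0.0.40", secret=b"PASSTEST", user="jdoe", password="theroot", nas_ip="10.0.0.254"):
    ident, ra = os.urandom(1)[0], os.urandom(16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(3)  # no answer within the timeout is what makes the switch fall back to local login
    sock.sendto(build_access_request(secret, ident, ra, user, password, nas_ip), (server, 1812))
    try:
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "unreachable"
    code = verify_response(secret, ra, ident, data)
    names = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}
    return names.get(code, "invalid reply") + (" " + " ".join(cisco_avpairs(data)) if code == ACCESS_ACCEPT else "")
```

Run probe() with the service up to see "accept shell:priv-lvl=15", then stop freeradius and run it again to see the "unreachable" condition the switch falls back on.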

Cisco SNMP v3

Configure snmp v3:

snmp-server group GROUP v3 priv
snmp-server user USER GROUP v3 auth sha PUBPASSWORD priv aes 128 PRIVPASSWORD
snmp-server contact JohnDoe
snmp-server location Danlq

Change GROUP, USER, PUBPASSWORD and PRIVPASSWORD according to your needs.

Get the SNMP engine ID of the device:

sh snmp engineID

You get, for example:

Local SNMP engineID: 300000090C009C4E90AFB1M3
Remote Engine ID          IP-addr    Port