This article describes the configuration of a radius server to log on to a cisco device:
- Setup of freeradius on debian
- Freeradius configuration for one cisco device and one user
- Cisco device configuration to use the freeradius login
- Cisco device configuration to fall back on local authentication when the radius server is unreachable
On your debian box:
Add at the end of file /etc/freeradius/3.0/clients.conf. In this file we define the clients (network devices) allowed to authenticate against the radius server. Replace <SWITCH_IP> with the management address of your Cisco device:
client <SWITCH_IP> {
        secret = PASSTEST
        nastype = cisco
        shortname = Switch_test
}
We define a user "jdoe" with password "theroot" and privilege level 15 on the Cisco device.
At the end of file /etc/freeradius/3.0/users:
jdoe    Cleartext-Password := "theroot"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"
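What actually crosses the wire between the switch and freeradius once these two files are in place: an RFC 2865 Access-Request carrying User-Name, a User-Password hidden with the shared secret, and the reply whose Response Authenticator the switch must verify. The code below is an added example, not part of the original article or of freeradius; it uses the user, password and secret from the configuration above, while the switch address (192.0.2.1) and the request authenticator are constructed values.

```python
"""Added example: build and check RFC 2865 RADIUS packets for the setup above.
User/password/secret come from the configuration; the NAS address is a
constructed placeholder."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC = 6, 26
SERVICE_TYPE_NAS_PROMPT = 7            # "NAS-Prompt-User" in the users file
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Cisco-AVPair: vendor type 1 under vendor 9

SECRET = b"PASSTEST"                   # shared secret from clients.conf
NAS_IP = "192.0.2.1"                   # constructed placeholder for the switch


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator.
    This is secret-keyed obfuscation, not encryption, hence the secret matters."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same computation (inverse of hide_password)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(value: bytes) -> bytes:
    """Vendor-Specific attribute carrying a Cisco-AVPair such as shell:priv-lvl=15."""
    inner = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, inner)


def build_access_request(identifier: int, authenticator: bytes, username: str,
                         password: str, secret: bytes, nas_ip: str) -> bytes:
    """What the switch sends for an SSH login attempt."""
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """Server reply; Response Authenticator = MD5(Code+ID+Length+ReqAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def response_authenticator_ok(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client-side check that the reply was produced by a holder of the shared secret."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet: bytes) -> dict:
    """Return {type: [raw values]}; rejects a length field that disagrees with the packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


if __name__ == "__main__":
    ra = os.urandom(16)   # Request Authenticator: fresh random bytes per request
    req = build_access_request(1, ra, "jdoe", "theroot", SECRET, NAS_IP)
    print("Access-Request:", req.hex())
    reply = build_response(ACCESS_ACCEPT, 1, ra, SECRET, cisco_avpair(b"shell:priv-lvl=15"))
    print("reply authentic:", response_authenticator_ok(reply, ra, SECRET))
```

Two points the packet layout makes visible: the password is only XOR-masked with an MD5 stream derived from the shared secret, so a weak PASSTEST is a weak protection for every login, and a reply is trusted only because its Response Authenticator matches, which is the check that ties the freeradius secret to the one in clients.conf.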
On your cisco device create an entry for your radius server.
The server name will be LNXSRV with the IP 10.0.0.40.
The shared key is PASSTEST:
radius server LNXSRV
 address ipv4 10.0.0.40 auth-port 1812 acct-port 1813
 key PASSTEST
Define a server group that will contain your radius server.
We define the group GRPSRV; its member is the radius server LNXSRV:
aaa group server radius GRPSRV
 server name LNXSRV
To get access to your cisco device locally you are supposed to have something like:
aaa authentication login SSH local
To try radius authentication first and fall back to local, change the two lines so that the server group is listed before local; for the login line:
aaa authentication login SSH group GRPSRV local
Warning: local authentication is used only when the radius server is unreachable, not when the radius server rejects the credentials. To test the fallback, stop the radius service.
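The behaviour behind this warning, modelled in code so it can be checked before touching a production switch: the method list is walked in order, any ACCEPT or REJECT from a method is final, and the next method is consulted only when the previous one gives no answer at all. This is an added example and not Cisco or freeradius code; the server group and server names follow the configuration above, while the local account "admin" and the user database are constructed for the simulation.

```python
"""Added example: model of an IOS-style method list
    aaa authentication login SSH group GRPSRV local
A later method is consulted only when the earlier one returns no answer
(server unreachable), never when it answers REJECT. Names follow the page;
the local account and the user database are constructed."""
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no_response"   # server unreachable / request timed out


class RadiusServer:
    """Stand-in for one 'radius server' entry; users mirrors the freeradius users file."""
    def __init__(self, name, users, reachable=True):
        self.name, self.users, self.reachable = name, users, reachable

    def authenticate(self, user, password):
        if not self.reachable:
            return Outcome.NO_RESPONSE
        return Outcome.ACCEPT if self.users.get(user) == password else Outcome.REJECT


class ServerGroup:
    """'aaa group server radius': the first member that answers settles the request;
    only when every member is silent does the group as a whole count as dead."""
    def __init__(self, name, servers):
        self.name, self.servers = name, servers

    def authenticate(self, user, password):
        for server in self.servers:
            result = server.authenticate(user, password)
            if result is not Outcome.NO_RESPONSE:
                return result
        return Outcome.NO_RESPONSE


class LocalDatabase:
    """The device's own 'username ... secret ...' entries."""
    name = "local"

    def __init__(self, users):
        self.users = users

    def authenticate(self, user, password):
        return Outcome.ACCEPT if self.users.get(user) == password else Outcome.REJECT


def run_method_list(methods, user, password):
    """Return (name of the method that decided, outcome). Any ACCEPT or REJECT
    ends the walk, so a live radius server that rejects a user means the local
    database is never asked; if every method is silent the login is denied."""
    for method in methods:
        result = method.authenticate(user, password)
        if result is not Outcome.NO_RESPONSE:
            return method.name, result
    return "none", Outcome.REJECT


def scenario(radius_up, user, password):
    """The page's setup (GRPSRV containing LNXSRV, then local) with the radius
    server up or down, evaluated for one login attempt."""
    lnxsrv = RadiusServer("LNXSRV", {"jdoe": "theroot"}, reachable=radius_up)
    grpsrv = ServerGroup("GRPSRV", [lnxsrv])
    local = LocalDatabase({"admin": "localpass"})   # constructed local fallback account
    return run_method_list([grpsrv, local], user, password)


if __name__ == "__main__":
    for up in (True, False):
        for creds in (("jdoe", "theroot"), ("admin", "localpass")):
            print("radius up  " if up else "radius down", creds, scenario(up, *creds))
```

Running it shows why the local-only account "admin" cannot log in while freeradius is reachable, and why jdoe is refused the moment the server goes down: each outcome is decided by exactly one method, which is also what you see in the device's AAA debug output when tracing a login.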