Category Archives: Cisco

Cisco debian freeradius authentication with local fallback

This article describes how to configure a RADIUS server for logging on to a Cisco device:

  • Freeradius server setup on debian
  • Radius server configuration for one cisco device and one user
  • Cisco device configuration to use the freeradius login
  • Cisco device configuration to fall back on local authentication when the radius server is unreachable

On your debian box:

apt-get install freeradius

Add the following at the end of /etc/freeradius/3.0/clients.conf. This file defines the clients (the network devices) allowed to authenticate against the radius server.

client 10.0.0.254 {
secret = PASSTEST
nastype = cisco
shortname = Switch_test
}

We define a user « jdoe » with password « theroot » and privilege level 15 on the Cisco device.
At the end of file /etc/freeradius/3.0/users:

jdoe Cleartext-Password := "theroot"
    Service-Type = NAS-Prompt-User,
    Cisco-AVPair = "shell:priv-lvl=15"

On your cisco device create an entry for your radius server.
Server name will be LNXSRV with the IP 10.0.0.40.
The shared key is PASSTEST

radius server LNXSRV
address ipv4 10.0.0.40 auth-port 1812 acct-port 1813
key PASSTEST

Define a group server that will contain your radius server.
We define the group: GRPSRV
The radius server is LNXSRV

aaa group server radius GRPSRV
server name LNXSRV

To get local access to your cisco device you should already have something like:

aaa authentication login default local
aaa authentication login SSH local

To authenticate against radius first and fall back to local, change the two lines to:

aaa authentication login default group GRPSRV local
aaa authentication login SSH group GRPSRV local

Warning: local authentication is used only when the radius server is unreachable; a login rejected by the radius server does not fall back to local. To test the fallback, stop the radius service.
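As an added illustration (not code from the original article): the Access-Request the switch sends to FreeRADIUS, built in Python from the values above (shared secret PASSTEST, client 10.0.0.254, user jdoe / theroot), and the decode the server performs with its own copy of the secret. This shows what the shared key in clients.conf and the `key` line on the switch actually protect. The packet, its authenticator and the `users` dictionary are constructed here; the attribute numbers are the RFC 2865 ones.

```python
import hashlib
import secrets
import struct

# Taken from the article's clients.conf entry and radius server definition.
SHARED_SECRET = b"PASSTEST"
NAS_IP = "10.0.0.254"

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_NAS_PROMPT_USER = 7   # Service-Type the users file hands back for jdoe


def _xor_blocks(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, keystream))
        out += result
        prev = block if decrypt else result   # chaining always uses the hidden (wire) block
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-byte multiple
    return _xor_blocks(padded, secret, authenticator, decrypt=False)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_blocks(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(username: str, password: str, secret: bytes,
                         identifier: int = 1, authenticator: bytes = b"") -> bytes:
    """Access-Request as the switch would send it (constructed; real IOS adds more attributes)."""
    authenticator = authenticator or secrets.token_bytes(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
             + attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT_USER)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {"code": code, "id": identifier, "authenticator": packet[4:20], "attrs": attrs}


def server_check(packet: bytes, secret: bytes, users: dict) -> bool:
    """Server side: recover the password with the configured secret and compare with the users file."""
    p = parse_attributes(packet)
    name = p["attrs"][ATTR_USER_NAME].decode()
    password = reveal_password(p["attrs"][ATTR_USER_PASSWORD], secret, p["authenticator"])
    return name in users and password == users[name].encode()


if __name__ == "__main__":
    users = {"jdoe": "theroot"}   # constructed stand-in for /etc/freeradius/3.0/users
    pkt = build_access_request("jdoe", "theroot", SHARED_SECRET)
    print("same secret on both sides:", server_check(pkt, SHARED_SECRET, users))
    print("secret mismatch:", server_check(pkt, b"WRONGKEY", users))
```

The hiding is only an MD5 keystream derived from the secret and a 16-byte authenticator, which is why the clients.conf secret should be long and random rather than a word like PASSTEST, and why the server should be reachable over a trusted network only. Before pointing the switch at the server, the same exchange can be tried with `radtest` from the freeradius-utils package.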

Cisco SNMP v3

Configure snmp v3:

snmp-server group GROUP v3 priv
snmp-server user USER GROUP v3 auth sha PUBPASSWORD priv aes 128 PRIVPASSWORD
snmp-server contact JohnDoe
snmp-server location Danlq

Change GROUP, USER, PUBPASSWORD and PRIVPASSWORD according to your needs.

Get the engineID of the device:

sh snmp engineID

You get for example:

Local SNMP engineID: 300000090C009C4E90AFB1M3
Remote Engine ID          IP-addr    Port
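The engineID matters because SNMPv3 never uses PUBPASSWORD and PRIVPASSWORD directly: the agent (and every manager that talks to it) derives keys that are bound to this engineID. The following is an added example, not from the original article, computing those keys in Python according to RFC 3414 key localization; the engineID used here is constructed, not the one printed above.

```python
import hashlib


def password_to_key(password: bytes, algorithm: str = "sha1") -> bytes:
    """RFC 3414 A.2: hash the password repeated/concatenated out to exactly 1,048,576 bytes (Ku)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(algorithm, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "sha1") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || engineID || Ku); the result is only valid for this engine."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id_hex: str, algorithm: str = "sha1") -> bytes:
    """engine_id_hex is the hex string shown by 'sh snmp engineID'."""
    return localize_key(password_to_key(password.encode(), algorithm),
                        bytes.fromhex(engine_id_hex), algorithm)


def usm_keys(auth_password: str, priv_password: str, engine_id_hex: str) -> dict:
    """Keys behind 'auth sha ... priv aes 128 ...': a 20-byte SHA-1 HMAC key and a 16-byte
    AES-128 key (RFC 3826 uses the first 128 bits of the localized privacy key)."""
    return {
        "auth": localized_key(auth_password, engine_id_hex, "sha1"),
        "priv": localized_key(priv_password, engine_id_hex, "sha1")[:16],
    }


# Constructed 12-byte engineID for demonstration (hex, as 'sh snmp engineID' prints it).
EXAMPLE_ENGINE_ID = "800000090300aabbccddeeff"

if __name__ == "__main__":
    keys = usm_keys("PUBPASSWORD", "PRIVPASSWORD", EXAMPLE_ENGINE_ID)
    print("auth key:", keys["auth"].hex())
    print("priv key:", keys["priv"].hex())
```

Two consequences for operations: the same PUBPASSWORD yields a different key on every device, so a manager must learn the engineID first (the discovery exchange) before it can authenticate, and the 1 MB hashing step is the only work factor protecting the passwords, so they should be long and unique.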

Cisco NAT range ports

This article describes how to open a port range from outside to an inside server.

fa0/0 is the public interface
The public interface has IP address 222.10.10.1
fa0/1 is the LAN interface
The LAN network is 192.168.99.0/24

Create an extended acl

R1(config)#ip access-list extended NAT_SERVER1
R1(config-ext-nacl)#permit tcp host 192.168.99.10 range 40000 60000 any
R1(config-ext-nacl)#permit udp host 192.168.99.10 range 40000 60000 any
R1(config-ext-nacl)#exit

Associate the acl with a route-map

R1(config)#route-map NAT_SERVER1_RULES permit 10
R1(config-route-map)#match ip address NAT_SERVER1

Finally, NAT with the route-map

R1(config)#ip nat inside source static 192.168.99.10 222.10.10.1 route-map NAT_SERVER1_RULES
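The three blocks above only work together if the names and addresses line up: the route-map must match an ACL that exists, the NAT statement must reference a route-map that exists, and the inside address being translated must be a host the ACL actually permits. A mismatch silently leaves the server unreachable. The following added example (not from the original article) parses such a configuration in Python and reports those cross-reference errors; both configurations in it are constructed, the second with a deliberately mistyped inside address.

```python
import re

PROMPT = re.compile(r"^\S*\(config[^)]*\)#")   # strips "R1(config-ext-nacl)#" style prompts


def parse_nat_config(text: str):
    acls = {}         # ACL name -> set of host addresses it permits
    route_maps = {}   # route-map name -> list of ACL names it matches
    nat_rules = []    # (inside address, outside address, route-map name)
    current_acl = current_rm = None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if not line or line == "exit":
            current_acl = current_rm = None
            continue
        if m := re.match(r"ip access-list extended (\S+)$", line):
            current_acl, current_rm = m.group(1), None
            acls.setdefault(current_acl, set())
        elif m := re.match(r"route-map (\S+) (?:permit|deny) \d+$", line):
            current_rm, current_acl = m.group(1), None
            route_maps.setdefault(current_rm, [])
        elif (m := re.match(r"permit (?:tcp|udp|ip) host (\d+\.\d+\.\d+\.\d+)", line)) and current_acl:
            acls[current_acl].add(m.group(1))
        elif (m := re.match(r"match ip address (\S+)$", line)) and current_rm:
            route_maps[current_rm].append(m.group(1))
        elif m := re.match(r"ip nat inside source static (\S+) (\S+) route-map (\S+)$", line):
            nat_rules.append(m.groups())
    return acls, route_maps, nat_rules


def check_nat_config(text: str) -> list:
    """Return a list of cross-reference problems; an empty list means the blocks are consistent."""
    acls, route_maps, nat_rules = parse_nat_config(text)
    problems = []
    for rm, acl_names in route_maps.items():
        for acl in acl_names:
            if acl not in acls:
                problems.append(f"route-map {rm} matches undefined ACL {acl}")
    for inside, outside, rm in nat_rules:
        if rm not in route_maps:
            problems.append(f"NAT rule for {inside} references undefined route-map {rm}")
            continue
        hosts = set().union(*(acls.get(a, set()) for a in route_maps[rm]))
        if inside not in hosts:
            problems.append(f"NAT inside address {inside} is not a host permitted by the ACL(s) behind route-map {rm}")
    return problems


# Constructed configuration following the article's layout.
GOOD_CONFIG = """
R1(config)#ip access-list extended NAT_SERVER1
R1(config-ext-nacl)#permit tcp host 192.168.99.10 range 40000 60000 any
R1(config-ext-nacl)#permit udp host 192.168.99.10 range 40000 60000 any
R1(config-ext-nacl)#exit
R1(config)#route-map NAT_SERVER1_RULES permit 10
R1(config-route-map)#match ip address NAT_SERVER1
R1(config)#ip nat inside source static 192.168.99.10 222.10.10.1 route-map NAT_SERVER1_RULES
"""

# Same configuration with a mistyped inside address on the NAT line.
BAD_CONFIG = GOOD_CONFIG.replace("static 192.168.99.10", "static 192.168.45.10")

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_nat_config(cfg) or "ok")
```

Running `show run | section access-list|route-map|ip nat` on the router and feeding the output to `check_nat_config` gives the same checks on a live configuration.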