
Cisco, Debian and FreeRADIUS authentication with local fallback

This article describes how to configure a RADIUS server for logging on to a Cisco device:

  • FreeRADIUS server setup on Debian
  • RADIUS server configuration for one Cisco device and one user
  • Cisco device configuration to use the FreeRADIUS login
  • Cisco device configuration to fall back on local authentication when the RADIUS server is unreachable

On your Debian box:

apt-get install freeradius

Add the following at the end of /etc/freeradius/3.0/clients.conf. In this file we define the clients (the network devices) allowed to authenticate against the RADIUS server, each with its own shared secret:

client Switch_test {
    ipaddr = <SWITCH_IP>      # placeholder: the IP address of the Cisco device (not given in the article)
    secret = PASSTEST
    nastype = cisco
    shortname = Switch_test
}

We define a user « jdoe » with password « theroot » and privilege level 15 on the Cisco device.
At the end of file /etc/freeradius/3.0/users:

jdoe Cleartext-Password := "theroot"
	Service-Type = NAS-Prompt-User,
	Cisco-AVPair = "shell:priv-lvl=15"
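To show what the client secret and the user entry above actually do on the wire, here is an added Python example (it is not FreeRADIUS or Cisco code) that models one RADIUS Access-Request/Access-Accept exchange following RFC 2865: the device side hides the password with the shared secret PASSTEST, the server side decrypts it, checks it against the jdoe/theroot entry and answers with Service-Type = NAS-Prompt-User and the Cisco-AVPair shell:priv-lvl=15 carried in a Vendor-Specific attribute; the device side then verifies the Response Authenticator and reads the privilege level. The function names, the in-memory USERS table and the BADSECRET value are assumptions made for this example.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC = 1, 2, 6, 26
NAS_PROMPT_USER = 7                    # Service-Type value "NAS-Prompt-User"
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Vendor-Id 9 = Cisco, vendor type 1 = Cisco-AVPair
SHARED_SECRET = b"PASSTEST"            # secret from the clients.conf entry
USERS = {"jdoe": "theroot"}            # the users-file entry (assumed in-memory table for the example)


def password_xor(data: bytes, secret: bytes, request_auth: bytes, encrypt: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous ciphertext block)."""
    if encrypt:
        data += b"\x00" * (-len(data) % 16)          # pad the cleartext to a multiple of 16
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if encrypt else data[i:i + 16]  # the chain always runs over ciphertext
    return out if encrypt else out.rstrip(b"\x00")


def attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute carrying one Cisco-AVPair (Vendor-Id 9, vendor type 1)."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def parse_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code: int, ident: int, auth: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def nas_build_request(username: str, password: str, secret: bytes, ident: int = 1):
    """Device side: Access-Request with User-Name and the hidden User-Password."""
    request_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username.encode())
    attrs += attr(ATTR_USER_PASSWORD, password_xor(password.encode(), secret, request_auth, True))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(packet: bytes, secret: bytes) -> bytes:
    """Server side: recover the password with the client's secret, check the users table, reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], dict(parse_attrs(packet[20:length]))
    username = attrs[ATTR_USER_NAME].decode()
    password = password_xor(attrs[ATTR_USER_PASSWORD], secret, request_auth, False).decode(errors="replace")
    if USERS.get(username) == password:
        reply = attr(ATTR_SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER))
        reply += cisco_avpair("shell:priv-lvl=15")
        code = ACCESS_ACCEPT
    else:
        reply, code = b"", ACCESS_REJECT
    auth = response_authenticator(code, ident, reply, request_auth, secret)
    return build_packet(code, ident, auth, reply)


def nas_read_reply(reply: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Device side: verify the Response Authenticator, then extract the privilege level."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[20:length]
    if reply[4:20] != response_authenticator(code, ident, attrs, request_auth, secret):
        return {"accepted": False, "reason": "bad response authenticator (shared secret mismatch?)"}
    result = {"accepted": code == ACCESS_ACCEPT, "priv_lvl": None}
    for t, value in parse_attrs(attrs):
        if t == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            text = value[6:6 + value[5] - 2].decode()   # skip vendor type and vendor length
            if text.startswith("shell:priv-lvl="):
                result["priv_lvl"] = int(text.split("=", 1)[1])
    return result


def login(username: str, password: str, nas_secret: bytes = SHARED_SECRET) -> dict:
    """Full round trip: the device uses nas_secret, the server always uses PASSTEST."""
    request, request_auth = nas_build_request(username, password, nas_secret)
    return nas_read_reply(server_handle(request, SHARED_SECRET), request_auth, nas_secret)


if __name__ == "__main__":
    print(login("jdoe", "theroot"))                 # accepted with priv_lvl 15
    print(login("jdoe", "wrong"))                   # rejected
    print(login("jdoe", "theroot", b"BADSECRET"))   # reply cannot be verified
```

Running the three calls shows why the secret in clients.conf must match the key configured on the Cisco device: with a mismatch the server does not see a wrong password but an undecryptable one, and the device cannot verify the reply it gets back, so the login fails even though the user entry is correct.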

On your Cisco device, create an entry for your RADIUS server.
The server name will be LNXSRV, with its IP address.
The shared key is PASSTEST:

radius server LNXSRV
 ! <RADIUS_SERVER_IP> is a placeholder: the article does not give the server's address
 address ipv4 <RADIUS_SERVER_IP> auth-port 1812 acct-port 1813
 key PASSTEST

Define a server group that will contain your RADIUS server.
The group is GRPSRV and the RADIUS server in it is LNXSRV:

aaa group server radius GRPSRV
 server name LNXSRV

For local access to your Cisco device you should already have something like:

aaa authentication login default local
aaa authentication login SSH local

To authenticate against RADIUS first and fall back to local authentication, change the two lines to:

aaa authentication login default group GRPSRV local
aaa authentication login SSH group GRPSRV local

Warning: local authentication is used only when the RADIUS server is unreachable, not when it rejects the credentials. To test the fallback, you can stop the radius service.
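To make the warning concrete, here is an added Python model (it is not Cisco's AAA code) of how a login method list such as "group GRPSRV local" is walked, as described above: a method that gives an answer, accept or reject, ends the evaluation, and only a method that cannot answer because the RADIUS server is unreachable hands over to the next one. The Result enum, the LOCAL_USERS table and the server_up flag are assumptions made for this example.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"     # credentials accepted by this method
    FAIL = "fail"     # credentials rejected by this method
    ERROR = "error"   # method could not be consulted (RADIUS server unreachable)


LOCAL_USERS = {"admin": "localpw"}    # constructed sample local account on the device
RADIUS_USERS = {"jdoe": "theroot"}    # the users-file entry from the article


def radius_method(user: str, password: str, server_up: bool) -> Result:
    """The 'group GRPSRV' method: no answer at all when the server is down."""
    if not server_up:
        return Result.ERROR
    return Result.PASS if RADIUS_USERS.get(user) == password else Result.FAIL


def local_method(user: str, password: str, server_up: bool) -> Result:
    """The 'local' method: the device's own username database always answers."""
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


METHOD_LIST = [("group GRPSRV", radius_method), ("local", local_method)]


def aaa_login(methods, user: str, password: str, server_up: bool = True):
    """Walk the method list: stop on PASS or FAIL, continue only on ERROR.

    Returns (accepted, name of the method that decided). If every method
    errors, the login is denied, which is what IOS does without a 'none' method.
    """
    for name, method in methods:
        result = method(user, password, server_up)
        if result is not Result.ERROR:
            return result is Result.PASS, name
    return False, "no method answered"


if __name__ == "__main__":
    print(aaa_login(METHOD_LIST, "jdoe", "theroot"))                   # (True, 'group GRPSRV')
    print(aaa_login(METHOD_LIST, "admin", "localpw"))                  # (False, 'group GRPSRV')
    print(aaa_login(METHOD_LIST, "admin", "localpw", server_up=False)) # (True, 'local')
```

The second call is the point of the warning: while the RADIUS server is up, the device's local "admin" account is rejected by the server and never reaches the local method, so the local account only works during an outage. Keep that in mind when deciding which accounts must stay usable at all times.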