
Authenticating a Cisco Device against FreeRADIUS

Introduction

There are many ways to authenticate users on Cisco devices.  The most basic is to set a password on the "vty" and "console" lines and then enable "login" on those lines.  This is also very insecure and nearly impossible to audit, because everyone who administers the device shares one password.  Another way is to create a local AAA user database and authenticate against it with a username and password on each switch.  This works if you only have one switch or router in your network.  If you have more than that, maintaining the list of users and passwords on each and every device becomes cumbersome.  To avoid this problem there are several options for authenticating against a centralized user and password database.  A centralized database makes it simpler to add and remove users, conduct audits, and maintain access controls.  This can be accomplished with a RADIUS server or a Cisco TACACS+ server.  Cisco provides a document on the differences between these two methods (http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml).  

There are many different RADIUS servers out there.  If you are using Active Directory in your organization you may want to consider IAS or, in newer versions of Windows Server, NPS.  If you are familiar with Linux you may want to consider FreeRADIUS.  FreeRADIUS also gives you the ability to add free two-factor authentication via Google Authenticator (FreeRADIUS Google Dual Factor Authenticator).  For the purposes of this tutorial, we will use Ubuntu 12.04 and FreeRADIUS.

FreeRADIUS is a popular open source RADIUS server.  RADIUS is a standardized authentication protocol (RFC 2865) that can be used to authenticate many different devices, including VPNs, routers, switches, computers, and much more.  For more information on FreeRADIUS see http://freeradius.org/.

Tutorial

Now, how to set it up.

For the purpose of this tutorial I will be using Ubuntu 12.04 Server, but this should adapt easily to many other distributions.

Install FreeRADIUS

sudo bash
apt-get update
apt-get install freeradius


Environment

Right now, my switch is very basic.  All I have done is give it an IP address, set the line login password to 'password', and set the enable password to 'cisco'.  I certainly recommend you use something much more complex than that, and prefer "enable secret" over "enable password": the latter is stored in the running config in the clear (note "no service password-encryption" below), while "enable secret" stores only a hash.  Essentially it looks like this:

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
!
!
no aaa new-model
system mtu routing 1500
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!         
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
 switchport access vlan 100
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 ip address 10.0.0.10 255.255.255.0
!
ip http server
ip http secure-server
!
line con 0
 password password
 login
line vty 0 4
 password password
 login
line vty 5 15
 password password
 login
!
end
  
My FreeRADIUS server is attached directly to interface GigabitEthernet0/2.  The switch has an IP address of 10.0.0.10 and the server has an IP address of 10.0.0.5.  /etc/network/interfaces looks like this:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 10.0.0.5
netmask 255.255.255.0

Now that you understand how everything is connected, let's move forward and get it working.


Configuring FreeRADIUS


Configuring the clients.conf file

The first item you need to take care of is to tell FreeRADIUS about the Cisco switch.  To do this, edit the /etc/freeradius/clients.conf file and add the following lines to the bottom of the file:

client 10.0.0.10 {
       secret = mysupersecretpassword2
}

This defines a client entry for the switch, keyed by its source IP address, together with its shared secret.  When you choose yours, use something much longer and more complex than what you see here, but for this tutorial we will just use "mysupersecretpassword2".  FreeRADIUS silently ignores requests from any source address that is not listed in clients.conf, so the address must be the one the switch actually sends from (here, the Vlan100 address).  The shared secret itself never crosses the wire: the switch uses it to hide the User-Password attribute in the Access-Request (an MD5-based XOR defined in RFC 2865 section 5.2), and the server uses it to compute the Response Authenticator on its reply.  A request sent with the wrong secret therefore decodes to a garbage password and is rejected.  Because of this, we will need to use the same shared secret on the switch when we configure it.  Keep in mind that this hiding is not strong encryption, so RADIUS traffic between the switch and the server belongs on a trusted management network.
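To make the role of the shared secret concrete, here is a small added example of my own (it is not code from this tutorial, from Cisco or from FreeRADIUS) that models the exchange in Python with both the switch side and the server side simulated in one process.  The secret, username and password are the tutorial's values; the fixed Request Authenticator and the USERS dictionary standing in for the users file are constructed for the demonstration, and every function name is mine.  It shows the three cases you meet in practice: matching secrets give an Access-Accept the switch can verify, a mistyped key on the switch gives a reject the switch cannot even verify, and a wrong password gives a verifiable reject.

```python
"""
Added example, not part of the original tutorial or of FreeRADIUS: a model of
what the RADIUS shared secret does on the wire (RFC 2865), run entirely
in-process with the switch side and the server side both simulated.

  * The client (the switch) hides the User-Password attribute by XORing it,
    16 bytes at a time, with an MD5 keystream derived from the secret and
    the 16-byte Request Authenticator (section 5.2).
  * The server accepts the login only if the un-hidden password matches the
    users file, and proves it knows the secret by placing
    MD5(Code|ID|Length|RequestAuth|Attributes|secret) in the reply header
    (the Response Authenticator, section 3).

The secret, user name and password are the tutorial's values.  The Request
Authenticator is a constructed constant so the exchange is repeatable; a real
client must use a fresh random one for every request.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

SECRET = b"mysupersecretpassword2"       # clients.conf "secret" == switch "key"
USERS = {b"radcisco": b"password"}       # constructed stand-in for the users file


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then c[i] = p[i] XOR MD5(secret + c[i-1]),
    where c[-1] is the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def unhide_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the server does it before checking the users file.
    Trailing NULs are padding and are stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    """Walk the TLV list; a length below 2 would loop forever, so treat it as malformed."""
    attrs, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(secret, ident, username, password, request_auth=None):
    """Switch side: Access-Request carrying User-Name and a hidden User-Password."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + \
        _attr(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def server_handle(secret, packet, users=USERS):
    """Server side: un-hide the password with *its* copy of the secret and answer."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], parse_attributes(packet[20:length])
    pw = unhide_password(secret, request_auth, attrs[ATTR_USER_PASSWORD])
    ok = hmac.compare_digest(users.get(attrs[ATTR_USER_NAME], b""), pw)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    response_auth = hashlib.md5(header + request_auth + secret).digest()  # no reply attrs
    return header + response_auth


def verify_response(secret, request_auth, packet) -> bool:
    """Client side: recompute the Response Authenticator before trusting the reply."""
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def exchange(switch_secret, server_secret, username=b"radcisco", password=b"password"):
    """One round trip; returns (reply code, whether the switch trusts the reply)."""
    request_auth = bytes(range(16))          # constructed, fixed for repeatability
    request = build_access_request(switch_secret, 7, username, password, request_auth)
    reply = server_handle(server_secret, request)
    return reply[0], verify_response(switch_secret, request_auth, reply)


if __name__ == "__main__":
    print("matching secrets :", exchange(SECRET, SECRET))                   # (2, True)
    print("wrong switch key :", exchange(SECRET, b"typo"))                  # (3, False)
    print("wrong password   :", exchange(SECRET, SECRET, password=b"nope"))  # (3, True)
```

Run it with python3.  The second case is what a mismatched "key" on the switch looks like from the server's point of view: the request arrives from a known client, but the password it decodes to can never match the users file, so every login is rejected no matter what the user types.  That is also why the same secret must be pasted, character for character, into both clients.conf and the switch's radius-server line.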


Configuring the users file

Next, we need to add a user that will be used to authenticate to the device.  To do this, edit the /etc/freeradius/users file.  There are other ways of doing this rather than adding static users to the users file: you can also use the local Unix password database or any PAM module to authenticate your users, but for the purposes of this tutorial we will simply add a user to the users file.

Right at the top of the file you should see something like this:

#
#       Please read the documentation file ../doc/processing_users_file,
#       or 'man 5 users' (after installing the server) for more information.
#
#       This file contains authentication security and configuration
#       information for each user.  Accounting requests are NOT processed
#       through this file.  Instead, see 'acct_users', in this directory.
#
#       The first field is the user's name and can be up to
#       253 characters in length.  This is followed (on the same line) with
#       the list of authentication requirements for that user.  This can
#       include password, comm server name, comm server port number, protocol
#       type (perhaps set by the "hints" file), and huntgroup name (set by
#       the "huntgroups" file).
#
#       If you are not sure why a particular reply is being sent by the
#       server, then run the server in debugging mode (radiusd -X), and
#       you will see which entries in this file are matched.
#
#       When an authentication request is received from the comm server,
#       these values are tested. Only the first match is used unless the
#       "Fall-Through" variable is set to "Yes".
#
#       A special user named "DEFAULT" matches on all usernames.
#       You can have several DEFAULT entries. All entries are processed
#       in the order they appear in this file. The first entry that
#       matches the login-request will stop processing unless you use
#       the Fall-Through variable.
#
#       If you use the database support to turn this file into a .db or .dbm
#       file, the DEFAULT entries _have_ to be at the end of this file and
#       you can't have multiple entries for one username.
#
#       Indented (with the tab character) lines following the first
#       line indicate the configuration values to be passed back to
#       the comm server to allow the initiation of a user session.
#       This can include things like the PPP configuration values
#       or the host to log the user onto.
#
#       You can include another `users' file with `$INCLUDE users.other'
#

#
#       For a list of RADIUS attributes, and links to their definitions,
#       see:
#
#       http://www.freeradius.org/rfc/attributes.html
#

Directly after this, add this line:

radcisco    Cleartext-Password := "password"

Now you have added a user called "radcisco" with the password "password".  Once again, use something more complex than this when you actually deploy it. :)  Note that Cleartext-Password stores the password in clear text on the server, so keep the users file readable only by root and the account FreeRADIUS runs as.

Restart FreeRADIUS


Your FreeRADIUS server is now configured, and you need to restart it (or reload its configuration) for the changes to take effect.

service freeradius restart

Before touching the switch, check that the server side works on its own.  If the service fails to start, stop it and run "freeradius -X" in the foreground; it prints any configuration parse error and then logs every request it receives and which users-file entry matched.  You can also test the new user from the server itself with radtest (from the freeradius-utils package) against the built-in localhost client, whose secret in the stock clients.conf is "testing123":

radtest radcisco password 127.0.0.1 0 testing123

A working setup answers with an Access-Accept.  A reject here means the users file is wrong; there is no point in debugging the switch until this passes.

Configuring the Cisco Switch

You now need to log in to your switch and make the necessary configuration changes.  One thing you will also want to do is set a local AAA user, in case your RADIUS server goes down or becomes unreachable.  Otherwise you will be locked out of your device.  Keep the credentials for this user secret and do not use them yourself unless the RADIUS server is down.  In fact, with the method list below they will not work at all unless the RADIUS server is unreachable: a reject from RADIUS ends the login attempt, and only a timeout falls through to the local database.  For the purpose of this tutorial we will make a local AAA user called "admin" with a password of "p@ssw0rd".

Log in to your device and issue the following commands.  Make sure you are already in enable mode.

config t
aaa new-model
username admin password 0 p@ssw0rd
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key mysupersecretpassword2
aaa authentication login default group radius local

You will also notice that we configured the RADIUS server with the shared secret we used before, "mysupersecretpassword2", and that we set the ports explicitly to the standard 1812 (authentication) and 1813 (accounting); older IOS releases default to 1645/1646, which FreeRADIUS does not listen on unless you tell it to.  The final line defines the default login method list: the switch tries the radius group first and falls back to the local database only if no RADIUS server responds.  Because "aaa new-model" makes every line use this default list, it also applies to the console, and the "password" commands on the vty and console lines are no longer used for login (the "login" keyword disappears from them in the final config below).  The enable password is still checked locally.  Two things worth doing outside a lab: use "username admin secret ..." and "enable secret ..." so the passwords are stored hashed instead of in the clear, and give the console its own method list (for example "aaa authentication login CONSOLE local" applied with "login authentication CONSOLE" under "line con 0") so that a RADIUS server that is up but rejecting can never lock you out of the physical console.

Last, make sure you save your config:

write memory

Final Config

This is what your configuration should look like when you are done.

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
username admin password 0 p@ssw0rd
!
!
aaa new-model
!
!
aaa authentication login default group radius local
!
!
!
aaa session-id common
system mtu routing 1500
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!         
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
 switchport access vlan 100
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 ip address 10.0.0.10 255.255.255.0
!
ip http server
ip http secure-server
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key mysupersecretpassword2
!
line con 0
 password password
line vty 0 4
 password password
line vty 5 15
 password password
!
end

Testing your Configuration

Well, if you've done everything correctly, you should now be able to log in to your Cisco switch using the "radcisco" user and the password "password".  Keep in mind that telnet, used below, sends these credentials in the clear; for anything beyond a lab, enable SSH and restrict the vty lines to it with "transport input ssh".

Lets give it a try.

# telnet 10.0.0.10
Trying 10.0.0.10...
Connected to 10.0.0.10.
Escape character is '^]'.


User Access Verification

Username: radcisco
Password: 

Switch>en
Password: 
Switch#

And it looks like it's working great!

If for some reason it's not working, first find out whether the switch is getting a reject or no answer at all.  On the server, stop the service and run "freeradius -X" in the foreground: if the request never appears, the switch's source address is not in clients.conf or the packets are not reaching the server; if it appears but the password never matches, the shared secret on the switch differs from the one in clients.conf (the decoded password is garbage) or the users entry is wrong.  On the switch, "debug radius" and "debug aaa authentication" show whether the request is sent and what comes back.  Remember that the local user ("admin" / "p@ssw0rd") only works when the RADIUS server does not answer at all; if it answers with a reject, the local database is never consulted.
