Configuring FreeRadius for AAA Cisco clients

AAA is a network protocol that define basically three functionality, Authentication, Authorization  and Accounting. It’s very useful for distributed systems to need authenticate users to have access for a specific services. In this post We’ll configure FreeRadius as AAA server and configure a Cisco device to allow login connections across ssh with the radius users configured on the server.

AAA-communication

The devices used in this scenario are:

- Cisco Router: 192.168.0.254/24

- Debian Server (FreeRadius): 192.168.0.1/24

Freeradius configuration
- Install freeradius:

# apt-get install freeradius
- Edit clients configuration file:

# vi /etc/freeradius/clients.conf
 
client 192.168.0.254 {
secret = shar3k3y
nastype = cisco
shortname = rcentral
}
 
- Add the new user to allow login to our router with a privilege level of 15:

# vi /etc/freeradius/users
 
admin Cleartext-Password := "P@ssw0rd"
Service-Type = NAS-Prompt-User,
Cisco-AVPair = "shell:priv-lvl=15"
 
- Restart freeradius:

# service freeradius restart
 
Router configuration
- Defining new aaa login configuration:

rcentral#config term
rcentral(config)# aaa new-model
rcentral(config)#radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key shar3k3y
rcentral(config)# aaa authentication login default group radius local
 
With this configuration if the radius server fails, the device will use local users for the authentication.
- Configuring ssh and use radius to authenticate the users:

rcentral#config term
rcentral(config)# ip domain name mydomain
rcentral(config)# crypto key generate rsa modulus 1024
rcentral(config)# ip ssh version 2
rcentral(config)# line vty 0 15
rcentral(config)# transport input ssh
rcentral(config)# login authentication default
 
Configuring authorization and accounting
- Authorizing users to run an exec shell if the authentication is success:

rcentral(config)#aaa authorization exec default if-authenticated
 
- Configuring accounting for all system level events and exec shell sessions:

rcentral(config)#aaa accounting system default start-stop group radius
rcentral(config)#aaa accounting exec default start-stop group radius
 
- Check accounting start and stop events of a login user:

# cat /var/log/freeradius/radacct/192.168.0.254/detail-20130107
 
Mon Jan 7 14:25:07 2013
Acct-Session-Id = "0000000A"
User-Name = "admin"
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Port = 2
NAS-Port-Id = "tty2"
NAS-Port-Type = Virtual
Service-Type = NAS-Prompt-User
NAS-IP-Address = 192.168.0.254
Acct-Delay-Time = 0
Acct-Unique-Session-Id = "df599de6a2047d4b"
Timestamp = 1357565107
Request-Authenticator = Verified
 
Mon Jan 7 14:29:05 2013
Acct-Session-Id = "0000000A"
User-Name = "admin"
Acct-Authentic = RADIUS
Acct-Terminate-Cause = User-Request
Acct-Session-Time = 239
Acct-Status-Type = Stop
NAS-Port = 2
NAS-Port-Id = "tty2"
NAS-Port-Type = Virtual
Service-Type = NAS-Prompt-User
NAS-IP-Address = 192.168.0.254
Acct-Delay-Time = 0
Acct-Unique-Session-Id = "df599de6a2047d4b"
Timestamp = 1357565345
Request-Authenticator = Verified
Sources
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html#wp1088470
http://wiki.freeradius.org/vendor/Cisco
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007e364.html

Nhận xét

Đăng nhận xét

Bài đăng phổ biến từ blog này

CLEANING UP THE ZABBIX DATABASE

My Zabbix database size increased a lot in the last few months and since my disk was running out space, I decided to clean up the old events from the database. Looking at the database tables, the biggest one was  history_uint , which holds the items history data – over 400 millions of records and over 30 Gb of disk space before the clean up. Since deleting the old records from this table directly would be a very slow process, I decided to create a new table and insert the latest records from the  history_uint  table and then just replace the old table with a new one. Since this is not an offical procedure, use it at your own risk. Environment: Zabbix v2.2 MySql 5.1 – InnoDB with  innodb_file_per_table=ON Step 1 – Stop the Zabbix server Step 2 – Open your favourite MySQL client and create a new table CREATE TABLE  history_uint_new  LIKE  history_uint; Step 3 – Insert the latest records from the  history_uint  table to the...
Đọc thêm

Configuring DHCP Relay service on the FortiGate unit

Configuring DHCP Relay service on the FortiGate unit If the clients are configured to obtain a IP address using DHCP relay, configure the FortiGate server as below: To configure DHCP relay on the FortiGate unit   1. Go to System > Network > Interfaces and select Interface want to configure DHCP relay.   2. Enable DHCP Server in the interface and choose Advanced   3. For Mode, select Relay.   4. In Type select Regular.   5. Select OK.   6. If a router is installed between the FortiGate unit and the DHCP server, define a static route to the DHCP server. Note : Sometimes it is required to specify more than one DHCP relay IP, to allow for the coverage of additional LAN subnets. Although the Web Based Manager (GUI) does not provide an option to configure this, it is possible to set up to 8 IPs from the CLI.       config system interface             edit <REQUIRED_INTERFACE_HERE>   ...
Đọc thêm

[Resolved] Amazon EC2 Redhat 7 using 6GB for the root space

Hình ảnh
I create new server with 10GB of HDD, but when i check on the command line, the root space only show 6GB. I'm using t2.micto and Redhat 7.0, disk type: XFS. - xvda1: boot partition - xvda2: root partition Fix Step: We have instance A with the volume VA. 1) Stop the current instace A 2) Snapshot the current volume VA of the instance A 3) Start the instance A 4) Create new volume with 25GB by using the snapshot of volume VA then we have new volume VB 5) Attach the new volume VB to the instance A as default (/dev/sdf) 6) From the ssh console, i use the lsblk command to list the disk. # lsblk 7) Using the xfs_repair to repair the /dev/xvdf2 ( yum install xfsprogs) # xfs_repair /dev/xvdf2 8) Continue as the image below 9) Remove the /dev/xvdf2, remember the start of this disk then we will create the new one with the same. 10) Using XFS command to repair the /dev/xvdf2 again. # xfs_repair /dev/xvdf2 11) Use the lsblk co...
Đọc thêm