FREERADIUS, CENTOS & CISCO

In this lab we are going to simulate running a radius server and authenticating users before they are allowed to configure a cisco device, in this case a switch.

 

Requirements for this lab; I would recommend the following:

  • Windows 7/8 with Oracle VirtualBox or VMware Player installed

  • CentOS 6 ISO

  • FreeRADIUS

  • gedit

  • Cisco switch (you may also use a Cisco router)

 

Assuming you have installed CentOS on a virtual machine: I normally set up my lab with 2 NICs, the 1st one as NAT to access the internet and the 2nd one as bridged, which we'll connect to one of the ports of our switch.

 

Open a terminal session on your CENTOS: click Applications > System Tools > Terminal

 

 

INSTALL FREERADIUS

 

Make sure you are running as root, then install FreeRADIUS by typing:

 

yum install freeradius freeradius-utils -y

 

Also install gedit:

 

yum install gedit

 

CREATE AND TEST A TEST/DUMMY USER

 

We have to test our RADIUS server by adding a test user. Open the users file using gedit:

 

gedit /etc/raddb/users

 

At the top of the file insert:

 

<username> Cleartext-Password := "<password>"

e.g.

 

hello Cleartext-Password := "world"

 

Save and exit gedit. Whenever you add something to any of the RADIUS files, make sure you restart your RADIUS server by typing:

 

service radiusd restart

 

If all goes well you should be able to test your test user:

 

radtest <username> <password> localhost 0 testing123

 

e.g.

 

radtest hello world localhost 0 testing123

 

ADDING A CLIENT DEVICE

 

Let's configure our client. The client in this case is a Cisco device (the switch) that is going to use our RADIUS server to authenticate users before they can configure the device.

 

gedit /etc/raddb/clients.conf

 

and enter the following:

 

client <client's ip address> {
        secret = <password>
        nastype = cisco
        shortname = <hostname>
}

 

e.g.

 

client 10.1.1.1 {
        secret = secretkey
        nastype = cisco
        shortname = SW1
}

 

 

ADD A USER TO BE AUTHENTICATED

 

Save and close. Now let's add a user to be authenticated for our Cisco switch. Again, let's go back to our users file:

 

gedit /etc/raddb/users

 

and add our user:

 

<username> Cleartext-Password := "<password>"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

 

e.g.

 

jamie Cleartext-Password := "oliver"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

 

Note: make sure you follow the exact syntax (ASCII quotes, the reply lines indented, a comma after every reply item except the last). Linux is unforgiving in a way: if there is an error, it often just won't work and won't show you where the error is coming from.

 

Save, close gedit and run service radiusd restart for the changes to take effect.
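A quick way to catch the syntax slips mentioned above before restarting radiusd. This is an added example, not part of the original post and not FreeRADIUS's own parser: it lints entries in the format used in this lab (curly quotes pasted from a web page, a missing operator, reply lines not chained with commas). The path /etc/raddb/users is the one used above; the sample entries in any test are constructed.

```python
"""Lint for /etc/raddb/users entries in the format used in this lab (added example, not
FreeRADIUS code): flags curly quotes, missing operators and reply lines not chained
with commas, the slips that make radiusd reject the file with little explanation."""
import re

OPS = ("==", ":=", "+=", "!=", ">=", "<=", "=~", "!~", "=*", "!*", "=", ">", "<")
PAIR = re.compile(r"^\s*([\w-]+)\s*(" + "|".join(map(re.escape, OPS)) + r")\s*(.+?)\s*$")
CURLY = "\u201c\u201d\u2018\u2019"   # curly quotes pasted from a web page or word processor

def lint_users(text):
    """Return [(line_no, message)] for users-file text. Assumes values contain no
    commas (FreeRADIUS allows them inside quotes; this check does not)."""
    problems, seen_entry, open_comma, prev_reply = [], False, None, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        if any(c in line for c in CURLY):
            problems.append((no, 'curly quote; radiusd needs ASCII "'))
        if not raw[0].isspace():                       # column 0: user name + check items
            if open_comma:
                problems.append((open_comma, "last reply item must not end with ','"))
            parts = line.split(None, 1)                # name, then comma-separated check items
            items = parts[1].split(",") if len(parts) > 1 else []
            seen_entry, open_comma, prev_reply = True, None, None
        else:                                          # indented: reply items, comma-chained
            if not seen_entry:
                problems.append((no, "reply item before any entry line"))
            elif prev_reply and not open_comma:
                problems.append((prev_reply, "missing ',' before another reply item"))
            items = line.strip().rstrip(",").split(",")
            open_comma = no if line.endswith(",") else None
            prev_reply = no
        for item in items:
            if not PAIR.match(item):
                problems.append((no, f"expected 'Attribute op value', got {item.strip()!r}"))
    return problems

def lint_users_file(path="/etc/raddb/users"):
    """Lint the real file; run as a script to print problems before 'service radiusd restart'."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return lint_users(fh.read())

if __name__ == "__main__":
    for line_no, msg in lint_users_file():
        print(f"users:{line_no}: {msg}")
```

The authoritative check is still radiusd -X (debug mode), which prints FreeRADIUS's own parse error with its line number.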

 

BTW, before we start configuring our client switch, let's turn off the CentOS firewall by typing service iptables stop. I know we are not supposed to do this in production, but again, the purpose of this lab is just to authenticate users using RADIUS.

 

CONFIGURE YOUR CLIENT (CISCO SWITCH)

 

Console in to the switch, change the hostname to SW1, assign the IP address 10.1.1.1/24 to vlan1 and plug the PC's bridged NIC into one of the switch's ports. Make sure your CentOS machine has a static IP and can ping your switch.

 

SW1(config)#username admin privilege 15 secret letmein

SW1(config)#enable secret cisco

 

This creates a local user and password with privilege level 15, so that if our RADIUS server is down, or the user is not defined on the server, we can still access the device.

 

Now let's start configuring SW1 for AAA:

 

SW1(config)# aaa new-model
SW1(config)# radius-server host 10.1.1.2 auth-port 1812 acct-port 1813 key secretkey

 

* remember, secretkey is the password we assigned for this client in clients.conf

 

SW1(config)# aaa authentication login default group radius local
SW1(config)# line vty 0 4
SW1(config-line)# login authentication default
SW1(config-line)# line con 0
SW1(config-line)# login authentication default
SW1(config-line)# exit

 

SW1(config)# aaa authorization exec default group radius if-authenticated
SW1(config)# aaa accounting exec default start-stop group radius
SW1(config)# aaa accounting system default start-stop group radius
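To see what the shared secret secretkey and the users-file reply items actually do on the wire between SW1 (10.1.1.1) and the server, here is an added example that is not from the post, radtest or FreeRADIUS: it builds the Access-Request that radtest or the switch sends, hides the password the way RFC 2865 does, and builds and verifies the Access-Accept that carries Service-Type and Cisco-AVPair. The user jamie/oliver and the addresses are the lab's; the packet contents are constructed.

```python
"""RFC 2865 Access-Request / Access-Accept helpers mirroring what radtest and SW1 exchange with
the lab's FreeRADIUS server (added example, not code from the post, radtest or FreeRADIUS)."""
import hashlib
import os
import struct

CISCO_VENDOR_ID = 9   # IANA enterprise number carried in Cisco-AVPair vendor-specific attributes

def avp(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value   # type, length, value

def password_xor(data, secret, authenticator, decrypt=False):
    """RFC 2865 s5.2 User-Password hiding: XOR each 16-byte block with MD5(secret + previous
    cipher block), chained from the Request Authenticator. Obfuscation, not encryption,
    which is why the shared secret has to be strong and kept private."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out.rstrip(b"\x00") if decrypt else out

def build_access_request(ident, user, password, secret, nas_ip="10.1.1.1"):
    """Access-Request (code 1) as SW1 or radtest sends it; returns packet + Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = (avp(1, user.encode())                                        # User-Name
             + avp(2, password_xor(password.encode(), secret, req_auth))  # User-Password
             + avp(4, bytes(int(o) for o in nas_ip.split("."))))         # NAS-IP-Address
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def build_access_accept(ident, req_auth, secret, priv_lvl=15):
    """Access-Accept (code 2) carrying the reply items from the users-file entry."""
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + avp(1, f"shell:priv-lvl={priv_lvl}".encode())
    attrs = avp(6, struct.pack("!I", 7)) + avp(26, vsa)  # Service-Type=NAS-Prompt-User(7), Vendor-Specific
    head = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()  # Response Authenticator, s3
    return head + resp_auth + attrs

def verify_response(pkt, req_auth, secret):
    """What the NAS must check before trusting priv-lvl=15: MD5 over the reply plus the secret."""
    return hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest() == pkt[4:20]

def cisco_avpairs(pkt):
    """Cisco-AVPair strings (vendor 9, vendor-type 1) found in a reply's attributes."""
    attrs, found, i = pkt[20:], [], 0
    while i + 2 <= len(attrs) and attrs[i + 1] >= 2:
        t, length = attrs[i], attrs[i + 1]
        if t == 26 and attrs[i + 2:i + 6] == struct.pack("!I", CISCO_VENDOR_ID) and attrs[i + 6] == 1:
            found.append(attrs[i + 8:i + length].decode())
        i += length
    return found
```

The verify_response check is the only thing standing between a forged Access-Accept and a privilege-15 shell, which is why the key on the switch and the secret in clients.conf must match and must not be guessable.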

 

That wasn't so bad, right? :) Now all we have to do is get onto a PC that belongs to our 10.1.1.0/24 network and telnet into our switch using our user jamie with password oliver. Or... you can just go to your switch and telnet to yourself. Yes, you can do it this way just for testing purposes.

2 thoughts on “FREERADIUS, CENTOS & CISCO”

  1. Thanks for the marvelous posting! I genuinely enjoyed reading it,
    you will be a great author. I will make sure to bookmark your
    blog and will come back someday. I want to encourage you to
    continue your great posts, have a nice afternoon!
