Friday, March 19, 2010

Misc 7

(This uses the topology found in Misc 3)
I will now explain how to set up FreeRadius to do the simple PAP authentication required for AAA Login Authentication on Cisco routers/switches. You can build on this knowledge to set up more advanced features like EAP/MD5.

FreeRadius is an open-source RADIUS server that can use a local LDAP directory or integrate with Active Directory. FreeRadius listens on standards-based ports: TCP 1812 for Authentication/Authorization and TCP 1813 for Accounting.

To not bore you with too much of the details, let's install FreeRadius:
apt-get install freeradius

The procedure is similar to Windows. We first have to add a RADIUS client. To do this, edit /etc/freeradius/clients.conf and add the following:
client C2600 {
    ipaddr =
    secret = cisco
}

Next, we add in the users. To do this, modify the /etc/users file and add in:
Kelvin Cleartext-Password := "kelvin"

Now do a restart or a reload of the freeradius server and it's time to set up the router.

First of all, enable the new AAA model:
aaa new-model

Now, create some local users:
user cisco pass cisco

Now, set up AAA Login Authentication to use the Default Radius Group, then fall back to Local database if Radius is not available:
aaa authentication login default group radius local

Add the server and the key:
radius-server host auth-port 1812 acct-port 1813 key 0 cisco

Finally, set up Telnet (the VTY lines) to use the default method list, which tries the Radius group first:
line vty 0 4
 login authentication default

Now login authentication for Cisco should be working fine!
