FreeRadius and Cisco 2600 Terminal Server [IOS 12.1(3)T]

frankcui90
Level 1
Hi Cisco People
 
I'm using FreeRadius 2 and Cisco 2600 Terminal server to coordinate access to cisco routers based on time ranges.
 
Basically we are an education/training environment where we have some students accessing the routers and switches for practice. Terminal servers are used to consolidate the console access, and these terminal servers authenticate the users through a Radius server (as shown in the following figure). Additionally, the students are categorized into a few groups. We want to implement a policy on the radius server so that only a certain group can access the resources in a given duration of time (the user should be dropped from the terminal when the subscribed time is reached and cannot access thereafter).
 
 
+-----------+          +-----------------+          +-----------------+
|   User    |----------|   Cisco 2600    |----------| Network Devices |
|           |          | Terminal Server |          |                 |
+-----------+          +-----------------+          +-----------------+
                              (NAS)
                                |
                                |
                        +-------------+
                        | FreeRadius  |
                        +-------------+
 
 
Right now I'm able to do the "hello-world" setup with the following users and clients.conf. On the terminal server side, aaa new-model is enabled on the cisco terminal server to communicate with this radius server.
 
users
=============
cisco Auth-Type := System
  Service-Type = NAS-Prompt-User,
  cisco-avpair = "shell:priv-lvl=15"
 
clients.conf
==============
client 192.168.1.1 {
  secret = SECRET_KEY
  shortname = termserver
  nastype = cisco
}
 
A typical transaction would be:
 
Access-Request
=======
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 35
        NAS-Port-Type = Async
        User-Name = "cisco"
        Calling-Station-Id = "1.1.1.1"
        User-Password = "cisco"
 
Access-Accept
=======
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:priv-lvl=15"
 
This works fine but doesn't provide any timing limitations. So I have modified the FreeRadius config to be:
 
users
=============
cisco Auth-Type := System
  Service-Type = NAS-Prompt-User,
  cisco-avpair = "shell:priv-lvl=15",
  Session-Timeout = 20
 
Cisco Terminal Server
==============
aaa new-model
aaa authentication login default group radius local none
aaa authorization exec default group radius if-authenticated 
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
 
After this, I am able to see that the terminal server actually receives an Access-Accept including the Session-Timeout attribute, like the following:
 
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:priv-lvl=15"
        Session-Timeout = 20
 
But the problem is that it doesn't really terminate the session after the 20 seconds are reached. My question is:
 
1. Is the terminal server really able to enforce such a time limit after receiving the attribute?
2. Is the 2600 terminal server with [IOS 12.1(3)T] compliant with RFC 2865?
3. What can I do so that the terminal server forces the user to be logged out after the session time limit is reached?
 
Thanks
Frank
 
 
3 Replies

edwardcollins7
Level 1

Frank,

I think you should use the Login-Time as well:

Login-Time

Login-Time is a very powerful internal check AVP. It allows flexible authorization and its value is used by the logintime (rlm_logintime) module to determine if a person is allowed to authenticate to the FreeRADIUS server or not. This value is also used to calculate the Session-Timeout reply value. Session-Timeout is subsequently used by the NAS to limit access time.

The following line will grant Alice access only between 08:00 and 18:00 each day.

"alice" Cleartext-Password := "passme", Login-Time := 'Al0800-1800'

The logintime module will calculate the reply value of Session-Timeout if Alice has logged in within the permitted timeslots to inform the NAS how long she is allowed to stay connected. If Alice tries to access the network when she is not permitted, the request will be rejected.

http://www.packtpub.com/article/getting-started-with-freeradius

http://wiki.freeradius.org/config/Users

Yes, the terminal server is RFC 2865 compliant.

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed
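The Login-Time mechanism Ed describes above, as an added example that is not part of this thread and not FreeRADIUS's own code: a simplified Python re-implementation of the rlm_logintime check, turning an entry such as 'Al0800-1800' into the Session-Timeout value (seconds until the window closes) and keeping the smaller value when the reply already carries a Session-Timeout, as Frank's users file does with 20. The day codes and the comma/'|' separators follow the documented Login-Time format; the midnight-crossing handling is this example's own simplification.

```python
# Added example: a simplified re-implementation of the Login-Time check that
# rlm_logintime performs; illustrative code, not FreeRADIUS source.
import re
from datetime import datetime

DAY_CODES = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4},
             "Sa": {5}, "Su": {6}, "Wk": set(range(5)), "Al": set(range(7))}
DAY_RE = r"Mo|Tu|We|Th|Fr|Sa|Su|Wk|Al"
ENTRY_RE = re.compile(r"^((?:%s)+)(?:(\d{4})-(\d{4}))?$" % DAY_RE)

def parse_login_time(spec):
    """Turn 'Wk0855-2305,Sa,Su2300-0800' into (days, start_min, end_min) windows."""
    windows = []
    for part in re.split(r"[,|]", spec):
        m = ENTRY_RE.match(part.strip())
        if not m:
            raise ValueError("bad Login-Time entry: %r" % part)
        days = set()
        for code in re.findall(DAY_RE, m.group(1)):
            days |= DAY_CODES[code]
        if m.group(2) is None:          # no HHMM-HHMM range: the whole day
            start, end = 0, 24 * 60
        else:
            start = int(m.group(2)[:2]) * 60 + int(m.group(2)[2:])
            end = int(m.group(3)[:2]) * 60 + int(m.group(3)[2:])
        windows.append((days, start, end))
    return windows

def seconds_allowed(spec, now, session_timeout=None):
    """Seconds the user may stay connected from `now` (datetime or ISO string);
    0 means the request is outside every window and would be rejected.
    If the reply already carries a Session-Timeout, the smaller value is kept."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    minute, wday = now.hour * 60 + now.minute, now.weekday()
    best = 0
    for days, start, end in parse_login_time(spec):
        if start <= end:                # window lies within one day
            if wday in days and start <= minute < end:
                best = max(best, (end - minute) * 60 - now.second)
        else:                           # window crosses midnight, e.g. Su2300-0800
            if wday in days and minute >= start:
                best = max(best, (24 * 60 - minute + end) * 60 - now.second)
            if (wday - 1) % 7 in days and minute < end:
                best = max(best, (end - minute) * 60 - now.second)
    if best and session_timeout is not None:
        best = min(best, session_timeout)
    return best

if __name__ == "__main__":
    # Constructed sample: Alice's entry from the reply, checked on a Monday at 17:30.
    print(seconds_allowed("Al0800-1800", "2024-01-15T17:30:00"))  # 1800
```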

Hi Edward,

Thanks a lot for taking time to share the knowledge, really appreciate it.

I also did some reading on the FreeRadius beginner guide book and the wiki page.

Now the real question I'm facing is that :

The session-timeout AVP seems to be only working with the vty session, not the tty session.

For example, if I am authenticating and logging in through the console line, it doesn't really kick me out after the session timeout expires.

On the flip side, if I am authenticating and logging in through a telnet session, it indeed says line time out and kicks me out at that time.

I'm not sure if this is the right behaviour. I need the tty line to perform in the same manner as the vty line.

Thanks again for your time, and hope you get an immortal life.

Frank

Frank,

I agree with you, I have seen this before once on the TTY line.

You might want to try a code upgrade if there is any available.

If not, check with TAC for a defect/enhancement.

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed
