By adding authorization exec, we can bypass enable authentication and directly land the user to privilege 15 mode.
Prerequisites
Ensure that you have your Cisco switch defined as a client in free radius with the ip address and same shared secret key defined on the free radius and switch
Components Used
- Free Radius
- Cisco IOS 12.2 switch.
Switch Configuration - Authentication and Authorization
1. Create a local user on the switch with full privileges for fallback with the username command as shown here
Switch(config)#username admin privilege 15 password 0 cisco123!
2. Enabling AAA- By default aaa is disabled on the IOS.
switch(config)# aaa new-model
3. Provide the IP address of the Radius server (Free Radius) and key
switch# configure terminalswitch(config)#radius-server host 172.16.71.146 auth-port 1645 acct-port 1646
switch(config)#radius-server key hello123
Note
The key must match the Shared Secret configured on the free radius for this switch
4.Test the RADIUS server availability with the test aaa command as shown.
switch# test aaa server Radius 172.16.71.146 user1 Ur2Gd2BH
Test authentication will fail with a Reject from the server since it is not configured, However, it will confirms that server is reachable.
5.Configure login authentications as shown here:
command configures the switch to use RADIUS for authentication at the login prompt. If RADIUS returns an error, the user is authenticated using the local database.
switch(config)#aaa authentication login default group radius local
Note: The Local keyword is used for fallback if the Radius server is unreachable
6. Configure authorization for privilege level 15:
command queries the RADIUS database for information that is used during EXEC authorization, such as autocommands and privilege levels, but only provides authorization if the user has successfully authenticated.
switch(config)#aaa authorization exec default group radius if-authenticated
Configuration on FreeRadius Server
Defining Client on the Free Radius server:
Move to the config directory
cd /etc/freeradius
Edit the clients.conf file
sudo nano clients.conf
Add each device (router or switch), which is identified by its hostname and requires secret key
client 192.168.1.1 {secret = secretkeynastype = ciscoshortname = switch}Add each user inside the users file,that is allowed to access the device
sudo nano users
Creating user on FreeRadius: we are adding user cisco with a privilege level of 15
cisco Cleartext-Password := "password", Service-Type = NAS-Prompt-User,
Cisco-AVPair = "shell:priv-lvl=15"
Restart the FreeRADIUS service
sudo /etc/init.d/freeradius restart
Push the below role, The user in the IOS will get the level 15 Privilege.This would be applicable for all the users who are member of group cisco-rw
DEFAULT Group == cisco-rw, Auth-Type = System, Service-Type = NAS-Prompt-User,
cisco-avpair :="shell:priv-lvl=15"
After pushing the shell lvl 15, The user will get the privi level 15 access.
User Based Privilege:If you want that user in the FreeRadius server should login and get level 3 privilege:
Create new User with Privilege level 3
Edit /etc/freeradius/users file:
sudo nano/etc/freeradius/users
Add another user "Life" with a privilege level of 3
Life Cleartext-Password := "testing" Service-Type = NAS-Prompt-User,
Cisco-AVPair = "shell:priv-lvl=3"
Restart the Radius service, Now when you login to the device, User will get the level 3 privilege.
Restart the FreeRADIUS service
sudo /etc/init.d/freeradius restart
Note: The configuration of Free Radius is done on Ubuntu(Linux) Server. The commands may differ in any other Linux OS.
Verification
To verify the configuration on switch use the following commands:
1. switch# show run | in radius (Shows the radius configuration)
2. switch# show run | in aaa (Show AAA configuration)
3. switch# show startup-config Radius (Show AAA configuration in start-up configuration)
Please post comments if there are any queries and rate if useful
