Configure Network Equipment to use Radius for authentication

Following my recent article on 'How to configure install and configure Freeradius', you will find below several examples of 'How to configure network equipment to use Radius for authentication'.

Cisco Catalyst

aaa new-model
ip radius source-interface vlan XXX
radius-server host <IP_address_radius_server> auth-port <port-number> acct-port <port-number>
radius-server key SharedKey
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated => directly upgrade privilege to 'enable'
!
line vty 0 15
 login authentication default


Switch HP Procurve

radius-server host <IP_address_radius_server> key " SharedKey " acct-port <port-number> auth-port <port-number>
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication login privilege-mode

Switch Nexus

ip radius source-interface mgmt 0
 radius-server host <IP_address_radius_server> auth-port <port-number> acct-port<port-number>
 radius-server key SharedKey
!
aaa group server radius FREE-RADIUS
 server <IP_address_radius_server>
 use-vrf management
 source-interface mgmt 0
!
aaa authentication login default group FREE-RADIUS

Cisco and Freeradius configuration

 Installation description

In our case, the Freeradius aims to authenticate a remote access on network equipment. I have decided to use an existing database (Active directory).

FreeRadius paquets installations:

apt-get install freeradius

apt-get install freeradius-utils

apt-get install freeradius-ldap

Configure the radiusd.conf file

Modify the file radiusd.conf (/etc/freeradius/radiusd.conf) in order to specify the listen ports:

-          Authentification (2050)

-          Accounting (2051)

 listen {

        type = auth

        ipaddr = *       

       port = 2050

}

listen {

        ipaddr = *

        port = 2051

        type = acct

}

       auth = yes

 Uncomment the following lines in order to have more details in logs messages:

        msg_goodpass = "Host %n"

        msg_badpass = "Host %n"

Configure the Users file

Modify the file users (/etc/freeradius/users) .

This file includes users which are authorized to take control on 'client' (network equipment for us).

- We can use a local database:

Username Cleartext-Password := "Password"

       Service-Type = NAS-Prompt-User,

       Cisco-AVPair = "shell:priv-lvl=15"

- Or an external database. In this example, only members of groups 'Group_Network_Admin' (Active Directory) are authorized to access:

DEFAULT         LDAP-Group == "Group_Network_Admin"

                Service-Type = Administrative-User,

                Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT    LDAP-Group != "Group_Network_Admin", Auth-Type := Reject

Enable authentication via LDAP:

Modify the file ldap (/etc/freeradius/sites-enabled/ default) by uncommenting the following lines :

ldap

        Auth-Type LDAP {

                ldap

        }

Create clients of the radius server

Modify the file users (/etc/freeradius/users). Clients are hosts which forward request of authentication to the radius server (ex: Cisco switch).

In the example below, I have added a complete subnet. All hosts in this subnet are authorized to send request.

We also defined the share key in this file:

client 10.110.22.0/24 {

        secret          = SharedKey

        nastype         = cisco

        shortname       = SWITCH-Branch-London

}

Configure request to Active Directory

Modify the file ldap (/etc/freeradius/modules/ldap). You will find below an example of configuration :

ldap {

        server = 'ldap://mydomain.com'

        identity = "Username@mydomain.com"

        password = "Password"

        basedn = "DC=mydomain,DC=com"

        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

  

       groupname_attribute = cn

       groupmembership_attribute = "memberOf"

Uncomment the following lines:

       chase_referrals = yes

        rebind = yes