Configuring FreeRADIUS to support Cisco AAA Clients

by Jeremy L. Gaddis on November 19, 2008 · 34 comments

in Networking

In this demonstration, we’re going to install FreeRADIUS onto a CentOS 5.2 server and configure it to support AAA on Cisco devices.

“FreeRADIUS is the most widely deployed RADIUS server in the world. It is the basis for multiple commercial offerings. It supplies the AAA needs of many Fortune-500 companies and Tier 1 ISPs. It is also widely used in the academic community, including eduroam. The server is fast, feature-rich, modular, and scalable.” –FreeRADIUS home page

I’ve been using FreeRADIUS in production for a few years now, mostly to support wireless users. One of the benefits of FreeRADIUS — besides being open source, of course — is the number of backends one can use for authentication:

“If a password is not available locally for some reason, the server can pass the authentication to another system such as LDAP, PAM, Unix (/etc/passwd), Kerberos, Active Directory, or RADIUS server via RADIUS proxying. Local programs (e.g. CGI scripts) can also be used to authenticate users via shell scripts or any other method. Perl or Python scripts can be pre-loaded into the server, which significantly lowers the cost of running such programs.”

Powerful, huh? Indeed.

For this demonstration, I’m installing a new CentOS 5.2 virtual machine on my MacBook under VMware Fusion. Installing the operating system, however, is beyond the scope of this document. Also, we’ll just be using the local system database for now — we’ll save SQL and LDAP (perhaps even Active Directory) authentication for later. After we get FreeRADIUS up and running, we’ll set up a user account and then configure a Cisco router to use RADIUS for authentication.

Let’s begin with installing FreeRADIUS by running (as root) the following command:

[root@bertram ~]# yum -y install freeradius
...
Complete!
[root@bertram ~]#

“yum” should have gone out, grabbed the appropriate packages and dependencies, and installed them.

Because FreeRADIUS will need to use the local system database for authentication (the unprivileged “radiusd” account cannot read the password hashes in /etc/shadow), we need to set ‘user = root’ and ‘group = root’ in radiusd.conf. This is easy enough: open up /etc/raddb/radiusd.conf and change the lines that read “user = radiusd” and “group = radiusd” to “user = root” and “group = root”, respectively. Note that this (running our daemon as root) is almost always something we want to avoid. Using another authentication backend, such as SQL or LDAP, would not require this change and would allow the FreeRADIUS service to keep running under the default “radiusd” unprivileged account.

Next, we need to let FreeRADIUS know about our NAS — in this case, our Cisco router. For the sake of this demonstration, our router (R1) will have IP address 192.168.1.201. We’ll also need a shared secret that the router and RADIUS server use. Let’s use the ever popular “SECRET_KEY”. Add the following to the end of /etc/raddb/clients.conf:

client 192.168.1.201 {
  secret = SECRET_KEY
  shortname = R1
  nastype = cisco
}

Then, on the FreeRADIUS side, we need to create a user account in the local user database that we’ll use for actually authenticating to R1. Nothing special here, just creating a new user account and setting the password. I’ve passed the plain-text password into “passwd” via stdin so that you can see it. Normally, we wouldn’t do that — just run “passwd cisco” and enter the password when prompted:

[root@bertram ~]# /usr/sbin/useradd cisco
[root@bertram ~]# echo secret | passwd --stdin cisco
Changing password for user cisco.
passwd: all authentication tokens updated successfully.
[root@bertram ~]#

We now have a local user named “cisco” with a password of “secret” that we’ll use when it comes time to authenticate to R1. Before we can do that, however, we must let FreeRADIUS know about the user. Append the following to /etc/raddb/users:

cisco Auth-Type := System
  Service-Type = NAS-Prompt-User,
  cisco-avpair = "shell:priv-lvl=15"

This notifies FreeRADIUS of a local user account named “cisco”. Using the “cisco-avpair” attribute in this manner allows us to automatically assign privilege level 15 to the user, removing the requirement for the user to issue “enable” (and the enable secret) in order to gain elevated access.

Let’s get started configuring R1. I’m going to assume that you’re starting from a default configuration. The first thing we want to do is create a “fallback” user account (on the router itself) that we can use to authenticate if, for some reason, connectivity to the RADIUS server is lost. Let’s create a user named “admin” with a password of “letmein”:

R1(config)#username admin privilege 15 secret letmein

Under normal circumstances, we’ll never use this local account — only when the RADIUS server is unavailable.

Next, I need to configure my interface on R1 and verify that we can ping the RADIUS server. Assuming you already have your router up and running, you can likely skip this step:

R1(config)# interface fastethernet 3/0
R1(config-if)# ip address 192.168.1.201 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)#
*Mar 1 00:10:14.635: %LINK-3-UPDOWN: Interface FastEthernet3/0, changed state to up
*Mar 1 00:10:15.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0, changed state to up
R1(config-if)# do ping 192.168.1.51
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.51, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/11/24 ms
R1(config-if)#

Excellent, all set! Let’s start configuring R1 for AAA:

R1(config)# aaa new-model
R1(config)# radius-server host 192.168.1.51 auth-port 1812 acct-port 1813 key SECRET_KEY

AAA should now be enabled on R1. Note that we provided the IP address of the RADIUS server as well as the shared secret we configured in FreeRADIUS earlier. In addition, we must specify the “auth-port” and “acct-port” used by FreeRADIUS, as these are different from Cisco’s defaults (1645 and 1646). Let’s configure authentication:

R1(config)# aaa authentication login default group radius local
R1(config)# line vty 0 4
R1(config-line)# login authentication default
R1(config-line)# line con 0
R1(config-line)# login authentication default

Here, we’ve told R1 to use RADIUS for authentication and to fall back to the local user database if the RADIUS server is not available. We don’t want to DoS ourselves!

The following command will allow the user to run an “exec” shell when logging into the router. The trailing “if-authenticated” keyword lets a user who has already authenticated into the exec shell even when the RADIUS server cannot be reached for authorization, so the local fallback account from the previous step stays usable:

R1(config)# aaa authorization exec default group radius if-authenticated

Last, but not least, we want accounting (the final “A” in “AAA”):

R1(config)# aaa accounting exec default start-stop group radius
R1(config)# aaa accounting system default start-stop group radius
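As an added example (not part of the original article), here is a small Python check, run against a constructed IOS running-config excerpt rather than a live router, for the pitfalls this section calls out: the FreeRADIUS ports 1812/1813 versus IOS’s default 1645/1646, a login method list without the “local” fallback, and a missing local privilege-15 account. The configuration text and the wording of the findings are my own.

```python
import re

# Constructed running-config excerpt modelled on the R1 commands above, with
# two of the pitfalls the article warns about: the radius-server line relies on
# Cisco's default ports, and the login method list has no local fallback.
SAMPLE_CONFIG = """\
aaa new-model
username admin privilege 15 secret letmein
radius-server host 192.168.1.51 key SECRET_KEY
aaa authentication login default group radius
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
"""

FREERADIUS_PORTS = ("1812", "1813")   # FreeRADIUS defaults; IOS assumes 1645/1646

def lint_aaa_config(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: AAA is not enabled at all")
    hosts = [l for l in lines if l.startswith("radius-server host ")]
    if not hosts:
        findings.append("no radius-server host configured")
    for h in hosts:
        ip = h.split()[2]
        auth = re.search(r"auth-port (\d+)", h)
        acct = re.search(r"acct-port (\d+)", h)
        ports = (auth.group(1) if auth else "1645", acct.group(1) if acct else "1646")
        if ports != FREERADIUS_PORTS:
            findings.append(f"{ip}: uses ports {ports[0]}/{ports[1]}, FreeRADIUS listens on 1812/1813")
        if not re.search(r"\bkey \S+", h):
            findings.append(f"{ip}: no shared secret (key) on the radius-server line")
    login = [l for l in lines if l.startswith("aaa authentication login default ")]
    if not login:
        findings.append("no 'aaa authentication login default' method list")
    elif login[0].split()[-1] != "local":
        findings.append("login method list does not end in 'local': lockout if RADIUS is unreachable")
    if not any(re.match(r"username \S+ privilege 15 (secret|password) ", l) for l in lines):
        findings.append("no local privilege-15 fallback account for when RADIUS is down")
    return findings
```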

That should be enough to allow us to log in with the local (Linux) system account “cisco” that we created earlier. Let’s give it a shot:

macbook:~ jlgaddis$ telnet 192.168.1.201
Trying 192.168.1.201...
Connected to 192.168.1.201.
Escape character is '^]'.

User Access Verification

Username: cisco
Password:

R1# show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  administratively down down
Ethernet0/1                unassigned      YES unset  administratively down down
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down
Serial1/0                  unassigned      YES unset  administratively down down
Serial1/1                  unassigned      YES unset  administratively down down
Serial1/2                  unassigned      YES unset  administratively down down
Serial1/3                  unassigned      YES unset  administratively down down
FastEthernet3/0            192.168.1.201   YES manual up                    up
R1# exit
Connection closed by foreign host.
macbook:~ jlgaddis$

Success! We’ve installed FreeRADIUS, added a local user account, set up the NAS client (R1) and configured it to authenticate against the RADIUS server. Let’s take a look at what was logged by FreeRADIUS:

[root@bertram ~]# cat /var/log/radius/radacct/192.168.1.201/detail-20081119
Wed Nov 19 00:24:47 2008
  Acct-Session-Id = "00000005"
  User-Name = "cisco"
  Acct-Authentic = RADIUS
  Acct-Status-Type = Start
  NAS-Port = 130
  NAS-Port-Id = "tty130"
  NAS-Port-Type = Virtual
  Calling-Station-Id = "192.168.1.49"
  Service-Type = NAS-Prompt-User
  NAS-IP-Address = 192.168.1.201
  Acct-Delay-Time = 0
  Client-IP-Address = 192.168.1.201
  Acct-Unique-Session-Id = "31b757fca2145e79"
  Timestamp = 1227072287

Wed Nov 19 00:25:14 2008
  Acct-Session-Id = "00000005"
  User-Name = "cisco"
  Acct-Authentic = RADIUS
  Acct-Terminate-Cause = User-Request
  Acct-Session-Time = 27
  Acct-Status-Type = Stop
  NAS-Port = 130
  NAS-Port-Id = "tty130"
  NAS-Port-Type = Virtual
  Calling-Station-Id = "192.168.1.49"
  Service-Type = NAS-Prompt-User
  NAS-IP-Address = 192.168.1.201
  Acct-Delay-Time = 0
  Client-IP-Address = 192.168.1.201
  Acct-Unique-Session-Id = "31b757fca2145e79"
  Timestamp = 1227072314
[root@bertram ~]#
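As an added example (not from the original article), the following Python parses a detail file in the format shown above, pairs each Start record with its Stop on Acct-Unique-Session-Id, and flags sessions that have a Start but no Stop, which is how you would spot a login that is still open or whose Stop record never arrived. The sample records are constructed; the attribute names are FreeRADIUS’s own.

```python
import re

# Constructed sample in the format of the detail-YYYYMMDD file shown above
# (FreeRADIUS attribute names, made-up values), trimmed to what is used below.
SAMPLE_DETAIL = """\
Wed Nov 19 00:24:47 2008
  User-Name = "cisco"
  Acct-Status-Type = Start
  Calling-Station-Id = "192.168.1.49"
  Acct-Unique-Session-Id = "31b757fca2145e79"
  Timestamp = 1227072287

Wed Nov 19 00:25:14 2008
  User-Name = "cisco"
  Acct-Session-Time = 27
  Acct-Status-Type = Stop
  Calling-Station-Id = "192.168.1.49"
  Acct-Unique-Session-Id = "31b757fca2145e79"
  Timestamp = 1227072314
"""

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_detail(text):
    """One dict per blank-line-separated record; the first line is the local log time."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        rec = {"_logged": lines[0].strip()}
        for m in filter(None, map(ATTR_RE.match, lines[1:])):
            rec[m.group(1)] = m.group(2).strip()
        records.append(rec)
    return records

def pair_sessions(records):
    """Join Start/Stop on Acct-Unique-Session-Id; a Start without a Stop is still open."""
    sessions = {}
    for rec in records:
        s = sessions.setdefault(rec["Acct-Unique-Session-Id"], {
            "user": rec.get("User-Name"), "from": rec.get("Calling-Station-Id"),
            "start": None, "stop": None, "seconds": None})
        if rec.get("Acct-Status-Type") == "Start":
            s["start"] = int(rec["Timestamp"])
        elif rec.get("Acct-Status-Type") == "Stop":
            s["stop"] = int(rec["Timestamp"])
            t = rec.get("Acct-Session-Time")  # NAS-reported duration, if present
            s["seconds"] = int(t) if t else (s["stop"] - s["start"] if s["start"] else None)
    for s in sessions.values():
        s["open"] = s["start"] is not None and s["stop"] is None
    return sessions
```

A Stop whose Start landed in the previous day's file is kept with start=None rather than dropped, so per-day files can still be summarised on their own.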

If there’s interest, I may expand on this later to include huntgroups, multiple RADIUS servers, using MySQL for accounting, or even throw some LDAP and/or Active Directory authentication into the mix. If you’re interested, please leave a comment below!

ica November 28, 2008 at 5:41 am

wow! Thanks a lot! it’s a nice tutorial!
please, continue it with using LDAP as external authentication and mysql for accounting. I’m kinda curious with this scenario.

Thanks a lot!

robert January 29, 2013 at 3:54 am

I have a 7200 series node as my BRAS with subscriber policies from FreeRADIUS and all is working fine, but I need to replace the 7200 with an ASR 1006 and can’t seem to get it to work with FreeRADIUS. Has anyone done it before? I am not good at FreeRADIUS, guys.

Jeremy November 28, 2008 at 4:05 pm

Hi Ica,

Glad it was helpful. I’ll try to post the directions for using LDAP for authentication and MySQL for accounting before I go back to work Monday. I have that exact configuration working in a production wireless network (through a captive portal) so it shouldn’t be too difficult to replicate in my lab. Thanks for stopping by!

Richard December 3, 2008 at 1:47 pm

thx for this input…the only other thing I need is to determine how to get AD to look at the freeRADIUS server for authentication.

Lew Glendenning December 3, 2008 at 8:01 pm

Nice work, better than one of the Cisco manuals I read.

Lew

habib February 11, 2009 at 6:01 am

i want complete document that explain how to authenticate wifi with freeradius with mysql

Jeroen February 15, 2009 at 4:47 pm

Thank you for this excellent howto. I would love to read more on this subject!

Isada March 11, 2009 at 6:35 pm

This is great information and helped me configure my FreeRADIUS and give access using LDAP authentication with AD. I was hoping you have documentation on doing authorization via LDAP for different groups. I’m unable to figure out how to give other users or group(s) privilege mode 0 or 1 to our Cisco devices. I’m lost at this point. I hope you can provide more information regarding this.

Bruno March 23, 2009 at 5:00 pm

Buddy, I still can’t log in to Cisco devices. I followed all the steps but after typing the password I received an “authentication failed” message. At first, the only difference is that I’m using SUSE 11.0 OS.
Can you help me?

Roland April 4, 2009 at 11:24 am

Great tutorial, thank you for sharing! I would really appreciate another one about FreeRADIUS with LDAP authentication on a Windows Server.
Roland

Dave May 2, 2009 at 11:23 am

I too would really appreciate it if you could upload your LDAP/MySQL guide to the site; if it’s anywhere near as good as this one it will be a great help.

Iliya May 27, 2009 at 8:09 am

Thank you so much for this tutorial, looking forward to see more articles from you. Thank you.

Saurabh July 21, 2009 at 7:19 am

Thanks for the excellent tutorial. However I am getting authentication failed messages. Tried debugging in the router. Apparently the router is timing out. FreeRadius is working correctly and sends Access-Accept response. I have no idea what’s wrong.

Also waiting for FreeRadius/MySQL guide.

jlgaddis July 21, 2009 at 10:53 pm

I’m glad everyone is finding the article helpful. I’ll try to get around to setting up FreeRADIUS with MySQL again soon so I can post the details.

yeled August 5, 2009 at 1:20 pm

Thanks, this was super easy to move my existing LDAP auth RADIUS across for Cisco.

Mohamed August 7, 2009 at 12:28 am

Awesome. Can’t wait to read about implementation of multiple RADIUS servers with MySQL. Thanks for sharing your knowledge.

Puckel October 19, 2009 at 8:39 am

Yeah thanks a lot for ur article.

Also waiting for FreeRadius/MySQL guide.

Rick November 29, 2009 at 11:21 pm

This is a great tutorial. I concur with the rest of the posters that the grand finale will be adding the instructions to use a Security Group in AD with LDAP.

thedoc April 20, 2010 at 10:42 pm

I could contrib a fr+mysql setup config. May need some adjustment to work with Cisco.

Alex April 28, 2010 at 3:58 pm

Thanks for the post. It was helpful for me: I have configured routers in GNS3 (Dynamips) with FreeRADIUS on Debian in VirtualBox successfully. Thanks!

jp November 19, 2010 at 3:04 am

Hey thanks for the article! Does this freeradius config work with the Cisco ASA?
Thank you again!

Ryan January 11, 2011 at 9:52 am

Hi, how do I append the new user to “/etc/raddb/users”? Also, what is the service I must restart, if any?
Thanks in advance.

Saurabh Dass Manandhar January 12, 2011 at 2:13 am

@Ryan
Ryan,
Basic instruction to add users is given in the file itself. Otherwise check ‘man 5 users’, after installing freeradius, of course. I don’t believe you need to restart any service, but if it does not work, try restarting radiusd.

Jose April 27, 2011 at 9:14 pm

Thanks a lot. It’s so useful to start trying with this solution.

from Argentina

Best Regards

Arturo G October 25, 2011 at 11:09 am

Fantastic, but… I have a problem. RADIUS is giving different customers the same IP!!! Any idea?

j4ckripp3r December 19, 2011 at 6:56 pm

How would you set a user to login with their LDAP credentials when they connect to the wifi?

Moh Elhassan December 23, 2011 at 3:00 am

Good, but there is something missing: what about the executed commands? They don’t appear in the RADIUS log file?

Ambrose Taylor April 14, 2012 at 7:23 pm

Nice! Thanks for this… works great.

Think4amit May 10, 2012 at 3:50 am

What about the log of commands executed during a particular session by a particular user?

Scott coultish January 9, 2013 at 3:05 am

+1 for details of executed commands, similar to how ACS does it. Is that available using FreeRADIUS?

Sophie July 2, 2013 at 2:44 am

Hey.
I’ve tried to do everything you’ve written and get:
Tue Jul 2 10:24:27 2013 : Info: Exiting normally.
Tue Jul 2 10:24:27 2013 : Error: rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
Tue Jul 2 10:24:27 2013 : Error: rlm_eap_tls: Error reading certificate file /etc/raddb/certs/server.pem
Tue Jul 2 10:24:27 2013 : Error: rlm_eap: Failed to initialize type tls
Tue Jul 2 10:24:27 2013 : Error: /etc/raddb/eap.conf[17]: Instantiation failed for module “eap”
Tue Jul 2 10:24:27 2013 : Error: /etc/raddb/sites-enabled/default[310]: Failed to load module “eap”.
Tue Jul 2 10:24:27 2013 : Error: /etc/raddb/sites-enabled/default[252]: Errors parsing authenticate section.
Tue Jul 2 10:24:27 2013 : Error: Failed to load virtual server
Tue Jul 2 10:24:29 2013 : Error: rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
Tue Jul 2 10:24:29 2013 : Error: rlm_eap_tls: Error reading certificate file /etc/raddb/certs/server.pem
Tue Jul 2 10:24:29 2013 : Error: rlm_eap: Failed to initialize type tls
Tue Jul 2 10:24:29 2013 : Error: /etc/raddb/eap.conf[17]: Instantiation failed for module “eap”
Tue Jul 2 10:24:29 2013 : Error: /etc/raddb/sites-enabled/default[310]: Failed to load module “eap”.
Tue Jul 2 10:24:29 2013 : Error: /etc/raddb/sites-enabled/default[252]: Errors parsing authenticate section.
Tue Jul 2 10:24:29 2013 : Error: Failed to load virtual server

please help me.

Aynus August 30, 2013 at 3:23 pm

Interesting blog, thanks a lot.

Please ,if u could, expand on that, add MySql and Active directory…:)

Tryc December 26, 2013 at 10:28 pm

Good blog with clear explanation,

Thanks for your sharing…..
