Cisco AP – telnet with Radius

This post shows how to configure a Cisco AP to authenticate telnet clients against an external Radius server. It also describes how to configure the Radius server (freeradius) for that purpose.

Quick Notes

  1. RADIUS – Remote Authentication Dial In User Service
  2. Radius – network protocol for AAA; centralized authentication, authorization, accounting
  3. Topology used in this post: Laptop --[telnet]--> AP (NAS) --> Radius Server (freeradius)

Radius server configuration

Note – for detailed information refer to http://wiki.freeradius.org/guide/Basic-configuration-HOWTO

  1. first you need to install the freeradius package on your machine (I used Debian Linux and ran apt-get install freeradius).
  2. edit /etc/freeradius/clients.conf and add the following entry:
    client 192.168.0.41 {
       secret =  testing123
       nastype = cisco
       shortname = CiscoAP01
    }
    

    The entry defines the Radius client (your AP, 192.168.0.41) and the shared Radius key, testing123 (the same key will be configured on your AP). With this entry in place your AP is allowed to send requests to the Radius server.

  3. edit /etc/freeradius/users and add the following entry:
    testing Cleartext-Password := "password"
    

    The entry defines the username and password (testing/password) that the telnet user will log in with.

  4. start the radius server in debug mode (-X option):
    root@debian1:/etc/freeradius/modules# freeradius -X
    
  5. before you continue, test your radius server locally with the radtest utility. Open a console and run the following command.
    root@debian1:/etc/freeradius# radtest testing password 127.0.0.1 10 testing123
    Sending Access-Request of id 7 to 127.0.0.1 port 1812
    	User-Name = "testing"
    	User-Password = "password"
    	NAS-IP-Address = 127.0.1.1
    	NAS-Port = 10
    	Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=7, length=20
    root@debian1:/etc/freeradius# 
    

    Note – the default radius server configuration allows connections from localhost with the testing123 shared key (refer to the /etc/freeradius/clients.conf file).

Configure your Cisco AP

For my test I used IOS Version 12.3(8).

ap(config)#
ap(config)# aaa new-model // enable AAA feature
ap(config)# aaa authentication login aaa_list1 group radius local // define auth. list
ap(config)# radius-server host 192.168.0.103 auth-port 1812 acct-port 1813 key testing123 // define radius server
ap(config)# line vty 0 15
ap(config-line)# transport input telnet // enable telnet
ap(config-line)# login authentication aaa_list1 // use aaa_list1 as auth. option
ap(config-line)#

Some explanation:

  1. The command aaa authentication login aaa_list1 group radius local means:
    • the command defines an authentication list (the authentication methods in order of preference): try radius first; if no radius server is reachable, fall back to the local (AP) username database
    • authentication login – define an authentication list for login (for example for telnet login)
    • aaa_list1 – list name
    • group is a keyword. After it you can put the keyword radius, which means “use all defined radius servers”, or the name of a specific radius server group

Test and debug

Try to telnet to your Cisco device. You can enable radius debugging on the Cisco device with the command:

ap#
ap# debug radius

Authorization

The following example shows how to put the user into privileged mode automatically after login.

  1. Add the following commands to your AP:
    ap(config)#
    ap(config)# aaa authorization exec aaa_list1 group radius local
    ap(config)# line vty 0 15
    ap(config-line)# authorization exec aaa_list1
    ap(config-line)#
    
  2. modify the /etc/freeradius/users file:
    testing Cleartext-Password := "password"
            Cisco-AVPair = "shell:priv-lvl=15"
    
  3. restart the radius server; after that the user testing should be placed into privileged mode automatically after login
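To make the exchange concrete, here is an added example (not code from the post, from Cisco or from freeradius) modelling what goes over the wire between the AP and the Radius server: the Access-Request that radtest printed above, the User-Password hiding that keeps "password" off the wire, and the Access-Accept from the authorization step carrying Cisco-AVPair "shell:priv-lvl=15", together with the NAS-side Response Authenticator check that depends on the shared key. Attribute numbers and Cisco's vendor id come from RFC 2865 and IANA; the secret, username and password are constructed to mirror the post.

```python
import hashlib
import os
import struct

SECRET = b"testing123"   # constructed to mirror the post's shared key
USER_NAME, USER_PASSWORD, NAS_PORT, VENDOR_SPECIFIC = 1, 2, 5, 26   # RFC 2865 attribute types
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # IANA enterprise number 9; Cisco-AVPair is VSA sub-type 1

def attr(kind, value):
    """One RADIUS attribute TLV: type, total length, value."""
    return struct.pack("BB", kind, len(value) + 2) + value

def hide_password(password, req_auth, secret=SECRET):
    """RFC 2865 s5.2: XOR 16-byte blocks with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def access_request(ident, user, password, nas_port):
    """Access-Request (code 1) as the AP sends it; returns (packet, request authenticator)."""
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, req_auth))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def access_accept(ident, req_auth, priv_lvl, secret=SECRET):
    """Access-Accept (code 2) carrying Cisco-AVPair; Response Authenticator = MD5(header + req_auth + attrs + secret)."""
    avpair = struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, b"shell:priv-lvl=%d" % priv_lvl)
    attrs = attr(VENDOR_SPECIFIC, avpair)
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_reply(reply, req_auth, secret=SECRET):
    """NAS-side check: a reply built or altered without the shared secret fails here and is dropped."""
    return reply[4:20] == hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()

def priv_level(reply):
    """Walk the reply attributes; return the level from Cisco-AVPair shell:priv-lvl=N, or None."""
    pos = 20
    while pos + 2 <= len(reply) and reply[pos + 1] >= 2:   # stop on a truncated or malformed attribute
        kind, length = reply[pos], reply[pos + 1]
        value = reply[pos + 2:pos + length]
        if kind == VENDOR_SPECIFIC and value[:5] == struct.pack("!IB", CISCO_VENDOR_ID, CISCO_AVPAIR) \
                and value[6:].startswith(b"shell:priv-lvl="):
            return int(value[21:])   # after vendor id (4), sub-type (1), sub-length (1) and the 15-byte prefix
        pos += length
    return None
```

The same Response Authenticator check is what lets the AP ignore an Access-Accept that was not produced with the key from clients.conf, which is why the key should be treated as a credential rather than left at a well-known value.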
