ASR9k + Freeradius


There are very few articles on the Internet about IOS XR + FreeRADIUS, while there are many about IOS with FreeRADIUS; after studying those, I summarized the IOS XR setup as follows:

1: Install freeradius
You need to install FreeRADIUS first. That part is skipped here; look it up yourself or see my previous article <RHEL7 install freeradius>.

2: Config freeradius

[root@frank radius]# more /etc/raddb/clients.conf
# The ASR9k is a RADIUS client (NAS); the secret must match the "key" under
# radius-server host on the router, and only this address may use it.
client 10.x.x.x {
        secret = cisco123
        shortname = iox-5.2.2
        nas_type = cisco
}


Notes: in the users entry below, user "frank" is assigned a usergroup. Here priv5 is a custom group (defined on the ASR9k in step 3); you can also assign the built-in groups, e.g.:
Cisco-AVPair = "shell:tasks=#netadmin,#sysadmin,#cisco-support"

Alternatively, you can grant privilege level 15 directly:
Cisco-AVPair = "shell:priv-lvl=15"

Or specify a command directly:
Cisco-AVPair = "shell:cmd=show"

These do not combine: if you assign the cisco-support group first and then try to restrict commands with "cmd=show", the cmd restriction does not take effect, and vice versa.

[root@frank radius]# more /etc/raddb/users
# Check item: Cleartext-Password. Reply items follow, comma-separated, last one
# without a comma. "shell:tasks*=" (with "*") sends the AV pair as optional;
# "shell:tasks=" would send it as mandatory.
frank   Cleartext-Password := "frank"
                Service-Type = NAS-Prompt-User,
                Reply-Message = "Hello!",
                Login-Service = Telnet,
                Cisco-AVPair = "shell:tasks*=#priv5,"

3: Config on ASR9k
Notes: IOS XR does not seem to support command-level accounting over RADIUS (the command accounting method list only takes TACACS+ servers); I checked some documents, and IOS does support it:

RP/0/0/CPU0:asr9k(config)#aaa accounting commands default start-stop group ?
  WORD     server-group name
  tacacs+  Use list of all TACACS+ hosts
RP/0/0/CPU0:asr9k#sh run
Mon Dec 15 08:10:00.144 UTC
Building configuration...
!! IOS XR Configuration 5.2.2
!! Last configuration change at Mon Dec 15 07:53:46 2014 by cisco
hostname asr9k
telnet vrf default ipv4 server max-servers 10
taskgroup priv5
 task read system
 task read logging
 task read host-services
 task read basic-services
 task read config-services
 description read_only_all
usergroup priv5
 taskgroup priv5
 description read_only_all
radius source-interface GigabitEthernet0/0/0/0 vrf default
radius-server host 10.x.x.x auth-port 1812 acct-port 1813
 key 7 121A0C0411045D5679
aaa accounting exec ACCT start-stop group frank
aaa group server radius frank
 server 10.x.x.x auth-port 1812 acct-port 1813
 source-interface GigabitEthernet0/0/0/0
aaa authentication login AUTH local group frank
line template vty
 accounting exec ACCT
 login authentication AUTH
 exec-timeout 10 0
vty-pool default 0 10 line-template vty

4: Verify that authentication works

Trying ... Open

User Access Verification
Username: frank

RP/0/0/CPU0:asr9k#show user all   
Mon Dec 15 08:15:22.891 UTC
Username: frank
Groups: priv5
Authenticated using method radius
User frank has the following Task ID(s):

Task:       basic-services  : READ                             
Task:      config-services  : READ                             
Task:        host-services  : READ                             
Task:              logging  : READ                             
Task:               system  : READ                             
% This command is not authorized
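The RADIUS exchange behind steps 2 to 4, as an added stand-alone example (not code from the original article and not FreeRADIUS or IOS XR code): the NAS builds an Access-Request with the PAP-hidden User-Password from RFC 2865, the server answers with an Access-Accept carrying the Cisco-AVPair VSA (vendor 9, sub-type 1) from the users entry above, and the NAS verifies the Response Authenticator with the shared secret before it trusts the shell:tasks list. The secret cisco123, user frank and the "shell:tasks*=#priv5," value come from the configuration above; function names such as demo and tasks_from_avpairs and the Request Authenticator values are my own assumptions. Standard library only.

```python
import hashlib
import hmac
import os
import struct

# Values taken from the article's clients.conf / users entry; everything else is constructed.
SECRET = b"cisco123"
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # Cisco VSA sub-type for Cisco-AVPair
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
NAS_PROMPT_USER = 7


def attr(atype, value):
    """One RADIUS attribute in type/length/value form (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific (26) carrying a Cisco (vendor 9) AVPair (sub-type 1)."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def pap_hide(password, secret, authenticator):
    """User-Password hiding (RFC 2865 section 5.2): pad to a multiple of 16, then XOR
    each block with MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(plain[i:i + 16], mask))
        out += prev
    return out


def pap_unhide(hidden, secret, authenticator):
    """Inverse of pap_hide; what the server does before comparing with Cleartext-Password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def access_request(username, password, ident, request_auth=None):
    """NAS side: Access-Request with a fresh random Request Authenticator."""
    ra = request_auth or os.urandom(16)
    body = (attr(USER_NAME, username.encode())
            + attr(USER_PASSWORD, pap_hide(password, SECRET, ra))
            + attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body


def access_accept(request, reply_attrs, secret=SECRET):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(reply_attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def parse_attrs(data):
    """Walk a TLV list; returns [(type, value), ...] and rejects bad lengths."""
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def verify_and_extract(reply, request, secret=SECRET):
    """NAS side: drop any reply whose Response Authenticator does not check out
    (wrong secret or spoofed server), then collect Cisco-AVPair strings."""
    header, resp_auth, body = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    avpairs = []
    for atype, value in parse_attrs(body):
        if atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            avpairs += [sv.decode() for st, sv in parse_attrs(value[4:]) if st == CISCO_AVPAIR]
    return reply[0], avpairs


def tasks_from_avpairs(avpairs):
    """Taskgroups named by shell:tasks= (mandatory) or shell:tasks*= (optional);
    the leading '#' and an empty trailing element (as in "#priv5,") are dropped."""
    groups = []
    for av in avpairs:
        key, _, val = av.partition("=")
        if key.rstrip("*") == "shell:tasks":
            groups += [g.strip().lstrip("#") for g in val.split(",") if g.strip()]
    return groups


def demo():
    """Round trip for user frank against the users entry shown in the article."""
    req = access_request("frank", "frank", ident=7)
    req_attrs = dict(parse_attrs(req[20:]))
    if pap_unhide(req_attrs[USER_PASSWORD], SECRET, req[4:20]) != "frank":
        raise RuntimeError("server would send Access-Reject")
    reply = access_accept(req, [attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)),
                                cisco_avpair("shell:tasks*=#priv5,")])
    return verify_and_extract(reply, req)


if __name__ == "__main__":
    code, avpairs = demo()
    print(code, avpairs, tasks_from_avpairs(avpairs))
```

Two things worth noticing in the code: the only thing protecting the Access-Accept (and therefore the taskgroup the router grants) is an MD5 over the shared secret, so the secret in clients.conf and the type-7 "key 7" string in the running config are the whole trust anchor; and the NAS must check the Response Authenticator before honouring any AV pair, which is why verify_and_extract refuses a reply built with the wrong secret.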

5: Check accounting records on the FreeRADIUS server

[root@frank 10.x.x.x]# pwd
[root@frank 10.x.x.x]# more detail-20141215 
Mon Dec 15 02:36:15 2014
        User-Name = 'frank'
        NAS-IP-Address = 10.x.x.x
        NAS-Port = 130
        NAS-Port-Type = Virtual
        Service-Type = NAS-Prompt-User
        Acct-Status-Type = Start
        Acct-Session-Id = '00000002'
        Acct-Delay-Time = 0
        Event-Timestamp = 'Dec 15 2014 03:14:56 EST'
        Calling-Station-Id = ''
        Acct-Unique-Session-Id = 'aa9b5dd23397582f2033d2c087ebb7fa'
        Timestamp = 1418628975
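The detail file above is what "aaa accounting exec ACCT start-stop" produces on the server side, and it is the record you would audit after the fact. As an added example (my own code, not part of the original article or of FreeRADIUS), the script below parses that format, pairs Start and Stop records per NAS and Acct-Session-Id, and flags sessions left open past a threshold, Stops with no Start, and Stops whose Acct-Session-Time disagrees with the server's own Timestamp values. The embedded sample is constructed: it is the Start record shown above with the redacted NAS address replaced by the documentation address 192.0.2.10, plus an invented Stop for the same session and an invented Start for a second user "cisco". Note that the unindented header line is server-local time while Timestamp is epoch seconds in UTC (1418628975 is 07:36:15 UTC, the 02:36:15 EST in the header).

```python
from datetime import datetime, timezone

# Constructed sample modelled on the article's detail record; NAS address and the
# second and third records are invented for the example.
DETAIL_SAMPLE = """\
Mon Dec 15 02:36:15 2014
\tUser-Name = 'frank'
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 130
\tNAS-Port-Type = Virtual
\tService-Type = NAS-Prompt-User
\tAcct-Status-Type = Start
\tAcct-Session-Id = '00000002'
\tAcct-Delay-Time = 0
\tEvent-Timestamp = 'Dec 15 2014 03:14:56 EST'
\tCalling-Station-Id = ''
\tAcct-Unique-Session-Id = 'aa9b5dd23397582f2033d2c087ebb7fa'
\tTimestamp = 1418628975

Mon Dec 15 02:48:02 2014
\tUser-Name = 'frank'
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 130
\tAcct-Status-Type = Stop
\tAcct-Session-Id = '00000002'
\tAcct-Session-Time = 707
\tAcct-Terminate-Cause = Idle-Timeout
\tTimestamp = 1418629682

Mon Dec 15 03:01:10 2014
\tUser-Name = 'cisco'
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 131
\tAcct-Status-Type = Start
\tAcct-Session-Id = '00000003'
\tTimestamp = 1418630470
"""


def parse_detail(text):
    """Split a FreeRADIUS detail file into records: an unindented timestamp line opens a
    record, indented 'Name = value' lines belong to it, a blank line ends it."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = {"_logged": line.strip()}
            records.append(current)
            continue
        name, sep, value = line.strip().partition(" = ")
        if current is None or not sep:
            raise ValueError(f"malformed detail line: {line!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]          # string attributes are single-quoted
        current[name] = value
    return records


def logged_utc(record):
    """Timestamp is epoch seconds; render it as UTC regardless of the header's local zone."""
    return datetime.fromtimestamp(int(record["Timestamp"]), tz=timezone.utc).isoformat()


def pair_sessions(records):
    """Group Start/Stop records by (NAS-IP-Address, Acct-Session-Id)."""
    sessions = {}
    for r in records:
        key = (r.get("NAS-IP-Address"), r.get("Acct-Session-Id"))
        s = sessions.setdefault(key, {"user": r.get("User-Name"), "start": None, "stop": None})
        status = r.get("Acct-Status-Type")
        if status == "Start":
            s["start"] = r
        elif status == "Stop":
            s["stop"] = r
    return sessions


def audit(records, now_epoch, max_open_seconds=3600, slack_seconds=60):
    """Findings: sessions open past max_open_seconds with no Stop, Stops without a Start,
    and Stops whose Acct-Session-Time disagrees with the server-side Timestamps."""
    findings = []
    for (nas, sid), s in pair_sessions(records).items():
        start, stop = s["start"], s["stop"]
        if start and not stop:
            age = now_epoch - int(start["Timestamp"])
            if age > max_open_seconds:
                findings.append(f"{s['user']} session {sid} on {nas}: open for {age}s, no Stop")
        elif stop and not start:
            findings.append(f"{s['user']} session {sid} on {nas}: Stop without Start")
        elif start and stop:
            claimed = int(stop.get("Acct-Session-Time", 0))
            observed = int(stop["Timestamp"]) - int(start["Timestamp"])
            if abs(observed - claimed) > slack_seconds + int(stop.get("Acct-Delay-Time", 0)):
                findings.append(f"{s['user']} session {sid} on {nas}: "
                                f"Acct-Session-Time {claimed}s vs observed {observed}s")
    return findings


if __name__ == "__main__":
    recs = parse_detail(DETAIL_SAMPLE)
    print(logged_utc(recs[0]))
    for finding in audit(recs, now_epoch=1418630470 + 7200):
        print(finding)
```

Run against a real detail-YYYYMMDD file by reading it into parse_detail instead of DETAIL_SAMPLE; since exec accounting is all that IOS XR sends over RADIUS here, this is the granularity you get (session start and stop per VTY login), not per-command.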

6: Wireshark capture of the response from the server
