ASR9k + Freeradius
There are very few articles on the Internet about IOS XR + FreeRADIUS, while there are lots about IOS with FreeRADIUS. After studying those, I summarized the setup as follows:
1: Install freeradius
You need to install FreeRADIUS first; I skip that part here. You can look it up yourself or check my last article <RHEL7 install freeradius>.
2: Config freeradius
clients.conf
[root@frank radius]# more /etc/raddb/clients.conf
client 10.x.x.x {
        secret = cisco123
        shortname = iox-5.2.2
        nas_type = cisco
}
users
Notes: in the users file below we assign a group to user "frank". Here priv5 is a custom task group defined on the router; you can instead assign one of the default groups, e.g.:
Cisco-AVPair = "shell:tasks=#netadmin,#sysadmin,#cisco-support"
Btw, you can also grant privilege level 15 directly:
Cisco-AVPair = "shell:priv-lvl=15"
Or restrict the user to a command directly:
Cisco-AVPair = "shell:cmd=show"
If you assign the cisco-support group first and then limit commands with "cmd=show", cmd will be unavailable, and vice versa.
[root@frank radius]# more /etc/raddb/users
frank   Cleartext-Password := "frank"
        Service-Type = NAS-Prompt-User,
        Reply-Message = "Hello!",
        Login-Service = Telnet,
        Cisco-AVPair = "shell:tasks*=#priv5,"
3: Config on ASR9k
Notes: IOS XR does not seem to support command-level accounting; from the documents I checked, IOS does support it:
RP/0/0/CPU0:asr9k(config)#aaa accounting commands default start-stop group ?
  WORD     server-group name
  tacacs+  Use list of all TACACS+ hosts
RP/0/0/CPU0:asr9k#sh run
Mon Dec 15 08:10:00.144 UTC
Building configuration...
!! IOS XR Configuration 5.2.2
!! Last configuration change at Mon Dec 15 07:53:46 2014 by cisco
!
hostname asr9k
telnet vrf default ipv4 server max-servers 10
taskgroup priv5
 task read system
 task read logging
 task read host-services
 task read basic-services
 task read config-services
 description read_only_all
!
usergroup priv5
 taskgroup priv5
 description read_only_all
!
radius source-interface GigabitEthernet0/0/0/0 vrf default
radius-server host 10.x.x.x auth-port 1812 acct-port 1813
 key 7 121A0C0411045D5679
!
aaa accounting exec ACCT start-stop group frank
aaa group server radius frank
 server 10.x.x.x auth-port 1812 acct-port 1813
 source-interface GigabitEthernet0/0/0/0
!
aaa authentication login AUTH local group frank
line template vty
 accounting exec ACCT
 login authentication AUTH
 exec-timeout 10 0
!
vty-pool default 0 10 line-template vty
4: Verify whether authentication works
Router#telnet 12.1.1.2
Trying 12.1.1.2 ... Open
User Access Verification
Username: frank
Password:
Hello!
RP/0/0/CPU0:asr9k#show user all
Mon Dec 15 08:15:22.891 UTC
Username: frank
Groups: priv5
Authenticated using method radius
User frank has the following Task ID(s):
Task: basic-services : READ
Task: config-services : READ
Task: host-services : READ
Task: logging : READ
Task: system : READ
RP/0/0/CPU0:asr9k#
RP/0/0/CPU0:asr9k#admin
% This command is not authorized
5: Check accounting information on freeradius
[root@frank 10.x.x.x]# pwd
/var/log/radius/radacct/10.x.x.x
[root@frank 10.x.x.x]# more detail-20141215
Mon Dec 15 02:36:15 2014
	User-Name = 'frank'
	NAS-IP-Address = 10.x.x.x
	NAS-Port = 130
	NAS-Port-Type = Virtual
	Service-Type = NAS-Prompt-User
	Acct-Status-Type = Start
	Acct-Session-Id = '00000002'
	Acct-Delay-Time = 0
	Event-Timestamp = 'Dec 15 2014 03:14:56 EST'
	Calling-Station-Id = '12.1.1.1'
	Acct-Unique-Session-Id = 'aa9b5dd23397582f2033d2c087ebb7fa'
	Timestamp = 1418628975
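As an added example (not code from the original post), here is a small Python parser for the FreeRADIUS accounting detail file shown above; it pairs Start and Stop records so you can see who held an exec session on which NAS, from where and for how long, and which sessions never received a Stop. The sample records, hosts, session ids and times are constructed.

```python
import re

# Constructed sample of a FreeRADIUS "detail" accounting file, modelled on the
# Start record in section 5; the hosts, session ids and times are placeholders.
SAMPLE_DETAIL = """\
Mon Dec 15 02:36:15 2014
\tUser-Name = 'frank'
\tNAS-IP-Address = 10.0.0.1
\tAcct-Status-Type = Start
\tAcct-Session-Id = '00000002'
\tCalling-Station-Id = '12.1.1.1'

Mon Dec 15 02:51:03 2014
\tUser-Name = 'frank'
\tNAS-IP-Address = 10.0.0.1
\tAcct-Status-Type = Stop
\tAcct-Session-Id = '00000002'
\tAcct-Session-Time = 888
\tCalling-Station-Id = '12.1.1.1'
"""

ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")  # indented "Attribute = value" lines


def parse_detail(text):
    """One dict per blank-line-separated record; the unindented timestamp line is kept as '_received'."""
    records = []
    for block in filter(None, re.split(r"\n\s*\n", text.strip())):
        lines = block.splitlines()
        rec = {"_received": lines[0].strip()}
        for m in filter(None, map(ATTR_RE.match, lines[1:])):
            rec[m.group(1)] = m.group(2).strip().strip("'")
        records.append(rec)
    return records


def sessions(records):
    """Pair Start/Stop by (NAS, Acct-Session-Id): returns closed exec sessions
    plus any Start record without a Stop (a vty still open, or lost accounting)."""
    pending, closed = {}, []
    for r in records:
        key = (r.get("NAS-IP-Address"), r.get("Acct-Session-Id"))
        if r.get("Acct-Status-Type") == "Start":
            pending[key] = r
        elif r.get("Acct-Status-Type") == "Stop":
            closed.append({"user": r.get("User-Name"), "nas": key[0],
                           "from": r.get("Calling-Station-Id"),
                           "seconds": int(r.get("Acct-Session-Time", "0")),
                           "had_start": pending.pop(key, None) is not None})
    return closed, list(pending.values())
```

Point it at the real file with open("/var/log/radius/radacct/<nas>/detail-YYYYMMDD").read() to review who logged into the router and from which address.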
6: Wireshark example of the response from the server
Some related links:
Cisco IOS and Radius
Configuring FreeRADIUS to support Cisco AAA Clients
Using FreeRADIUS with Cisco Devices
IOS XR AAA – Network NSP Cisco