ASR9k + Freeradius
Refer to IOX + Freeradius article that very less on Internet and lots of IOS with Freeradius, after study that, I summarized that by follow:
1: Install freeradius
You need install free radius first, ignore the part, you can check it by yourself or check my last article <RHEL7 install freeradius>
2: Config freeradius
clients.conf
[root@frank radius]# more /etc/raddb/clients.conf
client 10.x.x.x {
secret = cisco123
shortname = iox-5.2.2
nas_type = cisco
}
users
Notes: as follow, we can assign a group for user “frank”, now priv5 is custom group, you can assign default group, e.g:
Cisco-avpair = “shell:task=#netadmin,#sysadmin,#cisco-support”Btw, you can direct defined priv15 by follow:
Cisco-AVPair = “shell:priv-lvl=15”Or direct defined cmd by follow:
Cisco-AVpair = “shell:cmd=show”If you assign cisco-support group first, and then to limit command by “cmd=show”, cmd will unavailable; and vice versa.
[root@frank radius]# more /etc/raddb/users
frank Cleartext-Password := "frank"
Service-Type = NAS-Prompt-User,
Reply-Message = "Hello!",
Login-Service = Telnet,
Cisco-AVPair = "shell:tasks*=#priv5,"
3: Config on ASR9k
Notes: IOX should not support accounting for command level, I checked some documents, IOS support that:
RP/0/0/CPU0:asr9k(config)#aaa accounting commands default start-stop group ? WORD server-group name tacacs+ Use list of all TACACS+ hosts
RP/0/0/CPU0:asr9k#sh run Mon Dec 15 08:10:00.144 UTC Building configuration... !! IOS XR Configuration 5.2.2 !! Last configuration change at Mon Dec 15 07:53:46 2014 by cisco ! hostname asr9k telnet vrf default ipv4 server max-servers 10 taskgroup priv5 task read system task read logging task read host-services task read basic-services task read config-services description read_only_all ! usergroup priv5 taskgroup priv5 description read_only_all ! radius source-interface GigabitEthernet0/0/0/0 vrf default radius-server host 10.x.x.x auth-port 1812 acct-port 1813 key 7 121A0C0411045D5679 ! aaa accounting exec ACCT start-stop group frank aaa group server radius frank server 10.x.x.x auth-port 1812 acct-port 1813 source-interface GigabitEthernet0/0/0/0 ! aaa authentication login AUTH local group frank line template vty accounting exec ACCT login authentication AUTH exec-timeout 10 0 ! vty-pool default 0 10 line-template vty
4: Verify whether authentication work
Router#telnet 12.1.1.2
Trying 12.1.1.2 ... Open
User Access Verification
Username: frank
Password:
Hello!
RP/0/0/CPU0:asr9k#show user all
Mon Dec 15 08:15:22.891 UTC
Username: frank
Groups: priv5
Authenticated using method radius
User frank has the following Task ID(s):
Task: basic-services : READ
Task: config-services : READ
Task: host-services : READ
Task: logging : READ
Task: system : READ
RP/0/0/CPU0:asr9k#
RP/0/0/CPU0:asr9k#admin
% This command is not authorized
5: Check account information on freeradius
[root@frank 10.x.x.x]# pwd
/var/log/radius/radacct/10.x.x.x
[root@frank 10.x.x.x]# more detail-20141215
Mon Dec 15 02:36:15 2014
User-Name = 'frank'
NAS-IP-Address = 10.x.x.x
NAS-Port = 130
NAS-Port-Type = Virtual
Service-Type = NAS-Prompt-User
Acct-Status-Type = Start
Acct-Session-Id = '00000002'
Acct-Delay-Time = 0
Event-Timestamp = 'Dec 15 2014 03:14:56 EST'
Calling-Station-Id = '12.1.1.1'
Acct-Unique-Session-Id = 'aa9b5dd23397582f2033d2c087ebb7fa'
Timestamp = 1418628975
6: Wireshark example for respond from server

Some relation Link:
Cisco IOS and Radius
Configuring FreeRADIUS to support Cisco AAA Clients
Using FreeRADIUS with Cisco Devices
IOS XR AAA – Network NSP Cisco
[…] ASR9k + Freeradius […]