
Cisco Catalyst RADIUS AAA Configuration

Blueprint

  • CCIE R&S
    • Written v5.1
      • 5.0 Infrastructure Security
        • 5.1 Device security
          • 5.1.a Implement and troubleshoot IOS AAA using local database
          • 5.1.d Describe device security using IOS AAA with TACACS+ and RADIUS
          • 5.1.d [i] AAA with TACACS+ and RADIUS
        • 5.2 Network security
          • 5.2.d Describe 802.1x
          • 5.2.d [i] 802.1x, EAP, RADIUS
    • Lab v5.0
      • 4.0 Infrastructure Security
        • 4.1 Device security
          • 4.1.a Implement and troubleshoot IOS AAA using local database

FreeRADIUS Server Configuration

Configuration

modern

configure terminal
!
! Management SVI. Its address is the NAS-IP-Address the RADIUS server records
! (10.0.8.210 in the accounting detail file further down the page).
interface Vlan 1
 ip address 10.0.8.210 255.255.255.0
 no shutdown
exit
!
! Keep the switch clock in sync so syslog timestamps and the accounting
! Event-Timestamp values can be correlated with the server side.
ntp server 10.0.8.254
!
! Enter this first: the "aaa group server" and "aaa authentication/authorization/
! accounting" commands below are rejected until AAA is enabled. Caveat: enabling
! aaa new-model also changes how console/vty logins are authenticated, so keep the
! current session open and confirm a login method or local user exists before
! disconnecting.
aaa new-model
!
! RADIUS server definition. The name is a label only; the server at 10.0.8.254 is
! FreeRADIUS here (see the /var/log/freeradius/radacct detail output below).
radius server ISE01
 address ipv4 10.0.8.254 auth-port 1812 acct-port 1813
 ! Shared secret. It is shown in "show running-config" as typed unless type-6 key
 ! encryption is enabled ("key config-key password-encryption" together with
 ! "password encryption aes"). Treat the value on this page as lab-only.
 key pg1xhimitsu
exit
!
! Server group referenced by the method lists; add further "server name" entries
! here for redundancy rather than changing the method lists.
aaa group server radius GROUP-ISE
 server name ISE01
exit
!
! Method lists: 802.1X authentication, network authorization (needed if the server
! is to push per-session attributes such as VLAN or ACL), per-session accounting,
! and system accounting (accounting-on/off records when the switch boots or AAA
! is reconfigured).
aaa authentication dot1x default group GROUP-ISE
aaa authorization network default group GROUP-ISE
aaa accounting dot1x default start-stop group GROUP-ISE
aaa accounting system default start-stop group GROUP-ISE
!
! Global enable; without it "authentication port-control auto" on the ports below
! has no effect.
dot1x system-auth-control
!
! Access ports under 802.1X control. No guest, auth-fail or critical VLAN is
! configured, so by default a client that fails authentication or never sends
! EAPOL stays blocked on these ports (only the RADIUS-authenticated host passes).
interface range FastEthernet 0/1 - 6
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 ! portfast skips the STP listening/learning delay so the client does not wait
 ! ~30 s before traffic (and DHCP after a successful auth) flows. On access ports
 ! pair it with "spanning-tree bpduguard enable" so a rogue switch plugged into an
 ! edge port cannot join the STP topology.
 spanning-tree portfast
!
! Presumably the uplink toward the RADIUS server (it is the alternate SPAN source
! below). portfast on it is only safe if nothing running STP is attached.
interface GigabitEthernet 0/1
 spanning-tree portfast
!
! SPAN session for packet capture on Fa0/8: source Fa0/1 captures the EAPOL side
! (supplicant), the commented-out Gi0/1 line captures the RADIUS side instead.
! Only one source is active at a time; "encapsulation replicate" keeps the
! original 802.1Q tags in the mirrored frames.
monitor session 1 source interface FastEthernet 0/1
!monitor session 1 source interface GigabitEthernet 0/1
monitor session 1 destination interface FastEthernet 0/8 encapsulation replicate
!
end
wnoguchi@kotone:~$ sudo nmcli con edit "Wired connection 2"

===| nmcli interactive connection editor |===

Editing existing '802-3-ethernet' connection: 'Wired connection 2'

Type 'help' or '?' for available commands.
Type 'describe [<setting>.<prop>]' for detailed property description.

You may edit the following settings: connection, 802-3-ethernet (ethernet), 802-1x, dcb, ipv4, ipv6, tc, proxy
nmcli> set 802-1x.eap peap
nmcli> set 802-1x.identity wnoguchi
nmcli> set 802-1x.phase2-auth mschapv2
nmcli> set 802-1x.password kotoneaishiteru
nmcli> save
Connection 'Wired connection 2' (bdf6d676-83df-3104-b8dc-5b1f34b9d10d) successfully updated.
nmcli> quit
wnoguchi@kotone:~$ sudo nmcli con up "Wired connection 2"
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/8)
SW10#
Aug 14 08:57:42.303: %SYS-5-CONFIG_I: Configured from console by console
SW10#
Aug 14 08:57:59.424: %AUTHMGR-5-START: Starting 'dot1x' for client (84af.ec73.9c01) on Interface Fa0/1 AuditSessionID 0A0008D20000000500390B5A
Aug 14 08:57:59.508: %DOT1X-5-SUCCESS: Authentication successful for client (84af.ec73.9c01) on Interface Fa0/1 AuditSessionID 0A0008D20000000500390B5A
Aug 14 08:57:59.508: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (84af.ec73.9c01) on Interface Fa0/1 AuditSessionID 0A0008D20000000500390B5A
SW10#
Aug 14 08:57:59.608: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (84af.ec73.9c01) on Interface Fa0/1 AuditSessionID 0A0008D20000000500390B5A
SW10#
root@kozue:/etc/tacacs+# tail -f /var/log/freeradius/radacct/10.0.8.210/detail-20190814
        NAS-Port-Id = "FastEthernet0/1"
        Called-Station-Id = "00-22-BD-89-21-81"
        Service-Type = Framed-User
        NAS-IP-Address = 10.0.8.210
        Acct-Delay-Time = 0
        Event-Timestamp = "Aug 14 2019 18:07:21 JST"
        Tmp-String-9 = "ai:"
        Acct-Unique-Session-Id = "d9b2a2110f53edc31cf8f536901be4af"
        Timestamp = 1565773641

Wed Aug 14 18:07:46 2019
        Acct-Session-Id = "00000008"
        Calling-Station-Id = "84-AF-EC-73-9C-01"
        User-Name = "wnoguchi"
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        NAS-Port-Type = Ethernet
        NAS-Port = 50001
        NAS-Port-Id = "FastEthernet0/1"
        Called-Station-Id = "00-22-BD-89-21-81"
        Service-Type = Framed-User
        NAS-IP-Address = 10.0.8.210
        Acct-Delay-Time = 0
        Event-Timestamp = "Aug 14 2019 18:07:46 JST"
        Tmp-String-9 = "ai:"
        Acct-Unique-Session-Id = "762884b168d1705155d5dd4b97e9d992"
        Timestamp = 1565773666

Wed Aug 14 18:08:35 2019
        Acct-Session-Id = "00000008"
        Calling-Station-Id = "84-AF-EC-73-9C-01"
        User-Name = "wnoguchi"
        Acct-Authentic = RADIUS
        Acct-Terminate-Cause = Admin-Reset
        Acct-Session-Time = 49
        Acct-Input-Octets = 7826
        Acct-Output-Octets = 6992
        Acct-Input-Packets = 57
        Acct-Output-Packets = 53
        Acct-Status-Type = Stop
        NAS-Port-Type = Ethernet
        NAS-Port = 50001
        NAS-Port-Id = "FastEthernet0/1"
        Called-Station-Id = "00-22-BD-89-21-81"
        Service-Type = Framed-User
        NAS-IP-Address = 10.0.8.210
        Acct-Delay-Time = 0
        Event-Timestamp = "Aug 14 2019 18:08:35 JST"
        Tmp-String-9 = "ai:"
        Acct-Unique-Session-Id = "762884b168d1705155d5dd4b97e9d992"
        Timestamp = 1565773715
wnoguchi@kotone:~$ echo 1565773666 - 1565773715 | bc
-49
! Re-point the SPAN source from the supplicant port (Fa0/1, EAPOL leg) to Gi0/1,
! presumably the uplink carrying the RADIUS exchange, so the capture host on Fa0/8
! sees the Access-Request/Accept and accounting packets instead of EAPOL.
no monitor session 1 source interface FastEthernet 0/1
monitor session 1 source interface GigabitEthernet 0/1
monitor session 1 destination interface FastEthernet 0/8 encapsulation replicate

legacy

configure terminal
!
! Same management SVI as the first listing, but note the mask differs here
! (255.255.252.0 vs 255.255.255.0 above). Pick one; the NAS address must match
! the client entry the RADIUS server expects.
interface Vlan 1
 ip address 10.0.8.210 255.255.252.0
 no shutdown
exit
!
! Required before any of the "aaa ..." commands below; see the caveat about line
! logins in the first listing.
aaa new-model
!
! Legacy per-host syntax (superseded by "radius server <name>" in the first
! listing). Two servers are defined; IOS normally tries them in configured order
! and fails over on timeout. Each host gets its own shared secret, and the key
! is stored in the config as typed unless type-6 key encryption is enabled.
radius-server host 10.0.8.193 auth-port 1812 acct-port 1813 key pg1xhimitsu
radius-server host 10.0.8.194 auth-port 1812 acct-port 1813 key pg1xhimitsu
!
! Global 802.1X enable; ordering relative to the method lists does not matter.
dot1x system-auth-control
!
! "group radius" is the implicit group of every radius-server host above, so no
! named "aaa group server" is needed in this form.
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
! Access ports under 802.1X control; single-host behaviour and no fallback VLAN,
! as in the first listing.
interface range FastEthernet 0/1 - 6
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 ! portfast so the port forwards immediately instead of waiting out the STP
 ! listening/learning timers; pair with "spanning-tree bpduguard enable" on
 ! access ports.
 spanning-tree portfast
!
end

SW10 Console Log

References
