
tech:network:cisco:radius:radius [2019/08/13 05:09]
wnoguchi
tech:network:cisco:radius:radius [2019/08/14 09:17] (current)
wnoguchi
Line 1: Line 1:
 ====== Cisco Catalyst RADIUS AAA Configuration ====== ====== Cisco Catalyst RADIUS AAA Configuration ======
  
-{{tag>​RADIUS IEEE802.1X Authentication AAA Layer-2-Technologies Security Cisco Networking}}+{{tag>​RADIUS IEEE802.1X Authentication ​Authorization Accounting ​AAA Layer-2-Technologies Security Cisco Networking}}
  
 ===== Blueprint ===== ===== Blueprint =====
Line 20: Line 20:
           * 4.1.a Implement and troubleshoot IOS AAA using local database           * 4.1.a Implement and troubleshoot IOS AAA using local database
  
-===== RAIDUS ​Server Configuration =====+===== FreeRADIUS ​Server Configuration =====
  
-  - [[tech:​network:​cisco:​802.1x:​802.1x]]+See [[tech:​network:​cisco:​802.1x:​802.1x]]
  
-===== RAIDUS Client ​Configuration =====+===== Configuration =====
  
-IEEE802.1X +==== modearn ​====
- +
-==== modern ​====+
  
 <​code>​ <​code>​
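Review bot: the last heading change in this hunk introduces a typo: `==== modern ====` becomes `==== modearn ====`; keep `modern`, which also pairs with the `==== legacy ====` heading used later on the page. Renaming `RAIDUS Client Configuration` to plain `Configuration` fixes the RAIDUS misspelling but loses the statement that this block is the switch-side (authenticator) config, and the `IEEE802.1X` line that carried that information is removed in the same change; a heading such as `===== RADIUS Client (IEEE 802.1X Authenticator) Configuration =====` keeps both facts.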
Line 34: Line 32:
 ! !
 interface Vlan 1 interface Vlan 1
- ip address 10.0.8.210 255.255.252.0+ ip address 10.0.8.210 255.255.255.0
  no shutdown  no shutdown
 exit exit
 +!
 +ntp server 10.0.8.254
 ! !
 ! input first!! ! input first!!
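Review bot: the VLAN 1 mask changes from 255.255.252.0 to 255.255.255.0 here, but the `legacy` block later in this same revision still has `ip address 10.0.8.210 255.255.252.0`; make the two blocks agree or state why they differ. The added `ntp server 10.0.8.254` is a good companion to accounting, since the NAS stamps `Event-Timestamp` from its own clock and the switch log lines further down are only useful for correlation if that clock is right, but it is unauthenticated NTP from the same host that becomes the RADIUS server in the next hunk. If this is not a lab-only choice, add `ntp authenticate`, `ntp authentication-key <n> md5 <key>`, `ntp trusted-key <n>` and `ntp server 10.0.8.254 key <n>` so a spoofed NTP reply cannot skew the clock that timestamps AAA events.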
Line 42: Line 42:
 ! !
 radius server ISE01 radius server ISE01
- ​address ipv4 10.0.8.193 auth-port 1812 acct-port 1813+ ​address ipv4 10.0.8.254 auth-port 1812 acct-port 1813
  key pg1xhimitsu  key pg1xhimitsu
 exit exit
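Review bot: the shared secret on the `key` line, `pg1xhimitsu`, is 11 characters, below the 16 octets RFC 2865 recommends, and it is the only key material protecting the Response Authenticator, the `Message-Authenticator` HMAC and the MS-MPPE key attributes that carry the 802.1X session keys. Anyone who captures the exchange to UDP 1812/1813 can brute-force a short secret offline and then forge an Access-Accept or recover the session keys, so use a long random secret and keep in mind that it sits in the running config in clear unless `service password-encryption` is enabled, which only gives reversible type-7 obfuscation. The address change to 10.0.8.254 is fine, but the entry is still named `ISE01` (and the group `GROUP-ISE`) although the server section above was renamed to FreeRADIUS; rename both so the next reader is not misled about what is answering.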
Line 52: Line 52:
 aaa authentication dot1x default group GROUP-ISE aaa authentication dot1x default group GROUP-ISE
 aaa authorization network default group GROUP-ISE aaa authorization network default group GROUP-ISE
-accounting dot1x default start-stop group GROUP-ISE +aaa accounting dot1x default start-stop group GROUP-ISE 
-accounting system default start-stop group GROUP-ISE+aaa accounting system default start-stop group GROUP-ISE
 ! !
 dot1x system-auth-control dot1x system-auth-control
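Review bot: the two `accounting` lines lacked the leading `aaa` keyword in the previous revision, so IOS would have rejected them; the corrected `aaa accounting dot1x default start-stop group GROUP-ISE` and `aaa accounting system default start-stop group GROUP-ISE` are what produce the Start/Stop records in the FreeRADIUS `detail` file shown further down. One thing this hunk leaves open: every method list points only at `group GROUP-ISE` with no dead-server handling, so when 10.0.8.254 is unreachable every port simply fails authentication. If fail-closed is intended, say so on the page; otherwise add `radius-server dead-criteria time <sec> tries <n>` and `radius-server deadtime <min>` together with a per-port `authentication event server dead action ...` policy so the failure mode is explicit rather than accidental.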
Line 62: Line 62:
  dot1x pae authenticator  dot1x pae authenticator
  ! i can't wait STP timer  ! i can't wait STP timer
 + ​spanning-tree portfast
 +!
 +interface GigabitEthernet 0/1
  ​spanning-tree portfast  ​spanning-tree portfast
 ! !
 monitor session 1 source interface FastEthernet 0/1 monitor session 1 source interface FastEthernet 0/1
 +!monitor session 1 source interface GigabitEthernet 0/1
 monitor session 1 destination interface FastEthernet 0/8 encapsulation replicate monitor session 1 destination interface FastEthernet 0/8 encapsulation replicate
 ! !
 end end
 </​code>​ </​code>​
 +
 +<​code>​
 +wnoguchi@kotone:​~$ sudo nmcli con edit "Wired connection 2"
 +
 +===| nmcli interactive connection editor |===
 +
 +Editing existing '​802-3-ethernet'​ connection: 'Wired connection 2'
 +
 +Type '​help'​ or '?'​ for available commands.
 +Type '​describe [<​setting>​.<​prop>​]'​ for detailed property description.
 +
 +You may edit the following settings: connection, 802-3-ethernet (ethernet), 802-1x, dcb, ipv4, ipv6, tc, proxy
 +nmcli> set 802-1x.eap peap
 +nmcli> set 802-1x.identity wnoguchi
 +nmcli> set 802-1x.phase2-auth mschapv2
 +nmcli> set 802-1x.password kotoneaishiteru
 +nmcli> save
 +Connection 'Wired connection 2' (bdf6d676-83df-3104-b8dc-5b1f34b9d10d) successfully updated.
 +nmcli> quit
 +wnoguchi@kotone:​~$ sudo nmcli con up "Wired connection 2"
 +Connection successfully activated (D-Bus active path: /​org/​freedesktop/​NetworkManager/​ActiveConnection/​8)
 +</​code>​
 +
 +<​code>​
 +SW10#
 +Aug 14 08:​57:​42.303:​ %SYS-5-CONFIG_I:​ Configured from console by console
 +SW10#
 +Aug 14 08:​57:​59.424:​ %AUTHMGR-5-START:​ Starting '​dot1x'​ for client (84af.ec73.9c01) on Interface Fa0/1 AuditSessionID 0A0008D20000000500390B5A
 +Aug 14 08:​57:​59.508:​ %DOT1X-5-SUCCESS:​ Authentication successful for client (84af.ec73.9c01) on Interface Fa0/1 AuditSessionID 0A0008D20000000500390B5A
 +Aug 14 08:​57:​59.508:​ %AUTHMGR-7-RESULT:​ Authentication result '​success'​ from '​dot1x'​ for client (84af.ec73.9c01) on Interface Fa0/1 AuditSessionID 0A0008D20000000500390B5A
 +SW10#
 +Aug 14 08:​57:​59.608:​ %AUTHMGR-5-SUCCESS:​ Authorization succeeded for client (84af.ec73.9c01) on Interface Fa0/1 AuditSessionID 0A0008D20000000500390B5A
 +SW10#
 +</​code>​
 +
 +<​code>​
 +root@kozue:/​etc/​tacacs+#​ tail -f /​var/​log/​freeradius/​radacct/​10.0.8.210/​detail-20190814
 +        NAS-Port-Id = "​FastEthernet0/​1"​
 +        Called-Station-Id = "​00-22-BD-89-21-81"​
 +        Service-Type = Framed-User
 +        NAS-IP-Address = 10.0.8.210
 +        Acct-Delay-Time = 0
 +        Event-Timestamp = "Aug 14 2019 18:07:21 JST"
 +        Tmp-String-9 = "​ai:"​
 +        Acct-Unique-Session-Id = "​d9b2a2110f53edc31cf8f536901be4af"​
 +        Timestamp = 1565773641
 +
 +Wed Aug 14 18:07:46 2019
 +        Acct-Session-Id = "​00000008"​
 +        Calling-Station-Id = "​84-AF-EC-73-9C-01"​
 +        User-Name = "​wnoguchi"​
 +        Acct-Authentic = RADIUS
 +        Acct-Status-Type = Start
 +        NAS-Port-Type = Ethernet
 +        NAS-Port = 50001
 +        NAS-Port-Id = "​FastEthernet0/​1"​
 +        Called-Station-Id = "​00-22-BD-89-21-81"​
 +        Service-Type = Framed-User
 +        NAS-IP-Address = 10.0.8.210
 +        Acct-Delay-Time = 0
 +        Event-Timestamp = "Aug 14 2019 18:07:46 JST"
 +        Tmp-String-9 = "​ai:"​
 +        Acct-Unique-Session-Id = "​762884b168d1705155d5dd4b97e9d992"​
 +        Timestamp = 1565773666
 +
 +Wed Aug 14 18:08:35 2019
 +        Acct-Session-Id = "​00000008"​
 +        Calling-Station-Id = "​84-AF-EC-73-9C-01"​
 +        User-Name = "​wnoguchi"​
 +        Acct-Authentic = RADIUS
 +        Acct-Terminate-Cause = Admin-Reset
 +        Acct-Session-Time = 49
 +        Acct-Input-Octets = 7826
 +        Acct-Output-Octets = 6992
 +        Acct-Input-Packets = 57
 +        Acct-Output-Packets = 53
 +        Acct-Status-Type = Stop
 +        NAS-Port-Type = Ethernet
 +        NAS-Port = 50001
 +        NAS-Port-Id = "​FastEthernet0/​1"​
 +        Called-Station-Id = "​00-22-BD-89-21-81"​
 +        Service-Type = Framed-User
 +        NAS-IP-Address = 10.0.8.210
 +        Acct-Delay-Time = 0
 +        Event-Timestamp = "Aug 14 2019 18:08:35 JST"
 +        Tmp-String-9 = "​ai:"​
 +        Acct-Unique-Session-Id = "​762884b168d1705155d5dd4b97e9d992"​
 +        Timestamp = 1565773715
 +</​code>​
 +
 +<​code>​
 +wnoguchi@kotone:​~$ echo 1565773666 - 1565773715 | bc
 +-49
 +</​code>​
 +
 +<​code>​
 +no monitor session 1 source interface FastEthernet 0/1
 +monitor session 1 source interface GigabitEthernet 0/1
 +monitor session 1 destination interface FastEthernet 0/8 encapsulation replicate
 +</​code>​
 +
 +{{:​tech:​network:​cisco:​radius:​pasted:​20190814-091714.png}}
  
 ==== legacy ==== ==== legacy ====
  
 <​code>​ <​code>​
 +configure terminal
 +!
 interface Vlan 1 interface Vlan 1
  ip address 10.0.8.210 255.255.252.0  ip address 10.0.8.210 255.255.252.0
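Review bot: the client side of this hunk (the `nmcli` transcript) configures PEAP/MSCHAPv2 with only `802-1x.eap`, `802-1x.identity`, `802-1x.phase2-auth` and `802-1x.password` set and no `802-1x.ca-cert`; without a CA to validate against, the supplicant accepts any server certificate, so a rogue switch or access point running its own RADIUS server terminates the TLS tunnel, receives the MSCHAPv2 challenge/response and can crack the password offline. Set `802-1x.ca-cert` to the CA that signed the FreeRADIUS server certificate and, where the NetworkManager version supports it, `802-1x.domain-suffix-match` for the server name. Second, the transcript records the real password `kotoneaishiteru` in clear; redact it here, and note that `nmcli` also writes it in plaintext to the keyfile under /etc/NetworkManager/system-connections (root-only, mode 0600) unless `802-1x.password-flags` is set to `1` (agent-owned) or `2` (not saved). Third, the `echo 1565773666 - 1565773715 | bc` line has its operands reversed, which is why it prints -49; `echo 1565773715 - 1565773666 | bc` gives 49, matching `Acct-Session-Time = 49`, and that check (Stop `Timestamp` minus Start `Timestamp` equals `Acct-Session-Time`) is a useful sanity test of the accounting records, so say that is what the line is for. Finally, the `legacy` block at the end of this hunk gains `configure terminal` but keeps `255.255.252.0` while the `modern` block changed to `255.255.255.0`, and the switch log shows the client on Fa0/1 while the trailing `monitor session` snippet moves the mirror source to Gi0/1; state which port the Linux host is actually connected to.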
Line 97: Line 205:
  ​spanning-tree portfast  ​spanning-tree portfast
 ! !
 +end
 </​code>​ </​code>​
  
Line 258: Line 367:
  
   - [[https://​www.infraexpert.com/​study/​aaaz03.html|AAA - RADIUSクライアントの設定]]   - [[https://​www.infraexpert.com/​study/​aaaz03.html|AAA - RADIUSクライアントの設定]]
 +  - [[https://​www.infraexpert.com/​study/​aaaz08.html|IEEE802.1X認証のためのAAAの設定]]
  
tech/network/cisco/radius/radius.txt · Last modified: 2019/08/14 09:17 by wnoguchi