radius and cisco

Jim McIver jmciver at lmtribune.com
Tue Feb 19 20:11:42 CET 2008


I'm a newbie and looking for instructions on how to set up FreeRADIUS 
Version 1.1.7 on a SLES 10 linux box to use for authentication and  
logging for a cisco 2801 router. I want to track users connecting 
from the outside world using Cisco's vpn client and cisco says 
radius is the answer.

I'd like to start with just allowing users from the linux /etc/passwd 
access and then move onto authentication from my Netware 6.5 LDAP 
server.

I've read all I can find on freeradius.org and cisco, but still don't 
understand... hard learner I guess.

radiusd -xx gives:
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Initializing the thread pool...
 thread: start_servers = 5
 thread: max_servers = 32
 thread: min_spare_servers = 3
 thread: max_spare_servers = 10
 thread: max_requests_per_server = 0
 thread: cleanup_delay = 5
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Thread spawned new child 4. Total threads in pool: 4
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread 4 waiting to be assigned a request
Thread 5 waiting to be assigned a request
Thread spawned new child 5. Total threads in pool: 5
Thread pool initialized
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

My radius.conf is what was installed as default.
Q1? Do I need to add anything other than the below to client.conf?

In my client.conf I've added:
# Test on cisco 2801 router(internal ip of router)
client 192.168.135.3 {
        secret          =xxxxxxx
        shortname       =myrouter
        nastype         =cisco
}

I believe the relevant part of the users file is:

DEFAULT Auth-Type = System
        Fall-Through = 1

and

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

Notes I've read say to change this to 255.255.255.255 ??

Q2? I believe I also need to add something similar to the below in 
the users file?

youruser   Cleartext-Password := "somepass"
           Service-Type = NAS-Prompt-User,
           cisco-avpair = "shell:priv-lvl=15"

Q3? Does "youruser" and "somepass" need to be a valid user from 
/etc/passwd? I'm unclear if there is a link between users in this 
file and valid users in /etc/passwd of the linux box.

My cisco 2801 currently has info like:
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local if-authenticated
aaa authorization network default local
!
aaa session-id common
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNCLIENTS
 key xxxxxxx
 dns 192.168.135.15
 domain xxxxxxx.com
 pool CLIENTPOOL
 acl 150
 netmask 255.255.255.0
crypto isakmp profile IKE1
   match identity group VPNCLIENTS
   client authentication list default
   isakmp authorization list default
   client configuration address respond
!

Q4? Do I need to remove any of this info, or just replace the stuff 
at the top with something like:

   aaa new-model
   aaa authentication login default group radius local
   aaa authentication login localauth local
   aaa authentication ppp default if-needed group radius local
   aaa authorization exec default group radius local
   aaa authorization network default group radius local
   aaa accounting delay-start
   aaa accounting exec default start-stop group radius
   aaa accounting network default start-stop group radius
   aaa processes 6
   aaa accounting delay-start

Q5? Do I also need a line similar to below on the cisco?
radius-server host 192.168.135.3
radius-server key xxxx
radius-server auth-port 1812

I'm guessing that my radius.log will then show when users login.

thx in advance,

-Jim McIver
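As an added illustration (not FreeRADIUS code and not from the post), a small Python model of how the files module walks the three users entries quoted above: a "==" check item compares against the request, "=" sets a control item only if it is not yet set, ":=" always sets it, reply items accumulate, and Fall-Through decides whether later entries are tried. Under these rules the first DEFAULT entry sets Auth-Type = System for every user before the youruser entry is reached; the sample file text and the requests fed to it are constructed.

```python
import re
# Constructed sample: the three 'users' entries quoted in the post above.
USERS_FILE = """\
DEFAULT Auth-Type = System
        Fall-Through = 1
DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes
youruser   Cleartext-Password := "somepass"
           Service-Type = NAS-Prompt-User,
           cisco-avpair = "shell:priv-lvl=15"
"""
# one "Attribute op Value" item; values may be quoted, ',' separates items
ITEM = re.compile(r'([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,\s]+)')

def parse_users(text):
    """Return [(name, check_items, reply_items)] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        items = [(a, op, v.strip('"')) for a, op, v in ITEM.findall(line)]
        if line[0].isspace():        # indented line = reply items of last entry
            entries[-1][2].extend(items)
        else:                        # first line = name + check items
            entries.append((line.split()[0], items, []))
    return entries

def match(entries, request):
    """Walk entries in order; return the (control, reply) lists built."""
    control, reply = {}, {}
    for name, checks, replies in entries:
        if name not in ('DEFAULT', request.get('User-Name')):
            continue
        if any(op == '==' and request.get(a) != v for a, op, v in checks):
            continue                 # a '==' comparison against the request failed
        for a, op, v in checks:      # ':=' always sets, '=' only if not yet set
            if op == ':=' or (op == '=' and a not in control):
                control[a] = v
        fall_through = False
        for a, op, v in replies:
            if a == 'Fall-Through':
                fall_through = v.lower() in ('yes', '1')
            elif op == ':=' or a not in reply:
                reply[a] = v
        if not fall_through:         # without Fall-Through, stop at first match
            break
    return control, reply
```

Feeding a request for youruser through match() ends with Auth-Type = System already in the control list when the Cleartext-Password entry is reached, which is the link between the users file and /etc/passwd that Q3 asks about.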
