radius and cisco

Tue Feb 19 21:19:37 CET 2008

>My radius.conf is what was installed as default.
>Q1? Do I need to add anything other than the below to client.conf?
>
>In my client.conf I've added:
># Test on cisco 2801 router(internal ip of router)
>client 192.168.135.3 {
>        secret          =xxxxxxx
>        shortname       =myrouter
>        nastype         =cisco
>}
>
>I believe the relavent part of the users file is:
>
>DEFAULT Auth-Type = System
>        Fall-Through = 1
>
>and
>
>DEFAULT Service-Type == Framed-User
>        Framed-IP-Address = 255.255.255.254,
>        Framed-MTU = 576,
>        Service-Type = Framed-User,
>        Fall-Through = Yes
>
>Notes I've read say to change this to 255.255.255.255 ??
>

That looks fine. Notes are likely about the netmask not IP address.

>Q2? I believe I also need to add something similar to the below in
>the users file?
>
>youruser   Cleartext-Password := "somepass"
>           Service-Type = NAS-Prompt-User,
>           cisco-avpair = "shell:priv-lvl=15"
>

Remove the password. You said that it will be stored in /etc/passwd. If
you put the password here you dont need /etc/passwd check (Auth-Type
System) at all.

>Q3? Does "youruser" and "somepass" need to be a valid user from
>/etc/passwd? I'm unclear if there is a link between users in this
>file and valid users in /etc/passwd of the linux box.
>

Link is the username. You want to store password in /etc/passwd and reply
attributes in users file.

>My cisco 2801 currently has info like:
>aaa new-model
>!
>!
>aaa authentication login default local
>aaa authorization exec default local if-authenticated
>aaa authorization network default local
>!
>aaa session-id common
>!
>!
>crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
>!
>crypto isakmp client configuration group VPNCLIENTS
> key xxxxxxx
> dns 192.168.135.15
> domain xxxxxxx.com
> pool CLIENTPOOL
> acl 150
> netmask 255.255.255.0
>crypto isakmp profile IKE1
>   match identity group VPNCLIENTS
>   client authentication list default
>   isakmp authorization list default
>   client configuration address respond
>!
>
>Q4? Do I need to remove any of this info, or just replace the stuff
>at the top with something like:
>
>   aaa new-model
>   aaa authentication login default group radius local
>   aaa authentication login localauth local
>   aaa authentication ppp default if-needed group radius local
>   aaa authorization exec default group radius local
>   aaa authorization network default group radius local
>   aaa accounting delay-start
>   aaa accounting exec default start-stop group radius
>   aaa accounting network default start-stop group radius
>   aaa processes 6
>   aaa accounting delay-start
>

This is from here: http://wiki.freeradius.org/Cisco

>Q5? Do I also need a line similar to below on the cisco?
>radius-server host 192.168.135.3
>radius-server key xxxx
>radius-server auth-port 1812
>

That IP address is the same as the one for the router. That can't be
correct - linux box IP should go here. You have not set up accounting -
and that was the whole point of this exercise. Add that. If radius IP is
also on the private subnet it's quite likely that you wont have to
force the router to use the IP address defined in clients.conf - it
should select it on it's own. If it doesn't you can force radius
source interface in router config.

Ivan Kalik
Kalik Informatika ISP