AAA Authentication on Cisco IOS

Locally configured usernames and passwords can become an administrative nightmare if you have a network with many network devices. Each time you want to add a username or change a password, you have to log in to each device one by one to add or change something. It's a better idea to work with a central AAA server for authentication. On this server, you add all your usernames and passwords. You configure your routers and switches to use this AAA server for authentication.

On Cisco IOS, you can configure precisely how you want to use the AAA server for authentication. You can use it for console or VTY access but also for enable (privileged) mode and some other options like PPP authentication.

In this lesson, I will show you how to configure AAA authentication on a Cisco IOS router. We will use a RADIUS server with the FreeRADIUS software. FreeRADIUS is (as the name implies) free and easy to configure. Once everything is configured, a user that wants to access the console and use privileged mode will be authenticated by the RADIUS server.

Configuration

Here is the topology that I will use:

(Topology diagram: router R1 and the RADIUS server)

We have a router and the RADIUS server. Let's start with the configuration of FreeRADIUS.

FreeRADIUS

FreeRADIUS runs on Linux and most Linux distributions have it in their repositories. I'm using an Ubuntu server, so you can use apt-get to install it:

# apt-get install freeradius freeradius-utils

Once installed, we have to make some changes to the default configuration files. The first thing to do is add a new client (our router). Edit the clients.conf file with your favorite text editor:

# vim /etc/freeradius/clients.conf

And add an entry at the bottom that looks like this:

client 192.168.1.1 {
secret = MY_KEY
nastype = cisco
shortname = router
}

My client has an IP address of 192.168.1.1 (the router) and the secret is "MY_KEY". We will later configure this on the router. The secret is the only thing that authenticates the router to the server, and it is also what protects the user password on the wire, so in a real network use a long random value instead of a short word like this one.

Let’s add a user account, this will be used by the admin that wants access to the router. Open the users file:

# vim /etc/freeradius/users

And at the end of this file, create an entry that looks like this:

REMOTE_ADMIN Cleartext-Password := "MY_PASSWORD"
                    Service-Type = NAS-Prompt-User

This allows user account “REMOTE_ADMIN” to log in with password “MY_PASSWORD”. We will also add an entry for enable (privileged) mode:

$enab15$   Cleartext-Password := "REMOTE_ENABLE"
           Service-Type = NAS-Prompt-User

The password to access enable mode will be “REMOTE_ENABLE”. Save the users file and exit.

Now we have to (re)start FreeRADIUS to apply these changes:

# /etc/init.d/freeradius restart
freeradius stop/waiting
freeradius start/running, process 18145

FreeRADIUS runs as a service but when you are testing things in a lab, it’s easier to run it in debug mode. This allows you to see incoming authentication requests and debug when things go wrong. If you want to do this, you first have to stop the service:

# /etc/init.d/freeradius stop
freeradius stop/waiting

And now you can start it in debug mode:

# freeradius -X

It will produce some messages and then show you that it's ready to process requests:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.

Whenever a client asks FreeRADIUS for authentication, it will now show up on the console.
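To see what actually travels between the router and the server in those debug messages, here is an added example that is not part of the lesson or of FreeRADIUS: a minimal RFC 2865 Access-Request / Access-Accept exchange with both sides simulated in one process, so it runs offline. It assumes the lesson's values (secret MY_KEY, client 192.168.1.1, the REMOTE_ADMIN and $enab15$ entries); the attribute numbers, the Service-Type value 7 for NAS-Prompt-User, the MD5 password hiding and the Response Authenticator are the real protocol.

```python
import hashlib
import hmac
import os
import struct

# Values taken from the lesson (secret, client address, the two users-file
# entries); everything else is the real RFC 2865 wire format.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
NAS_PROMPT_USER = 7                 # Service-Type value for NAS-Prompt-User
SHARED_SECRET = b"MY_KEY"           # clients.conf "secret" == router "key"
KNOWN_CLIENTS = {"192.168.1.1"}     # the client {} block in clients.conf
USERS = {"REMOTE_ADMIN": b"MY_PASSWORD",
         "$enab15$": b"REMOTE_ENABLE"}  # username IOS sends for enable 15

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR block i with MD5(secret +
    previous cipher block); block 1 is masked with MD5(secret + RequestAuth)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password: the secret is all an eavesdropper needs."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    """Type, Length (including the 2-byte header), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_packet(pkt):
    """Return (code, id, authenticator, [(type, value)]); trust no length field."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, ident, pkt[4:20], attrs

def nas_access_request(username, password, secret, ident):
    """Router side: the Access-Request sent when someone logs in on the console."""
    request_auth = os.urandom(16)   # fresh per request; seeds the password hiding
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, bytes([192, 168, 1, 1])),
        (SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER))])
    hdr = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return hdr + request_auth + body, request_auth

def server_handle(pkt, src_ip):
    """FreeRADIUS side: drop unknown clients, unhide, look up, sign the reply."""
    if src_ip not in KNOWN_CLIENTS:
        return None                 # not in clients.conf: silently ignored
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        return None
    a = dict(attrs)
    reply_code, reply_attrs = ACCESS_REJECT, []
    if USER_NAME in a and USER_PASSWORD in a:
        user = a[USER_NAME].decode(errors="replace")
        given = reveal_password(a[USER_PASSWORD], SHARED_SECRET, request_auth)
        if user in USERS and hmac.compare_digest(given, USERS[user]):
            reply_code = ACCESS_ACCEPT
            reply_attrs = [(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER))]
    body = encode_attrs(reply_attrs)
    hdr = struct.pack("!BBH", reply_code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attrs + Secret)
    return hdr + hashlib.md5(hdr + request_auth + body + SHARED_SECRET).digest() + body

def nas_check_reply(reply, request_auth, secret, ident):
    """Router side: a bad Response Authenticator or ID is 'no answer', not a reject."""
    code, rid, resp_auth, _ = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if rid != ident or not hmac.compare_digest(expected, resp_auth):
        return None
    return code == ACCESS_ACCEPT

def authenticate(username, password, nas_secret=SHARED_SECRET, ident=7):
    """True = Access-Accept, False = Access-Reject, None = no usable answer
    (IOS would then move on to the next method in the authentication list)."""
    pkt, request_auth = nas_access_request(username, password, nas_secret, ident)
    reply = server_handle(pkt, "192.168.1.1")
    return None if reply is None else nas_check_reply(reply, request_auth, nas_secret, ident)
```

Two things worth noticing. A mismatched secret does not produce a reject: the server unhides garbage and answers Access-Reject, but the router cannot verify the Response Authenticator and treats it as no answer, which is what you will see as a timeout in practice. And reveal_password shows that anyone who captures the packet and knows the secret reads the admin password directly, so keep RADIUS traffic on a management network you trust. On the server itself you can send the same kind of request with radtest from freeradius-utils (radtest REMOTE_ADMIN MY_PASSWORD 127.0.0.1 0 testing123, assuming the default localhost client entry and its secret testing123 are still in clients.conf) and watch it arrive in the freeradius -X output.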

Cisco IOS

Our router is configured by default to use no or local authentication. That’s something we have to change. First you need to enable the AAA commands:

R1(config)#aaa new-model 

This gives us access to some AAA commands. Let’s configure the RADIUS server that you want to use:

R1(config)#radius server MY_RADIUS 
R1(config-radius-server)#address ipv4 192.168.1.200 auth-port 1812 acct-port 1813
R1(config-radius-server)#key MY_KEY

You can pick whatever name you want for the RADIUS server, I'll call mine "MY_RADIUS". We do have to configure its IP address and it's a good idea to specify the authentication (and accounting) port(s). The official ports for RADIUS authentication and accounting are 1812 and 1813. Before IANA allocated these ports, port numbers 1645 and 1646 were used unofficially, and many RADIUS servers/clients still use these ports. If the router and server disagree on the port, the requests simply never show up in the debug output.

Older versions of Cisco IOS use the radius-server host command to add new RADIUS servers.

Now we can configure the router to use our RADIUS server for authentication. Let’s check the aaa authentication command:

R1(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  dot1x            Set authentication lists for IEEE 802.1x.
  enable           Set authentication list for enable.
  eou              Set authentication lists for EAPoUDP
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  sgbp             Set authentication lists for sgbp.
  suppress         Do not send access request for a specific type of user.
  username-prompt  Text to use when prompting for a username

There are quite a few things that we can use the RADIUS server for. Login and enable are what we are going to use. Dot1x is another popular choice on switches for per-port authentication. That's something I covered in another lesson.

Let’s look at the login options:

R1(config)#aaa authentication login ?
  WORD     Named authentication list (max 31 characters, longer will be
           rejected).
  default  The default authentication list.

Here we have to choose an authentication list. Cisco IOS uses the default list for the console, VTY lines (telnet or SSH) and the AUX port. If you want to use AAA authentication for all these methods then you can use the default list. If you only want to use AAA authentication for the console and not for the VTY and AUX port then it might be better to use a new authentication list.

I will use the default authentication list so that AAA authentication is used for the console and AUX port. I’ll show you how I can exclude the VTY lines.

Let’s look at the options of the default list:

R1(config)#aaa authentication login default ?
  cache          Use Cached-group
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5           Use Kerberos 5 authentication.
  krb5-telnet    Allow logins only if already authenticated via Kerberos V
                 Telnet.
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support

First, we will configure the servers that we want to use:

R1(config)#aaa authentication login default group ?
  WORD     Server-group name
  ldap     Use list of all LDAP hosts.
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.

We only have one RADIUS server configured so let’s go for all RADIUS hosts. If you have a lot of RADIUS servers then it’s also possible to create a server group that contains the RADIUS servers you want to use. Let’s continue:

R1(config)#aaa authentication login default group radius ?
  cache       Use Cached-group
  enable      Use enable password for authentication.
  group       Use Server-group
  krb5        Use Kerberos 5 authentication.
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
  <cr>

Besides the RADIUS server, we can choose a fallback option. If our RADIUS server is unreachable, do you want all authentication to fail or perhaps fall back to some local usernames and passwords of the router? Keep in mind that the next method in the list is only tried when the RADIUS server does not answer at all; an Access-Reject from the server ends the list, so local fallback does not help a user who mistypes a password. Let's add local fallback authentication:
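Putting the router side together, as an added example rather than the lesson's own configuration (the LOCAL_ADMIN account, the VTY_LOCAL list name and the values in angle brackets are my choices; the RADIUS server definition is the one from above):

```text
! Constructed example: R1, RADIUS server 192.168.1.200, shared secret MY_KEY
aaa new-model
!
! Local account and enable secret, only reached when no RADIUS server answers
username LOCAL_ADMIN privilege 15 secret <local-password>
enable secret <enable-password>
!
radius server MY_RADIUS
 address ipv4 192.168.1.200 auth-port 1812 acct-port 1813
 key MY_KEY
!
! Default list: console and AUX ask RADIUS first, then the local accounts
aaa authentication login default group radius local
! Enable mode: RADIUS answers for the $enab15$ entry, then the local enable secret
aaa authentication enable default group radius enable
!
! Named list without RADIUS, applied only to the VTY lines so Telnet/SSH
! keeps using local accounts while console and AUX use the default list
aaa authentication login VTY_LOCAL local
line vty 0 4
 login authentication VTY_LOCAL
```

Keep a console session open while you apply this: aaa new-model takes effect immediately, and with the default list pointing at RADIUS you lose access the moment the server is unreachable and no local account exists. On IOS you can check the server before logging out with test aaa group radius REMOTE_ADMIN MY_PASSWORD legacy, and show aaa servers tells you whether the router currently considers MY_RADIUS alive.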


Forum Replies

  1. Hi Hans,

    Which IOS version are you running? I would expect this device to support all 802.1x commands.

    Rene

  2. Hi Hans
    You need to type 'dot1x pae authenticator' instead. It enables 802.1X authentication on the port with default parameters.

  3. First off if I post this in wrong place let me know and I will move the question to better forum area.

    I am studying AAA Authentication. I keep hearing it stressed to be aware that it's best practice to put "local" on the end of your lines in case your TACACS server or RADIUS server goes down.

    For example I setup switch and AAA Server and PC in Boson Simulator to play with and test:


    username brian  password brian
    !
    aaa new-model
    aaa authentication login auth group tacacs+ local
    tacacs-server host 192.168.1.3 
    !
    line con 0
    line aux 0
    line vty 0 4
    login
    !
    

    I cr

    ... Continue reading in our forum

  4. Hi Brian,

    Good to hear you figured it out. The output of your Boson simulator was indeed that it was unable to connect so this didn’t have anything to do with your AAA configuration :slight_smile: Boson is nice to practice commands but it’s only a simulator so you can’t really test things.

    If you don’t add anything to your VTY line(s) then it will use the default AAA group. If you want to use RADIUS / TACACS+ authentication for some things but not for your VTY lines, then you can also create a second group and use that for the VTY lines. Something like this:

    SW1(config)#aaa 
    ... Continue reading in our forum

  5. Hi Elia,

    It depends on the EAP type that you use. In this lesson, you can see this checkbox on the RADIUS server:

    https://networklessons.com/wp-content/uploads/2014/10/windows-xp-peap-settings.png

    The RADIUS server generated a certificate and when the client connects, it checks the server certificate to see if it’s talking to the correct server. The client then sends a username/password to authenticate the client.

    EAP-TLS allows you to use client certificates which is very safe, but does take time to setup (you need a client c

    ... Continue reading in our forum
