Cisco radius auth for users and enable

All authentication on my network (with carefully selected exceptions) should be centralized. This includes router administrative logins via telnet or SSH. My authentication information is in an OpenLDAP 2.4 server. Attaching Cisco gear to an OpenLDAP database is hard. My FreeRADIUS server uses LDAP as its back end, though, and attaching Cisco gear to RADIUS is pretty easy.

To have your enable password come from LDAP, you’ll need an LDAP user called $enab15$. Take careful note of how that is spelled: dollar sign, ENAB, the number 15, and another dollar sign. There is no L, and no second E. Add this user to any LDAP groups needed for RADIUS access. This user’s password is your enable secret.

Create a loopback address for the router.

interface Loopback0
description management
ip address 192.0.2.13 255.255.255.255

Use this address for all router management functions. If you use the IP of a physical interface for management or monitoring, you lose management access whenever that interface goes down; a loopback stays up as long as the router does.

Then tell the router about your RADIUS servers. Always list multiple RADIUS servers. If you have only one RADIUS server, get a second, preferably on a completely different part of your network.

ip radius source-interface Loopback0
radius-server host 192.0.2.253 auth-port 1812 acct-port 1813 key RadiusSecret
radius-server host 192.0.2.252 auth-port 1812 acct-port 1813 key RadiusSecret

Create a local enable password and a local user with administrative privileges. These will come into play when your RADIUS servers fail. (Hopefully, they never will. But assuming things will go well sets you up for a really bad day.)

enable secret 5 $1$lnds$LNrkh4d8aoeuY/Q2Akm1k7
username admin privilege 15 password 7 1D1C1B050B8290E1

Now attach the RADIUS servers to the authentication system.

aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable

With this setup, your Cisco will try RADIUS first, and fall back to the local user database only if none of your RADIUS servers answers. A reject from RADIUS is an answer, so a wrong password never falls through to the local user.

You might also need to attach your virtual terminals to your authentication settings.

line vty 0 4
login authentication default
line vty 5 15
login authentication default

You should now have Cisco user names and the enable password synchronized with LDAP, through RADIUS.
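The exchange the router performs against the servers above, as an added example (not from this post or from Cisco): a minimal RFC 2865 Access-Request with PAP password hiding and Response Authenticator verification, wrapped in a probe that reports what IOS would see. Only the `timeout` outcome triggers the `local` fallback; `reject` does not. The NAS address 192.0.2.13 and the key `RadiusSecret` are the values from the post; the enable password is a placeholder you supply.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(1, -(-len(password) // 16)) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, user, password, secret, nas_ip, authenticator):
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, encode_password(password, secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    """A server reply; Response Authenticator = MD5(header + ReqAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(reply, request_authenticator, secret):
    """Return the reply code, or None if the Response Authenticator does not check out."""
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    return code if reply[4:20] == expected else None

def probe(server, user, password, secret=b"RadiusSecret", nas_ip="192.0.2.13", timeout=3.0):
    """Classify what the router would see: 'accept', 'reject', 'timeout' or 'invalid'."""
    ra = os.urandom(16)  # fresh Request Authenticator per request, as the NAS does
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_access_request(1, user, password, secret, nas_ip, ra), (server, 1812))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"  # only this outcome makes "group radius local" fall back
    code = verify_response(reply, ra, secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid")
```

Run `probe("192.0.2.253", b"$enab15$", b"<enable secret>")` from a monitoring host to check the enable path on each server; a server that is up but broken (full disk, dead LDAP back end) shows as `reject`, which the router will not treat as a failure.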

5 Replies to “Cisco radius auth for users and enable”

  1. Nice. I use the tac_plus package to run a TACACS+ AAA server and tie it to PAM. Therefore, the tac_plus server will use whatever user and authentication information the server uses. As a result, you could get account information from LDAP and authenticate via Kerberos/Active Directory.

  2. Nice writeup.

    I need to add privilege separation based on Group Membership (i.e. net_admins=priv 15; helpdesk=priv 7) of the users in LDAP. I have found instructions on setting up the cisco-av pair for local users on the FreeRADIUS servers but not for backend LDAP users or groups.

    Have you set up something similar?

    Thanks.

  3. Hey there, thanks for that post. I’m curious if it’s possible to enable the local user authentication also when the RADIUS connection does NOT fail. I’ve had the problem that my RADIUS was reachable and listened on the socket, but the hard drive was full, so no logins were possible and I was not able to access my switches anymore. Because from the Cisco everything looked fine. Any idea how to resolve this?
