frazer.network

Tag: router

  • Configure FreeRADIUS on a Raspberry Pi


    This guide provides step-by-step instructions for installing and configuring a basic FreeRADIUS service on a Raspberry Pi, enabling it to authenticate logins for Cisco equipment.

    1. Update the System

    First, ensure that your system is up to date with the latest software packages:

    sudo apt update

    sudo apt upgrade -y

    2. Install FreeRADIUS

    Install FreeRADIUS from the official Ubuntu repositories. The package freeradius provides the RADIUS server and all the necessary utilities:

    sudo apt install freeradius freeradius-utils -y

    This command installs FreeRADIUS and some helpful utilities for managing RADIUS clients and users.

    3. Check FreeRADIUS Service Status

    After installation, the FreeRADIUS service should automatically start. To confirm it is running, check the status:

    sudo systemctl status freeradius

    You should see output indicating that the service is active (running). If it is not running, start it with:

    sudo systemctl start freeradius

    To enable FreeRADIUS to start at boot time:

    sudo systemctl enable freeradius

    4. Configure FreeRADIUS

    FreeRADIUS configuration files are located in /etc/freeradius/3.0/ (the version may vary depending on your Ubuntu version). The most important configuration files are:

    • /etc/freeradius/3.0/radiusd.conf: Main configuration file for the server.
    • /etc/freeradius/3.0/clients.conf: Used to configure clients (devices or servers that will use RADIUS).
    • /etc/freeradius/3.0/users: Used to configure user authentication.

    You can edit these files to suit your requirements.

    To configure clients, open the clients.conf file:

    sudo nano /etc/freeradius/3.0/clients.conf

    A simple example of a client configuration would look like this, where the IP address can be a single host or the management subnet of the Cisco device. Add the following to the very top of the file:

    client Cisco {
        ipaddr = 172.16.255.0/24
        secret = SuperSecretPassword#2025
        require_message_authenticator = no
    }
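To show what the require_message_authenticator setting in the client block above actually checks, here is an added Python example (not part of the original guide) that builds an RFC 2865 Access-Request the way a NAS such as the Cisco device would, including the RFC 3579 Message-Authenticator, and then verifies it the way the server does. The shared secret and user are the guide's sample values; the packet is constructed offline and never sent.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1               # RFC 2865 packet code
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_PORT = 5
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579 HMAC-MD5 integrity attribute

def attr(type_code: int, value: bytes) -> bytes:
    """Encode one attribute: Type (1 octet) | Length (1 octet, header included) | Value."""
    return struct.pack("!BB", type_code, len(value) + 2) + value

def hide_user_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block);
    the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden

def recover_user_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Server-side inverse of hide_user_password; strips the NUL padding."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        plain += bytes(a ^ b for a, b in zip(prev, key))
    return plain.rstrip(b"\x00")

def build_access_request(secret: bytes, username: str, password: str,
                         identifier: int = 0, request_authenticator: bytes = b"") -> bytes:
    """Client side: Access-Request with User-Name, User-Password, NAS-Port and a
    Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed)."""
    ra = request_authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_user_password(secret, ra, password.encode()))
             + attr(ATTR_NAS_PORT, struct.pack("!I", 0))
             + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # placeholder, filled below
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def parse_attributes(packet: bytes) -> list:
    """Return (type, offset, value) triples, rejecting truncated or zero-length attributes."""
    out, pos = [], 20
    while pos < len(packet):
        length = packet[pos + 1] if pos + 2 <= len(packet) else 0
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((packet[pos], pos, packet[pos + 2:pos + length]))
        pos += length
    return out

def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server side, i.e. what require_message_authenticator = yes enforces: the attribute
    must be present and its HMAC must match; absent, wrong secret or tampering -> False."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    for type_code, pos, value in parse_attributes(packet):
        if type_code == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False
```

With the setting left at no, a request that omits the attribute is still accepted, so only the Request Authenticator and the User-Password hiding stand between the NAS and the server; set it to yes once you have confirmed the Cisco device sends Message-Authenticator.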

    You can configure users by editing the users file:

    sudo nano /etc/freeradius/3.0/users

    Add new users at the very top of the file, for example:

    testuser Cleartext-Password := "password"
    	Cisco-AVPair = "shell:priv-lvl=15"

    Formatting is very important here: the Cisco-AVPair reply line must be indented with a tab character, and the quotes must be plain ASCII quotes.

    5. Configure Cisco device:

    The following commands will configure radius for authentication and authorization, falling back to local credentials.

    This will configure the “default” group, so there’s no need to specify an AAA group on the VTY/Console lines.

    The console line will receive authorization upon authentication.

    Accounting has been configured to log locally to the device.

    Enable AAA

    aaa new-model
    aaa authentication login default group radius local line
    aaa authorization console
    aaa authorization exec default group radius local
    aaa accounting exec default start-stop logger

    Specify Radius Server

    radius server RADIUS-SERVER-01
     address ipv4 x.x.x.x auth-port 1812 acct-port 1813
     timeout 3
     retransmit 3
     key 0 SuperSecretPassword#2025

    Specify radius source interface

    ip radius source-interface Loopback1

    6. Verify radius server is reachable:

    show aaa servers

    7. Troubleshoot

    If you’re still encountering issues, try stopping the radius service and starting it in debug mode:

    sudo systemctl stop freeradius

    sudo freeradius -X

    It is worth noting that any changes to the users file require a restart of the service to take effect.

    8. Enable FreeRADIUS to Start on Boot (Optional)

    If you haven’t already done so, enable FreeRADIUS to start on boot:

    sudo systemctl enable freeradius

  • Cisco 1000 series full fiber (FTTP) basic configuration guide

    Please follow the below guide to securely terminate a fiber (FTTP) broadband service on a Cisco C1117-4P router.

    This configuration will handle DHCP on the LAN, outbound NAT (dynamic PAT), and statefully inspect packets to ensure connections are only ever built outbound.

    The router will be unreachable from the outside world and can only be managed internally from the LAN via SSH, or locally via console.

    This guide assumes a basic working knowledge of configuring Cisco equipment with a console cable.

    Cisco 1000 series router (FTTP)

    Prerequisites

    Please populate the below, ready to merge into the main config.

    Enable password = #ENABLE_PASSWORD#

    Login username = #USERNAME#

    Login password = #PASSWORD#

    Console and VTY fallback password = #FALLBACKPASSWORD#

    Broadband username = #BROADBAND_USERNAME#

    Broadband password = #BROADBAND_PASSWORD#

    Configuration Steps

    1 – Ensure any existing config on the router has been wiped and you are starting fresh (write erase & reload).

    An enable secret is required following the first boot; enter your enable password at the prompt.

    As we don’t want to save anything at this stage, I would enter 0 when prompted. This should allow us to start with a blank config.


    Finally, if prompted to enter the initial config, type ‘no’.

    2 – Enter global configuration mode and apply general ‘best practice’ fixups

    service sequence-numbers
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service tcp-keepalives-in
    service tcp-keepalives-out
    service password-encryption
    logging buffered 10240000
    login on-success log
    login on-failure log
    clock timezone GMT 0 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
    no ip http server
    no ip http secure-server
    no ip http authentication local
    ntp server 134.226.81.3
    hostname R1

    3 – Define login credentials and secure remote access

    ! Login credentials
    enable secret 0 #ENABLE_PASSWORD#
    username #USERNAME# privilege 15 secret 0 #PASSWORD#
    ip domain name cisco.router
    crypto key generate rsa general-keys modulus 4096


    ! Secure console and VTY lines
    ip access-list standard SECURE_VTY
    10 permit 192.168.1.0 0.0.0.255
    exit


    line con 0
    password #FALLBACKPASSWORD#
    login local
    session-timeout 15
    exit


    line vty 0 15
    password #FALLBACKPASSWORD#
    login local
    transport input ssh
    access-class SECURE_VTY in
    session-timeout 15
    exit

    4 – Configure Zones and ACLs to support stateful packet inspection

    ! Configure Zones
    zone security OUTSIDE
    zone security INSIDE
    exit

    ! Configure ACLs to match traffic.
    ip access-list extended ACL_ZBFW_INSIDE_TO_OUTSIDE
    10 permit ip any any
    exit
    ip access-list extended ACL_ZBFW_ROUTER_TO_OUTSIDE
    10 permit ip any any
    exit

    ! Configure class-maps to match ACLs.
    class-map type inspect match-any CM_ZBFW_INSIDE_TO_OUTSIDE
    match access-group name ACL_ZBFW_INSIDE_TO_OUTSIDE
    exit
    class-map type inspect match-any CM_ZBFW_ROUTER_TO_OUTSIDE
    match access-group name ACL_ZBFW_ROUTER_TO_OUTSIDE
    exit

    ! Configure policy maps to reference class maps.
    policy-map type inspect PM_ZBFW_ROUTER_TO_OUTSIDE
    class type inspect CM_ZBFW_ROUTER_TO_OUTSIDE
    inspect
    class class-default
    exit
    exit

    policy-map type inspect PM_ZBFW_INSIDE_TO_OUTSIDE
    class type inspect CM_ZBFW_INSIDE_TO_OUTSIDE
    inspect
    class class-default
    exit
    exit

    ! Configure Zone pairs to reference policy-maps.
    zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
    service-policy type inspect PM_ZBFW_INSIDE_TO_OUTSIDE
    zone-pair security ROUTER_TO_OUTSIDE source self destination OUTSIDE
    service-policy type inspect PM_ZBFW_ROUTER_TO_OUTSIDE

    5 – Configure LAN interface and enable DHCP

    ! Configure VLAN 1 interface and DHCP
    interface Vlan1
    description ### LAN DEFAULT GATEWAY ###
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    zone-member security INSIDE
    no shutdown
    exit


    ip dhcp excluded-address 192.168.1.0 192.168.1.10
    ip dhcp excluded-address 192.168.1.240 192.168.1.254
    ip dhcp pool VLAN_1
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.254
    dns-server 1.1.1.1 8.8.8.8
    exit


    ! Configure built-in switchports
    interface range gi0/1/0-3
    description ### ACCESS PORT ###
    switchport
    switchport mode access
    switchport access vlan 1
    spanning-tree portfast
    no shutdown
    exit

    6 – Configure PPPoE interface

    interface GigabitEthernet0/0/0
    description ### PPPoE INTERFACE – TO ISP FIBER MODEM ###
    no ip address
    negotiation auto
    pppoe enable
    pppoe-client dial-pool-number 1
    no cdp enable
    no shutdown
    exit

    7 – Configure Dialer interface and default route

    ! Dialer interface
    interface Dialer1
    description ### OUTSIDE INTERFACE ###
    mtu 1492
    ip address negotiated
    no ip redirects
    no ip unreachables
    ip nat outside
    zone-member security OUTSIDE
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname #BROADBAND_USERNAME#
    ppp chap password 0 #BROADBAND_PASSWORD#
    ppp ipcp route default
    ppp ipcp address accept
    no shutdown
    exit

    ! Default route
    ip route 0.0.0.0 0.0.0.0 dialer1 name DEFAULT_VIA_VDSL

    8 – Configure outbound NAT (Dynamic PAT)

    ! NAT ACL
    ip access-list extended NAT
    permit ip 192.168.1.0 0.0.0.255 any
    exit


    ! NAT Rule
    ip nat inside source list NAT interface dialer1 overload
    end

    9 – Verify the configuration works

    ! Confirm ISP has assigned an IP address to the router.

    show ip int brief

    ! Test a ping to Google

    ping 8.8.8.8

    10 – Verify and save the configuration

    ! Verify running-config and ensure all of the above commands have been applied.

    show run

    ! Save running-config to NVRAM

    copy running-config startup-config

    – or

    wr

    11 – Conclusion

    You should now have a working broadband connection with a router that has been secured for local management.

    At this point it should be possible to connect your laptop to the router switchports and open an SSH session to 192.168.1.254, logging in with the username and password configured earlier.

    (The fallback password will only ever be used in the event the local username is removed in error).

    The ZBFW configuration is very basic; if you intend to configure site-to-site VPNs you will likely need to add an OUTSIDE -> Self zone pair with bespoke rules to permit inbound connectivity from the remote peer. A policy-map can be configured to either ‘inspect’ or ‘pass’ packets, I have found ‘pass’ for protocols such as IKE/ESP can prevent common problems.

    For convenience, please find a copy of the running-config below:

  • Cisco 1000 series VDSL (FTTC) basic configuration guide

    Please follow the below guide to securely terminate a VDSL (FTTC) broadband service on a Cisco C1117-4P router.

    This configuration will handle DHCP on the LAN, outbound NAT (dynamic PAT), and statefully inspect packets to ensure connections are only ever built outbound.

    The router will be unreachable from the outside world and can only be managed internally from the LAN via SSH, or locally via console.

    This guide assumes a basic working knowledge of configuring Cisco equipment with a console cable.

    Cisco C1117-4P router

    Prerequisites

    Please populate the below, ready to merge into the main config.

    Enable password = #ENABLE_PASSWORD#

    Login username = #USERNAME#

    Login password = #PASSWORD#

    Console and VTY fallback password = #FALLBACKPASSWORD#

    Broadband username = #BROADBAND_USERNAME#

    Broadband password = #BROADBAND_PASSWORD#

    Configuration Steps

    1 – Ensure any existing config on the router has been wiped and you are starting fresh (write erase & reload).

    An enable secret is required following the first boot; enter your enable password at the prompt.

    As we don’t want to save anything at this stage, I would enter 0 when prompted. This should allow us to start with a blank config.


    Finally, if prompted to enter the initial config, type ‘no’.

    2 – Enter global configuration mode and apply general ‘best practice’ fixups

    service sequence-numbers
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service tcp-keepalives-in
    service tcp-keepalives-out
    service password-encryption
    logging buffered 10240000
    login on-success log
    login on-failure log
    clock timezone GMT 0 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
    no ip http server
    no ip http secure-server
    no ip http authentication local
    ntp server 134.226.81.3
    hostname R1

    3 – Define login credentials and secure remote access

    ! Login credentials
    enable secret 0 #ENABLE_PASSWORD#
    username #USERNAME# privilege 15 secret 0 #PASSWORD#
    ip domain name cisco.router
    crypto key generate rsa general-keys modulus 4096


    ! Secure console and VTY lines
    ip access-list standard SECURE_VTY
    10 permit 192.168.1.0 0.0.0.255
    exit


    line con 0
    password #FALLBACKPASSWORD#
    login local
    session-timeout 15
    exit


    line vty 0 15
    password #FALLBACKPASSWORD#
    login local
    transport input ssh
    access-class SECURE_VTY in
    session-timeout 15
    exit

    4 – Configure Zones and ACLs to support stateful packet inspection

    ! Configure Zones
    zone security OUTSIDE
    zone security INSIDE
    exit

    ! Configure ACLs to match traffic.
    ip access-list extended ACL_ZBFW_INSIDE_TO_OUTSIDE
    10 permit ip any any
    exit
    ip access-list extended ACL_ZBFW_ROUTER_TO_OUTSIDE
    10 permit ip any any
    exit

    ! Configure class-maps to match ACLs.
    class-map type inspect match-any CM_ZBFW_INSIDE_TO_OUTSIDE
    match access-group name ACL_ZBFW_INSIDE_TO_OUTSIDE
    exit
    class-map type inspect match-any CM_ZBFW_ROUTER_TO_OUTSIDE
    match access-group name ACL_ZBFW_ROUTER_TO_OUTSIDE
    exit

    ! Configure policy maps to reference class maps.
    policy-map type inspect PM_ZBFW_ROUTER_TO_OUTSIDE
    class type inspect CM_ZBFW_ROUTER_TO_OUTSIDE
    inspect
    class class-default
    exit
    exit

    policy-map type inspect PM_ZBFW_INSIDE_TO_OUTSIDE
    class type inspect CM_ZBFW_INSIDE_TO_OUTSIDE
    inspect
    class class-default
    exit
    exit

    ! Configure Zone pairs to reference policy-maps.
    zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
    service-policy type inspect PM_ZBFW_INSIDE_TO_OUTSIDE
    zone-pair security ROUTER_TO_OUTSIDE source self destination OUTSIDE
    service-policy type inspect PM_ZBFW_ROUTER_TO_OUTSIDE

    5 – Configure LAN interface and enable DHCP

    ! Configure VLAN 1 interface and DHCP
    interface Vlan1
    description ### LAN DEFAULT GATEWAY ###
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    zone-member security INSIDE
    no shutdown
    exit


    ip dhcp excluded-address 192.168.1.0 192.168.1.10
    ip dhcp excluded-address 192.168.1.240 192.168.1.254
    ip dhcp pool VLAN_1
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.254
    dns-server 1.1.1.1 8.8.8.8
    exit


    ! Configure built-in switchports
    interface range gi0/1/0-3
    description ### ACCESS PORT ###
    switchport
    switchport mode access
    switchport access vlan 1
    spanning-tree portfast
    no shutdown
    exit

    6 – Configure PPPoE interface and sub-interface

    interface Ethernet0/2/0
    description ### VDSL CONTROLLER ###
    no ip address
    no negotiation auto
    no shutdown

    interface Ethernet0/2/0.101
    encapsulation dot1Q 101
    pppoe enable group global
    pppoe-client dial-pool-number 1
    no shutdown

    7 – Configure Dialer interface and default route

    ! Dialer interface
    interface Dialer1
    description ### OUTSIDE INTERFACE ###
    mtu 1492
    ip address negotiated
    no ip redirects
    no ip unreachables
    ip nat outside
    zone-member security OUTSIDE
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname #BROADBAND_USERNAME#
    ppp chap password 0 #BROADBAND_PASSWORD#
    ppp ipcp route default
    ppp ipcp address accept
    no shutdown
    exit

    ! Default route
    ip route 0.0.0.0 0.0.0.0 dialer1 name DEFAULT_VIA_VDSL

    8 – Configure outbound NAT (Dynamic PAT)

    ! NAT ACL
    ip access-list extended NAT
    permit ip 192.168.1.0 0.0.0.255 any
    exit


    ! NAT Rule
    ip nat inside source list NAT interface dialer1 overload
    end

    9 – Verify the configuration works

    ! Confirm phone line has synced with modem. (You want to see a modem status of TC Sync and downstream/upstream channels as below).
    show controllers vdsl 0/2/0

    ! Confirm ISP has assigned an IP address to the router.

    show ip int brief

    ! Test a ping to Google

    ping 8.8.8.8

    10 – Verify and save the configuration

    ! Verify running-config and ensure all of the above commands have been applied.

    show run

    ! Save running-config to NVRAM

    copy running-config startup-config

    – or

    wr

    11 – Conclusion

    You should now have a working broadband connection with a router that has been secured for local management.

    At this point it should be possible to connect your laptop to the router switchports and open an SSH session to 192.168.1.254, logging in with the username and password configured earlier.

    (The fallback password will only ever be used in the event the local username is removed in error).

    The ZBFW configuration is very basic; if you intend to configure site-to-site VPNs you will likely need to add an OUTSIDE -> Self zone pair with bespoke rules to permit inbound connectivity from the remote peer. A policy-map can be configured to either ‘inspect’ or ‘pass’ packets, I have found ‘pass’ for protocols such as IKE/ESP can prevent common problems.

    For convenience, please find a copy of the running-config below:

  • Cisco 887 VDSL (FTTC) basic configuration guide

    Please follow the below guide to securely terminate a VDSL (FTTC) broadband service on a Cisco 887 router.

    This configuration will handle DHCP on the LAN, outbound NAT (dynamic PAT), and statefully inspect packets to ensure connections are only ever built outbound.

    The router will be unreachable from the outside world and can only be managed internally from the LAN via SSH, or locally via console.

    This guide assumes a basic working knowledge of configuring Cisco equipment with a console cable.


    Prerequisites

    Please populate the below, ready to merge into the main config.

    Enable password = #ENABLE_PASSWORD#

    Login username = #USERNAME#

    Login password = #PASSWORD#

    Console and VTY fallback password = #FALLBACKPASSWORD#

    Broadband username = #BROADBAND_USERNAME#

    Broadband password = #BROADBAND_PASSWORD#

    Configuration Steps

    1 – Ensure any existing config on the router has been wiped and you are starting fresh (write erase & reload).

    If prompted to enter the initial config, type ‘no’.

    2 – Enter global configuration mode and apply general ‘best practice’ fixups

    service sequence-numbers
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service tcp-keepalives-in
    service tcp-keepalives-out
    service password-encryption
    logging buffered 1024000
    login on-success log
    login on-failure log
    clock timezone GMT 0 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
    no ip http server
    no ip http secure-server
    ntp server 134.226.81.3
    hostname R1

    3 – Define login credentials and secure remote access

    ! Login credentials
    enable secret 0 #ENABLE_PASSWORD#
    username #USERNAME# privilege 15 secret 0 #PASSWORD#
    ip domain-name cisco.router
    crypto key generate rsa general-keys modulus 4096

    ! Secure console and VTY lines
    ip access-list standard SECURE_VTY
    10 permit 192.168.1.0 0.0.0.255
    exit

    line con 0
    password #FALLBACKPASSWORD#
    login local
    session-timeout 15
    exit

    line vty 0 15
    password #FALLBACKPASSWORD#
    login local
    transport input ssh
    access-class SECURE_VTY in
    session-timeout 15
    exit
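As an added check that is not part of the original guides, the following Python script audits a `show run` text for the management-plane hardening that steps 2 and 3 apply in each of the three guides: HTTP server disabled, password encryption, failed-login logging, and VTY lines restricted to SSH with an inbound access-class that references a defined ACL which does not permit any source. The sample config is constructed from the guides' own lines, using the #FALLBACKPASSWORD# placeholder.

```python
import re

# Constructed sample: the management-plane lines from steps 2 and 3 of the guide as
# they would appear in `show run` (IOS indents child lines by one space).
SAMPLE_CONFIG = """\
service password-encryption
login on-success log
login on-failure log
no ip http server
no ip http secure-server
ip access-list standard SECURE_VTY
 10 permit 192.168.1.0 0.0.0.255
line con 0
 password #FALLBACKPASSWORD#
 login local
 session-timeout 15
line vty 0 15
 password #FALLBACKPASSWORD#
 login local
 transport input ssh
 access-class SECURE_VTY in
 session-timeout 15
"""

REQUIRED_GLOBALS = ("service password-encryption", "login on-failure log",
                    "no ip http server", "no ip http secure-server")

def parse_blocks(config: str) -> list:
    """Split a config into (header, [child lines]) pairs using the leading-space indentation."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            blocks.append((raw.strip(), []))
    return blocks

def audit_management_plane(config: str) -> list:
    """Return findings; an empty list means the guide's hardening is all present."""
    blocks = parse_blocks(config)
    headers = {hdr for hdr, _ in blocks}
    findings = [f"missing global command: {cmd}" for cmd in REQUIRED_GLOBALS if cmd not in headers]
    acls = {hdr.split()[-1]: body for hdr, body in blocks
            if hdr.startswith("ip access-list standard ")}
    vty_blocks = [(hdr, body) for hdr, body in blocks if hdr.startswith("line vty")]
    if not vty_blocks:
        findings.append("no line vty block found")
    for hdr, body in vty_blocks:
        if "transport input ssh" not in body:
            findings.append(f"{hdr}: transport input is not restricted to ssh")
        if "login local" not in body and not any(b.startswith("login authentication") for b in body):
            findings.append(f"{hdr}: no login local or AAA login method")
        inbound = [b for b in body if b.startswith("access-class ") and b.endswith(" in")]
        if not inbound:
            findings.append(f"{hdr}: no inbound access-class")
            continue
        name = inbound[0].split()[1]
        if name not in acls:
            findings.append(f"{hdr}: access-class {name} references an undefined ACL")
        elif any(re.search(r"\bpermit\s+any\b", entry) for entry in acls[name]):
            findings.append(f"{hdr}: access-class {name} permits any source")
    return findings
```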

    4 – Configure LAN interface and enable DHCP

    ! Configure VLAN 1 interface and DHCP
    interface Vlan1
    description ### LAN DEFAULT GATEWAY ###
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    no shutdown
    exit

    ip dhcp excluded-address 192.168.1.0 192.168.1.10
    ip dhcp excluded-address 192.168.1.240 192.168.1.254
    ip dhcp pool VLAN_1
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.254
    dns-server 1.1.1.1 8.8.8.8
    exit

    ! Configure built-in switchports
    interface range fa0-3
    description ### ACCESS PORT ###
    switchport mode access
    switchport access vlan 1
    spanning-tree portfast
    exit

    5 – Configure outside ACL, stateful packet inspection and PPPoE interfaces

    ! Configure dialer interface ACL
    ip access-list extended FIREWALL_IN
    permit icmp any any echo-reply
    permit icmp any any time-exceeded
    permit icmp any any unreachable
    permit udp host 134.226.81.3 eq 123 any
    deny ip any any
    exit

    ! Configure CBAC
    ip inspect name CBAC tcp
    ip inspect name CBAC udp
    ip inspect name CBAC icmp

    ! Configure PPPoE interface and bind to dialer.

    interface Ethernet0
    no ip address
    no shutdown
    exit

    interface Ethernet0.101
    encapsulation dot1Q 101
    pppoe enable group global
    pppoe-client dial-pool-number 1
    no shutdown
    exit

    6 – Configure Dialer interface and default route

    ! Dialer interface

    interface Dialer1
    description ### OUTSIDE INTERFACE ###
    mtu 1492
    ip address negotiated
    ip access-group FIREWALL_IN in
    no ip redirects
    no ip unreachables
    ip nat outside
    ip inspect CBAC out
    ip virtual-reassembly in
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname #BROADBAND_USERNAME#
    ppp chap password 0 #BROADBAND_PASSWORD#
    ppp ipcp route default
    ppp ipcp address accept
    no shutdown
    exit

    ! Default route

    ip route 0.0.0.0 0.0.0.0 dialer1 name DEFAULT_VIA_VDSL

    7 – Configure outbound NAT (Dynamic PAT)

    ! NAT ACL
    ip access-list extended NAT
    permit ip 192.168.1.0 0.0.0.255 any
    exit

    ! NAT Rule
    ip nat inside source list NAT interface dialer1 overload
    end

    8 – Verify the configuration works

    ! Confirm phone line has synced with modem. (You want to see a modem status of TC Sync and downstream/upstream channels as below).

    show controllers vdsl 0

    ! Confirm ISP has assigned an IP address to the router.

    show ip int brief

    ! Test a ping to Google

    ping 8.8.8.8

    9 – Verify and save the configuration

    ! Verify running-config and ensure all of the above commands have been applied.

    show run

    ! Save running-config to NVRAM

    copy running-config startup-config

    – or

    wr

    10 – Conclusion

    You should now have a working broadband connection with a router that has been secured for local management.

    At this point it should be possible to connect your laptop to the router switchports and open an SSH session to 192.168.1.254, logging in with the username and password configured earlier.

    (The fallback password will only ever be used in the event the local username is removed in error).

    For convenience, please find a copy of the running-config below: