frazer.network

Tag: Switch

  • Configure FreeRADIUS on a Raspberry Pi


    This guide provides step-by-step instructions for installing and configuring a basic FreeRADIUS service on a Raspberry Pi, enabling it to authenticate logins for Cisco equipment.

    1. Update the System

    First, ensure that your system is up to date with the latest software packages:

    sudo apt update

    sudo apt upgrade -y

    2. Install FreeRADIUS

    Install FreeRADIUS from the official Ubuntu repositories. The package freeradius provides the RADIUS server and all the necessary utilities:

    sudo apt install freeradius freeradius-utils -y

    This command installs FreeRADIUS and some helpful utilities for managing RADIUS clients and users.

    3. Check FreeRADIUS Service Status

    After installation, the FreeRADIUS service should automatically start. To confirm it is running, check the status:

    sudo systemctl status freeradius

    You should see output indicating that the service is active and running. If it’s not running, start it with:

    sudo systemctl start freeradius

    To enable FreeRADIUS to start at boot time:

    sudo systemctl enable freeradius

    4. Configure FreeRADIUS

    FreeRADIUS configuration files are located in /etc/freeradius/3.0/ (the version may vary depending on your Ubuntu version). The most important configuration files are:

    • /etc/freeradius/3.0/radiusd.conf: Main configuration file for the server.
    • /etc/freeradius/3.0/clients.conf: Used to configure clients (devices or servers that will use RADIUS).
    • /etc/freeradius/3.0/users: Used to configure user authentication.

    You can edit these files to suit your requirements.

    To configure clients, open the clients.conf file:

    sudo nano /etc/freeradius/3.0/clients.conf

    A simple client configuration looks like this, where the IP address can be a single host or the management subnet of the Cisco device. Add the following to the very top of the file:

    client Cisco {
        ipaddr = 172.16.255.0/24
        secret = SuperSecretPassword#2025
        require_message_authenticator = no
    }

    You can configure users by editing the users file:

    sudo nano /etc/freeradius/3.0/users

    Add new users at the very top of the file, for example:

    testuser Cleartext-Password := "password"
    	Cisco-AVPair = "shell:priv-lvl=15"

    Formatting is very important here: the Cisco-AVPair line must be indented with a tab.
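
    What the require_message_authenticator setting in the client block above governs, shown as an added example that is not part of the original guide: Python code that builds an Access-Request for the testuser entry, signs it with the Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret) and checks it the way a receiving server would. The function names are made up for this illustration; the attribute numbers and hashing follow RFC 2865 and RFC 2869.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80

def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding: XOR 16-byte blocks with an MD5 keystream."""
    data = password.encode() or b"\x00"
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(data[i:i + 16], pad))
        out += prev
    return out

def build_access_request(user, password, secret, sign=True):
    """Build an Access-Request; sign=True appends a Message-Authenticator."""
    authenticator = os.urandom(16)
    attrs = attr(USER_NAME, user.encode())
    attrs += attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    if sign:
        attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while hashing
    packet = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + authenticator + attrs
    if sign:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac  # the attribute is last, so its value is the tail
    return packet

def check_message_authenticator(packet, secret):
    """Return 'valid', 'invalid' or 'missing' for a received Access-Request."""
    end = struct.unpack("!H", packet[2:4])[0]
    pos = 20  # attributes start after code, id, length and the 16-byte authenticator
    while pos + 2 <= end:
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            return "invalid"
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:end]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "valid" if hmac.compare_digest(mac, packet[pos + 2:pos + 18]) else "invalid"
        pos += length
    return "missing"

if __name__ == "__main__":
    secret = b"SuperSecretPassword#2025"  # shared secret from the clients.conf example
    for sign in (True, False):
        print(sign, check_message_authenticator(build_access_request("testuser", "password", secret, sign), secret))
```

    A request that comes back as "missing" carries no keyed integrity check at all, which is the kind of request a client entry with require_message_authenticator = no does not insist on rejecting.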

    5. Configure Cisco device:

    The following commands will configure RADIUS for authentication and authorization, falling back to local credentials.

    This will configure the “default” group, so there’s no need to specify an AAA group on the VTY/Console lines.

    The console line will receive authorization upon authentication.

    Accounting has been configured to log locally to the device.

    Enable AAA

    aaa new-model
    aaa authentication login default group radius local line
    aaa authorization console
    aaa authorization exec default group radius local
    aaa accounting exec default start-stop logger

    Specify RADIUS server

    radius server RADIUS-SERVER-01
     address ipv4 x.x.x.x auth-port 1812 acct-port 1813
     timeout 3
     retransmit 3
     key 0 SuperSecretPassword#2025

    Specify RADIUS source interface

    ip radius source-interface Loopback1

    6. Verify the RADIUS server is reachable:

    show aaa servers

    7. Troubleshoot

    If you’re still encountering issues, try stopping the RADIUS service and starting it in debug mode:

    sudo systemctl stop freeradius

    sudo freeradius -X

    It is worth noting that any changes to the users file will require a restart of the service to take effect.

    8. Enable FreeRADIUS to Start on Boot (Optional)

    If you haven’t already done so, enable FreeRADIUS to start on boot:

    sudo systemctl enable freeradius