Cisco IOS and Radius 08/07/20 09(23

not logged in | [Login]

Cisco IOS and Radius

Table of Contents
Shell Access Quick Links
Enable Mode
Global Enable Password Wiki Home
Concepts for beginners
Per User Privilege Level
Basic Configuration
Command Authorization Pre-built packages
IOS 12.x Building from source code
Common RADIUS Directives Troubleshooting
Contributing with GitHub
Config Sample #1
Browse the Source
Config Sample #2 Main web site
Shared Secret Encryption
Always use radiusd -X
Nested Accounting
when debugging!
Unique Acct-Session-Id's
IOS 11.x
Ascend Style
Cisco VSAs
Static Loopback IP
Problems
Comments by the FreeRADIUS Team
See Also

Cisco NAS equipment is quite popular, but being Cisco equipment running IOS,
the configuration can be a bit non-obvious to the unfamiliar. This document
aims to describe the most common configuration options to make your Ciscos
interoperate with RADIUS as you would expect a well-behaved NAS to do.

Shell Access
To use RADIUS to authenticate your inbound shell (telnet & ssh) connections
you need to create an entry in your users file similar to the following

youruser Cleartext-Password := "somepass"

Service-Type = NAS-Prompt-User

This will let a user (called youruser) in for the first level of access to your
Cisco. You will still need to enable to perform any configuration changes or
anything requiring a higher level of access.

See Configuring Basic AAA on an Access Server for more details.

https://wiki.freeradius.org/vendor/Cisco Page 1 of 7
Cisco IOS and Radius 08/07/20 09(23

Enable Mode

Global Enable Password

When a shell user attempts to enable (or enable 15) on a cisco device, the
cisco issues a RADIUS authentication request for the user $enab15$

If you type enable 2, it will send request for user '$enab2$', if you type enable
3 it will send a request for '$enab3$' and so on.

These user(s) needs to to be configured on your RADIUS server with the

password you wish to use to allow enable access.

$enab15$ Cleartext-Password := "someadminpass"

Service-Type = NAS-Prompt-User

Per User Privilege Level

You can also send the privilege level (enable mode is level 15) for individual
users as a reply item to automatically put them into that level with cisco-
avpair = "shell:priv-lvl=15"

You can do this with an entry in your users file similar to the following

youruser Cleartext-Password := "somepass"

Service-Type = NAS-Prompt-User,
cisco-avpair = "shell:priv-lvl=15"

For more information, see Cisco page "How to Assign Privilege Levels with
TACACS+ and RADIUS".

Command Authorization
Cisco claims that there is a complete mapping scheme to translate TACACS+
expressions into Cisco-AVPair Vendor-Specific. This works for example with
the priv-lvl attribute:

cisco-avpair = "shell:priv-lvl=15"

The two TACACS+ attributes "cmd" and "cmd-arg" would be needed for
command authorization.There is a web page for Cisco IOS detailing which
TACACS+ commands exist, and it suggests that

cisco-avpair = "shell:cmd=show"

would do the trick to authorize the "show" command. EXCEPT that there is a
tiny note for the commands "cmd" and "cmd-arg" saying that they cannot be
used for encapsulation in the Vendor-Specific space.

These two are the ONLY ones. Since it's just about parsing the string content
of cisco-avpair at the router side, there is absolutely no technical reason why
these two wouldn't go through. The only explanation then is that this is a
deliberate step by Cisco to make sure that TACACS+ is "superior" to RADIUS by
arbitrarily cutting down functionality.

https://wiki.freeradius.org/vendor/Cisco Page 2 of 7
Cisco IOS and Radius 08/07/20 09(23

IOS 12.x
For Cisco 12.x ( 12.0 and 12.1 ), the following AAA configuration directives are
suggested:

aaa new-model
aaa authentication login default group radius local
aaa authentication login localauth local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa processes 6

this configuration works very well with most RADIUS servers. One of the more
important configurations is:

aaa accounting delay-start

This directive will delay the sending of the Accounting Start packet until after
an IP address has been assigned during the PPP negotiation process. This will
supersede the need to enable the sending of "Alive" packets as described
below for IOS versions 11.x

Common RADIUS Directives

IOS allows different ways of entering common config elements. You can enter
them as a single configuration stanza, or as separate items, as demonstrated
by the two samples.

Config Sample #1
The sample config below assumes two RADIUS servers with IP addresses
192.168.1.10 and 192.168.1.11. The sample specifies the RADIUS server and shared
secret as a single config element, and it also sources all requests from
interface Loopback0: It also declares a group (named RadiusServers) and
assign the two RADIUS servers to it. (Yes, you are essentially declaring the
same server twice)

Note: Don't use the key of Cis$ko. Make up your own.

conf t
aaa new-model
radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key Cis$ko
radius-server host 192.168.1.11 auth-port 1812 acct-port 1813 key Cis$ko

ip radius source-interface Loopback0

aaa group server radius RadiusServers

server 192.168.1.10 auth-port 1812 acct-port 1813
server 192.168.1.11 auth-port 1812 acct-port 1813
exit

aaa authentication login default group RadiusServers local

exit

https://wiki.freeradius.org/vendor/Cisco Page 3 of 7
Cisco IOS and Radius 08/07/20 09(23

This sample assumes the password-encryption service is started on the

device, so that the shared secrets will be encrypted after they’re entered. It is
also highly recommended that a local login exist in case there is a failure to
communicate with the RADIUS servers for any reason (the authentication
order in the configlet specifies falling back to the local database after the
RadiusServers group).

Config Sample #2
The sample config below assumes two RADIUS servers with IP addresses
192.168.1.10 and 192.168.1.11. The sample specifies the RADIUS server and shared
secret as a separate config elements.

Note: Don't use the key of Cis$ko. Make up your own.

conf t
radius-server host 192.168.1.10
radius-server key Cis$ko
radius-server auth-port 1812
radius-server host 192.168.1.11
radius-server key Cis$ko
radius-server auth-port 1812

Shared Secret Encryption

IOS has a feature called the password-encryption service.

service password-encryption
no service password-encryption

From the "Cisco Guide to Harden Cisco IOS Devices".

The actual encryption process occurs when the current configuration is

written or when a password is configured. Password encryption is applied to
all passwords, including username passwords, authentication key passwords,
the privileged command password, console and virtual terminal line access
passwords, and Border Gateway Protocol neighbor passwords. This command
is primarily useful for keeping unauthorized individuals from viewing your
password in your configuration file.

When password encryption is enabled, the encrypted form of the passwords is

displayed when a more system:running-config command is entered.

Caution This command does not provide a high level of network security. If
you use this command, you should also take additional network security
measures.

Remember if your using password encryption, you cannot paste the encrypted
password into the FreeRADIUS clients.conf file, It will not be the same shared
secret.

Nested Accounting
aaa accounting nested

results in sending a second accounting start message, possibly causing

https://wiki.freeradius.org/vendor/Cisco Page 4 of 7
Cisco IOS and Radius 08/07/20 09(23

problems with total usage counters. Cisco NAS devices issue an Accounting
Start packet when the user is authenticated, and again when a PPP session is
initiated. They send an Accounting Stop packet at the end of the PPP session,
and a second at the conclusion of the call (usually nearly simultaneously).
Because of this, programs such as RadiusReport may see this as two
connections, and would account for approximately twice the total time used.
Not using this nested command causes the NAS device to send an Accounting
Stop packet followed almost immediately by an Accounting Start packet when
a PPP connection is chosen, thereby eliminating the overlap. This is
particularly useful for those organizations interested in monitoring user usage
accurately. More information about this process can be seen here.

Unique Acct-Session-Id's
Minimum IOS: 12.2 (Also available as a hidden command in 12.1(4.1)T)

To enable RFC 2866 compliance (and stop duplicate Acct-Session-Id values) on

Cisco devices you need to issue the following command:

radius-server unique-ident 1

Acct-Session-Id should now be unique for the next 256 reboots.

You must reboot after entering this command to take effect otherwise you will
observe the following message after 10 minutes of entering this command:

%RADIUS-3-IDENTFAIL: Save of unique accounting ident aborted.

IOS 11.x
To get the For Cisco 11.1 to talk to a RADIUS server you normally use

aaa new-model
aaa authentication ppp radppp if-needed radius
aaa authorization network radius none
aaa accounting network wait-start radius

With IOS 11.3 if you want the IP address of the user to show up in the radutmp
file (and thus, the output of radwho), you need to add

aaa accounting update newinfo

Note: on newer ciscos you will need to use the command

radius-server attribute 8 include-in-access-req

This is because with IOS 11.3, the Cisco first sends a "Start" accounting packet
without the IP address included. By setting "update newinfo" it will send an
account "Alive" packet which updates the information.

Also you might see a lot of "duplicates" in the logfile. That can be fixed by

aaa accounting network wait radius

radius-server timeout 3

https://wiki.freeradius.org/vendor/Cisco Page 5 of 7
Cisco IOS and Radius 08/07/20 09(23

Ascend Style
To enable the Ascend style attributes (which we do NOT recommend!) add the
non-standard keyword to your radius-server line(s)

radius-server host X.Y.Z.A auth-port 1812 acct-port 1813 non-standard

Cisco VSAs
To see Cisco-AVPair attributes in the Cisco debugging log

radius-server vsa accounting

Static Loopback IP
The Cisco 36/26 by default selects (it seems at random) any IP address
assigned to it (serial, ethernet etc.) as its RADIUS client source address, thus
the access request may be dropped by the RADIUS server, because it can not
verify the client. To make the cisco box always use one fixed address, add the
following to your configuration:

ip radius source-interface Loopback0

and configure the loopback interface on your router as follows:

interface Loopback0
ip address 192.168.0.250 255.255.255.255

Use a real world IP address and check the Cisco documentation for why it is a
good idea to have working loopback interface configured on your router.

If you don't want to use the loopback interface of course you can set the
source-interface to any interface on your Cisco box which has an IP address.

Problems
According to some reports, the Aironet 1200 series of access points works
well, and fully supports RADIUS.

The Cisco WLC/WISM apparently use a single UDP socket for all RADIUS
requests to a single server - auth and acct - and thus there's a 255-packet
limit for in-progress requests. If the WLC reaches that limit, it just starts re-
using IDs aggressively, instead of opening a socket, which is nice - if you're in
the middle of processing a conflicted request, you still burn the work you're
currently doing, and the result is never used.

This behavior causes issues during the traffic spikes. It is certainly a problem
if you run an eduroam server, where proxied traffic can have very large RTTs.

https://wiki.freeradius.org/vendor/Cisco Page 6 of 7
Cisco IOS and Radius 08/07/20 09(23

They're apparently going to " improve" this in 7.6 - there will be a separate UDP
socket for auth/acct!

Comments by the FreeRADIUS Team

The above behavior is horrifically bad. Clients should open as many sockets as
necessary to handle the load. Using only one socket is a sign of laziness, and
of bad design. If the vendor doesn't fix basic RADIUS issues like this, we
recommend people complain loudly, and then buy from another vendor.

See Also
HP
Linksys
VSA
Cisco's Configuring AAA for Cisco Voice Gateways
Cisco's Configuring RADIUS with Livingston Server
Cisco Online Training Video

Last edited by Matthew Newton, 2016-07-28 12:06:13

Sponsored by Network RADIUS

https://wiki.freeradius.org/vendor/Cisco Page 7 of 7