FreeRADIUS with Cisco IOS
Configure a Switch for Authentication and Authorization
In order to create a local user on the switch with full privileges for fallback access, enter:
switch(config)#username admin privilege 15 password 0 cisco123!
In order to enable AAA, enter:
switch(config)# aaa new-model
In order to provide the IP address of the RADIUS server as well as the key, enter:
switch# configure terminal
switch(config)#radius-server host 172.16.71.146 auth-port 1645 acct-port 1646
switch(config)#radius-server key hello123
In order to test RADIUS server availability, enter the test aaa command:
switch# test aaa server Radius 172.16.71.146 user1 Ur2Gd2BH
The test authentication fails with a rejection from the server because the server is not yet configured, but the rejection confirms that the server itself is reachable.
In order to configure login authentications to fall back to local users if RADIUS is unreachable, enter:
switch(config)#aaa authentication login default group radius local
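In order to configure exec authorization through RADIUS for a privilege level of 15, with the if-authenticated method authorizing any user who has already been authenticated when RADIUS does not respond, enter: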
switch(config)#aaa authorization exec default group radius if-authenticated
FreeRADIUS Configuration
Define the Client on the FreeRADIUS Server
In order to navigate to the configuration directory, enter:
# cd /etc/freeradius
In order to edit the clients.conf file, enter:
# vi clients.conf
In order to add each device (router/switch), identified by hostname or IP address, and include the correct shared secret (it must be the same string as the radius-server key configured on that device), enter:
client 192.168.1.1 {
    secret = secretkey
    nastype = cisco
    shortname = switch
}
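The sample values above use hello123 as the switch's radius-server key and secretkey as the client secret; a mismatch like this makes the server discard or reject the switch's requests. The following Python check is an added example, not part of the original page or of any Cisco or FreeRADIUS tooling. It assumes the switch sends RADIUS packets from 192.168.1.1, and its function names are hypothetical.

```python
import ipaddress
import re

# Constructed inputs that reuse the values shown on this page.
SWITCH_CONFIG = """\
radius-server host 172.16.71.146 auth-port 1645 acct-port 1646
radius-server key hello123
"""
CLIENTS_CONF = """\
client 192.168.1.1 {
    secret = secretkey
    nastype = cisco
    shortname = switch
}
"""

def parse_clients(text):
    """Map each client label to its options (flat blocks, unquoted '#' comments)."""
    clients = {}
    for label, body in re.findall(r"^\s*client\s+(\S+)\s*\{([^}]*)\}", text, re.M):
        opts = {}
        for line in body.splitlines():
            key, sep, value = line.split("#", 1)[0].partition("=")
            if sep:
                opts[key.strip()] = value.strip().strip('"')
        clients[label] = opts
    return clients

def covers(label, opts, nas_ip):
    """True if the client's address (ipaddr option, else its label) includes nas_ip."""
    try:
        net = ipaddress.ip_network(opts.get("ipaddr", label), strict=False)
    except ValueError:
        return False  # hostname label: cannot be matched by address here
    return ipaddress.ip_address(nas_ip) in net

def audit(switch_config, clients_conf, nas_ip):
    """Return a list of findings; an empty list means key and client entry agree."""
    m = re.search(r"^\s*radius-server key (?:0 )?(\S+)\s*$", switch_config, re.M)
    if not m:  # also the case when the key is stored in encrypted (type 7) form
        return ["switch: no clear-text 'radius-server key' found"]
    hits = [o for lbl, o in parse_clients(clients_conf).items() if covers(lbl, o, nas_ip)]
    if not hits:
        return [f"clients.conf: no client entry covers {nas_ip}"]
    return [f"clients.conf: secret for {nas_ip} differs from the switch's radius-server key"
            for o in hits if o.get("secret") != m.group(1)]

if __name__ == "__main__":
    print("\n".join(audit(SWITCH_CONFIG, CLIENTS_CONF, "192.168.1.1")))
```

The findings never include the secret values themselves, so the output can be pasted into a ticket or log.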