Cisco IOS and Radius

Introduction

Cisco NAS equipment running IOS may, the configuration can be a bit non-obvious to the unfamiliar. This document aims to describe the most common configuration options to make your Ciscos interoperate with radius as you would expect a well-behaved NAS to do.

Shell Access

To use RADIUS to authenticate your inbound shell (telnet and ssh) connections you need to create an entry in your users file similar to the following:

    youruser   Cleartext-Password := "somepass"
               Service-Type = NAS-Prompt-User

This will let a user (called youruser) in for the first level of access to your Cisco. You still need to enable to perform any configuration changes or anything requiring a higher level of access.

See Configuring Basic AAA on a Cisco Access Server for more details.

Enable Mode

Global Enable Password

When a shell user attempts to enable (or enable 15) on a cisco device, the cisco issues a RADIUS authentication request for the user $enab15$

If you type enable 2, it will send request for user '$enab2$', if you type enable 3 it will send a request for '$enab3$' and so on.

These user(s) needs to to be configured on your RADIUS server with the password you wish to use to allow enable access.

    $enab15$   Cleartext-Password := "someadminpass"
               Service-Type = NAS-Prompt-User

Per User Privilege Level

You can also send the privilege level (enable mode is level 15) for individual users as a reply item to automatically put them into that level with cisco-avpair = "shell:priv-lvl=15"

You can do this with an entry in your users file similar to the following

    youruser   Cleartext-Password := "somepass"
               Service-Type = NAS-Prompt-User,
               cisco-avpair = "shell:priv-lvl=15"

For more information, see the How to Assign Privilege Levels with TACACS+ and RADIUS page.

Command Authorization

Cisco claims that there is a complete mapping scheme to translate TACACS+ expressions into Cisco-AVPair Vendor-Specific. This works for example with the priv-lvl attribute:

  cisco-avpair = "shell:priv-lvl=15"

The two TACACS+ attributes "cmd" and "cmd-arg" would be needed for command authorization. See the Cisco IOS page detailing which TACACS+ commands exist, and suggests that

  cisco-avpair = "shell:cmd=show"

would work to authorize the "show" command. However, there is a note for the commands "cmd" and "cmd-arg" stating that they cannot be used for encapsulation in the Vendor-Specific space.

These two commands are the ONLY ones. Since it’s just about parsing the string content of cisco-avpair at the router side, there is absolutely no technical reason why these two commands won’t go through. The only explanation is that this is a deliberate design choice by Cisco ensuring that TACACS+ is "superior" to RADIUS by arbitrarily cutting down functionality.

IOS 12.x

For Cisco 12.x (12.0 and 12.1), the following AAA configuration directives are suggested:

aaa new-model
aaa authentication login default group radius local
aaa authentication login localauth local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa processes 6

This configuration works very well with most RADIUS servers. One of the more important configurations is:

aaa accounting delay-start

This directive will delay the sending of the Accounting Start packet until after an IP address has been assigned during the PPP negotiation process. This will supersede the need to enable the sending of Accounting-Request packets with Acct-Status-Type = Interim-Update, as described below for IOS versions 11.x

The above it will use the radius server to authenticate your inbound telnet connections. You will need to create an entry in your users file similar to the following to allow access:

!root Password.Cleartext := "somepass" Service-Type = NAS-Prompt-User

This will let a user in for the first level of access to your Cisco. You will still need to enable (using the locally configured enable secret) to perform any configuration changes or anything requiring a higher level of access. The username !root was used as an example here, you can make this any username you want, of course.

Unique Acct-Session-Id’s

Just a note to all cisco ISPs out there who want RFC 2866 compliance need to enable the hidden command: radius-server unique-ident <n>

Minimum IOS: 12.1(4.1)T.

`Acct-Session-Id` should be unique and wrap after every 256 reboots.

You must reboot after entering this command to take effect. If not, you will observe after 10 minutes of entering this command, the following message:

%RADIUS-3-IDENTFAIL: Save of unique accounting ident aborted.

IOS 11.x

To get the Cisco (IOS 11.1) to talk to a radius server enter the following commands:

aaa new-model
aaa authentication ppp radppp if-needed radius
aaa authorization network radius none
aaa accounting network wait-start radius

With IOS 11.3

aaa accounting update newinfo

If you want the IP address of the user to show up in the radutmp file (and thus, the output of radwho).

This is because with IOS 11.3, the Cisco first sends a Start accounting packet without the IP address included. By setting update newinfo it will send an accounting Interim-Update packet which updates the information.

Also you might see a lot of duplicates in the logfile. That can be fixed by:

aaa accounting network wait radius
radius-server timeout 3

To disable the Ascend style attributes (which is a VERY good idea):

radius-server host X.Y.Z.A auth-port 1645 acct-port 1646

To enable the Ascend style attributes (which we do NOT recommend):

radius-server host X.Y.Z.A auth-port 1645 acct-port 1646 non-standard

To see Vendor-Specific.Cisco.AVPair attributes in the Cisco debugging log:

radius-server vsa accounting

Cisco 36xx & 26xx, keeping the NAS IP static

The Cisco 36/26 by default selects (it seems at random) any IP address assigned to it (serial, ethernet etc.) as it’s RADIUS client source address, thus the access request may be dropped by the RADIUS server, because it can not verify the client. To make the cisco box always use one fixed address, add the following to your configuration:

ip radius source-interface Loopback0

Configure the loopback interface on your router as follows:

interface Loopback0
ip address 192.0.2.250 255.255.255.255

Use a real world IP address and check the Cisco documentation for why it is a good idea to have working loopback interface configured on your router.

If you don’t want to use the loopback interface of course you can set the source-interface to any interface on your Cisco box which has an IP address.

Shared Secret Encryption

IOS has a feature called the password-encryption service.

    service password-encryption
    no service password-encryption

From the Cisco Guide to Harden Cisco IOS Devices.

The actual encryption process occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including username passwords, authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and Border Gateway Protocol neighbor passwords. This command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file.

When password encryption is enabled, the encrypted form of the passwords is displayed when a more system:running-config command is entered.

his command does not provide a high level of network security. If you use this command, you should also take additional network security measures.

Remember if your using password encryption, you cannot paste the encrypted password into the FreeRADIUS clients.conf file, It will not be the same shared secret.

Nested Accounting

    aaa accounting nested

results in sending a second accounting start message, possibly causing problems with total usage counters. Cisco NAS devices issue an Accounting Start packet when the user is authenticated, and again when a PPP session is initiated. They send an Accounting Stop packet at the end of the PPP session, and a second at the conclusion of the call (usually nearly simultaneously). Because of this, programs such as RadiusReport may see this as two connections, and would account for approximately twice the total time used. Not using this nested command causes the NAS device to send an Accounting Stop packet followed almost immediately by an Accounting Start packet when a PPP connection is chosen, eliminating the overlap. This is particularly useful for those organizations interested in monitoring user usage accurately.

More information about this process can be seen here.

More Information

For more information, see the Cisco web site.