Link: http://blog.163.com/li_sunny007/blog/static/10156321620090894556764/
In a recent project the customer had no budget for ACS but still required AAA, with administrator logins authenticated through AAA; with no other option, I turned to freeradius to implement it.
1. Download a freeradius for win build from the Internet and install it.
2. Configure freeradius
Under C:\freeradius\etc\raddb, first edit clients.conf and users.conf.
In clients.conf, add the Cisco device's IP address range and the shared key:
client 10.6.6.0/24 {
    #
    # secret and password are mapped through the "secrets" file.
    secret    = key4cisco
    shortname = ciscoap1240ag
    #
    # the following three fields are optional, but may be used by
    # checkrad.pl for simultaneous usage checks
    nastype   = cisco
    #
    login     = !root
    #
    password  = someadminpas
}
In users.conf, add the administrator and ordinary-user accounts the device needs. Check items (Auth-Type, Cleartext-Password) go on the first line after the user name; reply items (Service-Type, cisco-avpair) go on the indented lines below it. The stray spaces inside the quotes in the original listing have been removed, since they would become part of the password and of the privilege-level string:
radiusadmin    Auth-Type := Local, Cleartext-Password := "radiusadmin"
               Service-Type = NAS-Prompt-User,
               cisco-avpair = "shell:priv-lvl=15"

radiususer     Auth-Type := Local, Cleartext-Password := "radiususer"
               Service-Type = NAS-Prompt-User,
               cisco-avpair = "shell:priv-lvl=1"
From the freeradius command line, start the server in debug mode with freeradius.exe -X ../etc/raddb to watch the startup.
It is only working properly once the following lines appear:
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
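Before moving on to the router, a quick way to confirm that the server answers and that both sides hold the same key is to send it one PAP Access-Request yourself. The script below is an added example, not part of the original post; it uses only the Python standard library, and the server address, key, account and NAS IP (10.6.6.1, assumed to lie inside the 10.6.6.0/24 client range) are this post's example values used as placeholders.

```python
# Added example: stdlib-only RADIUS PAP probe; values below are this post's placeholders.
import hashlib, os, socket, struct

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    password = password.ljust((len(password) + 15) // 16 * 16, b"\0")
    out, prev = b"", authenticator          # first block is keyed by the Request Authenticator
    for i in range(0, len(password), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], key))
        out += prev
    return out
def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt: what the server does before checking Cleartext-Password."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\0")

def avp(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value
def build_access_request(ident, user, password, secret, nas_ip, authenticator):
    # User-Name(1), User-Password(2), NAS-IP-Address(4), Service-Type(6) value 7 = NAS-Prompt
    attrs = (avp(1, user) + avp(2, pap_encrypt(password, secret, authenticator))
             + avp(4, socket.inet_aton(nas_ip)) + avp(6, struct.pack("!I", 7)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code_id_len, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(code_id_len + request_auth + attrs + secret).digest()
def response_is_authentic(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """False if the server signed the reply with a different secret than ours."""
    return resp[4:20] == response_authenticator(resp[:4], request_auth, resp[20:], secret)

def probe(server, secret, user, password, nas_ip, timeout=3.0):
    auth = os.urandom(16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_access_request(1, user, password, secret, nas_ip, auth), (server, 1812))
    try:
        resp, _ = sock.recvfrom(4096)
    except socket.timeout:  # FreeRADIUS silently drops packets from IPs not in clients.conf
        return "no reply: source IP not in clients.conf, or server not listening"
    if not response_is_authentic(resp, auth, secret):
        return "reply failed authenticator check: shared secret mismatch"
    return {2: "Access-Accept", 3: "Access-Reject"}.get(resp[0], f"code {resp[0]}")
if __name__ == "__main__":
    print(probe("10.6.6.247", b"key4cisco", b"radiusadmin", b"radiusadmin", "10.6.6.1"))
```

Run it from a host whose source address falls inside the client block in clients.conf; with the -X debug output on the server side you can see the decoded User-Name and the reply attributes at the same time.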
Finally, configure the Cisco device as follows (the original notes are given as ! comment lines above each command; two typos in the original listing, "group radiuslocal" and "p radius", are corrected to "group radius local" and "ip radius"):
enable secret password-for-con-login
aaa new-model
! Default login authentication: RADIUS first, local only when the RADIUS server
! is unreachable. Note that a RADIUS authentication failure does NOT fall back to local.
aaa authentication login default group radius local
! Console port logins do not use RADIUS authentication
aaa authentication login con0login none
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
! Local account, used when RADIUS is unavailable
username admin-password-for-locallogin password password-for-locallogin
! Source address for RADIUS requests; must match the client entry in clients.conf
ip radius source-interface interface-for-radius
! RADIUS server details; the key must match the secret in clients.conf
radius-server host 10.6.6.247 auth-port 1812 acct-port 1813 key password-for-radius
line con 0
! Select the authentication method for the console
login authentication con0login
line vty 5 15
login authentication default
After that, RADIUS can be used for network management logins.