AAA Server with freeradius, Ubuntu, Virtualbox and GNS3

I've spent a fair few hours now trying to get a AAA Radius server working with GNS3, so I thought I'd share my experiences.

Just so you know, I'm using Windows 7.

First off, I installed VirtualBox. You can get this here: Oracle VM VirtualBox

Next, I downloaded Ubuntu Desktop. You can get this here: Download Ubuntu

I created a new VM, with 512MB RAM, a NAT type network adapter (to allow internet connectivity for updates / installs) and all default settings. The Operating System type was set to Linux / Ubuntu. I then installed Linux.

First problem. It runs like a dog. This is because of the Ubuntu Unity 3D, and the (lack of) resources which I allowed my VM. Easy fix, get rid of Unity. It's nice enough, but I don't need fancy. It's only a AAA server. I opted for Lubuntu's LXDE by opening a terminal and entering:

```
sudo apt-get install lubuntu-desktop
```

Once that is done, log out. On the log in screen, next to your username, click on the icon and select Lubuntu. Then log in. It's much quicker!

I then installed free radius with the following set of commands:

```
sudo apt-get install mysql-client mysql-server
sudo apt-get install freeradius freeradius-utils freeradius-mysql
sudo apt-get install php5 php-pear php5-gd
```

I would imagine that for what I'm currently using my freeradius server
for, I don't need MySQL or PHP, but I found the instructions
[here](http://mywiseguys.com/topic/2784-how-to-install-freeradius-server-on-ubuntu-server-1204/ "How to install FreeRadius Server on Ubuntu Server 12.04")
and followed them blindly!

At this point I shut the virtual machine down and changed the network
card for the VM to a host-only adapter. It's a good idea to reboot the
PC at this point, as I've found dynamips (GNS3) to have some problems
recognising the new virtualbox network adapters without a reboot.  

The only thing I did next was to statically assign the IP address of
the VM - I used 10.1.0.2/24 with a default gateway of 10.1.0.1. The
default gateway will be my router in GNS3. (To do this in Lubuntu, click
Start | Preferences | Network Connections, then edit the connection's
IPv4 settings.) *Sorry to all you proper linux people who will probably
hate me for calling it a Start menu. I'm just learning! :-)*

At this point, before I even started with AAA, I wanted to get IP
connectivity first. I fired up GNS3 and chucked a router on the page. I
started it up and literally only entered:

```
enable
configure terminal
interface FastEthernet0/0
ip address 10.1.0.1 255.255.255.0
no shutdown
```

Next, I dropped a "cloud" on the topology in GNS3. *Note that due to my
obsessive compulsive nature, I actually went to Edit | Symbol Manager
and made my cloud look like a server...*

I configured the cloud (right click | configure) to use the right adapter.

I had a few problems with this bit, as I said above, with the VirtualBox
network adapter not appearing. After playing with GNS and dynamips and
googling, a quick techy-reboot fixed it.

After I configured all of this and cabled it up, I could ping between the
router and the VM. One thing I have noticed though, is that if my PC
goes to sleep while the VM / GNS3 are open, they lose connectivity. I
then need to reboot my PC to make it work again. Dunno why, it's a
"feature".

That's the basic IP connectivity sorted, so next I configured the
freeradius server. The first thing to do is add the router as a valid
client of the server. This is done by editing
/etc/freeradius/clients.conf. I added the following to the bottom of the
file:

```
client 10.1.0.1 {
    secret = CISCO_KEY
    shortname = R1
    nastype = cisco
}
```

This allows the router to connect to the server using the server key of CISCO_KEY.

I then added a user to freeradius by adding the following to the bottom of the /etc/freeradius/users file:

```
aaauser Cleartext-Password := "aaapassword"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=7"
```

This adds the user aaauser with the password aaapassword. Note the comma
on the end of the second line - I missed it the first time and the
freeradius server won't start without it!

At this point I tested the freeradius server locally to make sure it
works. From a terminal I entered:

```
sudo killall freeradius
sudo freeradius -X
```

The first command stops all instances of freeradius running. The server
loads at boot by default, and it won't pick up any configuration
changes until it is restarted. The second command starts freeradius in
debug mode, so you can see exactly what's happening. After a few seconds
I saw:

```
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
```

If you don't see that (and a few times while playing I didn't), then you should see some errors instead. The two which I had a couple of times were because my config file was incorrect (the missing comma), and because the server was already running.

From a second terminal window, the following command will test the server:

```
radtest aaauser aaapassword localhost 1812 testing123
```

This tests user aaauser with password aaapassword, on the localhost server port 1812 using the secret key testing123. The key testing123 is defined by default in the clients.conf file, under the client localhost.

If this works, you should see an Access-Accept packet. Because the server is in debug mode, if it fails you can also see in the server's output exactly why. This came in handy a few times!
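To show what radtest (and later the router's test aaa command) actually puts on the wire, and why the shared secret in clients.conf matters, here is an added example that is not from the original post: a minimal RADIUS PAP Access-Request builder and Access-Accept verifier written from RFC 2865. The server's reply is constructed inline so the code runs offline; the secret testing123 and the aaauser credentials are the ones from the post, and the function names are my own.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2        # attribute types

def encode_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each with MD5(secret + previous
    ciphertext block), the first block using the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def decode_password(cipher: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of encode_password: the server recovers the cleartext and
    compares it with the Cleartext-Password in /etc/freeradius/users."""
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = cipher[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")

def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value  # Type, Length, Value

def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Code(1) Id(1) Length(2) Authenticator(16) Attributes, as radtest sends it."""
    attrs = attribute(USER_NAME, user)
    attrs += attribute(USER_PASSWORD, encode_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_access_accept(ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Constructed stand-in for the server's reply. Response Authenticator =
    MD5(Code + Id + Length + RequestAuth + Attributes + Secret), so only a
    holder of the same secret can produce one that verifies."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Check radtest performs before trusting an Access-Accept/Reject."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    header = struct.pack("!BBH", code, ident, length)
    expected = hashlib.md5(header + req_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)
```

A wrong secret on either side makes the password decode to garbage and the reply fail verification, which is exactly the "key" mismatch you would chase in the freeradius -X output.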

Next came setting up the router. This is the bit I'm actually bothered about, as I doubt the configuration of a freeradius server is going to feature in the CCNA: Security which I'm studying for!

Here is the (relevant) config from the router:

```
R1#sh run | i aaa|radius|user
aaa new-model
aaa authentication login default group radius local
username failsafe secret 5 $1$OJU6$uN72rgfZOcePe06mi6jX61
radius-server host 10.1.0.2 auth-port 1812 acct-port 1813 key CISCO_KEY
```

I've included the command I used to show this, to demonstrate the flexibility of output modifiers for those who don't know!

This turns on the new-model AAA services and sets up a method list for login authentication: try the RADIUS servers first, and fall back to the local database only if they are unreachable. This is always a good idea, in case the network connection is down!

The user failsafe with a secret of failsafe is in the local database, so if the radius server is unreachable, it's there to log in with. However, if the radius server IS reachable, the local database is not checked, so you can't fall back to the local user just because you don't know a password on the AAA server.

The radius server is then defined, with the correct ports (found when launching the server in debug mode, or in the config files), and importantly, the key to authenticate the client (this router) with the server.

At this point, a good check is to do the following command from exec mode:

```
test aaa group radius aaauser aaapassword legacy
```

This verifies that it can reach the server, authenticate, and checks the username and password.

The second check I did was to telnet into the router...from the router. This way, if all goes wrong, I can just ctrl-shift-6-x out of the telnet session without locking myself out! I then turned off the AAA server and checked the failsafe account worked - it did.

One thing is missing here. I set up the AAA server to dump me in to privilege level 7...but when I telnet in I find I'm in privilege level 1! (show privilege will verify this, but so did the ">" instead of the "#" at the prompt.)

This is because you also have to enable AAA authorization for it to pay any attention to what the server tells it regarding privilege levels.

This is simple enough, using:

```
aaa authorization exec default group radius local
```

Now it works!

I hope this is useful to someone. I'd upload the VM to save people the trouble, but it's 5GB and my web host won't like it!
