Using free RADIUS software for device AAA management
On a recent project the customer had no budget for ACS but still required AAA, with administrator logins going through AAA, so I turned to freeradius to get it done.
1. Download a freeradius for win build from the internet and install it.
2. Configure freeradius
Under C:\freeradius\etc\raddb first edit clients.conf and users.conf (a stock FreeRADIUS tree calls the second file raddb/users).
In clients.conf add the Cisco devices' address range and the shared key:
client 10.6.6.0/24 {
    #
    # secret and password are mapped through the "secrets" file.
    secret    = key4cisco
    shortname = ciscoap1240ag
    #
    # the following three fields are optional, but may be used by
    # checkrad.pl for simultaneous usage checks
    nastype   = cisco
    login     = !root
    password  = someadminpas
}
Only secret and shortname matter for login authentication; nastype, login and password are used by checkrad.pl for simultaneous-use checks and can be left out. The secret is the only thing protecting the User-Password on the wire (RFC 2865 hides it with MD5 of the secret and the request authenticator, nothing stronger), so use a long random value rather than a word like key4cisco, and keep the client range as narrow as the management network allows.
In users.conf add the administrator and ordinary user accounts the devices need:
radiusadmin  Auth-Type := Local, Cleartext-Password := "radiusadmin"
             Service-Type = NAS-Prompt-User,
             cisco-avpair = "shell:priv-lvl=15"

radiususer   Auth-Type := Local, Cleartext-Password := "radiususer"
             Service-Type = NAS-Prompt-User,
             cisco-avpair = "shell:priv-lvl=1"
The check items (Auth-Type, Cleartext-Password) stay on the first line with the user name; the reply items follow on indented lines, comma-separated, with no comma after the last one. shell:priv-lvl=15 drops the user straight into privilege 15 after login, priv-lvl=1 leaves the user in user EXEC. On FreeRADIUS 2.x and later omit Auth-Type := Local and let the pap module check Cleartext-Password. The passwords are stored in clear text, so restrict who can read this file, and do not reuse the user name as the password the way these sample entries do.
From the freeradius command line run freeradius.exe -X ../etc/raddb to start the server in debug mode (stock radiusd takes the configuration directory as -d ../etc/raddb; -X turns on full debug output).
The server is up only once these lines appear:
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
Leave that window open while testing: in -X mode every Access-Request and the Accept or Reject it produces is printed, which is the fastest way to see why a router login is failing.
Finally configure the Cisco device as follows:
enable secret password-for-con-login
aaa new-model
aaa authentication login default group radius local
 ! default login list: try RADIUS first, fall back to the local user database only
 ! when no RADIUS server answers. A RADIUS reject does NOT fall through to local.
aaa authentication login con0login none
 ! console login list with no authentication; anyone with physical console access
 ! gets user EXEC without a password (use "local" here if that is a concern)
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
username admin-for-locallogin password password-for-locallogin
 ! local account, used only when RADIUS is unreachable; "username ... secret"
 ! stores a hash instead of the reversible type 7 string "password" produces
ip radius source-interface interface-for-radius
 ! source address of RADIUS packets; must fall inside the client block in clients.conf
radius-server host 10.6.6.247 auth-port 1812 acct-port 1813 key password-for-radius
 ! server address, ports and key; the key must equal the secret in clients.conf
line con 0
 login authentication con0login
 ! the console uses the no-authentication list
line vty 5 15
 login authentication default
 ! the default list already applies to every line without an explicit one;
 ! naming it on the vtys just makes that visible in the configuration
After that, management logins to the device are authenticated, authorized and accounted through RADIUS. Test a new login from a second session before closing the one you are configuring from; a mismatched key or a client range that does not cover the source interface produces rejects, not a fallback to local, and the console list con0login is then the only way back in.
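To check the server and the users.conf entries without a router, here is an added example (not code from the post, FreeRADIUS or Cisco): a small Python RADIUS PAP client that does what the Cisco NAS does on an admin login. It builds an Access-Request, verifies the Response Authenticator with the shared secret, and reads the Service-Type and cisco-avpair reply attributes that decide the privilege level. It takes the server address 10.6.6.247, the secret key4cisco and the user radiusadmin from the post; the NAS source address 10.6.6.1 is an assumption (any address inside client 10.6.6.0/24 would do), and build_access_accept only imitates the server's reply so the parsing can be exercised offline.

```python
# Added example, not the post's own code. Post values: 10.6.6.247, key4cisco, radiusadmin.
# Assumed: NAS source address 10.6.6.1 (inside the client 10.6.6.0/24 block).
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
NAS_PROMPT_USER = 7                                              # Service-Type used in users.conf
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1                             # cisco-avpair = VSA type 1 under vendor 9

def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    Only the shared secret keys this, so a weak secret exposes every password sniffed."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def decrypt_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_password: what the server does before comparing Cleartext-Password."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_avpair(text: bytes) -> bytes:
    """Vendor-Specific(26) carrying Vendor-Id 9 and one cisco-avpair sub-attribute."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, text))

def parse_attrs(data: bytes):
    pos = 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        yield attr_type, data[pos + 2:pos + length]
        pos += length

def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Access-Request as the NAS sends it; returns (packet, request authenticator)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs, authenticator

def build_access_accept(ident, request_authenticator, secret, priv_lvl):
    """Imitation of the reply the users.conf entries produce, for offline checks only."""
    attrs = attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)) + cisco_avpair(b"shell:priv-lvl=%d" % priv_lvl)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(response, request_authenticator, secret) -> bool:
    """RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A NAS that skipped this check would accept a forged priv-lvl=15 from anyone on the path."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def parse_reply(response, request_authenticator, secret) -> dict:
    """Return the decision the NAS acts on: packet code, Service-Type and shell:priv-lvl."""
    if not verify_response(response, request_authenticator, secret):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    result = {"code": response[0], "service_type": None, "priv_lvl": None}
    for attr_type, value in parse_attrs(response[20:]):
        if attr_type == SERVICE_TYPE:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif attr_type == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            vsa_type, vsa_len = value[4], value[5]
            text = value[6:4 + vsa_len].decode()
            if vsa_type == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
                result["priv_lvl"] = int(text.split("=", 1)[1])
    return result

def send_request(server, username, password, secret, nas_ip, port=1812, timeout=3.0) -> dict:
    """Live test against a running freeradius -X, the same exchange radtest performs."""
    packet, authenticator = build_access_request(os.urandom(1)[0], username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        response, _ = sock.recvfrom(4096)
    return parse_reply(response, authenticator, secret)
```

With the server up, send_request("10.6.6.247", "radiusadmin", "radiusadmin", b"key4cisco", "10.6.6.1") should return code 2 with service_type 7 and priv_lvl 15; a reply with priv_lvl 1 means the radiususer entry matched. If parse_reply raises on the Response Authenticator, or the -X trace shows an unprintable decoded password, the key on the router side and the secret in clients.conf differ. Run it from an address inside the client block, otherwise FreeRADIUS silently drops the request.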