用免费radius软件实现设备AAA管理

用免费radius软件实现设备AAA管理

最近一个项目，客户没钱买ACS，却要求做AAA的认证，要求管理员登录时采用AAA，无奈之下找到freeradius来实现

1、在网上下载一个freeradius for win，并安装完毕

2、在freeradius上配置

C:\freeradius\etc\raddb下先改动clients.conf，users.conf

在clients.conf添加cisco设备IP地址和相关key

client 10.6.6.0/24{

#

#secret and password are mapped through the "secrets" file.

secret

=key4cisco

shortname

= ciscoap1240ag

#

# the following three fields are optional, but may be used by

#

# checkrad.pl for simultaneous usage checks

nastype

= cisco

#

login

= !root

#

password

= someadminpas

}

在users.conf中添加设备需要的管理员和一般用户

radiusadmin Auth-Type := Local,

Cleartext-Password := "radiusadmin"

Service-Type =NAS-Prompt-User,

cisco-avpair = "shell:priv-lvl=15"

radiususer

Auth-Type := Local, Cleartext-Password := "radiususer"

Service-Type = NAS-Prompt-User,

cisco-avpair = "shell:priv-lvl=1"

在freeradius命令行下用freeradius.exe

–X ../etc/raddb调试freeradius的启动

直到出现以下信息才算正常

Listening on authentication *:1812

Listening on accounting *:1813

Ready to process requests.

最后在cisco设备上配置如下

enable secret password-for-con-login

aaa new-model

aaa authentication login default group radiuslocal创建缺省的认证，先radius认证，radius 服务器无效的情况下再本地认证，注意radius认证失败不会本地认证

aaa authentication login con0login none 指定控制口登陆不要radius认证

aaa authorization exec default group radius local

aaa authorization network default group radius local

aaa accounting delay-start

aaa accounting exec default start-stop group radius

aaa accounting network default start-stop group radius

username admin-password-for-locallogin password password-for-locallogin设定本地认证，radius无效的情况下使用

p radius source-interface interface-for-radius设定radius认证地址，必须与client.conf 相同

radius-server host10.6.6.247auth-port 1812acct-port 1813 key password-for-radius 设定radius认证信息，必须与client.conf相同

line con 0

login authentication con0login 设定认证方式

line vty 5 15

login authentication default

然后就可以使用radius来做网管管理了