CCNP SWITCH and GNS3 – part 2.2 FreeRadius and WPA supplicant installation and configuration

LiSA is a Linux multilayer switch developed by Romanian developers; it can do L2 switching and L3 routing between virtual switch interfaces.

I made Qemu images of LiSA installed on CentOS 5.4, and you can use this image for building your virtual network in a GNS3 environment. GNS3 also supports the Dynamips emulator, which can emulate older Cisco routers.

Thanks to Qemu emulator support in GNS3, it is possible to use various Qemu images as network devices (VyOS, Juniper), servers or hosts (Core Linux).

I decided to install the FreeRADIUS server into the existing CentOS 5.4 Qemu LiSA image. This LiSA-Radius Qemu image keeps its L2/L3 forwarding capabilities and, thanks to RADIUS, can also act as an AAA server. We can use it for the AAA part of the CCNP Switch exam, forcing emulated routers to authenticate against the Radius server.

You can read my article about AAA  here:

I wrote the steps below for FreeRADIUS installation and configuration on the CentOS 5.4 Qemu image with LiSA.

FreeRadius Configuration for local user authentication with AAA

1) Start Qemu image and login to CentOS

Note: the LiSA Qemu image can be downloaded from the links at the end of this tutorial.

/usr/local/bin/qemu -m 128 ./lisa-centos-2.0.2.img

username/password  = root/password

2) Install FreeRadius from repository

yum install freeradius.i386

Note: this version of FreeRADIUS (1.1.3) is older than the current release, but it is sufficient for our goal.

3) FreeRadius Configuration

You need to modify two files, clients.conf and users, in the /etc/raddb/ directory. Use the vi editor; an online tutorial is available here:

http://www.linuxconfig.org/Vim_Tutorial

a) Client configuration (subnet, radius key)

In this configuration we choose the RADIUS shared secret (cisco123) and allow the authenticator (switch) to reach the Radius server from any subnet (0.0.0.0/0).

vi /etc/raddb/clients.conf

client 0.0.0.0/0 {
secret = cisco123
shortname = all_subnets
nastype = cisco
}

b) Users configuration

There are three blocks configured here to support different authentication levels.

Privilege level 1 - user EXEC mode. Username is admin and password is cisco for this level. You get to this mode after you are successfully authenticated by the Radius server during your telnet or console session.

Privilege level 15 - this is privileged EXEC mode (enable mode). Password is cisco.

Privilege level 15 for Telnet; mainly used by lazy administrators who want to jump directly to level 15. Username is admin15 and password cisco15.

Note: you need to configure the command aaa authorization exec default group radius in the Cisco switch IOS to get level 15 for vty users.

vi /etc/raddb/users

#Privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt

"admin" Auth-Type == Local , User-Password == "cisco"
    Service-Type = "NAS-Prompt-User"

#Privilege level 15 — Includes all enable-level commands at the router# prompt.

$enab15$ Auth-Type == Local , User-Password == "cisco"

#Privilege level 15 for Telnet; vty users get the router# prompt
#The command below is needed in IOS to get level 15 privilege working for vty users:
#aaa authorization exec default group radius

"admin15"  Auth-Type == Local , User-Password == "cisco15"
    Service-Type = "NAS-Prompt-User",
    cisco-avpair = "shell:priv-lvl=15"
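To see what the two files above actually express, here is a small parser and audit for the FreeRADIUS users and clients.conf fragments. This is an added example, not FreeRADIUS code and not part of the original tutorial; the samples inside it are constructed copies of the entries shown above (with the reply lines tab-indented, as the users file format requires), and the audit rules (wildcard client, short shared secret, cleartext passwords) are my own choices of what to flag before such a config leaves the lab.

```python
"""Parse FreeRADIUS 'users' and 'clients.conf' fragments and audit them.
Added example; the samples are constructed copies of the tutorial's entries."""
import re

# Constructed sample of /etc/raddb/users. Reply items must be indented
# (tab or spaces); the tutorial text lost that indentation.
USERS_SAMPLE = '''\
#Privilege level 1
"admin" Auth-Type == Local , User-Password == "cisco"
\tService-Type = "NAS-Prompt-User"

#Privilege level 15 (enable password)
$enab15$ Auth-Type == Local , User-Password == "cisco"

#Privilege level 15 for Telnet
"admin15"  Auth-Type == Local , User-Password == "cisco15"
\tService-Type = "NAS-Prompt-User",
\tcisco-avpair = "shell:priv-lvl=15"
'''

# Constructed sample of /etc/raddb/clients.conf.
CLIENTS_SAMPLE = '''\
client 0.0.0.0/0 {
    secret = cisco123
    shortname = all_subnets
    nastype = cisco
}
'''

# Attribute, operator, value (quoted or bare); '=' is tried last.
ITEM_RE = re.compile(r'([\w$.-]+)\s*(:=|==|!=|=~|=)\s*("[^"]*"|\S+)')


def parse_items(text):
    """Turn 'Attr op value, Attr op value' into a list of (attr, op, value)."""
    items = []
    for part in text.split(','):
        part = part.strip()
        if not part:                      # trailing comma on a reply line
            continue
        m = ITEM_RE.fullmatch(part)
        if not m:
            raise ValueError(f"cannot parse item: {part!r}")
        attr, op, value = m.groups()
        items.append((attr, op, value.strip('"')))
    return items


def parse_users(text):
    """Return {username: {'check': [...], 'reply': [...]}} from a users file."""
    users, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t':               # indented: reply items of current entry
            if current is None:
                raise ValueError("reply items before any user entry")
            users[current]['reply'] += parse_items(raw)
            continue
        m = re.match(r'("[^"]*"|\S+)\s*(.*)', raw)
        current = m.group(1).strip('"')
        users[current] = {'check': parse_items(m.group(2)), 'reply': []}
    return users


def privilege_levels(users):
    """IOS privilege level each entry grants: $enabN$ is the enable password
    for level N; otherwise cisco-avpair shell:priv-lvl=N (needs 'aaa
    authorization exec' on the switch), defaulting to 1 (user EXEC)."""
    levels = {}
    for name, entry in users.items():
        m = re.fullmatch(r'\$enab(\d+)\$', name)
        if m:
            levels[name] = int(m.group(1))
            continue
        level = 1
        for attr, _, value in entry['reply']:
            m = re.fullmatch(r'shell:priv-lvl=(\d+)', value)
            if attr == 'cisco-avpair' and m:
                level = int(m.group(1))
        levels[name] = level
    return levels


def parse_clients(text):
    """Return {client: {key: value}} from a clients.conf fragment."""
    clients, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r'client\s+(\S+)\s*\{', line)
        if m:
            current = m.group(1)
            clients[current] = {}
        elif line == '}':
            current = None
        elif current is not None and '=' in line:
            key, _, value = line.partition('=')
            clients[current][key.strip()] = value.strip()
    return clients


def audit(users, clients):
    """List the lab-only settings that should change outside the lab."""
    findings = []
    for net, cfg in clients.items():
        if net in ('0.0.0.0/0', '0.0.0.0/0.0.0.0', 'any'):
            findings.append(f"client {net}: any source may send Access-Requests; list NAS addresses instead")
        if len(cfg.get('secret', '')) < 16:
            findings.append(f"client {net}: shared secret shorter than 16 characters")
    for name, entry in users.items():
        if any(attr == 'User-Password' for attr, _, _ in entry['check']):
            findings.append(f"user {name}: cleartext password in users file; keep /etc/raddb readable by root only")
    return findings


if __name__ == '__main__':
    u, c = parse_users(USERS_SAMPLE), parse_clients(CLIENTS_SAMPLE)
    print(privilege_levels(u))
    for f in audit(u, c):
        print('-', f)
```

Running it prints the level each user ends up with (admin 1, $enab15$ 15, admin15 15) and the five findings; the 0.0.0.0/0 client and the cleartext passwords are exactly the two things that are acceptable in a GNS3 lab but not on a real AAA server.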

4) Start the Radius daemon (restart the daemon after each change to the FreeRADIUS configuration)

/etc/init.d/radiusd start

Allow the Radius daemon to be started at boot:

a) Get the current runlevel

runlevel
N 3

b) Enable the Radius daemon for runlevel 3

chkconfig --level 3 radiusd on

FreeRADIUS and Core Linux configuration for dot1x port-based authentication with EAP-MD5

If a Cisco switch is correctly configured for the Radius server with the credentials mentioned above, users who try to log in to the switch are authenticated by the Radius server instead of the switch's local database.

But we can go even further and emulate our dot1x CCNP Switch lab in GNS3. We have already installed the FreeRADIUS server on the CentOS LiSA Qemu image, but we need to configure it for dot1x port-based authentication. A dot1x client must also be installed and configured on the host. For this purpose I installed wpa_supplicant on the Linux Microcore Qemu image, which is widely used by the GNS3 community.

1) Microcore -  Dot1x Client installation

a) Start Microcore Linux

qemu ./linux-microcore.img -m 128

b) Install the wpa_supplicant extension to Microcore

tce-load -iw wpa_supplicant.tcz

Note: the wpa_supplicant.tcz extension is automatically added to the list of extensions loaded during Microcore startup, /mnt/hda1/tce/onboot.lst.

2) Microcore -  Dot1x Client configuration

a) /etc/wpa_supplicant.conf does not exist, so we must create it

vi /etc/wpa_supplicant.conf

ctrl_interface=/var/run/wpa_supplicant

ap_scan=0

network={
key_mgmt=IEEE8021X
eap=MD5
identity="CiscoClient"
password="cisco"
eapol_flags=0
}

This configuration works for EAP-MD5 authentication. Before the switch allows the dot1x client (Microcore) onto the network, the client must be authenticated by the Radius server with username CiscoClient and password cisco.

b) Add /etc/wpa_supplicant.conf to the list of files that Microcore saves across reboots

echo "/etc/wpa_supplicant.conf" >> /opt/.filetool.lst

c) Start wpa_supplicant for the wired interface eth0 and have it started at boot

echo "wpa_supplicant -ieth0 -Dwired -c /etc/wpa_supplicant.conf" >> /opt/bootlocal.sh

d) Save bootlocal.sh and .filetool.lst

/usr/bin/filetool.sh backup


3) Dot1x FreeRADIUS configuration

The files users, clients.conf and radiusd.conf in the /etc/raddb/ directory need to be modified.

Note: we do not need to touch /etc/raddb/clients.conf because it was already configured in the "local user authentication with AAA" part of this tutorial.

a) Configure the dot1x user credentials on FreeRADIUS

vi /etc/raddb/users

#Dot1x users configuration

"CiscoClient"  User-Password == "cisco"

b) Check /etc/raddb/radiusd.conf

Note: the configuration required for step b) is present by default, so only verify it.

vi /etc/raddb/radiusd.conf

#In order to configure FreeRADIUS for EAP-MD5, the authorize section in /etc/raddb/radiusd.conf must contain eap:

authorize {
preprocess
files
eap
}

#The authenticate section must have eap uncommented:

authenticate {
eap
}

c) Finally, configure the EAP module in /etc/raddb/eap.conf to support EAP-MD5

vi /etc/raddb/eap.conf

eap {
md5 {
}
}
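To make clear what the supplicant's identity/password in wpa_supplicant.conf and the "CiscoClient" User-Password entry in the users file are used for, here is the EAP-MD5 challenge/response computation from both sides. This is an added example, not code from wpa_supplicant or FreeRADIUS; it models the hash defined in RFC 3748 section 5.4 (the CHAP hash of RFC 1994, MD5 over identifier, password and challenge), and the credentials and user table are constructed from the tutorial's values. It also shows why the server side needs the cleartext password: the check recomputes the same hash, so a stored password hash would be useless here.

```python
"""EAP-MD5 challenge/response for the dot1x lab, supplicant and server side.
Added example modelled on RFC 3748 section 5.4, not wpa_supplicant/FreeRADIUS code."""
import hashlib
import hmac
import os

# Constructed: what 'User-Password == "cisco"' in /etc/raddb/users gives the
# server. EAP-MD5 needs the cleartext value; a password hash cannot be used.
RADIUS_USERS = {"CiscoClient": "cisco"}


def build_challenge(identifier, size=16):
    """Server: EAP-Request/MD5-Challenge carrying a fresh random value.
    identifier is the one-octet EAP Identifier field (0-255)."""
    return {"id": identifier, "challenge": os.urandom(size)}


def md5_response(identifier, password, challenge):
    """MD5(Identifier | password | Challenge), the value both sides compute."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def supplicant_answer(request, identity, password):
    """Supplicant: EAP-Response/MD5-Challenge for the request just received
    (identity/password are the wpa_supplicant.conf network block values)."""
    return {
        "id": request["id"],
        "identity": identity,
        "value": md5_response(request["id"], password, request["challenge"]),
    }


def server_verify(request, response, users):
    """Server: recompute the hash from the stored cleartext password and
    compare in constant time. Fails on unknown user, wrong password or an
    identifier that does not match the outstanding request."""
    if response["id"] != request["id"]:
        return False
    password = users.get(response["identity"])
    if password is None:
        return False
    expected = md5_response(request["id"], password, request["challenge"])
    return hmac.compare_digest(expected, response["value"])


def run_exchange(identity, password, users=RADIUS_USERS, identifier=1):
    """One full Request/Response round; True means Access-Accept."""
    request = build_challenge(identifier)
    response = supplicant_answer(request, identity, password)
    return server_verify(request, response, users)


if __name__ == "__main__":
    print("CiscoClient/cisco  ->", run_exchange("CiscoClient", "cisco"))
    print("CiscoClient/wrong  ->", run_exchange("CiscoClient", "wrong"))
    print("nobody/cisco       ->", run_exchange("nobody", "cisco"))
```

Note what this exchange does not do: nothing in it authenticates the server to the client, and no keying material comes out of it, which is why EAP-MD5 is fine for this lab but is not what you would deploy on a production 802.1X network (the authenticate/authorize sections above would carry a TLS-based EAP method instead).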

Qemu image with LiSA 2.0.1 and Radius 1.1.3, download links:

http://www.4shared.com/file/i5Wlmyr8/lisa-centos-202part01.html
http://www.4shared.com/file/bA88xQnF/lisa-centos-202part02.html
http://www.4shared.com/file/fhIJ7whO/lisa-centos-202part03.html
http://www.4shared.com/file/5SjtImZb/lisa-centos-202part04.html

Qemu image with Microcore 2.11.5 and wpa_supplicant installed (the console works in GNS3):

http://www.4shared.com/file/OeNcUh_0/linux-microcore-2115.html

End.

One thought on “CCNP SWITCH and GNS3 – part 2.2 FreeRadius and WPA supplicant installation and configuration”

  1. CCNP SWITCH and GNS3 – part 2.2 FreeRadius and WPA supplicant installation and configuration
    can you do this on Windows 7 or Xp
