LiSA is a Linux multilayer switch developed by Romanian developers; it can do L2 switching and L3 routing between virtual switch interfaces.
I made Qemu images of LiSA installed on CentOS 5.4, and you can use this image to build your virtual network in a GNS3 environment. GNS3 also supports the Dynamips emulator, which can emulate older Cisco routers.
Thanks to Qemu emulator support in GNS3 it is possible to use various Qemu images as network devices (VyOS, Juniper), servers or hosts (Core Linux).
I decided to install the FreeRadius server into the existing CentOS 5.4 Qemu LiSA image. This LiSA-Radius Qemu image keeps its L2/L3 forwarding capabilities and, thanks to Radius, can act as an AAA server. We can use it for the AAA part of the CCNP Switch exam, forcing emulated routers to authenticate against the Radius server.
You can read my article about AAA here:
I wrote the steps below for FreeRadius installation and configuration on the CentOS 5.4 Qemu image with LiSA.
FreeRadius Configuration for local user authentication with AAA
1) Start Qemu image and login to CentOS
Note: The LiSA Qemu image can be downloaded at the end of this tutorial.
/usr/local/bin/qemu -m 128 ./lisa-centos-2.0.2.img
username/password = root/password
2) Install FreeRadius from repository
yum install freeradius.i386
Note: This version of FreeRadius (1.1.3) is older than the current release but sufficient for our goal.
3) FreeRadius Configuration
You need to modify two files, clients.conf and users, in the /etc/raddb/ directory. Use the vi editor; for an online manual visit:
http://www.linuxconfig.org/Vim_Tutorial
a) Client configuration (subnet, radius key)
In this configuration we choose the Radius shared secret (cisco123) and allow access to Radius from an authenticator (switch) in any subnet (0.0.0.0/0).
vi /etc/raddb/clients.conf
client 0.0.0.0/0 {
secret = cisco123
shortname = all_subnets
nastype = cisco
}
b) Users configuration
There are 3 blocks configured here to support different privilege levels of authentication.
Privilege level 1 - user exec mode. The username is admin and the password is cisco for this level. You get to this mode after you are successfully authenticated by the Radius server during your telnet or console session.
Privilege level 15 - this is privileged exec mode (enable mode). The password is cisco.
Privilege level 15 for Telnet; mainly used by lazy administrators who want to jump directly to level 15. The username is admin15 and the password is cisco15.
Note: You need to configure the command aaa authorization exec default group radius in the Cisco switch IOS to get level 15 for vty users.
vi /etc/raddb/users
#Privilege level 1 - Normal level on Telnet; includes all user-level commands at the router> prompt
"admin" Auth-Type == Local, User-Password == "cisco"
        Service-Type = "NAS-Prompt-User"
#Privilege level 15 - Includes all enable-level commands at the router# prompt.
$enab15$ Auth-Type == Local, User-Password == "cisco"
#Privilege level 15 for Telnet; vty users get the router# prompt
#The command below is needed in IOS to get level 15 privilege working for vty users:
#aaa authorization exec default group radius
"admin15" Auth-Type == Local, User-Password == "cisco15"
        Service-Type = "NAS-Prompt-User",
        cisco-avpair = "shell:priv-lvl=15"
4) Start the Radius daemon (restart the daemon after each change in the FreeRadius configuration)
/etc/init.d/radiusd start
Allow the Radius daemon to start at boot:
a) Get info about the current runlevel
runlevel
N 3
b) Enable the Radius daemon for runlevel 3
chkconfig --level 3 radiusd on
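To see what the switch and radiusd actually exchange once the users file and clients.conf above are in place, here is an added Python example (not part of the original tutorial or of FreeRadius) that builds a PAP Access-Request for admin15, the Access-Accept radiusd returns with Service-Type and the cisco-avpair shell:priv-lvl=15 reply item, and the client-side check of the Response Authenticator under the shared secret cisco123. The Request Authenticator is passed in as a parameter so the run is reproducible; in a live exchange the switch picks 16 random bytes.

```python
import hashlib
import struct

# Constructed lab values: the shared secret from clients.conf and the admin15 user above.
SECRET = b"cisco123"
ACCESS_REQUEST, ACCESS_ACCEPT, NAS_PROMPT_USER = 1, 2, 7
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 1, 2, 6, 26, 9, 1

def pap_crypt(data, secret, authenticator, decrypt=False):
    """RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous ciphertext block),
    the first 'previous block' being the Request Authenticator. Same loop both ways."""
    data = data + b"\0" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = data[i:i + 16] if decrypt else block
        out += block
    return out.rstrip(b"\0") if decrypt else out

def avp(kind, value):
    return struct.pack("!BB", kind, 2 + len(value)) + value

def build_access_request(ident, user, password, secret, req_auth):
    """What the switch sends: User-Name plus the PAP-obfuscated User-Password (req_auth is random per request)."""
    attrs = avp(USER_NAME, user) + avp(USER_PASSWORD, pap_crypt(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_access_accept(ident, req_auth, secret, priv_lvl):
    """radiusd's answer for admin15: Service-Type NAS-Prompt-User plus cisco-avpair shell:priv-lvl=N.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + avp(CISCO_AVPAIR, b"shell:priv-lvl=%d" % priv_lvl)
    attrs = avp(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)) + avp(VENDOR_SPECIFIC, vsa)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_accept(reply, req_auth, secret):
    """Client side: drop replies whose Response Authenticator does not match, then read priv-lvl."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[20:length]
    if code != ACCESS_ACCEPT or reply[4:20] != hashlib.md5(reply[:4] + req_auth + attrs + secret).digest():
        return None
    pos = 0
    while pos < len(attrs):
        kind, alen = attrs[pos], attrs[pos + 1]
        if kind == VENDOR_SPECIFIC and struct.unpack("!I", attrs[pos + 2:pos + 6])[0] == CISCO_VENDOR_ID:
            value = attrs[pos + 8:pos + alen].decode()  # skip vendor id (4) and sub-attribute header (2)
            if value.startswith("shell:priv-lvl="):
                return int(value.split("=", 1)[1])
        pos += alen
    return None
```

The Response Authenticator check plus the shared secret is all that binds a priv-lvl=15 reply to the request, which is why the 0.0.0.0/0 client entry above is a lab convenience and should be narrowed to the switch's address anywhere else.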
FreeRadius and Core Linux configuration for dot1x port-based authentication with EAP-MD5
If a Cisco switch is correctly configured for the Radius server with the credentials mentioned above, users who try to log in to the switch are authenticated by the Radius server instead of the switch.
But we can go even further and emulate our dot1x CCNP Switch lab in GNS3. We have already installed the FreeRadius server on the CentOS LiSA Qemu image, but we need to configure it for dot1x port-based authentication. A dot1x client must also be installed and configured on the host. For this purpose I installed wpa_supplicant onto the Linux Microcore Qemu image, which is widely used by the GNS3 community.
1) Microcore - Dot1x Client installation
a) Start Microcore Linux
qemu ./linux-microcore.img -m 128
b) Install the wpa_supplicant extension to Microcore
tce-load -iw wpa_supplicant.tcz
Note: The wpa_supplicant.tcz extension is automatically added to the list of loaded extensions, /mnt/hda1/tce/onboot.lst, during Microcore startup.
2) Microcore - Dot1x Client configuration
a) /etc/wpa_supplicant.conf doesn't exist, so we must create it
vi /etc/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
network={
key_mgmt=IEEE8021X
eap=MD5
identity="CiscoClient"
password="cisco"
eapol_flags=0
}
This configuration works for EAP-MD5 authentication. Before the switch allows the dot1x client (Microcore) access to the network, the client needs to be authenticated with username CiscoClient and password cisco on Radius.
b) Make the file /etc/wpa_supplicant.conf persistent across reboots
echo "/etc/wpa_supplicant.conf" >> /opt/.filetool.lst
c) Start wpa_supplicant for the wired interface eth0 and have it started during boot
echo "wpa_supplicant -ieth0 -Dwired -c /etc/wpa_supplicant.conf" >> /opt/bootlocal.sh
d) Save bootlocal.sh and .filetool.lst
/usr/bin/filetool.sh backup
3) Dot1x FreeRadius configuration
The files users, clients.conf and radiusd.conf in the /etc/raddb/ directory need to be modified.
Note: We don't need to configure /etc/raddb/clients.conf because it was already configured in the local user authentication with AAA part of this tutorial.
a) Configure dot1x user credentials on FreeRadius
vi /etc/raddb/users
#Dot1x users configuration
"CiscoClient" User-Password == "cisco"
b) Configure /etc/raddb/radiusd.conf
Note: The configuration for point b) is present by default, so only check it.
vi /etc/raddb/radiusd.conf
#In order to configure FreeRadius for EAP-MD5, the authorize section in /etc/raddb/radiusd.conf must contain eap:
authorize {
preprocess
files
eap
}
#The authenticate section must have eap uncommented:
authenticate {
eap
}
c) Finally, configure the EAP module under /etc/raddb/eap.conf to support EAP-MD5
vi /etc/raddb/eap.conf
eap {
md5 {
}
}
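The EAP-MD5 exchange behind the wpa_supplicant.conf and users entries above, as an added Python example that is not part of the original tutorial, of wpa_supplicant or of FreeRadius: the server's MD5-Challenge request, the supplicant's response computed as MD5(Identifier || password || challenge), and the server-side check against the cleartext User-Password from the users file. The Name field is used here to carry the identity; in the real flow the identity arrives earlier in EAP-Response/Identity and reaches radiusd as User-Name.

```python
import hashlib
import struct

# Constructed lab values matching the wpa_supplicant.conf and users entries above.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5 = 4
USERS = {"CiscoClient": b"cisco"}   # the cleartext User-Password rlm_files reads from /etc/raddb/users

def eap_packet(code, ident, payload):
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def md5_challenge_request(ident, challenge, name=b"radiusd"):
    """EAP-Request/MD5-Challenge (RFC 3748 5.4): Type 4, Value-Size, Value (challenge), Name."""
    return eap_packet(EAP_REQUEST, ident, struct.pack("!BB", EAP_TYPE_MD5, len(challenge)) + challenge + name)

def md5_response_value(ident, password, challenge):
    """RFC 1994 CHAP hash reused by EAP-MD5: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def supplicant_response(request, identity, password):
    """What wpa_supplicant (eap=MD5) answers; identity and password come from wpa_supplicant.conf."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != EAP_REQUEST or request[4] != EAP_TYPE_MD5:
        return None
    challenge = request[6:6 + request[5]]
    value = md5_response_value(ident, password, challenge)
    payload = struct.pack("!BB", EAP_TYPE_MD5, len(value)) + value + identity.encode()
    return eap_packet(EAP_RESPONSE, ident, payload)

def radius_verify(response, challenge, users=USERS):
    """Server side (rlm_eap md5): recompute the hash from the stored cleartext password and compare."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != EAP_RESPONSE or response[4] != EAP_TYPE_MD5:
        return EAP_FAILURE
    value = response[6:6 + response[5]]
    name = response[6 + response[5]:length].decode()   # Name field carries the identity here
    password = users.get(name)
    if password is None or md5_response_value(ident, password, challenge) != value:
        return EAP_FAILURE
    return EAP_SUCCESS
```

Because the response is a bare MD5 over a static password and a challenge sent in the clear, EAP-MD5 gives no server authentication or key derivation, which is fine for this lab but the reason it is not used on production ports.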
Qemu image with LiSA 2.0.1 and Radius 1.1.3 download:
http://www.4shared.com/file/i5Wlmyr8/lisa-centos-202part01.html
http://www.4shared.com/file/bA88xQnF/lisa-centos-202part02.html
http://www.4shared.com/file/fhIJ7whO/lisa-centos-202part03.html
http://www.4shared.com/file/5SjtImZb/lisa-centos-202part04.html
Qemu image with Microcore 2.11.5 and wpa_supplicant installed (the console is working in GNS3):
http://www.4shared.com/file/OeNcUh_0/linux-microcore-2115.html
End.
CCNP SWITCH and GNS3 – part 2.2 FreeRadius and WPA supplicant installation and configuration
Can you do this on Windows 7 or XP?