This guide shows how to configure Cisco devices to authenticate against a FreeRADIUS server. Minimal steps, just working configs.
1. Install FreeRADIUS
sudo apt-get update
sudo apt-get install freeradius -y
Go to the config directory:
cd /etc/freeradius/3.0
2. Configure Clients (Cisco device as RADIUS client)
Edit the clients file:
nano clients.conf
Add your Cisco device:
client 192.168.1.1 {
    ipaddr = 192.168.1.1
    secret = passw0rd
    nas_type = cisco
}
ipaddr — IP of the Cisco router/switch.
secret — shared key (must match on both Cisco and RADIUS).
nas_type — specify cisco.
3. Configure Users
Open the users file:
nano users
Example user entry:
cisco_user Cleartext-Password := "StrongPass"
    Service-Type = Framed-User,
    Cisco-AVPair = "shell:priv-lvl=3"
The reply attribute lines must be indented so they are read as part of the cisco_user entry.
cisco_user — login username.
Cleartext-Password — login password.
shell:priv-lvl=3 — privilege level (0–15).
4. Configure Cisco Device
Enter configuration mode:
conf t
aaa new-model
aaa group server radius RadiusGrp
 server-private 192.168.1.100 auth-port 1812 acct-port 1813 key passw0rd
 exit
aaa authentication login default group RadiusGrp
aaa authorization exec default group RadiusGrp
aaa accounting exec default start-stop group RadiusGrp
aaa accounting system default start-stop group RadiusGrp
line vty 0 4
 transport input telnet ssh
 login authentication default
192.168.1.100 — IP of your FreeRADIUS server.
passw0rd — shared key, must match clients.conf.
5. Test Authentication (Required!)
On Cisco:
test aaa group RadiusGrp cisco_user StrongPass legacy
6. Test Authentication (On Ubuntu/Debian Side)
tail -f /var/log/freeradius/radius.log
If successful, login attempts via SSH/Telnet will be authenticated through FreeRADIUS.
- FreeRADIUS is installed and configured on Ubuntu/Debian.
- Cisco device is pointed to the RADIUS server.
- User management and privilege levels are handled via /etc/freeradius/3.0/users.