Step 4: Edit the default configuration files

Edit /etc/raddb/clients.conf

At the bottom, add the following client definition:

client 192.168.1.0/24 {
        secret    = YoUrSeCrEtLdApKeY
        shortname = "at the company network"
        nastype   = cisco
}

This defines every device in 192.168.1.0/24 as a RADIUS client (NAS) and sets the shared secret they must use. The secret is what authenticates the switches to the server and the only thing protecting the User-Password in PAP requests on the wire, so use a long random string rather than a word, keep the client subnet as narrow as possible, and make clients.conf readable only by the user radiusd runs as. 'shortname' is just a label that shows up in the logs; 'nastype' tells the checkrad helper how to query the device and can be left out if you do not use Simultaneous-Use checks.

Edit /etc/raddb/radiusd.conf

These three settings are in the log { } section:

* Find 'auth = no' and change it to 'auth = yes' so that every authentication request, accepted or rejected, is logged.

* Find '# msg_goodpass = ""' and change it to: 'msg_goodpass = "Host %n"'

* Find '# msg_badpass = ""' and change it to: 'msg_badpass = "Host %n"'

'%n' expands to the NAS IP address, so every "Login OK" / "Login incorrect" line in radius.log shows which switch the attempt came from.

Edit /etc/raddb/users:

At the bottom, add the following two entries (the reply items of the first entry must be indented):

DEFAULT LDAP-Group == "SG_Network_Operators"
        Service-Type = Administrative-User,
        cisco-avpair = "shell:priv-lvl=15"

DEFAULT LDAP-Group != "SG_Network_Operators", Auth-Type := Reject

This gives members of 'SG_Network_Operators' privilege level 15 on the switch: Service-Type = Administrative-User marks the session as an administrative login and the cisco-avpair sets the privilege level the device drops the user into. Anyone who is not in the group falls through to the second entry and gets Auth-Type := Reject, so they are refused before their password is ever checked against AD. The entries are evaluated in order, and the LDAP-Group check only works if the ldap module runs in the authorize section, which the sites-available/default edit further down takes care of.

Edit /etc/raddb/modules/ldap to make Radius use the AD/LDAP:

Change the defaults to something like this (the server, bind account and base DN must match your AD):

server = "dc.domain.local"
identity = "cn=LdapUser,ou=Service Accounts,dc=domain,dc=local"
password = "LdApUsErPaSsWoRd"
basedn = "dc=domain,dc=local"
filter = "(&(objectclass=user)(objectcategory=user)(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}*))"
groupmembership_attribute = "memberOf"

'identity' is an ordinary service account that only needs read access to user objects and their memberOf attribute; do not use a Domain Admin for this. Its password sits in this file in clear text, so /etc/raddb/modules/ldap must be readable by radiusd only. The filter expands to Stripped-User-Name when a realm was stripped from the login and to User-Name otherwise, and the trailing '*' is what lets a bare login name such as 'jdoe' match a userPrincipalName of jdoe@domain.local. The same wildcard also matches any longer UPN with that prefix ('admin' matches 'administrator@domain.local' as well), so if you have names like that, match exactly instead, e.g. (userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}@domain.local) or (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}).

Uncomment the following two lines (remove the leading '#'); AD answers searches of the domain with referrals to other naming contexts, and without these the module cannot follow them:

chase_referrals = yes
rebind = yes

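The filter line decides which AD object a login is compared against, and the trailing wildcard is the part people get wrong. As an added example (not part of this tutorial and not FreeRADIUS code), the following Python models what the ldap module does with that line: the %{%{Stripped-User-Name}:-%{User-Name}} fallback, the RFC 4515 escaping the module applies to the expanded name before it is substituted into the filter, and what the trailing '*' matches against a small constructed list of userPrincipalName values. The directory contents, the EXACT_FILTER alternative and the matcher itself are this example's own assumptions, not anything the page or the module ships.

```python
import re

# Constructed sample directory of userPrincipalName values; not real accounts.
DIRECTORY = [
    "admin@domain.local",
    "administrator@domain.local",
    "jdoe@domain.local",
    "svc-backup@domain.local",
]

# The tutorial's filter (prefix wildcard) and an exact-match alternative.
# EXACT_FILTER is this example's assumption, not something the tutorial uses.
TUTORIAL_FILTER = "(&(objectclass=user)(objectcategory=user)(userPrincipalName={user}*))"
EXACT_FILTER = "(&(objectclass=user)(objectcategory=user)(userPrincipalName={user}@domain.local))"

_ESCAPE = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a filter, so a User-Name
    containing '*' or ')' cannot change the structure of the search filter."""
    return "".join(_ESCAPE.get(c, c) for c in value)


def ldap_unescape(piece):
    """Turn '\\xx' hex escapes back into literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def expand_username(request):
    """%{%{Stripped-User-Name}:-%{User-Name}}: Stripped-User-Name if it is set,
    otherwise User-Name (the ':-' default-value syntax of FreeRADIUS xlat)."""
    return request.get("Stripped-User-Name") or request.get("User-Name", "")


def build_filter(request, template=TUTORIAL_FILTER):
    """The search filter the ldap module would send for this request."""
    return template.format(user=ldap_escape(expand_username(request)))


def substring_match(assertion, value):
    """Evaluate (attr=assertion) against one attribute value: '*' is a wildcard,
    '\\xx' escapes are literal, and comparison is case-insensitive like AD's UPN."""
    parts = [ldap_unescape(p).lower() for p in assertion.split("*")]
    value = value.lower()
    if len(parts) == 1:                      # no wildcard: plain equality
        return value == parts[0]
    head, tail, middle = parts[0], parts[-1], parts[1:-1]
    if len(value) < len(head) + len(tail):
        return False
    if not value.startswith(head) or not value.endswith(tail):
        return False
    pos, end = len(head), len(value) - len(tail)
    for mid in middle:                       # inner pieces must appear in order
        idx = value.find(mid, pos, end)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return True


def lookup(request, directory=DIRECTORY, template=TUTORIAL_FILTER):
    """Return the UPNs the filter's userPrincipalName clause matches."""
    filt = build_filter(request, template)
    assertion = re.search(r"\(userPrincipalName=([^()]*)\)", filt).group(1)
    return [upn for upn in directory if substring_match(assertion, upn)]


if __name__ == "__main__":
    for req in ({"User-Name": "admin"}, {"User-Name": "jdoe"}, {"User-Name": "*"}):
        print(req["User-Name"], "->", lookup(req), "| exact:", lookup(req, template=EXACT_FILTER))
```

Running it shows 'admin' matching both admin@domain.local and administrator@domain.local under the tutorial's filter but only admin@domain.local under the exact one, and a login name of '*' matching nothing at all because the escaping turns it into a literal before the filter's own wildcard is appended.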

Edit /etc/raddb/sites-available/default:

In the authorize section, find:

# The ldap module will set Auth-Type to LDAP if it has not
# already been set
# ldap

And change it to:

# The ldap module will set Auth-Type to LDAP if it has not
# already been set
ldap

In the authenticate section, find:

# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
# ldap
# }

And change it to:

# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
Auth-Type LDAP {
        ldap
}

With this in place the ldap module authenticates a user by binding to AD as that user with the password from the request. As the comment says, that only works for PAP: the switches have to send the clear-text password, which is protected on the wire by nothing more than the RADIUS shared secret, so the secret strength and the client subnet in clients.conf matter. Restart radiusd afterwards and test with one account that is a member of SG_Network_Operators and one that is not; running the server in debug mode (radiusd -X) shows each module's decision for the request.