RADIUS Client Configuration
Overview
Remote Authentication Dial In User Service (RADIUS) is a remote authentication protocol that is used to communicate with an authentication server. A RADIUS server is responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user.
The OcNOS device, acting as a RADIUS client, sends the user's credentials to the RADIUS server and requests authentication. The RADIUS server validates the received credentials and authenticates the user. After authentication, it authorizes the user's privilege level and returns it to the OcNOS device; the user role is then decided based on the received privilege level.
The key points for RADIUS authentication are:
• Transactions between client and server are authenticated through the use of a shared key and this key is never sent over the network.
• The password is encrypted before sending it over the network.
• A maximum of eight RADIUS servers can be configured.
Limitation:
• If the privilege level is not specified in the RADIUS server's user configuration file, the default role is “network-user”.
• By default, the Privileged Exec mode is given to all users.
In the OcNOS 6.4.1 release, RADIUS authentication can also fall back to the local authentication server when the user is not present on the RADIUS server or authentication fails from the RADIUS server.
To implement the above requirements, the existing CLI aaa authentication login console fallback error is used to enable fallback to the local authentication server. This is disabled by default.
By default, the fallback to local authentication is applied when the Radius server is unreachable. For other scenarios, enable the fallback using the CLI.
Note: For an invalid secret key there is no fallback to local authentication.
Console authentication is not supported for Radius.
Note: In OcNOS 6.4.2 release, the RADIUS Authorization is supported.
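The two protocol mechanisms behind the key points above (the shared key never leaving the device, and the password being hidden before it is sent), shown as an added Python example that is not OcNOS code: the client hides User-Password with MD5(secret + Request Authenticator) as RFC 2865 specifies, the server signs its Access-Accept carrying Management-Privilege-Level (attribute 136, RFC 5607) with the same secret, and a reply produced with a mismatched key fails the client's Response Authenticator check. The username, password and secret are constructed from the page's sample files.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_MGMT_PRIV_LEVEL = 136  # Management-Privilege-Level (RFC 5607)


def _attr(atype, value):
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def build_access_request(ident, username, password, secret, req_auth=None):
    """Client side: the secret only shapes the password mask and is never sent."""
    req_auth = req_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_access_accept(request, secret, privilege_level):
    """Server side: Accept carrying Management-Privilege-Level, signed with its secret."""
    ident, req_auth = request[1], request[4:20]
    attrs = _attr(ATTR_MGMT_PRIV_LEVEL, struct.pack("!I", privilege_level))
    resp_auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, req_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + resp_auth + attrs


def verify_response(request, response, secret):
    """Client side: trust a reply only if its ID matches and the authenticator
    was computed with our secret; anything else is silently discarded."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def granted_privilege_level(response):
    """Walk the TLVs of a verified Accept and return Management-Privilege-Level or None."""
    attrs, pos = response[20:], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            return None  # malformed attribute; stop rather than loop forever
        if atype == ATTR_MGMT_PRIV_LEVEL and alen == 6:
            return struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
        pos += alen
    return None


if __name__ == "__main__":
    # Constructed values: user "ipi" / level 12 and the secret from the page's sample files.
    secret = b"testing123"
    req = build_access_request(7, b"ipi", b"ipi123", secret)
    accept = build_access_accept(req, secret, 12)
    rogue = build_access_accept(req, b"wrong-secret", 12)  # server holding a different key
    print("secret in packet:", secret in req, "| password in packet:", b"ipi123" in req)
    print("good reply verified:", verify_response(req, accept, secret),
          "-> privilege level", granted_privilege_level(accept))
    print("mismatched-key reply verified:", verify_response(req, rogue, secret))
```

A reply that fails verification is dropped without a reject, which is why a wrong shared key shows up as a failed connection rather than a failed authentication.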
RADIUS Authorization Configuration
Benefits
The user role is determined based on the privilege level received from the RADIUS server.
Prerequisites
RADIUS server process must be up and running.
Configuration
Topology
Following is the RADIUS client and server network topology.
RADIUS Server Client Configuration
IPv4 Address
RADIUS server address is configured in IPv4 address format.
RADIUS Client (Host)
(config)#radius-server login host 10.12.33.211 vrf management seq-num 1 key 0 testing123 | Specify the radius server ipv4 address to be configured with shared local key for management vrf. The same key should be present on the server config file. |
(config)#radius-server login host 1.1.1.2 seq-num 1 key 0 testing123 | Specify the radius server ipv4 address to be configured with shared local key for default vrf. The same key should be present on the server config file. |
(config)#aaa authentication login default vrf management group radius | Enable authentication for radius server configured for management VRF. Authorization is also enabled by default. |
(config)#aaa authentication login console group radius | Enable authentication for radius server configured for console login. Authorization is also enabled by default. |
(config)#aaa authentication login default vrf management group radius local | Enable authentication for radius server and fallback to local configured for management VRF. Authorization is also enabled by default |
(config)#aaa authentication login console group radius local | Enable authentication for radius server and fallback to local configured for default vrf. Authorization is also enabled by default |
Specify the privilege level in the RADIUS server's user configuration file; the RADIUS server returns the privilege level from this file to the client. The privilege level range is 0-15.
Validation
To verify the RADIUS authorization process, login from the host machine to Host IP with the authenticating user credentials and provide a RADIUS server password.
Execute the following show commands to verify the RADIUS authorization status.
OcNOS#sh running-config aaa
aaa authentication login default vrf management group radius
aaa authentication login console group radius
aaa authentication login default vrf management group radius local
aaa authentication login console group radius local
OcNOS#sh running-config radius
radius-server login host 10.12.33.211 vrf management seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
radius-server login host 1.1.1.1 seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
OcNOS#sh radius-server vrf management
timeout value: 5
Total number of servers:1
VRF: management
Following RADIUS servers are configured:
Radius Server : 10.12.33.211 (*)
Sequence Number : 1
available for authentication on port : 1812
available for accounting on port : 1813
RADIUS shared secret : ********
Failed Authentication count : 3
Successful Authentication count : 13
Failed Connection Request : 3
Last Successful authentication : 2023 November 30, 06:25:07
OcNOS#sh radius-server vrf management
timeout value: 5
Total number of servers:1
VRF: management
Following RADIUS servers are configured:
Radius Server : 1.1.1.1 (*)
Sequence Number : 1
available for authentication on port : 1812
available for accounting on port : 1813
RADIUS shared secret : ********
Failed Authentication count : 3
Successful Authentication count : 10
Failed Connection Request : 0
Last Successful authentication : 2023 November 30, 06:28:07
OcNOS#sh users
Current user : (*). Lock acquired by user : (#).
CLI user : [C]. Netconf users : [N].
Location : Applicable to CLI users.
Session : Applicable to NETCONF users.
Line User Idle Location/Session PID TYPE Role
(*) 0 con 0 [C]ocnos 0d00h00m ttyS0 5251 Local network-admin
130 vty 0 [C]ocnos 0d00h00m pts/0 5288 Remote network-user
131 vty 1 [C]abc 0d00h00m pts/1 5340 Remote network-engineer
132 vty 2 [C]ipi 0d00h00m pts/2 5350 Remote network-operator
IPv6 Address
RADIUS server address is configured in IPv6 address format.
RADIUS Client (Host)
OcNOS(config)#radius-server login host 2001:db8:100::2 vrf management seq-num 1 key 0 testing123 | Configure radius server with IPv6 address |
OcNOS(config)#aaa authentication login default vrf management group radius local | Configure AAA authentication |
(config)#interface eth0 | Navigate to the interface mode |
(config-if)#ipv6 address 2001:db8:100::5/64 | Configure IPv6 address on the eth0 interface |
(config-if)#exit | Exit interface configure mode |
(config)#commit | Commit the configuration |
(config)#exit | Exit configure mode |
Validation
To verify the RADIUS authorization process, login from the host machine to Host IP with the authenticating user credentials and provide a RADIUS server password.
Execute the following show commands to verify the RADIUS authorization status.
#show running-config radius
radius-server login host 2001:db8:100::2 vrf management seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
#show running-config aaa
aaa authentication login default vrf management group radius
#show ipv6 interface eth0 brief
Interface IPv6-Address Admin-Status
eth0 2001:db8:100::5 fe80::218:23ff:fe30:e6ba [up/up]
Implementation Examples
Following is an example for radius-server configuration file:
ipi    Cleartext-Password := "ipi123"
       Management-Privilege-Level := 12
ocnos  Cleartext-Password := "ocnos"
       Management-Privilege-Level := 0
abc    Cleartext-Password := "AC123"
       Management-Privilege-Level := 14
RADIUS Server Authentication Configuration
RADIUS Server Host Configuration
Host
#configure terminal | Enter configure mode. |
(config)# radius-server login key testing101 vrf management | Specify the global key for radius servers that are not configured with their respective keys for management vrf. This key should match the one present in the config file of the radius server. |
(config)# radius-server login key testing101 | Specify the global key for radius servers that are not configured with their respective keys for default vrf. This key should match the one present in the config file of the radius server. |
(config)# radius-server login host 10.16.19.2 vrf management seq-num 1 key testing123 | Specify the radius server ipv4 address to be configured with shared local key for management vrf. The same key should be present on the server config file. |
(config)# radius-server login host 10.16.19.2 seq-num 1 key testing123 | Specify the radius server ipv4 address to be configured with shared local key for default vrf. The same key should be present on the server config file. |
(config)# radius-server login host 10.12.30.86 vrf management seq-num 1 auth-port 1045 | Specify the radius server ipv4 address to be configured with port number for management vrf. The radius server should be started with same port number. |
(config)# radius-server login host 10.12.30.86 seq-num 1 auth-port 1045 | Specify the radius server ipv4 address to be configured with port number for default vrf.The radius server should be started with same port number |
(config)#radius-server login host 10.12.17.11 vrf management seq-num 1 key 7 wawyanb123 auth-port 60000 acct-port 60000 timeout 6 | Specify the radius server ipv4 address to be configured with authentication port number, accounting port number, shared key for management vrf. The radius server should be started with same port number. |
(config)#radius-server login host 10.12.17.11 seq-num 1 key 7 wawyanb123 auth-port 60000 acct-port 60000 timeout 6 | Specify the radius server ipv4 address to be configured with authentication port number, accounting port number, shared key for default vrf. The radius server should be started with same port number. |
(config)#radius-server login host Radius-Server-1 vrf management seq-num 2 key 7 wawyanb123 auth-port 60000 acct-port 60000 timeout 2 | Specify the radius server configured with hostname, key authentication port number, accounting port number, for management VRF. The radius server should be started with same port number |
(config)#radius-server login host Radius-Server-1 seq-num 2 key 7 wawyanb123 auth-port 60000 acct-port 60000 timeout 2 | Specify the radius server configured with hostname, sequence number, key and port number for default VRF. The radius server should be started with same port number. |
(config)#aaa authentication login default vrf management group radius | Enable authentication for radius server configured for management VRF. Authorization is also enabled by default |
(config)#aaa authentication login default group radius | Enable authentication for radius server configured for default vrf. Authorization is also enabled by default. |
(config)#aaa authentication login default vrf management group radius local | Enable authentication for radius server and fallback to local configured for management VRF. Authorization is also enabled by default |
(config)#aaa authentication login default group radius local | Enable authentication for radius server and fallback to local configured for default vrf. Authorization is also enabled by default |
(config)#aaa authentication login default vrf management group radius local none | Enable authentication for radius server, fallback to local followed by fallback to none, configured for management VRF. Authorization is also enabled by default |
(config)#aaa authentication login default radius local none | Enable authentication for radius server, fallback to local followed by fallback to none, configured for default vrf. Authorization is also enabled by default |
(config)#aaa authentication login default vrf management group radius none | Enable authentication for radius, fallback to none, configured for management VRF. Authorization is also enabled by default |
(config)#aaa authentication login default group radius none | Enable authentication for radius, fallback to none, configured for default VRF. Authorization is also enabled by default |
(config)#aaa group server radius G1 vrf management | Create aaa radius group G1 for management vrf |
(config)#aaa group server radius G1 | Create AAA radius group G1 for default VRF |
(config-radius)#server 10.12.30.86 | Make the radius server 10.12.30.86 a part of this group G1 for default VRF |
(config-radius)#server Radius-Server-1 | Make Radius-Server-1 a part of this group G1 |
(config-radius)#exit | Exit radius mode |
(config)#aaa group server radius G1 | Enter radius mode |
(config-radius)#server 10.12.30.86 | Make the radius server 10.12.30.86 a part of this group G1 for default vrf |
(config-radius)#server Radius-Server-1 | Make Radius-Server-1 a part of this group G1 |
(config-radius)#exit | Exit radius mode. |
(config)#aaa authentication login default vrf management group G1 | Authenticate with the RADIUS group G1 for management vrf |
(config)#aaa authentication login default group G1 | Authenticate with the RADIUS group G1 for default vrf |
Validation
To verify the RADIUS authentication process, use SSH or Telnet from the host machine to the Host IP with the authenticating user created on the RADIUS server, provide the RADIUS server password, and check whether the client validates the user with the corresponding username and password.
OcNOS#show radius-server vrf management
VRF: management
Global RADIUS shared secret: ********
timeout value: 5
Total number of servers:3
Following RADIUS servers are configured:
10.12.17.11:
available for authentication on port:60000
available for accounting on port:60000
timeout:6
RADIUS shared secret:********
10.12.30.86:
available for authentication on port:1045
available for accounting on port:1813
10.16.19.2:
available for authentication on port:1812
available for accounting on port:1813
RADIUS shared secret:********
#show radius-server vrf all
VRF: management
timeout value: 5
Total number of servers:2
Following RADIUS servers are configured:
100.0.0.1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
Radius-Server-1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
VRF: default
timeout value: 5
Total number of servers:2
Following RADIUS servers are configured:
Radius-Server-1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
100.0.0.1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
#show radius-server
VRF: default
timeout value: 5
Total number of servers:2
Following RADIUS servers are configured:
Radius-Server-1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
100.0.0.1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
#show radius-server vrf management sorted
VRF: management
timeout value: 5
Total number of servers:2
Following RADIUS servers are configured:
100.0.0.1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
Radius-Server-1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
#show radius-server vrf all sorted
VRF: management
timeout value: 5
Total number of servers:2
Following RADIUS servers are configured:
100.0.0.1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
Radius-Server-1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
VRF: default
timeout value: 5
Total number of servers:2
Following RADIUS servers are configured:
100.0.0.1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
Radius-Server-1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
#show radius-server sorted
VRF: default
timeout value: 5
Total number of servers:2
Following RADIUS servers are configured:
100.0.0.1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
Radius-Server-1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
#show radius-server vrf management groups
VRF: management
group radius:
server: all configured radius servers
group rad1:
server Radius-Server-1:
auth_port is 60000
acct_port is 60000
key is ********
server 100.0.0.1:
auth_port is 60000
acct_port is 60000
key is ********
#show radius-server vrf all groups
VRF: management
group radius:
server: all configured radius servers
group rad1:
server Radius-Server-1:
auth_port is 60000
acct_port is 60000
key is ********
server 100.0.0.1:
auth_port is 60000
acct_port is 60000
key is ********
VRF: default
group radius:
server: all configured radius servers
group rad1:
server Radius-Server-1:
auth_port is 60000
acct_port is 60000
key is ********
server 100.0.0.1:
auth_port is 60000
acct_port is 60000
key is ********
#show radius-server groups
VRF: default
group radius:
server: all configured radius servers
group rad1:
server Radius-Server-1:
auth_port is 60000
acct_port is 60000
key is ********
server 100.0.0.1:
auth_port is 60000
acct_port is 60000
key is ********
#show radius-server vrf management groups rad1
VRF: management
group rad1:
server Radius-Server-1
auth_port is 60000
acct_port is 60000
key is ********
server 100.0.0.1
auth_port is 60000
acct_port is 60000
key is ********
#show radius-server vrf all groups rad1
VRF: management
group rad1:
server Radius-Server-1
auth_port is 60000
acct_port is 60000
key is ********
server 100.0.0.1
auth_port is 60000
acct_port is 60000
key is ********
VRF: default
group rad1:
server Radius-Server-1
auth_port is 60000
acct_port is 60000
key is ********
server 100.0.0.1
auth_port is 60000
acct_port is 60000
key is ********
#show radius-server groups rad1
VRF: default
group rad1:
server Radius-Server-1
auth_port is 60000
acct_port is 60000
key is ********
server 100.0.0.1
auth_port is 60000
acct_port is 60000
key is ********
#show radius vrf management
VRF: management
timeout value: 5
Total number of servers:2
Following RADIUS servers are configured:
100.0.0.1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
Radius-Server-1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
#show radius vrf all
VRF: management
timeout value: 5
Total number of servers:2
Following RADIUS servers are configured:
100.0.0.1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
Radius-Server-1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
VRF: default
timeout value: 5
Total number of servers:2
Following RADIUS servers are configured:
Radius-Server-1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
100.0.0.1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
#show radius
VRF: default
timeout value: 5
Total number of servers:2
Following RADIUS servers are configured:
Radius-Server-1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
100.0.0.1:
available for authentication on port:60000
available for accounting on port:60000
RADIUS shared secret:********
#show aaa authentication vrf management
VRF: management
default: group radius
console: local
#show aaa authentication vrf all
VRF: management
default: group radius
console: local
VRF: default
default: group radius
console: local
#show aaa authentication
VRF: default
default: group radius
console: local
#show aaa groups vrf management
VRF: management
radius
rad1
rad1
#show aaa groups vrf all
VRF: management
radius
rad1
VRF: default
radius
rad1
#show aaa groups
VRF: default
radius
rad1
#show running-config radius
radius-server login host 100.0.0.1 vrf management seq-num 1 key 7 wawyanb123 auth-port 60000 acct-port 60000
radius-server login host Radius-Server-1 vrf management seq-num 1 key 7 wawyanb123 auth-port 60000 acct-port 60000
radius-server login host Radius-Server-1 seq-num 1 key 7 wawyanb123 auth-port 60000 acct-port 60000
radius-server login host 100.0.0.1 seq-num 1 key 7 wawyanb123 auth-port 60000 acct-port 60000
#show running-config aaa
aaa authentication login default vrf management group radius
aaa group server radius rad1 vrf management
server Radius-Server-1 vrf management
server 100.0.0.1 vrf management
aaa authentication login default group radius
aaa group server radius rad1
server Radius-Server-1
server 100.0.0.1
#show running-config aaa all
aaa authentication login default vrf management group radius
aaa authentication login console local
aaa accounting default vrf management local
no aaa authentication login default fallback error local vrf management
no aaa authentication login console fallback error local
no aaa authentication login error-enable vrf management
aaa local authentication attempts max-fail 3
aaa local authentication unlock-timeout 1200
aaa group server radius rad1 vrf management
server Radius-Server-1 vrf management
server 100.0.0.1 vrf management
aaa authentication login default group radius
aaa authentication login console local
aaa accounting default local
no aaa authentication login default fallback error local
no aaa authentication login console fallback error local
no aaa authentication login error-enable
aaa local authentication attempts max-fail 3
aaa local authentication unlock-timeout 1200
aaa group server radius rad1
server Radius-Server-1
server 100.0.0.1
RADIUS Server Accounting
You can configure accounting to measure the resources that a user consumes during access.
User
#configure terminal | Enter configure mode. |
(config)#radius-server login host 10.12.17.11 vrf management seq-num 1 key 7 wawyanb123 auth-port 60000 acct-port 60000 timeout 6 | Specify the radius server ipv4 address to be configured with authentication port number, accounting port number, shared key for management vrf. The radius server should be started with same port number. |
(config)#radius-server login host 10.12.17.11 seq-num 1 key 7 wawyanb123 auth-port 60000 acct-port 60000 timeout 6 | Specify the radius server ipv4 address to be configured with authentication port number, accounting port number, shared key for default vrf. The radius server should be started with same port number. |
(config)#aaa accounting default vrf management group radius | Enable accounting for radius server configured for vrf management |
(config)#aaa accounting default group radius | Enable accounting for radius server configured for default vrf |
Validation
#show aaa accounting vrf management
VRF: management
default: group radius
#show aaa accounting vrf all
VRF: management
default: group radius
VRF: default
default: group radius
#show aaa accounting
VRF: default
default: group radius
#
#show running-config aaa
aaa authentication login default vrf management group radius
aaa accounting default vrf management group radius
aaa group server radius rad1 vrf management
server Radius-Server-1 vrf management
server 100.0.0.1 vrf management
aaa authentication login default group radius
aaa accounting default group radius
aaa group server radius rad1
server Radius-Server-1
server 100.0.0.1
Sample RADIUS clients.conf File
client 10.12.58.20 {
secret = testing123
shortname = localhost
}
client 192.168.1.2 {
secret = testing123
shortname = localhost
}
client 10.12.37.196 {
secret = testing123
}
client 100.0.0.2 {
secret = testing123
shortname = localhost
}
# IPv6 Client
#client ::1 {
# secret = testing123
# shortname = localhost
#}
#
# All IPv6 Site-local clients
#client fe80::/16 {
# secret = testing123
# shortname = localhost
#}
Sample Radius Users Configuration File
#
#DEFAULT
# Service-Type = Login-User,
# Login-Service = Rlogin,
# Login-IP-Host = shellbox.ispdomain.com
# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
# Service-Type = Administrative-User
# On no match, the user is denied access.
selftest Cleartext-Password := "password"
testuser1 Cleartext-Password := "user1@101"
testuser2 Cleartext-Password := "user2@202"
testuser3 Cleartext-Password := "user3@303"
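A small audit of a FreeRADIUS-style users file like the two samples on this page (the Implementation Examples above and this one), written as an added Python example that is not part of the guide: it parses check items and reply items, then reports users that will land in the default network-user role because no Management-Privilege-Level is set, levels outside the 0-15 range stated above, and cleartext passwords. The sample text is constructed; its users and levels mirror the page's examples plus one deliberately bad entry.

```python
import re

PRIV_MIN, PRIV_MAX = 0, 15       # privilege level range stated in the guide
DEFAULT_ROLE = "network-user"    # role applied when no privilege level is returned

# Constructed sample in FreeRADIUS "users" syntax: check items on the user line,
# reply items on the following indented lines.
SAMPLE_USERS = """\
ipi\tCleartext-Password := "ipi123"
\tManagement-Privilege-Level := 12
ocnos\tCleartext-Password := "ocnos"
\tManagement-Privilege-Level := 0
abc\tCleartext-password :="AC123"
\tManagement-Privilege-Level := 14
selftest\tCleartext-Password := "password"
broken\tCleartext-Password := "x"
\tManagement-Privilege-Level := 99
"""

ENTRY_RE = re.compile(r"^(\S+)\s+(.*)$")
ITEM_RE = re.compile(r'([A-Za-z][\w-]*)\s*(:=|==|=|\+=)\s*("[^"]*"|\S+)')


def parse_users(text):
    """Return {username: {attribute_lowercase: value}} merging check and reply items."""
    users, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":          # indented continuation: reply items for current user
            if current is None:
                continue
            target, body = users[current], raw
        else:
            m = ENTRY_RE.match(raw)
            current = m.group(1)
            target, body = users.setdefault(current, {}), m.group(2)
        for name, _op, value in ITEM_RE.findall(body):
            target[name.lower()] = value.strip('"').rstrip(",")
    return users


def audit_users(text):
    """Return (user, finding) pairs a reviewer would want before pointing OcNOS at this file."""
    findings = []
    for user, attrs in parse_users(text).items():
        lvl = attrs.get("management-privilege-level")
        if lvl is None:
            findings.append((user, f"no privilege level; OcNOS assigns {DEFAULT_ROLE}"))
        elif not lvl.isdigit() or not PRIV_MIN <= int(lvl) <= PRIV_MAX:
            findings.append((user, f"privilege level {lvl} outside {PRIV_MIN}-{PRIV_MAX}"))
        if "cleartext-password" in attrs:
            findings.append((user, "password stored in cleartext in users file"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_users(SAMPLE_USERS):
        print(f"{user}: {finding}")
```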
Fall Back Option for RADIUS Authentication
Currently, Remote Authentication Dial-In User Service (RADIUS) authentication falls back to the local authentication server only when the RADIUS server is not reachable.
This behavior is modified to forward the authentication request to the local authentication server when RADIUS authentication fails or the server is not reachable.
Feature Characteristics
The RADIUS authentication mechanism is enhanced to fallback to local authentication server when the user
• is not present on RADIUS server or
• authentication fails from RADIUS server
To implement the above requirements, the existing CLI aaa authentication login default fallback error local non-existent-user vrf management is used to enable fallback to local authentication server. This is disabled by default.
Note: For an invalid secret key there is no fallback to local authentication.
Console authentication is not supported for RADIUS.
Benefits
By default, the fallback to local authentication is applied when the RADIUS server is unreachable. For other scenarios, enable the fallback using the CLI.
Configuration
Below is the existing CLI used to enable the fallback local authentication server.
aaa authentication login default fallback error local non-existent-user vrf management
Refer to Authentication, Authorization and Accounting section in the OcNOS System Management Configuration Guide, Release 6.4.1.
Validation
Configure aaa authentication console and verify console authentication:
OcNOS#con t
Enter configuration commands, one per line. End with CNTL/Z.
OcNOS(config)#radius-server login host 1.1.1.2 seq-num 1 key 0 kumar
OcNOS(config)#commit
OcNOS(config)#aaa authentication login console group radius
OcNOS(config)#commit
OcNOS(config)#exit
OcNOS#exit
OcNOS#show users
Current user : (*). Lock acquired by user : (#).
CLI user : [C]. Netconf users : [N].
Location : Applicable to CLI users.
Session : Applicable to NETCONF users.
Line User Idle Location/Session PID TYPE Role
(*) 0 con 0 [C]ocnos 0d00h00m ttyS0 5531 Remote network-admin
Enable RADIUS local fallback and verify the authentication:
OcNOS(config)#aaa authentication login console group radius local
OcNOS(config)#commit
OcNOS(config)#exit
OcNOS#exit
OcNOS>exit
OcNOS>enable
OcNOS#show users
Current user : (*). Lock acquired by user : (#).
CLI user : [C]. Netconf users : [N].
Location : Applicable to CLI users.
Session : Applicable to NETCONF users.
Line User Idle Location/Session PID TYPE Role
(*) 0 con 0 [C]test 0d00h00m ttyS0 5713 Local network-engineer
130 vty 0 [C]test 0d00h01m pts/0 5688 Local network-engineer
OcNOS#