RADIUS
Various add-on packages enable RADIUS users to log in to NVOS switches in a transparent way with minimal configuration. There is no need to create accounts or directories on the switch. Authentication uses PAM and includes login, ssh, restapi, sudo and su.
RADIUS configuration consists of global settings and per-server settings. If a per-server setting is not defined, the global setting is used.
All nv radius commands can be found in RADIUS Commands, where global ones are directly under /system/aaa/radius and per-server ones are under /system/aaa/radius/server/<hostname-id>.
NVOS supports three types of RADIUS users, defined by the Management-Privilege-Level attribute configured on the RADIUS server.
Management-Privilege-Level := 15 # admin privileged users (nv set, nv config apply)
Management-Privilege-Level := 7 # monitor privileged users (nv show)
Management-Privilege-Level := 1 # non-privileged users (no nv commands access)
The RADIUS server can run either on a remote host or on the switch itself (for testing or sanity checks).
Basic RADIUS Server Configuration
To conduct a basic RADIUS server configuration, add sections to the "users" and "clients.conf" files.
User File Example
radius_user Cleartext-Password := "radius_user_password"
    Management-Privilege-Level := <15,7,1>
Client File Example
client client_name {
    ipaddr = 10.1.2.3
    secret = radius-secret
}
# Or as CIDR block such as:
client 10.0.0.0/8 {
    secret = testing-radius
}
How To Set Up Basic FreeRADIUS Server
Run the following commands on a Debian machine or a similar Linux distribution.
sudo apt-get update
sudo apt-get install freeradius -y
Add your client IP to the /etc/freeradius/3.0/clients.conf file as:
client client_name {
    ipaddr = <CLIENT_IP>
    secret = mysecret
}
or use a CIDR block:
client 10.0.0.0/8 {
    secret = global-secret
}
Add your required RADIUS users to the /etc/freeradius/3.0/users file as:
radius_admin_user Cleartext-Password := "radius_password"
    Management-Privilege-Level := 15
radius_monitor_user Cleartext-Password := "radius_password"
    Management-Privilege-Level := 7
radius_non_priv_user Cleartext-Password := "radius_password"
    Management-Privilege-Level := 1
Restart the FreeRADIUS service (and make sure it is running).
sudo service freeradius restart
sudo service freeradius status
Configure the RADIUS client (the switch) to use this server:
admin@nvos:~$ nv set system aaa radius server <radius-server-ip> secret radius-secret
admin@nvos:~$ nv set system aaa authentication order radius,local
admin@nvos:~$ nv config apply -y
Example:
admin@nvos:~$ nv set system aaa radius server 192.168.0.254 port 42
admin@nvos:~$ nv set system aaa radius server 192.168.0.254 secret 'myradius$key'
admin@nvos:~$ nv set system aaa radius server 192.168.0.254 priority 1
admin@nvos:~$ nv set system aaa authentication order radius,local
admin@nvos:~$ nv config apply
Log in with the configured users.
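As an added example (not part of NVOS or FreeRADIUS), the following Python script parses a users file in the format shown above and maps each entry's Management-Privilege-Level to the NVOS role this page documents (15 admin, 7 monitor, 1 non-privileged), flagging entries that carry no level or a level NVOS does not define. The sample file content is constructed for the example.

```python
import re

# NVOS roles by Management-Privilege-Level, as documented on this page
NVOS_ROLES = {15: "admin", 7: "monitor", 1: "non-privileged"}

# Constructed sample 'users' file: the three documented users plus two
# entries that should be flagged (undefined level 9, missing level).
SAMPLE_USERS_FILE = """\
radius_admin_user Cleartext-Password := "radius_password"
    Management-Privilege-Level := 15
radius_monitor_user Cleartext-Password := "radius_password"
    Management-Privilege-Level := 7
radius_non_priv_user Cleartext-Password := "radius_password"
    Management-Privilege-Level := 1
radius_user_bad Cleartext-Password := "radius_password"
    Management-Privilege-Level := 9
radius_user_none Cleartext-Password := "radius_password"
"""

# Entry line: user name at column 0 followed by the check item
ENTRY_RE = re.compile(r'^(\S+)\s+Cleartext-Password\s*:=\s*"[^"]*"')
# Reply item: indented continuation line carrying the privilege level
LEVEL_RE = re.compile(r'^\s+Management-Privilege-Level\s*:=\s*(\d+)')

def parse_users(text):
    """Return {username: privilege level} (None when no level is set)."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = m.group(1)
            users[current] = None
            continue
        m = LEVEL_RE.match(line)
        if m and current is not None:
            users[current] = int(m.group(1))
    return users

def audit(text):
    """Map users to NVOS roles and list entries that need review."""
    roles, findings = {}, []
    for user, level in parse_users(text).items():
        roles[user] = NVOS_ROLES.get(level)
        if level is None:
            findings.append(f"{user}: no Management-Privilege-Level reply item")
        elif roles[user] is None:
            findings.append(f"{user}: level {level} is not 15, 7 or 1")
    return roles, findings
```

Running audit(SAMPLE_USERS_FILE) maps the three documented users to admin, monitor and non-privileged and reports the two constructed problem entries.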
You can configure the following global RADIUS settings and server-specific settings.
Setting | Description |
retransmit | The maximum number of retransmission attempts allowed for requests when a RADIUS authentication request times out. This is a global option only; you cannot set the number of retransmission attempts for specific RADIUS servers. |
timeout | The timeout value when a server is slow or latencies are high. You can set a value between 1 and 60. The default timeout is 3 seconds. If you configure multiple RADIUS servers, you can set a global timeout for all servers. |
auth-type | RADIUS authentication type to use. |
statistics | Global configuration to record RADIUS statistics. |
The following example configures global RADIUS settings:
admin@nvos:~$ nv set system aaa radius retransmit 8
admin@nvos:~$ nv set system aaa radius timeout 10
admin@nvos:~$ nv set system aaa radius auth-type chap
admin@nvos:~$ nv set system aaa radius statistics enabled
admin@nvos:~$ nv config apply
The following example configures RADIUS settings for a specific RADIUS server:
admin@nvos:~$ nv set system aaa radius server 192.168.0.254 port 1811
admin@nvos:~$ nv set system aaa radius server 192.168.0.254 retransmit 5
admin@nvos:~$ nv set system aaa radius server 192.168.0.254 auth-type chap
admin@nvos:~$ nv set system aaa radius server 192.168.0.254 timeout 10
admin@nvos:~$ nv config apply
To show global RADIUS configuration, run the nv show system aaa radius command:
admin@nvos:~$ nv show system aaa radius
operational applied
---------- ----------- --------
port 1812 1812
auth-type mschapv2 mschapv2
timeout 5 5
retransmit 0 0
statistics disabled disabled
[server] 192.168.0.254 192.168.0.254
To show all RADIUS configured servers, run the nv show system aaa radius server command:
admin@nvos:~$ nv show system aaa radius server
Server Port Priority Password Timeout
------------- ---- -------- -------- -------
192.168.0.254 42 1 * 10
To show configuration for a specific RADIUS server, run the nv show system aaa radius server <server> command:
admin@nvos:~$ nv show system aaa radius server 192.168.0.254
operational applied
--------- ------------ ------------
port 42 42
timeout 10 10
secret * *
priority 1 1
If two or more RADIUS users log in simultaneously, a UID lookup returns only the user that logged in first. Any process that either user runs applies to both users, and all files that either user creates apply to the first name matched. This behaviour is equivalent to adding two local users to the password file with the same UID and GID, and is an inherent limitation of using the UID of the fixed user from the password file. The current algorithm returns the first name matching the UID from the mapping file, which is either the first or second user that logs in.