RADIUS

Various add-on packages enable RADIUS users to log in to NVOS switches in a transparent way with minimal configuration. There is no need to create accounts or directories on the switch. Authentication uses PAM and includes login, ssh, restapi, sudo and su.

RADIUS configuration is made of global configurations and per-server configurations. In general, if per-server configuration is not defined, the configuration will be taken from the global configuration.

All nv radius commands can be found in .RADIUS Commands, where global ones are direct under /system/aaa/radius and per-server ones or under /system/aaa/radius/hostname/<hostname-id>

NVOS supports 3 types of RADIUS users, defined by Management-Privilege-Level configured in radius-server.

• Management-Privilege-Level := 15 # admin privileged users (nv set, nv config apply)

• Management-Privilege-Level := 7 # monitor privileged users (nv show)

• Management-Privilege-Level := 1 # non-privileged users (no nv commands access)

Radius server can be configured either on a remote host, or on the switch itself (for testing or sanity-check).

Basic RADIUS Server Configuration

To conduct a basic RADIUS server configuration, add sections to "users" and "clients.conf" files.

User File Example

            

            
radius_user Cleartext-Password := "radius_user_password"
        Management-Privilege-Level := <15,7,1> 
        

Client File Example

            

            
client client_name {
        ipaddr          = 10.1.2.3
        secret          = radius-secret
}
# Or as  CIDR block such as:
client 10.0.0.0/8 {
        secret          = testing-radius
}
        

How To Set Up Basic FreeRADIUS Server

1. Run the following command in a Debian machine or other similar Linux distributions.

   Copy

   Copied!

               
   
               
   sudo apt-get update
   sudo apt-get install freeradius -y
           

2. Add your client IP to /etc/freeradius/3.0/clients.conf file as:

   Copy

   Copied!

               
   
               
   client client_name {
           ipaddr          = <CLIENT_IP>
           secret          = mysecret
   }
           

   or use CIDR block:

   Copy

   Copied!

               
   
               
   client 10.0.0.0/8 {
           secret          = global-secret
   }
           

3. Add your required radius users to /etc/freeradius/3.0/users file as:

   Copy

   Copied!

               
   
               
   radius_admin_user Cleartext-Password := "radius_password"
           Management-Privilege-Level := 15
    
   radius_monitor_user Cleartext-Password := "radius_password"
           Management-Privilege-Level := 7
    
   radius_non_priv_user Cleartext-Password := "radius_password"
           Management-Privilege-Level := 1
           

4. Reboot freeRADIUS service (and make sure it is running).

   Copy

   Copied!

               
   
               
   sudo service freeradius restart
   sudo service freeradius status
           

5. Configure RADIUS client to use such server.

   Copy

   Copied!

               
   
               
   admin@nvos:~$ nv set system aaa radius hostname <radius-server-ip> secret radius-secret
   admin@nvos:~$ nv set system aaa authentication order radius,local
   admin@nvos:~$ nv config apply -y
           

6. Login with configured users.

• RADIUS Commands