RADIUS
Various add-on packages enable RADIUS users to log in to NVOS switches transparently and with minimal configuration. There is no need to create accounts or home directories on the switch. Authentication uses PAM and covers login, ssh, restapi, sudo and su.
RADIUS configuration consists of global settings and per-server settings. If a per-server setting is not defined, the value from the global configuration is used.
All nv radius commands are listed in RADIUS Commands; global ones sit directly under /system/aaa/radius and per-server ones under /system/aaa/radius/server/<hostname-id>.
NVOS supports three types of RADIUS users, selected by the Management-Privilege-Level attribute that the RADIUS server returns for the user.
Management-Privilege-Level := 15 # admin privileged users (nv set, nv config apply)
Management-Privilege-Level := 7 # monitor privileged users (nv show)
Management-Privilege-Level := 1 # non-privileged users (no nv commands access)
The RADIUS server can run either on a remote host or on the switch itself (for testing or a sanity check).
Basic RADIUS Server Configuration
For a basic RADIUS server configuration, add entries to the users and clients.conf files.
User File Example
radius_user Cleartext-Password := "radius_user_password"
    Management-Privilege-Level := <15|7|1>
Client File Example
client client_name {
ipaddr = 10.1.2.3
secret = radius-secret
}
# Or as CIDR block such as:
client 10.0.0.0/8 {
secret = testing-radius
}
How To Set Up Basic FreeRADIUS Server
Run the following commands on a Debian machine or a similar Linux distribution.
sudo apt-get update
sudo apt-get install freeradius -y
Add your client IP to the /etc/freeradius/3.0/clients.conf file as:
client client_name {
    ipaddr = <CLIENT_IP>
    secret = mysecret
}
or use a CIDR block:
client 10.0.0.0/8 {
    secret = global-secret
}
Add your required RADIUS users to the /etc/freeradius/3.0/users file as:
radius_admin_user Cleartext-Password := "radius_password"
    Management-Privilege-Level := 15
radius_monitor_user Cleartext-Password := "radius_password"
    Management-Privilege-Level := 7
radius_non_priv_user Cleartext-Password := "radius_password"
    Management-Privilege-Level := 1
Restart the freeradius service and make sure it is running:
sudo service freeradius restart
sudo service freeradius status
Configure the RADIUS client (the switch) to use this server:
admin@nvos:~$ nv set system aaa radius server <radius-server-ip> secret radius-secret
admin@nvos:~$ nv set system aaa authentication order radius,local
admin@nvos:~$ nv config apply -y
Log in with the configured users.
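Mistakes in the users and clients.conf entries above tend to surface only at login time: a Management-Privilege-Level the switch does not map to a role, a user without the attribute at all, or a placeholder secret and an over-broad client block left in place from the setup walkthrough. The following Python script is an added example, not part of this page and not FreeRADIUS or NVOS code; it parses both files and reports such entries. The sample file contents are constructed here, and the 16-character minimum secret length and the /24 client-block threshold are this script's own policy assumptions, not values the page prescribes.

```python
"""Audit FreeRADIUS users and clients.conf entries meant for NVOS switches."""
import ipaddress
import re

# NVOS role implied by each supported Management-Privilege-Level value.
VALID_LEVELS = {15: "admin", 7: "monitor", 1: "non-privileged"}
# Documentation placeholders plus the FreeRADIUS default client secret (testing123).
PLACEHOLDER_SECRETS = {"testing123", "mysecret", "radius-secret",
                       "testing-radius", "global-secret"}
MIN_SECRET_LEN = 16   # local policy threshold; an assumption of this script
MAX_PREFIX_LEN = 24   # flag client blocks wider than a /24; also an assumption

_LEVEL_RE = re.compile(r"Management-Privilege-Level\s*:?=\s*(\d+)")
_CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)  # no nested sub-blocks
_KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)

# Constructed sample file contents, not copied from any real server.
SAMPLE_USERS = """\
radius_admin_user Cleartext-Password := "radius_password"
\tManagement-Privilege-Level := 15
radius_monitor_user Cleartext-Password := "radius_password"
\tManagement-Privilege-Level := 7
radius_non_priv_user Cleartext-Password := "radius_password"
\tManagement-Privilege-Level := 1
stale_user Cleartext-Password := "radius_password"
\tManagement-Privilege-Level := 9
no_level_user Cleartext-Password := "radius_password"
"""
SAMPLE_CLIENTS = """\
client switch01 {
    ipaddr = 10.1.2.3
    secret = radius-secret
}
client 10.0.0.0/8 {
    secret = testing-radius
}
client sw-core {
    ipaddr = 192.0.2.20
    secret = "v7Qz!pL2mX9rT4wB8kN1sH6d"
}
"""

def parse_users(text):
    """Map each users-file entry to its Management-Privilege-Level (None if absent).
    An entry starts in column 0; the indented lines after it are its reply items."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":
            current = line.split()[0]
            users.setdefault(current, None)
        m = _LEVEL_RE.search(line)
        if m and current is not None:
            users[current] = int(m.group(1))
    return users

def audit_users(users):
    """Return {user: problem} for entries that do not map to an NVOS role."""
    problems = {}
    for name, level in users.items():
        if level is None:
            problems[name] = "no Management-Privilege-Level reply item"
        elif level not in VALID_LEVELS:
            problems[name] = f"unsupported level {level} (expected 15, 7 or 1)"
    return problems

def parse_clients(text):
    """Return [(name, ip_network or None, secret)] for each client block."""
    clients = []
    for name, body in _CLIENT_RE.findall(text):
        kv = {k: v.strip("\"'") for k, v in _KV_RE.findall(body)}
        target = kv.get("ipaddr", name)        # a bare CIDR block is the name itself
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            net = None                         # hostname; width cannot be judged
        clients.append((name, net, kv.get("secret", "")))
    return clients

def audit_clients(clients):
    """Return {client: [issues]} for weak secrets and over-broad address blocks."""
    report = {}
    for name, net, secret in clients:
        issues = []
        if not secret:
            issues.append("missing-secret")
        elif secret in PLACEHOLDER_SECRETS:
            issues.append("placeholder-secret")
        if secret and len(secret) < MIN_SECRET_LEN:
            issues.append("short-secret")
        if net is not None and net.prefixlen < MAX_PREFIX_LEN:
            issues.append("wide-block")
        if issues:
            report[name] = issues
    return report

if __name__ == "__main__":
    print(audit_users(parse_users(SAMPLE_USERS)))
    print(audit_clients(parse_clients(SAMPLE_CLIENTS)))
```

Run against the constructed samples, the script flags stale_user (level 9) and no_level_user in the users file, and both switch01 and the 10.0.0.0/8 block in clients.conf for placeholder and short secrets, with the /8 additionally flagged as a wide block; sw-core passes. A client block that is a whole /8 with one secret means any host in that range that learns the secret can talk to the server as a NAS, which is why the width check is worth keeping alongside the secret check.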
After you install the required RADIUS packages, configure the following required settings on the switch (the RADIUS client):
Set the IP address or hostname of at least one RADIUS server. You can specify a port for the server (optional). The default port number is 1812.
Set the secret key shared between the RADIUS server and client. If you include special characters in the key (such as $), you must enclose the key in single quotes (').
If you use NVUE commands to configure RADIUS, you must also:
Set the priority at which NVOS contacts a RADIUS server for load balancing. You can set a value between 1 and 8; a lower value means a higher priority.
The following example commands set:
The IP address of the RADIUS server to 192.168.0.254 and the port to 42.
The secret to 'myradius$key'.
The priority at which NVOS contacts the RADIUS server to 1.
The authentication order so that RADIUS authentication has priority over local.
admin@nvos:~$ nv set system aaa radius server 192.168.0.254 port 42
admin@nvos:~$ nv set system aaa radius server 192.168.0.254 secret 'myradius$key'
admin@nvos:~$ nv set system aaa radius server 192.168.0.254 priority 1
admin@nvos:~$ nv set system aaa authentication order radius,local
admin@nvos:~$ nv config apply
You can configure the following global RADIUS settings and server specific settings.
Setting | Description
retransmit | The maximum number of retransmission attempts allowed for requests when a RADIUS authentication request times out. This is a global option only; you cannot set the number of retransmission attempts for specific RADIUS servers.
timeout | The timeout, in seconds, to use when a server is slow or latencies are high. You can set a value between 1 and 60. The default timeout is 3 seconds. If you configure multiple RADIUS servers, you can set a global timeout for all servers.
auth-type | The RADIUS authentication type to use, such as chap or mschapv2.
statistics | Global configuration to record RADIUS statistics.
The following example configures global RADIUS settings:
admin@nvos:~$ nv set system aaa radius retransmit 8
admin@nvos:~$ nv set system aaa radius timeout 10
admin@nvos:~$ nv set system aaa radius auth-type chap
admin@nvos:~$ nv set system aaa radius statistics enabled
admin@nvos:~$ nv config apply
The following example configures RADIUS settings for a specific RADIUS server:
admin@nvos:~$ nv set system aaa radius server 192.168.0.254 port 1811
admin@nvos:~$ nv set system aaa radius server 192.168.0.254 retransmit 5
admin@nvos:~$ nv set system aaa radius server 192.168.0.254 auth-type chap
admin@nvos:~$ nv set system aaa radius server 192.168.0.254 timeout 10
admin@nvos:~$ nv config apply
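To see what the shared secret and the auth-type setting actually protect, the following Python script is an added example (not NVOS, FreeRADIUS or pam_radius_auth code) that builds a PAP Access-Request as RFC 2865 describes, hides the password with the secret, answers it the way a server would, and checks the Response Authenticator on the client side. It covers auth-type pap only; chap and mschapv2 use different challenge schemes. The packet codes and attribute types are those of RFC 2865; the user database, the secret and the fixed Request Authenticator are constructed for the demo (a real client must use 16 fresh random bytes per request, for example os.urandom(16)).

```python
"""RADIUS PAP exchange per RFC 2865: password hiding and response authentication."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2              # standard attribute types

def attr(atype, value):
    """Encode one Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(data):
    """Decode TLV attributes into {type: value}; stop at a malformed length."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            break
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password: the keystream depends only on the secret,
    the Request Authenticator and the previous hidden block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, authenticator, username, password, secret):
    """Client side; authenticator must be 16 fresh random bytes per request."""
    attrs = attr(USER_NAME, username) + attr(
        USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def build_response(code, request, secret, attrs=b""):
    """Server side; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs

def server_handle(request, secret, userdb):
    """Server side: recover the PAP password and answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return build_response(ACCESS_REJECT, request, secret)
    attrs = parse_attrs(request[20:length])
    hidden = attrs.get(USER_PASSWORD, b"")
    password = unhide_password(hidden, secret, request[4:20]) if hidden else b""
    expected = userdb.get(attrs.get(USER_NAME), b"")
    ok = bool(expected) and hmac.compare_digest(password, expected)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)

def verify_response(response, request, secret):
    """Client side: drop a reply that answers another ID or whose authenticator
    was not computed with the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if struct.unpack("!H", header[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

# Constructed demo values; the authenticator is fixed only so the run is reproducible.
SECRET = b"myradius$key"
USERDB = {b"radius_admin_user": b"radius_password"}
DEMO_AUTH = bytes(range(16))

def demo(server_secret=SECRET):
    """One exchange using the switch-side secret SECRET; returns (reply code, verified)."""
    req = build_access_request(7, DEMO_AUTH, b"radius_admin_user",
                               b"radius_password", SECRET)
    resp = server_handle(req, server_secret, USERDB)
    return resp[0], verify_response(resp, req, SECRET)
```

demo() returns (2, True): the server recovers the password, answers Access-Accept, and the client verifies the reply. demo(b"wrong") returns (3, False): a server holding a different secret unhides garbage and rejects, and its reply fails verification on the client, which is the same failure you get from a secret typo on either side. The password hiding is a keystream derived from the secret and the Request Authenticator alone, so anyone capturing the UDP exchange can brute-force a guessable secret offline and then recover every PAP password sent with it; that is the practical reason the secret in the nv set commands above must be long and random, not a placeholder.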
To show global RADIUS configuration, run the nv show system aaa radius command:
admin@nvos:~$ nv show system aaa radius
            operational    applied
----------  -------------  -------------
port        1812           1812
auth-type   mschapv2       mschapv2
timeout     5              5
retransmit  0              0
statistics  disabled       disabled
[server]    192.168.0.254  192.168.0.254
To show all RADIUS configured servers, run the nv show system aaa radius server command:
admin@nvos:~$ nv show system aaa radius server
Server         Port  Priority  Password  Timeout
-------------  ----  --------  --------  -------
192.168.0.254  42    1         *         10
To show configuration for a specific RADIUS server, run the nv show system aaa radius server <server> command:
admin@nvos:~$ nv show system aaa radius server 192.168.0.254
          operational  applied
--------  -----------  -------
port      42           42
timeout   10           10
secret    *            *
priority  1            1
If two or more RADIUS users are logged in at the same time, a UID lookup returns only the user who logged in first. Any process that either user runs is attributed to both, and all files that either user creates are attributed to the first name matched, so audit records cannot reliably tell the two RADIUS users apart. This is equivalent to adding two local users with the same UID and GID to the password file, and is an inherent limitation of mapping RADIUS users to the fixed UID from the password file. The current algorithm returns the first name matching the UID from the mapping file, which is either the first or the second user that logs in.
When you install both the TACACS+ and the RADIUS AAA client, NVOS does not attempt the RADIUS login. As a workaround, do not install both the TACACS+ and the RADIUS AAA client on the same switch.
When the RADIUS server is reachable outside of the management VRF, such as through the default VRF, you might see the following error messages when you try to run sudo:
2008-10-31T07:06:36.191359+00:00 SW01 sudo: pam_radius_auth(sudo:auth): Bind for server 10.1.1.25 failed: Cannot assign requested address
2008-10-31T07:06:36.192307+00:00 sw01 sudo: pam_radius_auth(sudo:auth): No valid server found in configuration file /etc/pam_radius_auth.conf
The error occurs because sudo tries to authenticate to the RADIUS server through the management VRF. Before you run sudo, you must set the shell to the correct VRF:
admin@nvos:~$ vrf exec default bash
admin@nvos:~$ sudo