RADIUS Client Configuration

Overview

Remote Authentication Dial-In User Service (RADIUS) is a remote authentication protocol that is used to communicate with an authentication server.

A RADIUS server is responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user.

The key points for RADIUS authentication are:

Transactions between the client and the server are authenticated through the use of a shared key, and this key is never sent over the network.
The password is encrypted before it is sent over the network.

As part of the RADIUS client, OcNOS supports authentication and accounting via a RADIUS server. Authorization is not supported.
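The two key points above (a shared key that never crosses the wire, and a password that is hidden before it is sent) are easiest to see in the packet arithmetic itself. The following Python is an added example, not OcNOS code or vendor material: it shows how a RADIUS client hides the User-Password with the shared key and the Request Authenticator, how it checks the Response Authenticator on the server's reply, and how an Accounting-Request authenticator is formed (RFC 2865 / RFC 2866). The secret, username and password are constructed sample values.

```python
# Added example (not OcNOS code): RADIUS shared-key mechanics, RFC 2865 / RFC 2866.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
USER_NAME, USER_PASSWORD = 1, 2

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; a different secret yields garbage.
    Padding NULs are stripped, so the demo assumes passwords without trailing NULs."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return bytes([atype, len(value) + 2]) + value

def build_access_request(ident, request_auth, user, password, secret):
    """Client: Access-Request carrying User-Name and the hidden User-Password."""
    attrs = attribute(USER_NAME, user)
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_response(code, ident, request_auth, attrs, secret):
    """Server: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(packet, request_auth, secret) -> bool:
    """Client: accept a reply only if it was produced with the same shared key."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

def build_accounting_request(ident, attrs, secret):
    """Client: RFC 2866 authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest() + attrs

def verify_accounting_request(packet, secret) -> bool:
    """Server: same check as verify_response, with the authenticator field zeroed."""
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)
```

A mismatched key on either side shows up exactly as the guide's "key should match" notes predict: the server cannot recover the password and the client rejects the reply, with no secret ever appearing in the packet.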

RADIUS Server Authentication

IPv4 Address

The RADIUS server address is configured as an IPv4 address.

Topology

Figure 8. RADIUS Server Host Configuration

Host

#configure terminal

Enter configure mode.

(config)#radius-server login key 0 testing101 vrf management

Specify the global key for RADIUS servers in the management VRF that are not configured with their own keys. This key should match the one present in the RADIUS server's configuration file.

(config)#radius-server login key 0 testing101

Specify the global key for RADIUS servers in the default VRF that are not configured with their own keys. This key should match the one present in the RADIUS server's configuration file.

(config)#radius-server login host 10.12.17.13 vrf management seq-num 1 key 7 testing123

Specify the RADIUS server IPv4 address configured with a shared local key for the management VRF. The same key should be present in the server's configuration file.

(config)#radius-server login host 10.12.17.13 seq-num 2 key 0 testing123

Specify the RADIUS server IPv4 address configured with a shared local key for the default VRF. The same key should be present in the server's configuration file.

(config)#radius-server login host 10.12.17.11 vrf management seq-num 1 auth-port 1045

Specify the RADIUS server IPv4 address configured with a port number for the management VRF. The RADIUS server should be started with the same port number.

(config)#radius-server login host 10.12.17.11 seq-num 1 auth-port 1045

Specify the RADIUS server IPv4 address configured with a port number for the default VRF. The RADIUS server should be started with the same port number.

(config)#radius-server login host 10.12.17.11 vrf management seq-num 1 key 7 wawyanb123 auth-port 60000 acct-port 60000 timeout 6

Specify the RADIUS server IPv4 address configured with an authentication port number, an accounting port number and a shared key for the management VRF. The RADIUS server should be started with the same port numbers.

(config)#radius-server login host 10.12.17.11 seq-num 1 key 7 wawyanb123 auth-port 60000 acct-port 60000 timeout 6

Specify the RADIUS server IPv4 address configured with an authentication port number, an accounting port number and a shared key for the default VRF. The RADIUS server should be started with the same port numbers.

(config)#radius-server login host Radius-Server-1 vrf management seq-num 2 key 7 wawyanb123 auth-port 60000 acct-port 60000 timeout 2

Specify the RADIUS server configured with a hostname, key, authentication port number and accounting port number for the management VRF (Virtual Routing and Forwarding). The RADIUS server should be started with the same port numbers.

(config)#radius-server login host Radius-Server-1 seq-num 2 key 7 wawyanb123 auth-port 60000 acct-port 60000 timeout 2

Specify the RADIUS server configured with a hostname, sequence number, key and port numbers for the default VRF. The RADIUS server should be started with the same port numbers.

(config)#aaa authentication login default vrf management group radius

Enable authentication against the RADIUS server configured for the management VRF. Authorization is also enabled by default.

(config)#aaa authentication login default group radius

Enable authentication against the RADIUS server configured for the default VRF. Authorization is also enabled by default.

(config)#aaa authentication login default vrf management group radius local

Enable authentication against the RADIUS server, with fallback to local authentication, for the management VRF. Authorization is also enabled by default.

(config)#aaa authentication login default group radius local

Enable authentication against the RADIUS server, with fallback to local authentication, for the default VRF. Authorization is also enabled by default.

(config)#aaa authentication login default vrf management group radius local none

Enable authentication against the RADIUS server, with fallback to local authentication and then to none, for the management VRF. Authorization is also enabled by default.

(config)#aaa authentication login default radius local none

Enable authentication against the RADIUS server, with fallback to local authentication and then to none, for the default VRF. Authorization is also enabled by default.

(config)#aaa authentication login default vrf management group radius none

Enable authentication against RADIUS, with fallback to none, for the management VRF. Authorization is also enabled by default.

(config)#aaa authentication login default group radius none

Enable authentication against RADIUS, with fallback to none, for the default VRF. Authorization is also enabled by default.

(config)#aaa group server radius G1 vrf management

Create AAA RADIUS group G1 for the management VRF.

(config)#aaa group server radius G1

Create AAA RADIUS group G1 for the default VRF.

(config-radius)#server 10.12.17.11

Make RADIUS server 10.12.17.11 a member of group G1 for the default VRF.

(config-radius)#server Radius-Server-1

Make Radius-Server-1 a member of group G1.

(config-radius)#exit

Exit RADIUS group configuration mode.

(config)#commit

Commit the configuration.

(config)#aaa group server radius G1

Enter RADIUS group configuration mode.

(config)#aaa authentication login default vrf management group G1

Use RADIUS group G1 for AAA login authentication in the management VRF.

(config)#aaa authentication login default group G1

Use RADIUS group G1 for AAA login authentication in the default VRF.

(config)#commit

Commit the configuration.

Validation

To verify RADIUS authentication, use SSH or Telnet from the host machine to the host IP with the user created on the RADIUS server, supply that user's RADIUS password, and check that the client validates the user with the corresponding username and password.

#show radius-server vrf management

VRF: management

timeout value: 5

 

Total number of servers:2

 

Following RADIUS servers are configured:

Radius Server : 10.12.17.13

Sequence Number : 1

available for authentication on port : 60000

available for accounting on port : 60000

timeout : 2

RADIUS shared secret : ********

Failed Authentication count : 0

Successful Authentication count : 2

Failed Connection Request : 2

Last Successful authentication : 2000 January 05, 20:55:44

Radius Server : 10.12.17.11 (*)

Sequence Number : 2

available for authentication on port : 60000

available for accounting on port : 60000

timeout : 2

RADIUS shared secret : ********

Failed Authentication count : 1

Successful Authentication count : 1

Failed Connection Request : 0

Last Successful authentication : 2000 January 05, 20:58:33

 

#show radius-server

VRF: default

timeout value: 5

 

Total number of servers:4

 

Following RADIUS servers are configured:

Radius Server : 192.168.1.1

Sequence Number : 1

available for authentication on port : 60000

available for accounting on port : 60000

timeout : 2

RADIUS shared secret : ********

Failed Authentication count : 0

Successful Authentication count : 1

Failed Connection Request : 2

Last Successful authentication : 2000 January 05, 20:45:09

 

Radius Server : 100.0.0.1 (*)

Sequence Number : 2

available for authentication on port : 60000

available for accounting on port : 60000

timeout : 2

 

Radius Server : 100.0.0.1 (*)

Sequence Number : 2

available for authentication on port : 60000

available for accounting on port : 60000

timeout : 2

RADIUS shared secret : ********

Failed Authentication count : 1

Successful Authentication count : 1

Failed Connection Request : 0

Last Successful authentication : 2000 January 05, 20:46:36

 


#show radius-server vrf all

VRF: management

timeout value: 5

 

Total number of servers:2

 

Following RADIUS servers are configured:

Radius Server : 10.12.17.13

Sequence Number : 1

available for authentication on port : 60000

available for accounting on port : 60000

timeout : 2

RADIUS shared secret : ********

Failed Authentication count : 0

Successful Authentication count : 2

Failed Connection Request : 2

Last Successful authentication : 2000 January 05, 20:55:44

Radius Server : 10.12.17.11 (*)

Sequence Number : 2

available for authentication on port : 60000

available for accounting on port : 60000

timeout : 2

RADIUS shared secret : ********

Failed Authentication count : 1

Successful Authentication count : 1

Failed Connection Request : 0

Last Successful authentication : 2000 January 05, 20:58:33

 

VRF: default

timeout value: 5

 

Total number of servers:4

 

Following RADIUS servers are configured:

Radius Server : 192.168.1.1

Sequence Number : 1

available for authentication on port : 60000

available for accounting on port : 60000

timeout : 2

RADIUS shared secret : ********

Failed Authentication count : 0

Successful Authentication count : 1

Failed Connection Request : 2

Last Successful authentication : 2000 January 05, 20:45:09

 

Radius Server : 100.0.0.1 (*)

Sequence Number : 2

available for authentication on port : 60000

available for accounting on port : 60000

timeout : 2

RADIUS shared secret : ********

Failed Authentication count : 1

Successful Authentication count : 1

Failed Connection Request : 0

Last Successful authentication : 2000 January 05, 20:46:36

 

#show running-config radius

radius-server login key 7 0x6f32ba3f9e05a3db vrf management

radius-server login host 10.12.17.13 vrf management seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb

 

#show running-config aaa

aaa authentication login default vrf management group radius

aaa group server radius rad1 vrf management

server Radius-Server-1 vrf management

server 100.0.0.1 vrf management

 

aaa authentication login default group radius

aaa group server radius rad1

server Radius-Server-1

server 100.0.0.1

 

#show running-config aaa all

aaa authentication login default vrf management group radius

aaa authentication login console local

aaa accounting default vrf management local

no aaa authentication login default fallback error local vrf management

no aaa authentication login console fallback error local

no aaa authentication login error-enable vrf management

aaa local authentication attempts max-fail 3

aaa local authentication unlock-timeout 1200

aaa group server radius rad1 vrf management

server Radius-Server-1 vrf management

server 100.0.0.1 vrf management

 

aaa authentication login default group radius

aaa authentication login console local

aaa accounting default local

no aaa authentication login default fallback error local

no aaa authentication login console fallback error local

no aaa authentication login error-enable

aaa local authentication attempts max-fail 3

aaa local authentication unlock-timeout 1200

aaa group server radius rad1

server Radius-Server-1

server 100.0.0.1

 

IPv6 Address

The RADIUS server address is configured as an IPv6 address. Authentication messages are sent from the router to the RADIUS server over IPv6.

Topology

Figure 9. RADIUS topology shows the sample configuration of the RADIUS server.

Figure 9. RADIUS topology

R1

#configure terminal

Enter configure mode.

(config)#radius-server login host 2001:db8:100::2 vrf management seq-num 1 key 0 testing123

Configure the RADIUS server with an IPv6 address.

(config)#aaa authentication login default vrf management group radius

Configure AAA authentication.

(config)#aaa authentication login error-enable vrf management

Configure AAA authentication login error-enable.

(config)#interface eth0

Enter interface configuration mode.

(config-if)#ipv6 address 2001:db8:100::5/64

Configure an IPv6 address on the eth0 interface.

(config-if)#exit

Exit interface configuration mode.

(config)#commit

Commit the configuration.

(config)#exit

Exit configure mode.

Validation

Telnet to router R1. Use the username listed in the RADIUS server's "users" file as the Telnet username, and check that R1 sends the RADIUS request to the RADIUS server over IPv6.

#show running-config radius

radius-server login host 2001:db8:100::2 vrf management seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb

 

#show running-config aaa

aaa authentication login default vrf management group radius

aaa authentication login error-enable vrf management

 

#show ipv6 interface eth0 brief

Interface   IPv6-Address               Admin-Status
eth0        2001:db8:100::5
            fe80::218:23ff:fe30:e6ba   [up/up]

RADIUS Server Accounting

You can configure accounting to measure the resources that a user consumes during access.

User

#configure terminal

Enter configure mode.

(config)#radius-server login host 10.12.17.11 vrf management seq-num 1 key 7 wawyanb123 auth-port 60000 acct-port 60000 timeout 6

Specify the RADIUS server IPv4 address configured with an authentication port number, an accounting port number and a shared key for the management VRF. The RADIUS server should be started with the same port numbers.

(config)#radius-server login host 10.12.17.11 seq-num 2 key 7 wawyanb123 auth-port 60000 acct-port 60000 timeout 6

Specify the RADIUS server IPv4 address configured with port numbers for the default VRF. The RADIUS server should be started with the same port numbers.

(config)#aaa accounting default vrf management group radius

Enable accounting via the RADIUS server configured for the management VRF.

(config)#aaa accounting default group radius

Enable accounting via the RADIUS server configured for the default VRF.

(config)#commit

Commit the candidate configuration to the running configuration.

Validation

#show aaa accounting vrf management

VRF: management

default: group radius

 

#show aaa accounting vrf all

VRF: management

default: group radius

 

VRF: default

default: group radius

 

#show aaa accounting

VRF: default

default: group radius

#

#show running-config aaa

aaa authentication login default vrf management group radius

aaa accounting default vrf management group radius

aaa group server radius rad1 vrf management

server Radius-Server-1 vrf management

server 100.0.0.1 vrf management

 

aaa authentication login default group radius

aaa accounting default group radius

aaa group server radius rad1

server Radius-Server-1

server 100.0.0.1

RADIUS Server Accounting

You can configure accounting to measure the resources that a user consumes during access.

User

#configure terminal

Enter configure mode.

(config)#radius-server login host 10.12.17.11 seq-num 1 key 7 wawyanb123 auth-port 60000 acct-port 60000 timeout 6

Specify the RADIUS server IPv4 address configured with an authentication port number, an accounting port number and a shared key for the default VRF. The RADIUS server should be started with the same port numbers.

(config)#radius-server login host 10.12.17.11 seq-num 1 key 7 wawyanb123 auth-port 60000 acct-port 60000 timeout 6

Specify the RADIUS server IPv4 address. The RADIUS server should be started with the same port numbers.

(config)#aaa accounting default group radius

Enable accounting via the RADIUS server configured for the default VRF.

(config)#commit

Commit the configuration.

Validation

 

#show aaa accounting

default: group radius

 

#show aaa accounting vrf all

default: group radius

 

VRF: default

default: group radius

 

#show aaa accounting

VRF: default

default: group radius

#

#show running-config aaa

aaa authentication login default group radius

aaa accounting default group radius

aaa group server radius rad1

server Radius-Server-1

server 100.0.0.1


Sample Radius Clients.conf File

client 10.12.58.20 {

secret = testing123

shortname = localhost

}

client 192.168.1.2 {

secret = testing123

shortname = localhost

}

client 10.12.37.196 {

secret = testing123

}

client 100.0.0.2 {

secret = testing123

shortname = localhost

}

 

# IPv6 Client

#client ::1 {

# secret = testing123

# shortname = localhost

#}

#

# All IPv6 Site-local clients

#client fe80::/16 {

# secret = testing123

# shortname = localhost

#}

Sample Radius Users Configuration File

#

#DEFAULT

# Service-Type = Login-User,

# Login-Service = Rlogin,

# Login-IP-Host = shellbox.ispdomain.com

 

# #

# # Last default: shell on the local terminal server.

# #

# DEFAULT

# Service-Type = Administrative-User

 

# On no match, the user is denied access.

 

selftest Cleartext-Password := "password"

testuser1 Cleartext-Password := "user1@101"

testuser2 Cleartext-Password := "user2@202"

testuser3 Cleartext-Password := "user3@303"