RADIUS Authorization Configuration
Benefits
The user role is determined by the privilege level received from the RADIUS server.
Prerequisites
The RADIUS server process must be up and running.
Configuration
Topology
The following is the RADIUS client and server network topology.
Figure 2. RADIUS Server Client Configuration
IPv4 Address
The RADIUS server address is configured in IPv4 address format.
RADIUS Client (Host)
(config)#radius-server login host 10.12.33.211 vrf management seq-num 1 key 0 testing123 | Specify the RADIUS server IPv4 address, configured with a shared local key, for the management VRF. The same key should be present in the server configuration file.
(config)#radius-server login host 1.1.1.2 seq-num 1 key 0 testing123 | Specify the RADIUS server IPv4 address, configured with a shared local key, for the default VRF. The same key should be present in the server configuration file.
(config)#aaa authentication login default vrf management group radius | Enable authentication against the RADIUS server configured for the management VRF. Authorization is also enabled by default.
(config)#aaa authentication login console group radius | Enable authentication against the RADIUS server for console login. Authorization is also enabled by default.
(config)#aaa authentication login default vrf management group radius local | Enable authentication against the RADIUS server, with fallback to local authentication, for the management VRF. Authorization is also enabled by default.
(config)#aaa authentication login console group radius local | Enable authentication against the RADIUS server, with fallback to local authentication, for the default VRF. Authorization is also enabled by default.
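As an added example (this is not OcNOS code and is not part of the original page), the following Python models the part of the RADIUS exchange that the shared key above protects: the server seals its Access-Accept, which carries the Management-Privilege-Level attribute (type 136, RFC 5607), with a Response Authenticator computed over the packet and the secret (RFC 2865), and the client recomputes that value with its own copy of the key before it trusts the privilege level in the reply. The key testing123 is the one configured above; the request ID, the Request Authenticator and all function names are this example's own constructions.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet code (RFC 2865) and the attribute that carries the privilege
# level the switch maps to a role (Management-Privilege-Level, type 136, RFC 5607).
ACCESS_ACCEPT = 2
ATTR_MGMT_PRIVILEGE_LEVEL = 136

# Shared secret from the configuration above; client and server must hold the same bytes.
SHARED_SECRET = b"testing123"


def encode_attr(attr_type, value):
    """RADIUS attribute TLV: one-byte type, one-byte length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(request_id, request_authenticator, secret, priv_level):
    """Server side: an Access-Accept granting priv_level, sealed with the shared secret.
    Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    attrs = encode_attr(ATTR_MGMT_PRIVILEGE_LEVEL, struct.pack("!I", priv_level))
    header = struct.pack("!BBH", ACCESS_ACCEPT, request_id, 20 + len(attrs))
    response_authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_authenticator + attrs


def reply_is_authentic(packet, request_authenticator, secret):
    """Client side: recompute the Response Authenticator with the locally configured key.
    A reply sealed with a different key, or altered in transit, fails this check."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def privilege_level_from_reply(packet):
    """Walk the attribute list of an authenticated Access-Accept; None if absent or malformed."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    attrs, i, level = packet[20:], 0, None
    while i + 2 <= len(attrs):
        attr_type, attr_len = attrs[i], attrs[i + 1]
        if attr_len < 2 or i + attr_len > len(attrs):
            return None  # truncated or zero-length attribute: the reply is unusable
        if attr_type == ATTR_MGMT_PRIVILEGE_LEVEL and attr_len == 6:
            level = struct.unpack("!I", attrs[i + 2:i + 6])[0]
        i += attr_len
    return level


if __name__ == "__main__":
    req_auth = os.urandom(16)  # the client picks a fresh random Request Authenticator
    accept = build_access_accept(7, req_auth, SHARED_SECRET, 14)
    if reply_is_authentic(accept, req_auth, SHARED_SECRET):
        print("privilege level", privilege_level_from_reply(accept))
    print("accepted with wrong key:", reply_is_authentic(accept, req_auth, b"wrongkey"))
```

A reply that does not pass reply_is_authentic is discarded before its privilege level is read; that is exactly the failure a key mismatch between the switch configuration and the server configuration file produces, and why the same key must be present on both sides.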
Specify the privilege level in the RADIUS server configuration file. The RADIUS client receives the user's privilege level from this file and maps it to a role as shown below. The privilege level range is 0 to 15.
Role | Privilege level
Network-admin | 15
Network engineer | 14
RBAC-customized-role | 13
Network operator | 1 to 12
Network user | 0 or any other value (>15, negative values or any character)
Validation
To verify the RADIUS authorization process, log in from the host machine to the host IP with the credentials of the user being authenticated, providing the password held by the RADIUS server.
Execute the following show commands to verify the RADIUS authorization status.
OcNOS#sh running-config aaa
aaa authentication login default vrf management group radius
aaa authentication login console group radius
aaa authentication login default vrf management group radius local
aaa authentication login console group radius local
OcNOS#sh running-config radius
radius-server login host 10.12.33.211 vrf management seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
radius-server login host 1.1.1.1 seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
OcNOS#sh radius-server vrf management
timeout value: 5
Total number of servers:1
VRF: management
Following RADIUS servers are configured:
Radius Server : 10.12.33.211 (*)
Sequence Number : 1
available for authentication on port : 1812
available for accounting on port : 1813
RADIUS shared secret : ********
Failed Authentication count : 3
Successful Authentication count : 13
Failed Connection Request : 3
Last Successful authentication : 2023 November 30, 06:25:07
OcNOS#sh radius-server vrf management
timeout value: 5
Total number of servers:1
VRF: management
Following RADIUS servers are configured:
Radius Server : 1.1.1.1 (*)
Sequence Number : 1
available for authentication on port : 1812
available for accounting on port : 1813
RADIUS shared secret : ********
Failed Authentication count : 3
Successful Authentication count : 10
Failed Connection Request : 0
Last Successful authentication : 2023 November 30, 06:28:07
OcNOS#sh users
Current user : (*). Lock acquired by user : (#).
CLI user : [C]. Netconf users : [N].
Location : Applicable to CLI users.
Session : Applicable to NETCONF users.
Line User Idle Location/Session PID TYPE Role
(*) 0 con 0 [C]ocnos 0d00h00m ttyS0 5251 Local network-admin
130 vty 0 [C]ocnos 0d00h00m pts/0 5288 Remote network-user
131 vty 1 [C]abc 0d00h00m pts/1 5340 Remote network-engineer
132 vty 2 [C]ipi 0d00h00m pts/2 5350 Remote network-operator
IPv6 Address
The RADIUS server address is configured in IPv6 address format.
RADIUS Client (Host)
OcNOS(config)#radius-server login host 2001:db8:100::2 vrf management seq-num 1 key 0 testing123 | Configure the RADIUS server with an IPv6 address.
OcNOS(config)#aaa authentication login default vrf management group radius local | Configure AAA authentication.
(config)#interface eth0 | Enter interface mode.
(config-if)#ipv6 address 2001:db8:100::5/64 | Configure the IPv6 address on the eth0 interface.
(config-if)#exit | Exit interface configuration mode.
(config)#commit | Commit the configuration.
(config)#exit | Exit configuration mode.
Validation
To verify the RADIUS authorization process, log in from the host machine to the host IP with the credentials of the user being authenticated, providing the password held by the RADIUS server.
Execute the following show commands to verify the RADIUS authorization status.
#show running-config radius
radius-server login host 2001:db8:100::2 vrf management seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
#show running-config aaa
aaa authentication login default vrf management group radius
#show ipv6 interface eth0 brief
Interface IPv6-Address Admin-Status
eth0 2001:db8:100::5 fe80::218:23ff:fe30:e6ba [up/up]
Implementation Examples
The following is an example of the RADIUS server configuration file entries for the users shown above:
ipi Cleartext-Password := "ipi123"
    Management-Privilege-Level := 12
ocnos Cleartext-Password := "ocnos"
    Management-Privilege-Level := 0
abc Cleartext-Password := "AC123"
    Management-Privilege-Level := 14
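As an added example (not OcNOS code and not from the original page), the following Python implements the privilege-level-to-role mapping from the table in this document, including the out-of-range and non-numeric cases, parses the server configuration file entries shown above, and cross-checks them against the show users session table from the validation step, so that any remote session holding a role other than the one its privilege level should yield is reported. The configuration file text and the session table are constructed copies of the page's own data; the function names and regular expressions are this example's own.

```python
import re

# Role derived from Management-Privilege-Level, following the privilege table in
# this document: 15 admin, 14 engineer, 13 RBAC-customized role, 1-12 operator,
# anything else (0, negative, >15, non-numeric) network-user.
def role_for_privilege(level):
    try:
        n = int(str(level).strip())
    except ValueError:
        return "network-user"
    if n == 15:
        return "network-admin"
    if n == 14:
        return "network-engineer"
    if n == 13:
        return "rbac-customized-role"
    if 1 <= n <= 12:
        return "network-operator"
    return "network-user"


# Constructed copy of the server configuration file entries shown on this page
# (check items on the first line of an entry, reply items on the following lines).
USERS_FILE = '''
ipi   Cleartext-Password := "ipi123"
      Management-Privilege-Level := 12
ocnos Cleartext-Password := "ocnos"
      Management-Privilege-Level := 0
abc   Cleartext-Password := "AC123"
      Management-Privilege-Level := 14
'''

# Constructed copy of the "show users" session table from the validation step.
SHOW_USERS = '''
Line User Idle Location/Session PID TYPE Role
(*) 0 con 0 [C]ocnos 0d00h00m ttyS0 5251 Local network-admin
130 vty 0 [C]ocnos 0d00h00m pts/0 5288 Remote network-user
131 vty 1 [C]abc 0d00h00m pts/1 5340 Remote network-engineer
132 vty 2 [C]ipi 0d00h00m pts/2 5350 Remote network-operator
'''

ENTRY_RE = re.compile(r'^(\S+)\s+Cleartext-Password\s*:=', re.IGNORECASE)
PRIV_RE = re.compile(r'^Management-Privilege-Level\s*:?=\s*(\S+)', re.IGNORECASE)
SESSION_RE = re.compile(r'\[[CN]\](\S+)\s+\S+\s+\S+\s+\d+\s+(Local|Remote)\s+(\S+)\s*$')


def parse_users_file(text):
    """Map each user name to the Management-Privilege-Level its entry returns (None if absent)."""
    levels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = m.group(1)
            levels[current] = None
            continue
        m = PRIV_RE.match(line)
        if m and current is not None:
            levels[current] = m.group(1)
    return levels


def parse_show_users(text):
    """Return (user, type, role) for each session row of 'show users'; the header row has no [C]/[N] tag."""
    rows = []
    for raw in text.splitlines():
        m = SESSION_RE.search(raw)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3)))
    return rows


def find_role_mismatches(users_file, show_users):
    """Remote sessions whose live role differs from what the server's privilege level should yield."""
    levels = parse_users_file(users_file)
    mismatches = []
    for user, kind, role in parse_show_users(show_users):
        if kind != "Remote":
            continue  # local accounts are not authorized through RADIUS
        if user not in levels:
            mismatches.append((user, "absent from users file", role))
            continue
        expected = role_for_privilege(levels[user])
        if role.lower() != expected:
            mismatches.append((user, expected, role))
    return mismatches


if __name__ == "__main__":
    print(find_role_mismatches(USERS_FILE, SHOW_USERS))  # empty list when every session matches the table
```

Run against the page's own data the check returns an empty list; a session whose role is higher than its privilege level allows (for example a level-14 user shown as network-admin) is returned as a (user, expected role, observed role) triple, which is the condition an operator would want to catch after changing the server file or the AAA configuration.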