FAQ

Configuring Director to use RADIUS authentication against a Freeradius server.

FAQ ID:    FAQ337
Version:    9.0
Status:    Published
Published date:    08/05/2009
Updated:    02/07/2014
 

Answer

NOTE: FreeRADIUS is not a supported server. For a list of supported servers, see the end of this article.

Radius Server configuration for Users

In this example, we will be using the FreeRADIUS software from www.freeradius.net. The following are examples of how to configure this type of server. At the end of this article, you use a commonly available, free, open source program called PuTTY to test the configuration.

Example of admin users and their service type:

admin1      User-Password == "admin1"
            Service-Type = Administrative-User

admin2      User-Password == "admin2"
            Service-Type = Login-User

NOTE: Usernames and passwords for these RADIUS users should be restricted to 16 bytes. Usernames longer than 16 bytes will cause the authentication/login attempt to fail.

Setting up the RADIUS privilege levels.

1: On the Radius server.

Each service type you want supported must be mapped to one of the privilege levels below. On SGME versions earlier than 5.5.1.1, only three service types can be supported, one for each Director privilege level. All other service types are ignored. If the service type returned for the user does not match one of the configured service types, the privilege of the user cannot be decided and the login is rejected.

RADIUS Service Type            Director Mapping
Login (1)                      Standard user (1)
NAS-Prompt (7)                 Enable user (7)
Administrative (6)             Configuration user (15)
Callback NAS-Prompt (9)        Delegate user (10)

NOTE: The last service type is only available in the SGME versions 5.5.1.1 and above.

 

2: On the Director appliance.

You do not need to configure service types on Director unless you want to change the default mappings. By default, or on a new system, the following service types are mapped; these are the same mappings suggested above.

RADIUS Service Type            Director Mapping
Login (1)                      Standard user (1)
NAS-Prompt (7)                 Enable user (7)
Administrative (6)             Configuration user (15)
Callback NAS-Prompt (9)        Delegate user (10)


Configuring Director to use a RADIUS server.

Note: By default, RADIUS is not configured on Director.

You will need to log in to Director using SSH and follow these command line steps.

1: To show whether Director is configured for RADIUS:

  • director > en
  • Password:
  • director # conf t    
  • director (config) # show radius

Radius server configuration:
   Global timeout:
   Global number of retransmission attempts:
   Global key:
   Global request-stype:
   Global privilege-response mapping:
      Privilege 1 :
      Privilege 7 :
      Privilege 15 :

NOTE: As you can see from the 'show radius' command, there are currently no RADIUS servers configured.

2: To configure Director for RADIUS:

NOTE: Ensure you are logged in to the command line over SSH.

  • director (config) # aaa authentication login default radius local
  • director (config) # radius-server host xx.xx.xx.xx -----> Server IP
  • director (config) # show radius

Radius server configuration:
   Global timeout:
   Global number of retransmission attempts:
   Global key:
   Global request-stype:
   Global privilege-response mapping:
      Privilege 1 :
      Privilege 7 :
      Privilege 15 :
   Server xx.xx.xx.xx: -----> Server IP
      Accounting port: 1813
      Authorization port: 1812
      Timeout:
      Number of retransmission attempts:
      Key:
      request-stype:
      privilege-response mapping:
         Privilege 1 :
         Privilege 7 :
         Privilege 15 :

 

3: Setting up your authentication and encryption key.

To configure the key (shared secret) used for RADIUS authentication and encryption, follow these steps on the command line. The key must match the one configured for this client on the RADIUS server.

 

  • director (config) # radius-server host xx.xx.xx.xx key secret     -----> xx.xx.xx.xx is Server IP
  • director (config) # show radius

Radius server configuration:
   Global timeout:
   Global number of retransmission attempts:
   Global key:
   Global request-stype:
   Global privilege-response mapping:
      Privilege 1 :
      Privilege 7 :
      Privilege 15 :
   Server xx.xx.xx.xx: -----> Server IP
      Accounting port: 1813
      Authorization port: 1812
      Timeout:
      Number of retransmission attempts:
      Key: Yk8HyLY5bwQFqaLYKKtA2A==
      request-stype:
      privilege-response mapping:
         Privilege 1 :
         Privilege 7 :
         Privilege 15 :

 

4: Testing it out.

You can test this configuration now using PuTTY, a commonly available SSH client. For more information on PuTTY, see how to download PuTTY.

 1: First, check that you can log in to Director using the RADIUS user admin1, whose Service-Type was set to Administrative-User in the first step above. Here is an example of what commands to use in PuTTY. Check that the maximum privilege level allowed for this user is 15. With this level allowed, this user will be able to enter the "enable" password.

2: Now log in using user admin2, which has a Service-Type of Login-User. Check that this user, once logged in to Director, has a maximum allowed privilege level of 1.

When this user tries to enter the "enable" password, the warning "Your user account does not have the required privilege to enter enable mode" is displayed.
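The following Python script is an added example, not code from this article or from Blue Coat. It models the Access-Request/Access-Accept exchange that steps 1 and 2 exercise from PuTTY, and it also covers the privilege mapping tabled earlier: the client side hides the User-Password as RFC 2865 section 5.2 describes, the server side checks it and answers with a Service-Type, and the client side verifies the Response Authenticator with the shared key before mapping the Service-Type to a Director privilege level. The users admin1/admin2, the key "secret" from the radius-server host command, and the toy radius_server function are constructed assumptions; the article says nothing about Director's internal implementation, so this only illustrates the protocol and the mapping, including the cases where the login is rejected (wrong password, wrong key, unmapped Service-Type, user name over 16 bytes).

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE = 1, 2, 6

# Director's default Service-Type -> privilege mapping, as tabled in this article:
# Login (1) -> 1, NAS-Prompt (7) -> 7, Administrative (6) -> 15, Callback NAS-Prompt (9) -> 10.
DIRECTOR_PRIVILEGE = {1: 1, 7: 7, 6: 15, 9: 10}

# Constructed sample data: the article's two users (Service-Type 6 = Administrative-User,
# 1 = Login-User) and the key from 'radius-server host ... key secret'.
USERS = {b"admin1": (b"admin1", 6), b"admin2": (b"admin2", 1)}
SECRET = b"secret"

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: XOR the NUL-padded password with an MD5 keystream chained from the secret."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; this is what the RADIUS server does before comparing."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    """Attribute list [(type, value_bytes)] -> TLV bytes (Type, Length, Value)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """TLV bytes -> dict {type: value}; rejects truncated or bad-length attributes."""
    attrs, i = {}, 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2]) if i + 2 <= len(data) else (0, 0)
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs

def build_access_request(username, password, secret, ident=1, authenticator=None):
    """Client side (Director): Access-Request carrying User-Name and the hidden User-Password."""
    if len(username) > 16:  # limit stated in this article for Director
        raise ValueError("Director rejects RADIUS user names longer than 16 bytes")
    req_auth = authenticator if authenticator is not None else os.urandom(16)
    body = encode_attrs([(ATTR_USER_NAME, username),
                         (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def build_response(code, request, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body

def radius_server(request, secret, users):
    """Toy stand-in for the FreeRADIUS users file: name -> (cleartext password, Service-Type)."""
    attrs = decode_attrs(request[20:])
    name = attrs.get(ATTR_USER_NAME, b"")
    given = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    entry = users.get(name)
    if entry is None or not hmac.compare_digest(entry[0], given):
        return build_response(ACCESS_REJECT, request, secret, [])
    return build_response(ACCESS_ACCEPT, request, secret,
                          [(ATTR_SERVICE_TYPE, struct.pack("!I", entry[1]))])

def director_privilege(response, request, secret):
    """Client side: verify the Response Authenticator, then map Service-Type to a Director
    privilege level. Returns None whenever Director would reject the login."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    if (not hmac.compare_digest(resp_auth, expected) or response[1] != request[1]
            or response[0] != ACCESS_ACCEPT):
        return None  # forged/corrupted reply, wrong identifier, or Access-Reject
    service_type = decode_attrs(body).get(ATTR_SERVICE_TYPE)
    if service_type is None or len(service_type) != 4:
        return None
    return DIRECTOR_PRIVILEGE.get(struct.unpack("!I", service_type)[0])  # unmapped -> None

def login(username, password, client_secret=SECRET, server_secret=SECRET, users=USERS):
    """One request/response exchange; returns the granted privilege level or None."""
    request = build_access_request(username, password, client_secret)
    response = radius_server(request, server_secret, users)
    return director_privilege(response, request, client_secret)
```

login(b"admin1", b"admin1") returns 15 and login(b"admin2", b"admin2") returns 1, matching what the two PuTTY logins above should show. Passing a different server_secret reproduces a key mismatch between Director and the server: the reply's Response Authenticator no longer verifies, so the login is refused rather than trusted.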


NOTE1: For information on how to troubleshoot Director using journals and logs, see KB4143.

NOTE2: For more information on how to configure TACACS+ on Director, see FAQ2879.

NOTE3: For more details on other CLI commands, see KB4178.

NOTE4: For a list of supported RADIUS servers, see FAQ1125.
