Configure RADIUS Directory

A brief introduction of RADIUS

Operation of RADIUS protocol

The configuration procedure of RADIUS

Configure the communication between the router and RADIUS server

Use RADIUS attributes specially used by the manufacturer to configure the router

Configure RADIUS authentication

Configure RADIUS authorization

Configure RADIUS accounting

Examples of RADIUS configuration

Examples of RADIUS authentication and authorization

Example of applying RADIUS in AAA

 

This chapter introduces the RADIUS (Remote Authentication Dial-In User Service) security system. It describes how RADIUS operates and the network environments in which RADIUS is, and is not, suitable. The section "The configuration procedure of RADIUS" explains how to configure RADIUS with the authentication, authorization and accounting (AAA) command set. The last section of this chapter, "Examples of RADIUS configuration", provides two examples. For a complete description of the radius commands used in this chapter, refer to "RADIUS configuration command".

A brief introduction of RADIUS

RADIUS is a distributed client/server system that protects the network against unauthorized access. The RADIUS client runs on the router and sends authentication requests to a central RADIUS server, which holds all user authentication and network access service information. The router supports RADIUS through its AAA security model. RADIUS is used in a variety of network environments that require both a high level of security and support for remote user access.

RADIUS can be used in network environments with the following security requirements:

- Networks with access servers from multiple vendors, each of which supports RADIUS. For example, access servers from several vendors can share a single server-based RADIUS security database; in a multivendor IP network, dial-up users are authenticated by the RADIUS server.

- Networks in which a user should be able to reach only a single service. RADIUS can restrict a user to a single host, a single application (such as Telnet) or a single protocol (such as the Point-to-Point Protocol, PPP). For example, when a user logs in, RADIUS can confine that user to running PPP with the IP address 10.2.3.4 and apply a defined access list.

- Networks that require resource accounting. RADIUS accounting can be used independently of RADIUS authentication and authorization. It sends data at the start and end of a service so that the amount of resource consumed during the session (time, bytes and so on) can be recorded.

RADIUS is not suitable for the following network security situations:

- RADIUS does not support the following protocols:
  ARA (AppleTalk Remote Access protocol)
  NBFCP (NetBIOS Frame Control Protocol)
  NASI (NetWare Asynchronous Services Interface)
  X.25 PAD connections

- Router-to-router situations. RADIUS does not provide two-way authentication. Running RADIUS on the router only authenticates incoming connections; outgoing authentication (where the local router must itself be authenticated by a remote router when it logs in there) is not supported.

- Networks that use a variety of services. RADIUS generally binds a user to one service model.

Operation of RADIUS protocol

When a user logs in and is authenticated by RADIUS, the following process takes place:

- The user is prompted for a username and password.

- The username and the password, hidden under the shared secret, are sent across the network to the RADIUS server. The hiding is an XOR with an MD5 digest keyed by the shared secret, not strong encryption, so the path between router and server should itself be a trusted management network.

- The user receives one of the following responses from the RADIUS server:

  ACCEPT: the user has been authenticated.
  REJECT: the user has not been authenticated; the user is prompted to re-enter the username and password, or access is denied.
  CHALLENGE: the server issues a "challenge" request that collects additional data from the user.

The ACCEPT and REJECT responses return with additional authorization information, used for EXEC or NETWORK authorization. RADIUS authentication must complete before RADIUS authorization can be used. The additional data in an ACCEPT or REJECT packet consists of:

- The services the user may access, including Telnet, rlogin, PPP, SLIP or EXEC.

- Connection parameters, including the IP address of the host or client, the access list and the user's timeout settings.

The configuration procedure of RADIUS

To configure RADIUS on the router or access server, perform the following tasks:

1. Use the global configuration command "aaa authentication" to define a method list that uses RADIUS as an authentication method. For more information about the "aaa authentication" command, refer to "Authentication configuration".

2. Use the "line" and "interface" commands to apply the defined method list. For more information, refer to "Authentication configuration".

The following tasks are optional:

- If required, use the global configuration command "aaa authorization" to authorize user requests. For more information about the "aaa authorization" command, refer to "Authorization configuration".

- If required, use the global configuration command "aaa accounting" to record the services used by users. For more information about the "aaa accounting" command, refer to "Accounting configuration".

Configure the communication between the router and RADIUS server

A RADIUS server normally runs on a multi-user system with RADIUS server software supplied by Livingston, Merit, Microsoft or another vendor. The RADIUS server and the router use a shared secret to hide passwords and to authenticate the responses they exchange. Use the "radius server" command to define a RADIUS server and the "radius key" command to set the shared secret. Enter the following commands in global configuration mode:

Step 1  radius server ip-address [auth-port port-number] [acct-port port-number]
        Designate the IP address of the remote RADIUS server and, optionally, the UDP ports it uses for authentication and accounting. The ports must match the server's configuration: RFC 2865 and RFC 2866 assign 1812 and 1813, while older servers listen on 1645 and 1646.

Step 2  radius key string
        Designate the shared secret used between the router and the RADIUS server. The same value must be configured on the server. Use a long, random string and a different one for each client, because the secret is all that hides passwords and binds a response to the server that sent it.

In addition, the following optional global configuration commands tune the communication between the router and the RADIUS server:

Step 1  radius retransmit retries
        Set how many times the router retransmits a RADIUS request to the server before giving up.

Step 2  radius timeout seconds
        Set the number of seconds the router waits for a reply before retransmitting a RADIUS request.

Step 3  radius deadtime minutes
        Set the number of minutes for which a RADIUS server that has stopped responding to authentication requests is marked dead and skipped by subsequent requests.
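The exchange described in "Operation of RADIUS protocol" and the role of the shared secret set with "radius key", as an added example that is not part of this manual or of the router software. It is a minimal RADIUS client and server written in Python 3 (standard library only) following RFC 2865: the client builds an Access-Request whose User-Password is hidden under the shared secret, the server reveals the password, checks it against a constructed user store and answers ACCEPT or REJECT with a Response Authenticator, and the client verifies that authenticator before trusting the verdict. The user alice, the passwords, the secret strings and the packet identifier 7 are all constructed for the example.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865), added example.

Standard library only. The user store, the secrets and the packet identifier
below are constructed for illustration and are not part of the manual.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # standard attribute types
HEADER = struct.Struct("!BBH")           # Code, Identifier, Length

USER_DB = {b"alice": b"s3cret!"}         # constructed server-side user store


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (length counts T and L)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(data: bytes) -> dict:
    """Return {type: value}; reject truncated or zero-length attributes."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute list")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous block), the first "previous block" being the Request
    Authenticator. Obfuscation keyed by the shared secret, not strong encryption."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does it; trailing NUL padding is dropped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes) -> bytes:
    """Client side: fresh random Request Authenticator, User-Name and hidden User-Password."""
    authenticator = os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_handle(request: bytes, secret: bytes) -> bytes:
    """Server side: reveal the password, check it, and sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length < 20 or length != len(request):
        raise ValueError("malformed Access-Request")
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    verdict = ACCESS_ACCEPT if USER_DB.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    header = HEADER.pack(verdict, ident, 20)      # no attributes in this reply
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify(response: bytes, request: bytes, secret: bytes):
    """Client side: accept the reply only if its identifier matches the request and its
    Response Authenticator proves it came from a holder of the shared secret. Returns the
    response code, or None when the reply is not authentic and must be ignored."""
    code, ident, length = HEADER.unpack(response[:4])
    if ident != request[1] or length < 20 or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


def exchange(user: bytes, password: bytes, secret: bytes, server_secret: bytes = None):
    """One in-memory round trip; a differing server_secret simulates a mismatched "radius key"."""
    request = build_access_request(7, user, password, secret)
    response = server_handle(request, secret if server_secret is None else server_secret)
    return client_verify(response, request, secret)


if __name__ == "__main__":
    print(exchange(b"alice", b"s3cret!", b"shared-key"))                 # 2 = ACCESS_ACCEPT
    print(exchange(b"alice", b"wrong", b"shared-key"))                   # 3 = ACCESS_REJECT
    print(exchange(b"alice", b"s3cret!", b"shared-key", b"other-key"))   # None: reply not authentic
```

Two details are worth noticing when the secrets differ: the server reveals garbage and rejects, but the client also refuses to trust even that reply, because the Response Authenticator no longer verifies. A client that skipped the check would accept a forged ACCEPT from anyone who can spoof the server's address, which is why the secret must be kept unique per client and the server reached only over a trusted path.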

 

Use RADIUS attributes specially used by the manufacturer to configure the router

The IETF RADIUS standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server: the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow a vendor to support its own extended attributes that are not suitable for general use. For the vendor IDs and the VSA format, refer to RFC 2138, RADIUS (since obsoleted by RFC 2865, which keeps the same attribute 26 layout). To enable the network access server to recognize and use VSAs, use the following command in global configuration mode:

Command    radius vsa send [authentication]
Objective  Enable the network access server to recognize and use VSAs as defined by RADIUS IETF attribute 26. The optional keyword authentication limits this to authentication packets.
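The attribute 26 layout that "radius vsa send" enables, as an added example that is not part of this manual or of the router software: a Python 3 encoder and decoder for vendor-specific attributes following RFC 2865 section 5.26. The vendor ID 99999, the second vendor ID 12345, the sub-attribute numbers and the attribute values are hypothetical and constructed for the example; a real deployment uses the equipment vendor's IANA-registered Private Enterprise Number and its documented sub-attributes.

```python
"""Encode and decode RADIUS Vendor-Specific attributes (type 26), added example.

Layout per RFC 2865 section 5.26:
  Type=26 | Length | Vendor-Id (4 bytes) | Vendor type | Vendor length | value
The vendor IDs, sub-attribute numbers and values below are hypothetical; a real
deployment uses the vendor's IANA-registered Private Enterprise Number.
"""
import struct

VENDOR_SPECIFIC = 26
SERVICE_TYPE = 6                     # a standard attribute, for contrast
EXAMPLE_VENDOR_ID = 99999            # hypothetical vendor id
VT_PRIVILEGE = 1                     # hypothetical vendor sub-attribute numbers
VT_ACL_NAME = 2


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Wrap one vendor sub-attribute in a type-26 attribute. Length is a single
    byte, so the value may be at most 255 - 8 bytes."""
    body = struct.pack("!IBB", vendor_id, vendor_type, 2 + len(value)) + value
    if 2 + len(body) > 255:
        raise ValueError("VSA value too long for one attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsas(attrs: bytes, vendor_id: int) -> dict:
    """Walk a raw attribute list and return {vendor_type: value} for vendor_id.
    Standard attributes and other vendors' VSAs are skipped; a truncated or
    zero-length attribute is an error rather than something silently ignored."""
    out, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute list")
        atype, alen = attrs[i], attrs[i + 1]
        if atype == VENDOR_SPECIFIC and alen >= 8:
            body = attrs[i + 2:i + alen]
            if struct.unpack("!I", body[:4])[0] == vendor_id:
                j = 4
                while j < len(body):
                    if j + 2 > len(body) or body[j + 1] < 2 or j + body[j + 1] > len(body):
                        raise ValueError("malformed vendor sub-attribute")
                    out[body[j]] = body[j + 2:j + body[j + 1]]
                    j += body[j + 1]
        i += alen
    return out


def example_access_accept_attrs() -> bytes:
    """Constructed attribute list as a server might return it: one standard
    Service-Type (2 = Framed), two VSAs for our vendor, one VSA from another vendor."""
    return (struct.pack("!BBI", SERVICE_TYPE, 6, 2)
            + encode_vsa(EXAMPLE_VENDOR_ID, VT_PRIVILEGE, b"priv-lvl=15")
            + encode_vsa(EXAMPLE_VENDOR_ID, VT_ACL_NAME, b"acl=dialin-users")
            + encode_vsa(12345, 1, b"ignored"))   # 12345: another hypothetical vendor


if __name__ == "__main__":
    print(decode_vsas(example_access_accept_attrs(), EXAMPLE_VENDOR_ID))
```

The decoder filters on the Vendor-Id before interpreting sub-attributes, which is what a network access server must do: a sub-attribute number such as 1 means different things to different vendors, so VSAs carrying a foreign vendor ID must be ignored rather than applied.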

Configure RADIUS authentication

After configuring the RADIUS server and the RADIUS authentication key, define a method list for RADIUS authentication. Because RADIUS authentication is carried out through AAA, enter the "aaa authentication" command and designate RADIUS as the authentication method. For more information, refer to "Authentication configuration".

Configure RADIUS authorization

AAA authorization lets you set parameters that restrict a user's access to the network. RADIUS authorization provides one method of remote access control, including one-time authorization or authorization for each service. Because RADIUS authorization is carried out through AAA, use the "aaa authorization" command and designate RADIUS as the authorization method. For more information, refer to "Authorization configuration".

Configure RADIUS accounting

The AAA accounting feature lets you track the services users access and the network resources they consume. Because RADIUS accounting is provided through AAA, use the "aaa accounting" command and designate RADIUS as the accounting method. For more information, refer to "Accounting configuration".

Examples of RADIUS configuration

The RADIUS configuration examples in this section are:

- Examples of RADIUS authentication and authorization

- Example of applying RADIUS in AAA

Examples of RADIUS authentication and authorization

The following example shows how to configure the router so that RADIUS is used for authentication and authorization:

aaa authentication login use-radius radius local
aaa authentication ppp use-radius if-needed radius
aaa authorization exec radius
aaa authorization network radius

The meaning of each line in this example is:

The command "aaa authentication login use-radius radius local" configures the router to authenticate logins through RADIUS and, if the RADIUS server does not respond, to fall back to the local user database. Here use-radius is the name of the method list; it specifies RADIUS authentication first and local authentication second. The fallback applies only when RADIUS cannot be reached: a REJECT from the RADIUS server is final and does not cause the local database to be consulted.

The command "aaa authentication ppp use-radius if-needed radius" makes the CHAP or PAP authentication of PPP users go through the RADIUS server, unless the user has already been authenticated. If the user was authenticated on the line before the EXEC service was provided, no further RADIUS authentication is performed. Here use-radius is the name of the method list, and if-needed specifies that authentication is carried out only when required.

The command "aaa authorization exec radius" configures RADIUS authorization of EXEC requests.

The command "aaa authorization network radius" configures RADIUS authorization of NETWORK (PPP, SLIP) services.
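How a method list such as use-radius above (or dialins in the next section) is walked, and what "if-needed" skips, as an added example that is not part of this manual or of the router software. This Python 3 model treats each method as returning PASS, FAIL or ERROR and moves to the next method only on ERROR, which is the point that matters operationally: a RADIUS reject never falls through to the local database, while an unreachable server does. The user databases, passwords, reachability flags and the function names radius_method, local_method, run_method_list and ppp_authenticate are this example's own assumptions.

```python
"""How an AAA method list such as "radius local" is evaluated, added example.

Each method answers PASS, FAIL or ERROR. The list moves on to the next method
only on ERROR (no reply from the server); PASS and FAIL are final. The user
databases and reachability flags below are constructed for illustration.
"""
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def radius_method(server_db: dict, reachable: bool):
    """Model of the 'radius' method: ERROR when every retransmit times out,
    otherwise the server's ACCEPT (PASS) or REJECT (FAIL) verdict."""
    def method(user, password):
        if not reachable:
            return ERROR
        return PASS if server_db.get(user) == password else FAIL
    return method


def local_method(local_db: dict):
    """Model of the 'local' method: the router's own username database."""
    def method(user, password):
        return PASS if local_db.get(user) == password else FAIL
    return method


def run_method_list(methods, user, password):
    """Return (verdict, index of the deciding method). (ERROR, None) means no
    method could answer; the router does not treat that as a pass."""
    for idx, method in enumerate(methods):
        verdict = method(user, password)
        if verdict != ERROR:
            return verdict, idx
    return ERROR, None


def ppp_authenticate(methods, user, password, already_authenticated: bool, if_needed: bool):
    """The 'if-needed' keyword: the method list is skipped when the user was
    already authenticated on the line before PPP started."""
    if if_needed and already_authenticated:
        return PASS, None
    return run_method_list(methods, user, password)


# Constructed databases: RADIUS knows alice, the local fallback knows only root.
RADIUS_DB = {"alice": "s3cret!"}
LOCAL_DB = {"root": "AlongPassword"}


def scenarios() -> dict:
    """Outcomes of a 'radius local' list under the cases that matter."""
    up = [radius_method(RADIUS_DB, True), local_method(LOCAL_DB)]
    down = [radius_method(RADIUS_DB, False), local_method(LOCAL_DB)]
    return {
        "server up, good password": run_method_list(up, "alice", "s3cret!"),
        "server up, bad password": run_method_list(up, "alice", "wrong"),
        "server up, local-only user": run_method_list(up, "root", "AlongPassword"),  # rejected, no fallback
        "server down, local user": run_method_list(down, "root", "AlongPassword"),
        "server down, unknown user": run_method_list(down, "alice", "s3cret!"),
        "if-needed, already authenticated": ppp_authenticate(down, "alice", "x", True, True),
    }


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case}: {outcome}")
```

The "server up, local-only user" case is the one to check on a real router before relying on the local account: root exists only locally, so while the RADIUS server is reachable it is rejected, and the local password is usable only after the server stops answering.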

Example of applying RADIUS in AAA

The following example uses the AAA command set to define a typical configuration:

radius server 1.2.3.4
radius key myRaDiUSpassWoRd
username root password AlongPassword
aaa authentication ppp dialins radius local
aaa authentication login admins local
line 1 16
login authentication admins
interface async0/0
encap ppp
ppp authentication pap dialins

The meaning of each line in this example is:

The command "radius server" defines the IP address of the RADIUS server.

The command "radius key" defines the shared secret between the network access server and the RADIUS server host; the same value must be configured on the server.

The command "username root password AlongPassword" defines the local account that the "local" method uses when the RADIUS server does not respond. Because it is the fallback, its password should be at least as strong as the RADIUS credentials.

The command "aaa authentication ppp dialins radius local" defines the authentication method list "dialins", which authenticates through RADIUS first and through the local database only if the RADIUS server does not respond.

The command "aaa authentication login admins local" defines another method list, "admins", which authenticates logins against the local database.

The command "login authentication admins" applies the method list "admins" to login authentication on lines 1 to 16.

The command "ppp authentication pap dialins" applies the method list "dialins" to PAP authentication of PPP on interface async0/0.