Configure RADIUS
Contents
  A brief introduction of RADIUS
  The configuration procedure of RADIUS
    Configure the communication between the router and RADIUS server
    Use manufacturer-specific RADIUS attributes to configure the router
    Configure RADIUS authentication
    Configure RADIUS authorization
  Examples of RADIUS configuration
    Examples of RADIUS authentication and authorization
    Example of applying RADIUS in AAA
This chapter introduces the RADIUS (Remote Authentication Dial-In User Service) security system: it defines how RADIUS operates and describes the network environments for which RADIUS is and is not suitable. The section "The configuration procedure of RADIUS" explains how to use the authentication, authorization and accounting (AAA) command set to configure RADIUS. The last section of this chapter, "Examples of RADIUS configuration", provides two examples. For a complete description of the "radius" commands used in this chapter, refer to "RADIUS configuration command".
A brief introduction of RADIUS
RADIUS is a distributed client/server system that protects the network from unauthorized access. The RADIUS client runs on the router and sends authentication requests to a central RADIUS server, which holds all user authentication and network access service information. The router supports RADIUS through the AAA security model. RADIUS has been applied in many network environments that require both a high level of security and the maintenance of remote user access, for example:
- Networks with access servers from several manufacturers, each of which supports RADIUS. For example, access servers supplied by different manufacturers can share a single server-based RADIUS security database; in a multi-vendor IP network, dial-up users are authenticated through the RADIUS server.
- Networks in which a user should access only a single service. RADIUS can restrict a user to a single host, a single application (such as Telnet) or a single protocol (such as the Point-to-Point Protocol, PPP). For example, when a user logs in, RADIUS can restrict that user to running PPP with IP address 10.2.3.4 and apply a defined access-list.
- Networks that require resource accounting. RADIUS accounting can be used independently of RADIUS authentication and authorization. RADIUS accounting sends data at the start and end of a service so that the resources used during the session (time, bytes, etc.) can be recorded.
RADIUS is not suitable for the following network security situations:
- RADIUS does not support the following protocols:
    ARA, AppleTalk Remote Access protocol
    NBFCP, NetBIOS Frame Control Protocol
    NASI, NetWare Asynchronous Services Interface
    X.25 PAD connections
- Router-to-router situations. RADIUS does not provide bilateral (mutual) authentication. Running RADIUS on a router can only authenticate incoming connections; it cannot be used for outgoing authentication, that is, where the local router must itself pass authentication by a remote router when logging on to it.
- Networks that use a variety of services. RADIUS normally binds a user to one service model.
When a user is authenticated through RADIUS at login, the following process occurs:
- The user is prompted for a username and password.
- The username and the encrypted password are sent to the RADIUS server across the network.
- The user receives one of the following responses from the RADIUS server:
    ACCEPT: the user passes authentication.
    REJECT: the user fails authentication; the user is prompted to enter the username and password again, or access is denied.
    CHALLENGE: the server issues a "challenge" request that collects additional data from the user.
ACCEPT and REJECT responses are returned together with additional authorization information for EXEC or NETWORK authorization. RADIUS authentication must complete before RADIUS authorization can be used. The additional data carried in ACCEPT and REJECT packets consists of:
- The services the user may access, including Telnet, rlogin, PPP, SLIP or EXEC.
- Connection parameters, including the IP address of the host or client, the access-list, and the user's timeout setting.
The configuration procedure of RADIUS
To configure RADIUS on the router or access server, perform the following task:
Use the global configuration command "aaa authentication" to define a method list that uses the RADIUS authentication method. For more information about the "aaa authentication" command, refer to "authentication configuration".
The following configuration tasks are optional:
If necessary, use the global configuration command "aaa authorization" to authorize user requests. For more information about the "aaa authorization" command, refer to "authorization configuration".
If necessary, use the global configuration command "aaa accounting" to record the services used by users. For more information about the "aaa accounting" command, refer to "accounting configuration".
Configure the communication between the router and RADIUS server
The RADIUS server normally runs RADIUS server software from Livingston, Merit, Microsoft or another software vendor on a multi-user system. The RADIUS server and the router use a shared secret to encrypt passwords and to exchange responses. Use the "radius server" command to define the RADIUS server and the "radius key" command to specify the shared secret. Use the following commands in global configuration mode:
Step | Command | Objective
1 | radius server ip-address [auth-port port-number] [acct-port port-number] | Specify the IP address of the remote RADIUS server and the service port numbers for authentication and accounting
2 | radius key string | Specify the shared secret used between the router and the RADIUS server
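As an added illustration of what the shared secret does on the wire (example code written for this page, not taken from the router software or the manual), the following Python builds an Access-Request with the User-Password hidden under the RFC 2865 scheme and checks the server's Response Authenticator with the same secret. The user name and password are made up; the secret in the test is the "radius key" value from the chapter's example.

```python
import hashlib
import hmac
import os
import struct

# Constructed example, not the manual's code: how the "radius key" shared secret
# hides User-Password and authenticates the server's reply (RFC 2865, 3 and 5.2).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2           # IETF attribute types

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to 16-byte blocks; XOR each block with MD5(secret + previous block),
    the first block keyed by the 16-byte Request Authenticator."""
    blocks = max(1, -(-len(password) // 16))
    padded, out, prev = password.ljust(16 * blocks, b"\x00"), b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(user: bytes, password: bytes, secret: bytes, ident: int = 1):
    """Router side: returns (packet, request_authenticator) for checking the reply."""
    ra = os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, ra))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra

def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Router side: trust a reply only if its identifier matches the request and its
    authenticator recomputes with the shared secret (forged/altered replies fail)."""
    head, auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(auth, expected)
```

A server that holds a different "radius key" cannot recover the password, and its replies fail verify_response, which is why the secret must match on both ends.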
In addition, the following optional global configuration commands define the communication between the router and the RADIUS server:
Step | Command | Objective
1 | radius retransmit retries | Specify how many times the router retransmits each RADIUS request to the server before giving up
2 | radius timeout seconds | Specify how many seconds the router waits for a reply before retransmitting a RADIUS request
3 | radius deadtime minutes | Specify for how many minutes a RADIUS server that does not respond to authentication requests is marked "dead" and skipped
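An added model, not the router's own code, of how "radius retransmit", "radius timeout" and "radius deadtime" interact with a "radius local" method list like the ones in the examples later in this chapter. The send callback is an assumption standing in for one request/reply exchange; the method-list walk follows the chapter's description that the local database is consulted only when the RADIUS server does not respond.

```python
from typing import Callable, Dict, List, Optional

# Constructed model, not the router's own code, of how "radius retransmit",
# "radius timeout" and "radius deadtime" interact with a "radius local" method
# list. send(timeout) stands in for one UDP exchange and returns "ACCEPT",
# "REJECT" or None when no reply arrives within timeout seconds.
class RadiusClient:
    def __init__(self, send: Callable[[int], Optional[str]], retransmit: int = 3,
                 timeout: int = 5, deadtime: int = 0,
                 now: Callable[[], float] = lambda: 0.0):
        self.send, self.retransmit, self.timeout = send, retransmit, timeout
        self.deadtime, self.now = deadtime * 60, now   # deadtime is given in minutes
        self.dead_until = 0.0      # while now() < dead_until the server is skipped
        self.sent = 0              # requests actually put on the wire

    def query(self) -> Optional[str]:
        """One request plus `retransmit` retries; None means 'no response'.
        Exhausting the retries marks the server dead for the configured deadtime."""
        if self.now() < self.dead_until:
            return None
        for _ in range(1 + self.retransmit):
            self.sent += 1
            reply = self.send(self.timeout)
            if reply is not None:
                return reply
        if self.deadtime:
            self.dead_until = self.now() + self.deadtime
        return None


def login(methods: List[str], client: RadiusClient, local_users: Dict[str, str],
          user: str, password: str):
    """Walk a method list such as ["radius", "local"]. The next method is tried only
    when the previous one gave no answer: a REJECT from the server ends the walk and
    does not fall through to the local database."""
    for method in methods:
        if method == "radius":
            reply = client.query()
            if reply is not None:
                return method, reply == "ACCEPT"
        elif method == "local":
            return method, local_users.get(user) == password
    return None, False             # no method could answer: access is denied
```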
Use manufacturer-specific RADIUS attributes to configure the router
The Internet Engineering Task Force (IETF) draft standard specifies a method for exchanging vendor-specific information between the network access server and the RADIUS server through the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow a manufacturer to support its own extended attributes that are not suitable for general use. For more information about the vendor ID and VSAs, refer to RFC 2138: RADIUS. To enable the network access server to recognize and use VSAs, use the following command in global configuration mode:
Command | Objective
radius vsa send [authentication] | Enable the network access server to recognize and use VSAs as defined by RADIUS IETF attribute 26.
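An added example (not from the manual or the router software) of the attribute 26 layout that "radius vsa send" enables: it encodes and decodes a VSA in the sub-attribute format RFC 2865 recommends and shows an access server keeping only the VSAs of the vendor it is configured for. Vendor-Id 32473 is the enterprise number reserved for documentation; the sub-attribute numbers and values are assumptions.

```python
import struct

# Constructed example, not the manual's code: encoding and decoding the IETF
# attribute 26 (Vendor-Specific) that "radius vsa send" lets the access server use.
# Vendor-Id 32473 is the enterprise number reserved for documentation (RFC 5612).
VENDOR_SPECIFIC, FRAMED_IP_ADDRESS = 26, 8
DOC_VENDOR_ID = 32473

def encode_vsa(vendor_id: int, subattrs) -> bytes:
    """Attribute 26: Type, Length, Vendor-Id (4 bytes, top octet 0), then one or
    more (Vendor-Type, Vendor-Length, data) triples."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in subattrs)
    value = struct.pack("!I", vendor_id) + body
    return struct.pack("!BB", VENDOR_SPECIFIC, len(value) + 2) + value

def parse_attrs(data: bytes):
    """Split an attribute list into (type, value) pairs, refusing malformed lengths."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        out.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return out

def decode_vsa(value: bytes):
    """Return (vendor_id, [(vendor_type, data), ...]) from an attribute 26 value."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    if vendor_id >> 24:
        raise ValueError("high octet of Vendor-Id must be zero")
    return vendor_id, parse_attrs(value[4:])

def vendor_attrs(data: bytes, vendor_id: int):
    """What an access server does with a reply: keep standard attributes, decode
    VSAs of the configured vendor, and ignore VSAs from other vendors."""
    standard, ours = [], []
    for atype, value in parse_attrs(data):
        if atype != VENDOR_SPECIFIC:
            standard.append((atype, value))
        else:
            vid, subs = decode_vsa(value)
            if vid == vendor_id:
                ours.extend(subs)
    return standard, ours
```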
Configure RADIUS authentication
After configuring the RADIUS server and defining the RADIUS authentication key, you must define a method list for RADIUS authentication. Because RADIUS authentication is carried out through AAA, enter the "aaa authentication" command and specify RADIUS as the authentication method. For more information, refer to "authentication configuration".
Configure RADIUS authorization
AAA authorization lets you set parameters that restrict a user's network access. RADIUS authorization provides a method of remote access control, including one-time authorization or authorization for each service. Because RADIUS authorization is carried out through AAA, use the "aaa authorization" command to specify RADIUS as the authorization method. For more information, refer to "authorization configuration".
The AAA accounting feature lets you track the services users access and the network resources they consume. Because RADIUS accounting is provided through AAA, use the "aaa accounting" command and specify RADIUS as the accounting method. For more information, refer to "accounting configuration".
Examples of RADIUS configuration
The RADIUS configuration examples in this section are:
- Examples of RADIUS authentication and authorization
- Example of applying RADIUS in AAA
Examples of RADIUS authentication and authorization
The following example shows how to configure the router so that RADIUS is used for authentication:
aaa authentication login use-radius radius local
aaa authentication ppp use-radius if-needed radius
aaa authorization exec radius
aaa authorization network radius
In this example, the meaning of each command line is:
The command "aaa authentication login use-radius radius local" configures the router to use RADIUS for authentication during login. If the RADIUS server does not respond, the local database is used for authentication instead. Here use-radius is the name of the method list; it specifies RADIUS authentication first, followed by local authentication.
The command "aaa authentication ppp use-radius if-needed radius" runs the CHAP or PAP authentication process for PPP through the RADIUS server unless the user has already been authenticated. If the user was already authenticated before the EXEC service was provided, no further RADIUS authentication is carried out. Here use-radius is the name of the method list; it defines an authentication method that is carried out only if needed.
The command "aaa authorization exec radius" configures authorization of EXEC requests through RADIUS.
The command "aaa authorization network radius" configures authorization of NETWORK (PPP, SLIP) services through RADIUS.
This is an example of using the AAA command set to define a general configuration:
radius server 1.2.3.4
radius key myRaDiUSpassWoRd
username root password AlongPassword
aaa authentication ppp dialins radius local
aaa authentication login admins local
line 1 16
login authentication admins
interface async0/0
encap ppp
ppp authentication pap dialins
In this example, the meaning of each command line is:
The command "radius server" defines the IP address of the RADIUS server;
The command "radius key" defines the shared secret between the network access server and the RADIUS server host;
The command "aaa authentication ppp dialins radius local" defines the authentication method list "dialins", which specifies authentication through RADIUS first, followed by local authentication (if the RADIUS server does not respond);
The command "ppp authentication pap dialins" applies the authentication method list "dialins" to the designated lines;
The command "aaa authentication login admins local" defines another method list, "admins", for login authentication;
The command "login authentication admins" specifies that method list "admins" is used for login authentication;