RADIUS Authentication

Configuring RADIUS

This article assists users in setting up a dial-in RADIUS configuration with authentication to a free RADIUS server - Version 0.9.31.

The router configuration is the same irrespective of the server used.

General Configuration Guidelines

Pre-requisite Configuration

Configure the VLAN interfaces by executing the following commands:

Your Product# configure terminal
Your Product(config)# interface vlan 1
Your Product(config-if)# shutdown
Your Product(config-if)# ip address 20.0.0.1 255.0.0.0
Your Product(config-if)# ipv6 address 2004::1 64
Your Product(config-if)# ipv6 enable
Your Product(config-if)# no shutdown
Your Product(config-if)# exit
Your Product(config)# vlan 1
Your Product(config-vlan)# ports xl-ethernet 0/1 untagged xl-ethernet 0/1
Your Product(config-vlan)# exit
Your Product(config)# interface vlan 2
Your Product(config-if)# shutdown
Your Product(config-if)# ipv6 address 2003::1 64
Your Product(config-if)# ipv6 enable
Your Product(config-if)# no shutdown
Your Product(config-if)# exit
Your Product(config)# vlan 2
Your Product(config-vlan)# ports xl-ethernet 0/2 untagged xl-ethernet 0/2
Your Product(config-vlan)# exit
Your Product(config)# interface xl-ethernet 0/1
Your Product(config-if)# switchport pvid 1
Your Product(config-if)# no shutdown
Your Product(config-if)# exit
Your Product(config)# interface xl-ethernet 0/2
Your Product(config-if)# switchport pvid 2
Your Product(config-if)# no shutdown
Your Product(config-if)# exit

c t 
radius-server host 192.168.1.109 auth-port 1812 timeout 10 retransmit 3 key testing123 
login authentication radius
end

To enable the Strict Radius-Local mode, which refers to the authentication done through RADIUS first and then local only if the RADIUS server is no longer reachable, enter the following commands:

c t 
radius-server host 192.168.1.109 auth-port 1812 timeout 10 retransmit 3 key testing123 
login authentication radius local
end

Configuring RADIUS Client for Remote Login Authentication

Configuration Guidelines

1. To establish communication with the RADIUS server, configure the server IP address and the secret key. The secret key must be specific to the client and the server for establishing communication between them.
2. Authentication method must be explicitly specified as radius.
3. When multiple servers are configured, any one server can be configured as the primary server. This server will be contacted first in case of an authentication event. If the primary server is not reachable, the other servers will be contacted.

Default Configurations

Configuration Steps

At NAS:

1. Execute the following commands to configure the RADIUS client with server-specific parameters such as host, timeout, key, and retransmit interval and to configure RADIUS authentication.
   Enter the Global Configuration mode.

Your Product# configure terminal

Configure the radius-server host as the primary server.

Your Product(config)# radius-server host 13.0.0.20 auth-port 1812 timeout 6 retransmit 6 key AccedianRadius primary

Configure the router to use RADIUS for authentication at the login prompt.

Your Product(config)# login authentication radius

Exit from the Global Configuration mode.

Your Product(config)# end

2. Execute the following command to view the RADIUS server-specific configurations.

Your Product# show radius server

Primary Server : 13.0.0.20
Radius Server Host Information

------------
Index : 1
Server address : 13.0.0.20
Shared secret :
Radius Server Status : Enabled
Response Time : 6
Maximum Retransmission : 6
Authentication Port : 1812
Accounting Port : 1813

3. Execute the following command to view the RADIUS statistics.

Your Product# show radius statistics

Radius Server Statistics

-------------------------
Index : 1
Radius Server Address : 13.0.0.20
UDP port number : 1812
Round trip time : 0
No of request packets : 1
No of retransmitted packets : 0
No of access-accept packets : 1
No of access-reject packets : 0
No of access-challenge packets : 0
No of malformed access responses : 0
No of bad authenticators : 0
No of pending requests : 0
No of time outs : 0
No of unknown types : 0

4. Execute the following command to view the system information.

Your Product# show system information

Hardware Version : 5.2.4
Firmware Version : 5.0.0.0
Switch Name : SKylight Flex
System Contact : info@accedian.com
System Location : ACCEDIAN
Logging Option : Console Logging
Login Authentication Mode : Remote

Config Save Status : Not Initiated
Remote Save Status : Not Initiated
Config Restore Status : Not Initiated

Configure the IPv6 radius-server host and set it as the primary server. The previous configuration:

Your Product(config)# radius-server host 2003::2 auth-port 1812 timeout 6 retransmit 6 key AccedianRadius primary

At RADIUS-Server:

As mentioned earlier, the freeRADIUS server code is used for this configuration. Customize the following sample files available in the raddb directory (available in the path \etc\raddb in Linux):

• users
• clients.conf
• radiusd.conf

An example is shown below:
In the file users include the following line to allow a user named iss with password iss123 and authentication type as PAP.

"Your Product" Auth-Type := PAP, User-Password == "Your Product123"

In the file clients.conf, specify the RADIUS client information.

client 13.0.0.5 {
secret = AccedianRadius
shortname = Rad
}

In the file radiusd.conf, specify the encryption scheme for PAP.

. pap {
encryption_scheme = clear
}

Either Ipv4 of Ipv6 can be enabled in the server at the same time. When the IP v4 server is to be used, comment out the IPv6 server by adding a “#” at the front and vice versa.

ipaddr = *
ipv6addr = ::

From the root mode, start RADIUS Server Daemon.

# radiusd –X -A

At Host:
Telnet the router from the host

#telnet 20.0.0.1

Accedian Intelligent Switch Solution
Flex login: iss
Password: iss123
Your Product>

Configuring RADIUS Client for Dot1x Authentication

Configuration Guidelines

1. To establish communication with the RADIUS server, configure the server IP address and the secret key. The secret key must be specific to the client and the server for establishing communication between them.
2. Authentication method must be explicitly specified as radius.

Default Configurations

Configuration Steps

At NAS:

1. Execute the following commands to configure the RADIUS client with server-specific parameters such as host, timeout, key, and retransmit interval and to enable dot1x authentication.
   Enter the Global Configuration mode.

Your Product# configure terminal

Configure the radius-server host.

Your Product(config)# radius-server host 13.0.0.20 auth-port 1812 timeout 6 retransmit 6 key AccedianRadius primary

Enable 802.1x authentication on the switch.

Your Product(config)# dot1x system-auth-control

Configure the router to use RADIUS server-based remote authentication method for all ports.

Your Product(config)# aaa authentication dot1x default group radius

Exit from the Global Configuration mode.

Your Product(config)# exit

Specify the port (client/supplicant) that is to be enabled for 802.1x authentication.

Your Product(config)# interface xl-ethernet 0/1

Enable 802.1x authentication on that port.

Your Product(config-if)# dot1x port-control auto

Exit from the Interface Configuration mode.

Your Product(config)# end

2. Execute the following command to view the server-specific configurations.

Your Product# show radius server

Primary Server : 13.0.0.20
Radius Server Host Information

------------------------------
Index : 1
Server address : 13.0.0.20
Shared secret :
Radius Server Status : Enabled
Response Time : 6
Maximum Retransmission : 6
Authentication Port : 1812
Accounting Port : 1813

3. Execute the following command to View the RADIUS statistics.

Your Product# show radius statistics

Radius Server Statistics

-----------------------------
Index : 1
Radius Server Address : 13.0.0.20
UDP port number : 1812
Round trip time : 0
No of request packets : 1
No of retransmitted packets : 0
No of access-accept packets : 1
No of access-reject packets : 0
No of access-challenge packets : 1
No of malformed access responses : 0
No of bad authenticators : 0
No of pending requests : 0
No of time outs : 0
No of unknown types : 0

--------------------------------
4. Execute the following command to view the dot1x information for the interface xl-ethernet 0/1. Supplicant State Machine will be Authenticated only after running the supplicant on the host.

Your Product# show dot1x interface xl-ethernet 0/1

Dot1x Info for Gi0/1

---------------------
PortStatus = AUTHORIZED

AccessControl = INACTIVE
AuthSM State = AUTHENTICATED
SuppSM State = AUTHENTICATED
BendSM State = IDLE
AuthPortStatus = AUTHORIZED
SuppPortStatus = AUTHORIZED
AdminControlDirection = BOTH
OperControlDirection = BOTH
MaxReq = 2
Port Control = Auto
QuietPeriod = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
Tx Period = 30 Seconds

5. Execute the following command to view the global dot1x information.

Your Product# show dot1x

Sysauthcontrol = Enabled
Module Oper Status = Enabled
Dot1x Protocol Version = 2
Dot1x Authentication Method = Radius
Nas ID = fsNas1

At RADIUS-Server:

Assume that the freeRADIUS server code is used for this configuration. Customize the following sample files available in the raddb directory (available in the path \etc\raddb in Linux).

• users
• clients.conf
• radiusd.conf

An example is shown below.

In the file users include the following line to allow a user named iss@accedian.com with password iss123 and authentication type as EAP.

"iss@accedian.com" Auth-Type := EAP, User-Password == "iss123"

In the file clients.conf, specify the RADIUS client information.

client 13.0.0.5 {
secret = AccedianRadius
shortname = Rad
nastype = other
}

In the file radiusd.conf, specify the encryption scheme for EAP.

eap {
default_eap_type = md5
timer_expire = 60
md5 {
}
leap {
}
}
chap {
authtype = CHAP
}

At root:

Start RADIUS on the server.

#radiusd –X -A

At Host:

Specify the secret for authentication using CHAP with Meetinghouse Data Communications SecureSupplicant (mdc-ssd)2 in the file mdc-ssd/chap-secrets (available in the path \etc\mdc-ssd in Linux).

Run the Meetinghouse Data Communications SecureSupplicant (802.1x protocol supplicant daemon).

#mdc-ssd logfd 1 nodetach ifname eth0 identity iss@accedian.com