Configuring RADIUS
This article describes how to set up RADIUS authentication for remote (dial-in) login and for 802.1X, using a FreeRADIUS server (version 0.9.31 was used for the examples).
The router configuration is the same irrespective of the RADIUS server used.
Note: To log in to the device, enter your username (default is root) and password (default is admin123). Change these defaults before exposing the management interface to any untrusted network.
General Configuration Guidelines
Pre-requisite Configuration
Configure the VLAN interfaces by executing the following commands:
Your Product# configure terminal
Your Product(config)# interface vlan 1
Your Product(config-if)# shutdown
Your Product(config-if)# ip address 20.0.0.1 255.0.0.0
Your Product(config-if)# ipv6 address 2004::1 64
Your Product(config-if)# ipv6 enable
Your Product(config-if)# no shutdown
Your Product(config-if)# exit
Your Product(config)# vlan 1
Your Product(config-vlan)# ports xl-ethernet 0/1 untagged xl-ethernet 0/1
Your Product(config-vlan)# exit
Your Product(config)# interface vlan 2
Your Product(config-if)# shutdown
Your Product(config-if)# ipv6 address 2003::1 64
Your Product(config-if)# ipv6 enable
Your Product(config-if)# no shutdown
Your Product(config-if)# exit
Your Product(config)# vlan 2
Your Product(config-vlan)# ports xl-ethernet 0/2 untagged xl-ethernet 0/2
Your Product(config-vlan)# exit
Your Product(config)# interface xl-ethernet 0/1
Your Product(config-if)# switchport pvid 1
Your Product(config-if)# no shutdown
Your Product(config-if)# exit
Your Product(config)# interface xl-ethernet 0/2
Your Product(config-if)# switchport pvid 2
Your Product(config-if)# no shutdown
Your Product(config-if)# exit
Notes:
To enable Radius mode, in which users are authenticated against the RADIUS server only, enter the following commands:
configure terminal
radius-server host 192.168.1.109 auth-port 1812 timeout 10 retransmit 3 key testing123
login authentication radius
end
To enable Strict Radius-Local mode, in which authentication is attempted through RADIUS first and falls back to the local user database only when the RADIUS server is unreachable (a login that the server rejects is not retried locally), enter the following commands:
configure terminal
radius-server host 192.168.1.109 auth-port 1812 timeout 10 retransmit 3 key testing123
login authentication radius local
end
The key testing123 is the well-known shared secret shipped in the FreeRADIUS sample clients.conf; replace it with a long, unique secret per NAS. In Radius mode nobody can log in while the server is unreachable, so keep a tested recovery path (or use Strict Radius-Local mode) before enabling it.
Configuring RADIUS Client for Remote Login Authentication
Configuration Guidelines
- To establish communication with the RADIUS server, configure the server IP address and the shared secret. The same secret must be configured on the client (NAS) and on the server; it identifies this client to the server and is used to hide passwords and to authenticate server replies.
- The authentication method must be explicitly specified as radius.
- When multiple servers are configured, one of them can be marked as the primary server. The primary server is contacted first for every authentication event; if it is not reachable, the other servers are contacted.
Default Configurations
Feature | Default Setting |
---|---|
Radius-server timeout | 10 |
Radius-server retransmit | 3 |
Radius-server encryption key | AccedianRADIUS |
login authentication | Local |
Configuration Steps
At NAS:
- Execute the following commands to configure the RADIUS client with server-specific parameters (host, timeout, key and retransmit count) and to enable RADIUS login authentication.
Enter the Global Configuration mode.
Your Product# configure terminal
Configure the radius-server host as the primary server.
Your Product(config)# radius-server host 13.0.0.20 auth-port 1812 timeout 6 retransmit 6 key AccedianRadius primary
Configure the router to use RADIUS for authentication at the login prompt.
Your Product(config)# login authentication radius
Exit from the Global Configuration mode.
Your Product(config)# end
- Execute the following command to view the RADIUS server-specific configurations.
Your Product# show radius server
Primary Server : 13.0.0.20
Radius Server Host Information
------------
Index : 1
Server address : 13.0.0.20
Shared secret :
Radius Server Status : Enabled
Response Time : 6
Maximum Retransmission : 6
Authentication Port : 1812
Accounting Port : 1813
- Execute the following command to view the RADIUS statistics.
Your Product# show radius statistics
Radius Server Statistics
-------------------------
Index : 1
Radius Server Address : 13.0.0.20
UDP port number : 1812
Round trip time : 0
No of request packets : 1
No of retransmitted packets : 0
No of access-accept packets : 1
No of access-reject packets : 0
No of access-challenge packets : 0
No of malformed access responses : 0
No of bad authenticators : 0
No of pending requests : 0
No of time outs : 0
No of unknown types : 0
- Execute the following command to view the system information.
Your Product# show system information
Hardware Version : 5.2.4
Firmware Version : 5.0.0.0
Switch Name : Skylight Flex
System Contact : info@accedian.com
System Location : ACCEDIAN
Logging Option : Console Logging
Login Authentication Mode : Remote
Config Save Status : Not Initiated
Remote Save Status : Not Initiated
Config Restore Status : Not Initiated
To use an IPv6 RADIUS server instead, configure the host with its IPv6 address and set it as the primary server; the rest of the configuration is the same as above.
Your Product(config)# radius-server host 2003::2 auth-port 1812 timeout 6 retransmit 6 key AccedianRadius primary
At RADIUS-Server:
As mentioned earlier, FreeRADIUS is used as the server for this configuration. Customize the following sample files in the raddb directory (/etc/raddb on Linux):
- users
- clients.conf
- radiusd.conf
An example is shown below:
In the file users include the following line to allow a user named iss with password iss123 and authentication type PAP (this is the FreeRADIUS 0.9/1.x syntax; FreeRADIUS 2.x and later expect the password as Cleartext-Password := "iss123" instead of User-Password ==):
"iss" Auth-Type := PAP, User-Password == "iss123"
In the file clients.conf, specify the RADIUS client information.
client 13.0.0.5 {
secret = AccedianRadius
shortname = Rad
}
In the file radiusd.conf, tell the pap module that the stored passwords are in cleartext.
pap {
encryption_scheme = clear
}
Either IPv4 or IPv6 can be enabled in the server, but not both at the same time. When the IPv4 listener is to be used, comment out the IPv6 line by adding a "#" in front of it, and vice versa.
ipaddr = *
ipv6addr = ::
As root, start the RADIUS server daemon in debug mode, which prints every request and reply to the console:
# radiusd -X -A
At Host:
Telnet to the router from the host. Telnet carries the username and password in cleartext across the network, so use an encrypted management protocol such as SSH where the device supports it.
# telnet 20.0.0.1
Accedian Intelligent Switch Solution
Flex login: iss
Password: iss123
Your Product>
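To make the shared-secret mechanics behind the "bad authenticators" counter in show radius statistics concrete, the following Python program is an added example, not code from this page, from Accedian or from FreeRADIUS. It builds the RFC 2865 Access-Request the NAS sends for the PAP login above, hides the password with the shared secret, lets a minimal server decide and sign the reply, and then verifies the Response Authenticator on the NAS side. The user iss/iss123 and the secret AccedianRadius are the page's values; the packet identifiers, the users dictionary and the function names are constructed for the example.

```python
"""RADIUS PAP exchange (RFC 2865) showing what the shared secret is used for.
Added example, not code from the page, Accedian or FreeRADIUS. The user and
secret values are the ones from the page's configuration; the packet bytes,
identifiers and the tiny user database are constructed here."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type, value):
    """Type-Length-Value encoding of one attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(body):
    attrs, i = {}, 0
    while i < len(body):
        attr_type, length = body[i], body[i + 1]
        attrs[attr_type] = body[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    """Server side of the same operation; the chaining uses the previous hidden block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret):
    """What the NAS sends for 'login authentication radius' with a PAP login."""
    request_auth = os.urandom(16)  # must be unpredictable: it keys the password hiding
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def server_handle(request, secret, users):
    """Server: recover the password, decide, and sign the reply with the shared secret."""
    attrs = _parse_attrs(request[20:])
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    code = ACCESS_ACCEPT if users.get(attrs[ATTR_USER_NAME]) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, request[1], 20)  # no reply attributes in this example
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(response, request, secret):
    """NAS side: recompute the Response Authenticator. False is a 'bad authenticator',
    which the NAS counts in 'show radius statistics' and silently discards."""
    if response[1] != request[1] or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo(nas_secret=b"AccedianRadius", server_secret=b"AccedianRadius"):
    """Returns (response code, authenticator valid) for the page's user 'iss'."""
    users = {b"iss": b"iss123"}  # constructed stand-in for the FreeRADIUS users file
    request = build_access_request(1, b"iss", b"iss123", nas_secret)
    response = server_handle(request, server_secret, users)
    return response[0], verify_response(response, request, nas_secret)


if __name__ == "__main__":
    print("matching secrets:", demo())                        # (2, True): Access-Accept
    print("secret mismatch :", demo(server_secret=b"wrong"))  # (3, False): Reject, bad authenticator
```

Run the file directly to see both outcomes. The mismatch case is what happens when the key on the NAS and the secret in clients.conf differ: the server recovers garbage instead of the password and rejects, and the NAS cannot validate the reply, so the request counts as a time-out with a bad authenticator. The hiding scheme is MD5-based and reversible by anyone who holds the secret, and RADIUS over UDP has no other protection, so both the secret and the network path between NAS and server need protecting.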
Configuring RADIUS Client for Dot1x Authentication
Configuration Guidelines
- To establish communication with the RADIUS server, configure the server IP address and the shared secret. The same secret must be configured on the client (NAS) and on the server; it identifies this client to the server.
- The authentication method must be explicitly specified as radius.
Default Configurations
Feature | Default Setting |
---|---|
Radius-server timeout | 10 |
Radius-server retransmit | 3 |
Radius-server encryption key | AccedianRADIUS |
dot1x system-auth-control | enabled |
aaa authentication dot1x default | local |
dot1x port-control | force-authorized |
Configuration Steps
At NAS:
- Execute the following commands to configure the RADIUS client with server-specific parameters (host, timeout, key and retransmit count) and to enable dot1x authentication.
Enter the Global Configuration mode.
Your Product# configure terminal
Configure the radius-server host.
Your Product(config)# radius-server host 13.0.0.20 auth-port 1812 timeout 6 retransmit 6 key AccedianRadius primary
Enable 802.1x authentication on the switch.
Your Product(config)# dot1x system-auth-control
Configure the router to use RADIUS server-based remote authentication method for all ports.
Your Product(config)# aaa authentication dot1x default group radius
Remain in Global Configuration mode and enter the Interface Configuration mode for the port (client/supplicant side) that is to be enabled for 802.1x authentication.
Your Product(config)# interface xl-ethernet 0/1
Enable 802.1x authentication on that port.
Your Product(config-if)# dot1x port-control auto
Return to Privileged EXEC mode.
Your Product(config-if)# end
- Execute the following command to view the server-specific configurations.
Your Product# show radius server
Primary Server : 13.0.0.20
Radius Server Host Information
------------------------------
Index : 1
Server address : 13.0.0.20
Shared secret :
Radius Server Status : Enabled
Response Time : 6
Maximum Retransmission : 6
Authentication Port : 1812
Accounting Port : 1813
- Execute the following command to view the RADIUS statistics. The access-challenge count is 1 because EAP-MD5 requires the server to send a challenge before it can accept or reject.
Your Product# show radius statistics
Radius Server Statistics
-----------------------------
Index : 1
Radius Server Address : 13.0.0.20
UDP port number : 1812
Round trip time : 0
No of request packets : 1
No of retransmitted packets : 0
No of access-accept packets : 1
No of access-reject packets : 0
No of access-challenge packets : 1
No of malformed access responses : 0
No of bad authenticators : 0
No of pending requests : 0
No of time outs : 0
No of unknown types : 0
- Execute the following command to view the dot1x information for the interface xl-ethernet 0/1. The Supplicant State Machine shows Authenticated only after the supplicant has been run on the host.
Your Product# show dot1x interface xl-ethernet 0/1
Dot1x Info for Gi0/1
---------------------
PortStatus = AUTHORIZED
AccessControl = INACTIVE
AuthSM State = AUTHENTICATED
SuppSM State = AUTHENTICATED
BendSM State = IDLE
AuthPortStatus = AUTHORIZED
SuppPortStatus = AUTHORIZED
AdminControlDirection = BOTH
OperControlDirection = BOTH
MaxReq = 2
Port Control = Auto
QuietPeriod = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
Tx Period = 30 Seconds
- Execute the following command to view the global dot1x information.
Your Product# show dot1x
Sysauthcontrol = Enabled
Module Oper Status = Enabled
Dot1x Protocol Version = 2
Dot1x Authentication Method = Radius
Nas ID = fsNas1
At RADIUS-Server:
As above, FreeRADIUS is used as the server for this configuration. Customize the following sample files in the raddb directory (/etc/raddb on Linux).
- users
- clients.conf
- radiusd.conf
An example is shown below.
In the file users include the following line to allow a user named iss@accedian.com with password iss123 and authentication type as EAP.
"iss@accedian.com" Auth-Type := EAP, User-Password == "iss123"
In the file clients.conf, specify the RADIUS client information.
client 13.0.0.5 {
secret = AccedianRadius
shortname = Rad
nastype = other
}
In the file radiusd.conf, configure the eap module with EAP-MD5 as the default type, and the chap module.
eap {
default_eap_type = md5
timer_expire = 60
md5 {
}
leap {
}
}
chap {
authtype = CHAP
}
EAP-MD5 does not authenticate the server and derives no session keys: the supplicant cannot tell a rogue authenticator from the real one, and anyone who captures one challenge/response pair can test password guesses offline. Prefer a mutually authenticating method such as EAP-TLS or PEAP where the supplicant supports it, and use this configuration only for lab testing.
As root, start the RADIUS server daemon in debug mode:
# radiusd -X -A
At Host:
Specify the secret for authentication using CHAP with the Meetinghouse Data Communications SecureSupplicant (mdc-ssd) in the file chap-secrets (/etc/mdc-ssd/chap-secrets on Linux).
Identity | Server | Secret |
---|---|---|
iss@accedian.com | * | iss123 |
Run the Meetinghouse Data Communications SecureSupplicant (802.1x protocol supplicant daemon).
#mdc-ssd logfd 1 nodetach ifname eth0 identity iss@accedian.com
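The EAP-MD5 exchange that the supplicant performs above, as an added Python example (not code from this page, from Accedian, FreeRADIUS or Meetinghouse): it builds the EAP-Request/MD5-Challenge that the server returns inside the RADIUS Access-Challenge, computes the supplicant's response from the identity and password in chap-secrets, checks it server-side, and then shows what a passive observer of that same pair can do with a small wordlist. The identity iss@accedian.com and password iss123 are the page's values; the challenge bytes, EAP identifier, users dictionary, wordlist and function names are constructed for the example.

```python
"""EAP-MD5 (RFC 3748 section 5.4; the same MD5 computation as CHAP, RFC 1994)
as used by the dot1x example. Added example, not code from the page, Accedian,
FreeRADIUS or the mdc-ssd supplicant. The identity and password are the page's;
the challenge bytes, identifiers, user table and wordlist are constructed."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5_CHALLENGE = 4


def md5_response_value(identifier, password, challenge):
    """RFC 1994 4.1: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def _eap_md5_packet(code, identifier, value, name=b""):
    """Code, Identifier, Length, Type=4, Value-Size, Value, Name (RFC 3748 5.4)."""
    data = bytes([len(value)]) + value + name
    return struct.pack("!BBHB", code, identifier, 5 + len(data), EAP_TYPE_MD5_CHALLENGE) + data


def build_challenge(identifier, challenge):
    """EAP-Request/MD5-Challenge; the server carries it inside a RADIUS Access-Challenge."""
    return _eap_md5_packet(EAP_REQUEST, identifier, challenge)


def build_response(identifier, password, challenge, identity):
    """EAP-Response/MD5-Challenge as the supplicant computes it from chap-secrets."""
    value = md5_response_value(identifier, password, challenge)
    return _eap_md5_packet(EAP_RESPONSE, identifier, value, identity)


def parse_md5_packet(pkt):
    """Returns (code, identifier, value, name); raises on a malformed packet."""
    code, identifier, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP-MD5 packet")
    value_size = pkt[5]
    return code, identifier, pkt[6:6 + value_size], pkt[6 + value_size:]


def server_decide(challenge_pkt, response_pkt, users):
    """Server side: EAP_SUCCESS or EAP_FAILURE (sent back in Access-Accept / Access-Reject)."""
    _, challenge_id, challenge, _ = parse_md5_packet(challenge_pkt)
    code, response_id, value, name = parse_md5_packet(response_pkt)
    if code != EAP_RESPONSE or response_id != challenge_id:
        return EAP_FAILURE
    password = users.get(bytes(name))
    if password is None:
        return EAP_FAILURE  # unknown identity
    expected = md5_response_value(response_id, password, challenge)
    return EAP_SUCCESS if hmac.compare_digest(expected, value) else EAP_FAILURE


def offline_guess(challenge_pkt, response_pkt, candidates):
    """What a passive observer on the wire can do: EAP-MD5 derives no keys and
    does not authenticate the server, so one captured pair is enough to test guesses."""
    _, _, challenge, _ = parse_md5_packet(challenge_pkt)
    _, response_id, value, _ = parse_md5_packet(response_pkt)
    for candidate in candidates:
        if md5_response_value(response_id, candidate, challenge) == value:
            return candidate
    return None


def demo(password=b"iss123"):
    """Returns (EAP result code, password recovered offline or None)."""
    users = {b"iss@accedian.com": b"iss123"}  # constructed stand-in for the users file
    challenge = os.urandom(16)
    request = build_challenge(0x2A, challenge)
    response = build_response(0x2A, password, challenge, b"iss@accedian.com")
    wordlist = [b"admin123", b"testing123", b"iss123"]  # constructed
    return server_decide(request, response, users), offline_guess(request, response, wordlist)


if __name__ == "__main__":
    print(demo())          # (3, b'iss123'): success, and the password falls to the wordlist
    print(demo(b"wrong"))  # (4, None): failure, nothing recovered
```

The server never sees the password on the wire, only the MD5 value, which is the point of the challenge over PAP; but the same value is all an eavesdropper needs, which is why the password in chap-secrets must be strong even on a network where 802.1X is meant to be the gate.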
© 2024 Cisco and/or its affiliates. All rights reserved.