How To Set Up a RADIUS Server for User Authentication



Similar documents
Chapter 29 User Authentication

Configuring CSS Remote Access Methods

netld External Authentication Setup Guide

How To - Implement Clientless Single Sign On Authentication with Active Directory

RADIUS Authentication and Accounting

AlliedTelesis AT-AR700 Series

Teldat Router. RADIUS Protocol

Configuring RADIUS Authentication for Device Administration

Use 802.1x EAP-TLS or PEAP-MS-CHAP v2 with Microsoft Windows Server 2003 to Make a Secure Network

Using RADIUS Agent for Transparent User Identification

The example in this Note uses Linux for both the access controller (RADIUS server) and the supplicant (client).

TACACS+ Authentication

Ruckus Wireless ZoneDirector Command Line Interface

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

Simple Installation of freeradius

AT-S60 Version Management Software for the AT-8400 Series Switch. Software Release Notes

7750 SR OS System Management Guide

FortiAuthenticator - Two-Factor Authentication Agent for Windows VERSION 1.0

How To Configure some basic firewall and VPN scenarios

How to Configure Web Authentication on a ProCurve Switch

Pandora FMS 3.0 Quick User's Guide: Network Monitoring. Pandora FMS 3.0 Quick User's Guide

HOW TO CONFIGURE CISCO FIREWALL PART I

School of Information Science (IS 2935 Introduction to Computer Security, 2003)

- Basic Router Security -

External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

HIPAA Compliance Use Case

How To. Configure Microsoft Windows XP ** Virtual Private Network (VPN) client interoperability without NAT-T support.


WhatsUpGold. v3.0. WhatsConnected User Guide

Chapter 46 Terminal Server

How to configure MAC authentication on a ProCurve switch

7450 ESS OS System Management Guide. Software Version: 7450 ESS OS 10.0 R1 February 2012 Document Part Number: * *

Web Authentication Application Note

Configuring Access Service Security

Set up your AT-AR440S ADSL Router for Typical Network Scenarios. Note: The latest documentation can always be downloaded from

Firewall Authentication Proxy for FTP and Telnet Sessions

freesshd SFTP Server on Windows

ipad or iphone with Junos Pulse and Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

Telnet, Console and AUX Port Passwords on Cisco Routers Configuration Example

Configuring SSL VPN on the Cisco ISA500 Security Appliance

Determine if the expectations/goals/strategies of the firewall have been identified and are sound.

Management Software. User s Guide AT-S84. For the AT-9000/24 Layer 2 Gigabit Ethernet Switch. Version Rev. B

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

How To Configure MAC-based port authentication

What information will you find in this document?

Configure A Secure Network Solution For Schools. What information will you find in this document?

How To Connect A Gemalto To A Germanto Server To A Joniper Ssl Vpn On A Pb.Net 2.Net (Net 2) On A Gmaalto.Com Web Server

How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment

SETTING UP REMOTE ACCESS ON EYEMAX PC BASED DVR.

IIS, FTP Server and Windows

FreeRADIUS server. Defining clients Access Points and RADIUS servers

pfsense Captive Portal: Part One

Integration Guide. SafeNet Authentication Service. Oracle Secure Desktop Using SAS RADIUS OTP Authentication

What information will you find in this document?

Fireware How To Authentication

Innominate mguard Version 6

Lab Organizing CCENT Objectives by OSI Layer

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

Brazosport College VPN Connection Installation and Setup Instructions. Draft 2 March 24, 2005

Using WhatsUp IP Address Manager 1.0

Lab Configure Basic AP Security through IOS CLI

RemotelyAnywhere. Security Considerations

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Using LiveAction with Cisco Secure ACS (TACACS+ Server)

Multi-Homing Dual WAN Firewall Router

How To Configure A Kiwi Ip Address On A Gbk (Networking) To Be A Static Ip Address (Network) On A Ip Address From A Ipad (Netware) On An Ipad Or Ipad 2 (

Troubleshooting the Firewall Services Module

FortiOS Handbook - Hardening your FortiGate VERSION 5.2.3

Integrating with IBM Tivoli TSOM

RADIUS Server Load Balancing

ZyWALL OTP Co works with Active Directory Not Only Enhances Password Security but Also Simplifies Account Management

Cisco Configuring Secure Shell (SSH) on Cisco IOS Router

RADIUS Server Load Balancing

AGLARBRI PROJECT AFRICAN GREAT LAKES RURAL BROADBAND RESEARCH INFRASTRUCTURE. RADIUS installation and configuration

Using IEEE 802.1x to Enhance Network Security

Monitoring DoubleTake Availability

Chapter 21 Terminal Server

Technical Note. Configuring Outlook Web Access with Secure WebMail Proxy for eprism

HP Device Manager 4.7

How To Integrate Watchguard Xtm With Secur Access With Watchguard And Safepower 2Factor Authentication On A Watchguard 2T (V2) On A 2Tv 2Tm (V1.2) With A 2F

enetworks TM Using the Syslog Feature C.1 Configuring the Syslog Feature

Web Browser Interface User s Guide

Configuration of Cisco Routers. Mario Baldi

Brocade Certified Layer 4-7 Professional Version: Demo. Page <<1/8>>

OCS Training Workshop LAB14. Setup

Troubleshooting for Yamaha router

Configuring Devices for Use with Cisco Configuration Professional (CCP) 2.5

Application Note. Using a Windows NT Domain / Active Directory for User Authentication NetScreen Devices 8/15/02 Jay Ratford Version 1.

EE Easy CramBible Lab DEMO ONLY VERSION EE F5 Big-Ip v9 Local Traffic Management

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client

Lieberman Software. RSA SecurID Ready Implementation Guide. Account Reset Console. Partner Information. Last Modified: March 20 th, 2012

Agent Configuration Guide

LAB THREE STATIC ROUTING

Kepware Technologies Remote OPC DA Quick Start Guide (DCOM)

PRILINK PRI Management System

AlienVault. Unified Security Management 5.x Configuring a VPN Environment

ISE TACACS+ Configuration Guide for Cisco NX-OS Based Network Devices. Secure Access How-to User Series

Configuring Global Protect SSL VPN with a user-defined port

Siteminder Integration Guide

How To Create An Easybelle History Database On A Microsoft Powerbook (Windows)

Transcription:

How To Set Up a RADIUS Server for User Authentication Introduction This document provides information on how to set up a RADIUS server to authenticate users who access the device by Telnet or via the console port. It makes use of commands and features modified or added with the release of 2.7.3. and 2.7.4. This example was tested in the lab with an AT-8948 switch and a FreeRADIUS server on Mandrake 10.0. The AT-8948 configuration may easily be set on any one of Allied Telesyn's Layer 3 switches or routers. Throughout this document the term client refers to the Allied Telesyn device. This is the device that the user tries to login to. The term server(s) describes the RADIUS server(s); user is the name entered at the console or Telnet login-prompt. Commands used in this document ADD RADius POrt ACCPort SECret SERVER SET RADius [TIMEOut=1..15] [DEAdtime=0..1440] [RETransmitcount=1..5] SHow RADius [DEBug] ADD USER RSO ADD USEr=login-name LOgin={True False ON OFf Yes No} PAssword=password [RADiusbackup={ON OFF YES NO True False}] [other-options...] What information will you find in this document? This document provides information on how to configure: Single RADIUS server for user authentication page 2 Two RADIUS servers with one for redundancy page 4 Which product and software version does this information apply to? The information provided in this document applies to: Products: AT-AR440S, AT-AR450S, AT-AR700 Series, Rapier Series, AT-8600 Series, AT-8700 Series, AT-8800 Series, AT-8900 Series, AT-9800 Series, AT-9900 Series, SwitchBlade Software release: 2.7.3+ C613-16066-00 REV B www.alliedtelesyn.com

Single RADIUS server for user authentication In this example, we will authenticate all console and Telnet logins through a single RADIUS server. Figure 1: Network configuration for a single RADIUS server.200 192.168.2.0.1 Switch/Router RADIUS Server Configuration The configuration for this setup is very simple. You need to setup the RADIUS server so that it recognises the client (192.168.2.200). For the RADIUS setup configuration, please refer to FreeRADIUS sample configuration (on Mandrake 10.0) page 9. The client will use the key secret to identify its authenticity to the server. Access messages will be sent to port 1812 on the server and accounting packets will be sent to port 1813. Note: There are no accounting processes for Telnet/SSH/console logins. Manager > show config dynamic=ip IP configuration enable ip add ip interface=vlan1 ip=192.168.2.200 Manager > show config dynamic=radius RADIUS configuration add radius server=192.168.2.1 secret="secret" port=1812 accport=1813 Set Up a RADIUS Server for User Authentication 2

Description In this setup, console and Telnet logins will first be checked against the local user database. If the name provided at the login prompt is not a local user then the RADIUS server will be queried. The user manager will still have normal Telnet and console access and will not be checked against the RADIUS server unless you have modified this configuration. If a user fails to authenticate locally and is rejected by the RADIUS server, there will be no indication given to the terminal as to why the user has been denied access. However, an entry will be written to log. 24 08:21:59 3 TLNT AUTH OK Telnet connection accepted from 192.168.2.1 (TTY 17) 24 08:22:06 3 USER USER 00011 allied login failed on TTY17, reason:no such user Helpful information about the status of the RADIUS server can also be seen with the show radius command: Manager > show radius RADIUS Server Parameters ------ Server Retransmit Count... 3 Server Timeout... 6 sec Server Dead Time... 0 min ------ Server Port AccPort Secret LocalInterface Status 192.168.2.1 1812 1813 ****** Not set Alive This information tells us that the RADIUS server is 192.168.2.1. The port to which Access- Requests are sent by the client to the server is 1812. RADIUS Accounting packets are sent to port 1813. The secret password that is shared between the RADIUS server and the client is not displayed for security reasons. A local interface was not set in this example. The status of the RADIUS server is reported as alive. Set Up a RADIUS Server for User Authentication 3

Two RADIUS servers with one for redundancy To ensure that authentication on your network does not stop when the primary RADIUS server dies, you may choose to configure backup RADIUS servers. In this example, we will use one backup server. We will change the RADIUS retransmit count, timeout period and server dead time on the client to speed up or slow down the wait period before the client decides that the primary server is dead and moves on to query the secondary server. We will also set the client to use a Local IP as the source address for the packets it sends to the server. Figure 2: Network configuration for two RADIUS servers 192.168.2.0.1 Local IP = 192.168.2.100 RADIUS Server 1.2 RADIUS Server 2 Configuration The configuration for this setup is also quite straightforward. You need to setup the RADIUS server so that it recognises the client (192.168.2.100). For the RADIUS setup configuration, please refer to FreeRADIUS sample configuration (on Mandrake 10.0) page 9. The client will use the key secret to identify its authenticity to the server. Access messages will be sent to port 1812 on the server and accounting messages will be sent to port 1813. Note: In the case of Telnet/SSH/console logins there are no accounting processes. In this example we need to add more than one RADIUS server and in the right order. The first server added will always be consulted first. If that server fails to respond to an Access-Request then the next server will be consulted after a retransmit count and timeout period. Set Up a RADIUS Server for User Authentication 4

Manager > show conf dynamic=ip IP configuration enable ip add ip interface=vlan1 ip=192.168.2.200 add ip local=1 ip=192.168.2.100 Manager > show conf dynamic=radius RADIUS configuration add radius server=192.168.2.1 secret="secret" port=1812 accport=1813 local=1 add radius server=192.168.2.2 secret="secret" port=1812 accport=1813 local=1 Description Your client will now send Access-Request messages to 192.168.2.1 via the local interface (192.168.2.100). Manager > show radius RADIUS Server Parameters ---- Server Retransmit Count... 3 Server Timeout... 6 sec Server Dead Time... 0 min ----- Server Port AccPort Secret LocalInterface Status 192.168.2.1 1812 1813 ****** local1 Alive 192.168.2.2 1812 1813 ****** local1 Alive This information tells us that the first RADIUS server is 192.168.2.1 and the second is 192.168.2.2. The port to which Access-Requests are sent by the client to the server is 1812. RADIUS Accounting packets are sent to port 1813. The secret password that is shared between the server and the client is not displayed for security reasons. Here you see that the LocalInterface value is set to local1 IP 192.168.2.100, this is the source address of RADIUS packets. Both RADIUS servers are reported as being alive. In this configuration, if the server 192.168.2.1 fails to respond to RADIUS packets sent by the client then the Status will not be marked as dead because of the Server Dead Time value of zero. Server Dead Time can be configured with the DEAdtime command. DEAdtime is the length of time for which the server should be considered dead. The default is 0 minutes. When a RADIUS server cannot be contacted, it is considered 'dead' for a period of time. Configuring this will stop the client from continually trying to contact a server that it has already determined as dead. Set Up a RADIUS Server for User Authentication 5

set radius DEAdtime=1 This command tells the client not to send any RADIUS packets for one minute after determining that it is dead. As a result, the status will be changed appropriately. Manager > show radius RADIUS Server Parameters ---- Server Retransmit Count... 3 Server Timeout... 6 sec Server Dead Time... 1 min ----- Server Port AccPort Secret LocalInterface Status 192.168.2.1 1812 1813 ****** local1 Dead (< 1 min) 192.168.2.2 1812 1813 ****** local1 Alive If a user attempts to log into this client while the first server is marked as dead, then the client will not send Access-Request packets to the dead server. Instead, the client will try the next server that is marked as alive. The problem of long wait times for dead servers can be resolved by either changing the Server Retransmit Count, the Server Timeout Count or both. The Server Retransmit Count value is the number of attempts after the first attempt that the client makes to contact the server. The default value is 3, which means that after 4 unsuccessful attempts to contact a RADIUS server the client will decide that the server is dead, and will move on to the next server that it believes is alive. The Server Timeout default is 6 seconds. This is the time that the client waits between each unanswered transmit to the server. If the server has not responded in the specified timeout period then the client assumes that communication has failed. Set Up a RADIUS Server for User Authentication 6

Setting both the Server Retransmit Count and Timeout values can substantially reduce, or increase, the wait time at the login prompt. With the default values of Server Retransmit Count = 3 and Timeout = 6 and two RADIUS servers, if the first server is dead then the minimum time to establish a connection with the second server will be 24 seconds. transmits (1+t) multiplied by timeout equals time in seconds (1+3) x 6 = 24 24 seconds would be regarded by many network administrators and users to be far too slow. Therefore, the ability to set Deadtime, Server Retransmit and Server Timeout was introduced in software release 2.7.3 to give the network administrator greater control over these times. If you were to reduce the Server Retransmit Count to 1 (minimum) and Timeout to 1 (minimum) then the wait time will be reduced significantly. transmits (1+t) multiplied by timeout equals time in seconds (1+1) x 1 = 2 Implementing the minimum values would require the reliability of your network to be such that latency and error rates were very low. Change the order that authentication is done The use of the radiusbackup command changes the approach that the router or switch uses when it authenticates users from RADIUS and the User Authentication Database (the local users configured on the device). Software releases before 2.7.4 search the User Authentication Database before contacting the RADIUS server. Software releases 2.7.4 and above permit the addition of Radius Unreachable (RU) users. As soon as the radiusbackup is set on a user, the switch or router will query the RADIUS server first. If the RADIUS server is unreachable and RU users exist, then the router or switch will consult this database after it ascertains the RADIUS server is dead. You can add any radiusbackup command to any user, for example: add user=telnet password=telnet priv=manager login=yes radiusbackup=true It is important to realise that all the other users will not be allowed to log in when the radius server is down unless you add: Set user=<login-name> radiusbackup=true to each user you require to authenticate from the User Authentication Database. Set Up a RADIUS Server for User Authentication 7

The show user command will show you details that includes information about RADIUS backup users: Number of logged in Security Officers currently active...1 Number of Radius-backup users... 2 User Authentication Database ------ Username: dave () Status: enabled Privilege: Sec Off Telnet: yes Login: yes RBU: yes Callback number: 0061393546786 Calling number: 5554491 Logins: 2 Fails: 0 Sent: 0 Rcvd: 0 Authentications: 0 Fails: 0 Username: manager (Manager Account) Status: enabled Privilege: manager Telnet: yes Login: yes RBU: no Logins: 4 Fails: 0 Sent: 0 Rcvd: 0 Authentications: 0 Fails: 0 ------ Active (logged in) Users ------------------------ User Port/Device Login Time Location --------------------------------------------------------------------- manager Asyn 0 14:33:22 18-Apr-2002 local manager Telnet 1 14:33:22 18-Apr-2002 10.1.1.1 --------------------------------------------------------------------- Tightening your Telnet security by restricting IP access The act of reading this document shows that you are interested in securing your system. The system administrator should favour SSH logins over Telnet. Although Telnet traffic is insecure, Telnet can have some tightening of security with the restriction of IP access. If, for example, your administrator has the IP address10.33.27.16 you may add Remote Security Officer (RSO) access restrictions to permit only that IP address. add user=secoff pass=secoff priv=securityofficer login=yes set user=secoff telnet=yes netmask=255.255.255.255 enable user rso add user rso ip=10.33.27.16 ena system security A security officer has been added and system security has been turned on. While system security is on, the secoff user has greater powers than the manager user. With that power comes great responsibility, so remote connections for security officers have been limited to only connections from the IP address 10.33.27.16. Normal users, including the manager, may still connect from any IP. Note: RSO settings do not control any aspect of SSH. If you want IP-level access-control to your device then the specific SSH user is set with this information. SSH users cannot be checked against a RADIUS database. Set Up a RADIUS Server for User Authentication 8

FreeRADIUS sample configuration (on Mandrake 10.0) In /etc/raddb/clients.conf client 192.168.2.200 { secret = secret shortname = allied } In /etc/raddb/users allied Auth-Type := Local, User-Password == "telesyn" Service-Type = Login-User, Login-Service = Telnet With this configuration, your user allied should have limited Telnet and console access. In fact, allied should have these base commands at his/her disposal: Connect Disconnect FINGer Help PING Reconnect SSH TELnet RTElnet TRAce LOGIN LOGON LOgoff LOgout To give allied Security Officer privileges set the Service-Type to 6. To give allied Manager privileges then set the Service-Type to 7. These privilege levels should be set with extreme caution. Ensure that you give your users only enough access to fulfil the tasks they are expected to perform. For the second example, it is necessary to change the client ip to 192.168.2.100 in the file /etc/ raddb/clients.conf General log messages from RADIUS are normally written to /var/log/radius/radius.log, It is useful to watch this file when debugging, you might use this command on your Linux server: tail -vf /var/log/radius/radius.log Set Up a RADIUS Server for User Authentication 9

Set Up a RADIUS Server for User Authentication 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information