[Enterprise SONiC] RADIUS for user Authentication
RADIUS (Remote Authentication Dial-In User Service) uses a shared key to authenticate RADIUS messages. With RADIUS configured, console and SSH logins to Edgecore SONiC can use accounts from the RADIUS server. Edgecore SONiC supports the password authentication types pap, chap and mschapv2; the default is pap.
Tested model & firmware version:
- Tested model: DCS202(AS5835-54T)
- Edgecore SONiC version: 202111.0 ~ 202111.3
Restriction:
- Known issue:
- [SONIC-4263] For RADIUS to perform the authentication, an account must first be created on Edgecore SONiC. The issue is fixed in version 202111.3.
RADIUS setting on Switch
Topology:
Note:
- If using version 202111.3, start from Step 2 of the following procedure.
Procedure:
Step 1. Create an account on Edgecore SONiC. (Because of the known issue, an account must be created first.)
admin@sonic:~$ sudo useradd -m -u 8787 -g admin -s /bin/bash wowla
Note: If the account needs to configure settings, that account must be added to the group called "sudo", otherwise that account cannot configure any settings.
admin@sonic:~$ sudo useradd -m -u 8787 -G admin,sudo -s /bin/bash wowla
Step 2. Set the management IP on the switch ( [Edgecore SONiC] Management and front port IPv4/IPv6 Address)
Step 3. Add the RADIUS Server host to the switch.
admin@sonic:~$ sudo config radius add 188.188.87.101
Step 4. Set the RADIUS authentication key ("support" as an example)
admin@sonic:~$ sudo config radius passkey support
Step 5. Use the RADIUS database for user authentication.
admin@sonic:~$ sudo config aaa authentication login radius
Result:
admin@sonic:~$ show aaa
AAA authentication login radius
AAA authentication failthrough False (default)
AAA authorization login local (default)
AAA accounting login disable (default)
admin@sonic:~$ show radius
RADIUS global auth_type pap (default)
RADIUS global retransmit 3 (default)
RADIUS global timeout 5 (default)
RADIUS global passkey support
RADIUS_SERVER address 188.188.87.101
auth_port 1812
priority 1
Appendix:
RADIUS server configuration: The RADIUS server needs two configurations.
root@console:~# cat users
wowla Cleartext-Password := "wowla"
root@console:~# cat clients.conf
client 188.188.97.6 {
secret = support
}