Thursday, May 12, 2011

FreeRadius Server Configuration for Enterasys management access & Switch Configuration

Managing administrative access to switches and routers becomes tedious once you run hundreds of network devices and rotate their passwords regularly for security. The solution is to deploy a RADIUS server for management access to the switches, i.e. for Telnet, SSH and console logins. FreeRADIUS is an open-source RADIUS server that runs on Linux. Open-source goodness. :)

Note - This configuration is only for management access control to switches/routers, i.e. for Telnet, SSH or console access to the switch itself. It has nothing to do with end clients connecting through the switch and is not meant for client authentication.

Activity flow -

1) Network switch with the RADIUS server IP, port and shared secret set, plus the management-access realm setting
2) RADIUS server with an entry for each authorized client (switch) in "clients.conf" and its shared secret
3) "users" file on the RADIUS server with the common credential used across all devices; the Filter-Id for the Enterasys management profile is set here
4) RADIUS timeout and switch lockout entries
5) Local credentials on the network devices in case the RADIUS server is not reachable

Configuration -
Test switch IP - 192.168.1.1
Radius Server IP - 192.168.1.200

Free-Radius version - freeradius-server-2.1.10
L2/L3 Switch - Enterasys C3 switch

FreeRadius Configuration on Linux -

Files involved in the configuration and the changes to make to them.
The default path for all of these files is /usr/local/etc/raddb when FreeRADIUS is built from source (distribution packages usually put them under /etc/raddb or /etc/freeradius instead).

1) clients.conf
Add the following to the file:

client 192.168.1.1 {
        secret    = secret!23
        shortname = private_switch
}

or, for a whole subnet (note that the address before the prefix length is the network address, not a host address):

client 192.168.1.0/24 {
        secret    = secret!23
        shortname = private_switch
}

A subnet entry means every host in that range shares one secret, and any of them can send requests the server will accept; per-device entries with unique secrets limit the damage if one of those hosts is compromised. "secret!23" is only a placeholder here: RADIUS hides passwords with an MD5-based scheme keyed by this secret, so use a long random string and keep the RADIUS traffic on a management network you trust.

2) users
Add the following user to the file (the check item goes on the first line, the reply items on indented continuation lines, and the entry ends with a blank line):

admin	Cleartext-Password := "rdpassword"
	Filter-Id = "Enterasys:version=1:mgmt=su"

The older form Auth-Type := Local, User-Password == "rdpassword" still found in many how-tos is deprecated in FreeRADIUS 2.x; Cleartext-Password is the check item to use. Attribute names are not case sensitive, so Filter-id also works, but Filter-Id is the dictionary name.

The first field is the username used at login; the password is specified as the Cleartext-Password check item, "rdpassword" in this example. Next the Filter-Id for Enterasys is specified as a reply item. For management access the policy profile is given as the string shown above. Filter-Id is simply the string sent back to the switch in the Access-Accept packet, and it decides the level of access given to the user: su, rw or ro. The same string can also be used to specify a policy along with the level of access. Also check proxy.conf for any realm-related settings: RADIUS proxying forwards the Access-Request to another RADIUS server, which you do not want for these logins.
The shortname in clients.conf is used only for logging.
Run radiusd in debug mode the first time:

radiusd -X

After a successful start-up it prints "Ready to process requests." and waits for requests. Debug mode prints the decoded User-Password of every request on the console, so use it only for testing and do not capture that output into logs.
By default the server listens on port 1812 for authentication requests. Check the port with

lsof -i :1812

and you will find it listening on UDP (RADIUS authentication is UDP/1812; accounting is UDP/1813).
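The exchange the switch and the server will perform once both sides are configured, as an added example that is not code from the original post or from the FreeRADIUS project: the NAS hides the PAP password under the shared secret and a random Request Authenticator, the server recovers it, checks it against the users entry and answers with a Filter-Id reply item, and the NAS accepts the reply only if its Response Authenticator verifies under the same secret. It reuses the page's values (secret "secret!23", user "admin", password "rdpassword", switch 192.168.1.1, the Enterasys Filter-Id string); the in-memory USERS dict and the toy server are assumptions made to keep it self-contained, and it also shows what happens when the two sides disagree on the secret.

```python
#!/usr/bin/env python3
"""Added example (not code from the original post or from FreeRADIUS):
a minimal RFC 2865 Access-Request / Access-Accept exchange, run in-process.
It reuses the post's values: shared secret "secret!23", user "admin",
password "rdpassword" and the Enterasys Filter-Id reply string."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11

SECRET = b"secret!23"                          # secret from clients.conf on the page
FILTER_ID_SU = "Enterasys:version=1:mgmt=su"   # reply item from the users file
# Constructed stand-in for the page's users file entry (assumption, not a real file).
USERS = {"admin": {"password": "rdpassword", "filter_id": FILTER_ID_SU}}


def hide_password(secret, req_auth, password):
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks and XOR each
    block with MD5(secret + previous block); block 0 uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(secret, req_auth, hidden):
    """Inverse of hide_password (what the server does before the PAP check)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse(data):
    """Split a RADIUS packet into (code, id, authenticator, {type: value})."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    if pos != length:
        raise ValueError("trailing bytes after last attribute")
    return code, ident, data[4:20], attrs


def build_access_request(secret, username, password, nas_ip, ident=1):
    """What the switch sends: fresh random Request Authenticator, hidden password."""
    req_auth = os.urandom(16)
    body = (attr(USER_NAME, username.encode())
            + attr(USER_PASSWORD, hide_password(secret, req_auth, password.encode()))
            + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def server_reply(secret, users, request):
    """Toy server side: PAP check against the users dict, then a reply whose
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, req_auth, attrs = parse(request)
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    given = reveal_password(secret, req_auth, attrs.get(USER_PASSWORD, b""))
    entry = users.get(name)
    if entry and hmac.compare_digest(entry["password"].encode(), given):
        code, body = ACCESS_ACCEPT, attr(FILTER_ID, entry["filter_id"].encode())
    else:
        code, body = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def verify_reply(secret, request, reply):
    """NAS side: accept a reply only if its ID matches the outstanding request and
    the Response Authenticator checks out under the shared secret. This is what
    stops a forged Access-Accept from a host that does not know the secret."""
    _, req_ident, req_auth, _ = parse(request)
    _, ident, resp_auth, _ = parse(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return ident == req_ident and hmac.compare_digest(resp_auth, expected)


def login(users, username, password, nas_secret=SECRET, server_secret=SECRET):
    """Run one exchange; return the Filter-Id granted, or None if the request was
    rejected, the reply failed verification, or the two sides disagree on the secret."""
    request = build_access_request(nas_secret, username, password, "192.168.1.1")
    reply = server_reply(server_secret, users, request)
    if not verify_reply(nas_secret, request, reply):
        return None
    code, _, _, attrs = parse(reply)
    return attrs[FILTER_ID].decode() if code == ACCESS_ACCEPT else None


if __name__ == "__main__":
    print(login(USERS, "admin", "rdpassword"))                    # Enterasys:version=1:mgmt=su
    print(login(USERS, "admin", "wrong"))                         # None
    print(login(USERS, "admin", "rdpassword", nas_secret=b"x"))   # None: secret mismatch
```

The mismatched-secret case fails twice over: the server recovers garbage instead of "rdpassword" and rejects, and the Access-Reject it sends carries a Response Authenticator the NAS cannot verify, so the NAS treats the reply as bogus rather than as a refusal. Once this works in-process, the equivalent check against the real server is radtest admin rdpassword 192.168.1.200 0 secret!23, run from a host that has an entry in clients.conf.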

Switch Configuration on Enterasys C3 -

Add the RADIUS server details (server index 1, server IP, authentication port and the same shared secret as in clients.conf):

C3(su)->set radius server 1 192.168.1.200 1812 secret!23
C3(su)->set radius realm management-access 1
C3(su)->set radius enable
C3(su)->show radius
RADIUS status: Enabled
RADIUS retries: 10
RADIUS timeout: 5 seconds
RADIUS  Server IP Address  Auth-Port  Realm-Type
------  -----------------  ---------  -----------------
1       192.168.1.200      1812       management-access
C3(su)->set radius timeout 30
C3(su)->show radius timeout
RADIUS timeout: 30 seconds
C3(su)->show radius
RADIUS status: Enabled
RADIUS retries: 10
RADIUS timeout: 30 seconds
RADIUS  Server IP Address  Auth-Port  Realm-Type
------  -----------------  ---------  -----------------
1       192.168.1.200      1812       management-access
C3(su)->

Here the RADIUS server index for this entry is 1.
The realm is management-access, not network-access, so this server is consulted only for management logins.

If the RADIUS server is not reachable, authentication falls back to the local switch credentials once the server has failed to answer within the configured timeout and retries. Fallback only happens when the server does not reply at all; an Access-Reject is a refusal and does not trigger the local credentials. Which method is tried first depends on the configured precedence; by default it is TACACS+, then RADIUS, then local. Keep in mind that the wait at the login prompt before fallback grows with the timeout and retry count, so with 10 retries and a 30 second timeout a dead server can keep you locked out of the prompt for several minutes; do not set the timeout higher than your network needs, and keep a console-reachable local account.
Now the single password defined as "rdpassword" works for admin login on every switch, and changing it means editing one users file on the RADIUS server rather than every device.
