Amy Buck edited this page Nov 20, 2018 · 8 revisions

Remote Authentication Dial-In User Service (RADIUS) is a protocol for centralized authentication, authorization, and accounting (AAA) for network services. This page covers how to set up a generic RADIUS server, and how to set up a RADIUS client on OpenSwitch OPX.

Setup RADIUS server

1. Install the freeradius package.

apt-get -y install freeradius

2. Edit /etc/freeradius/clients.conf to add a client entry for each OPX system, giving its IP address and the shared secret it will use.

client OPX {
    ipaddr = 10.11.80.34
    secret = test123
}

client OPX {
    ipaddr = 10.11.58.82
    secret = test123
}

client OPX1 {
    ipaddr = 10.11.115.44
    secret = test123
}

3. Add RADIUS users to the /etc/freeradius/users file.

xyzuser  Cleartext-Password := "Password123"
abcuser  Cleartext-Password := "Password123"

4. Restart the freeradius service.

service freeradius restart

5. For debugging, instead of restarting the service, run the command freeradius -XXX to start the RADIUS server in the foreground with verbose logs.
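The server-side steps above, collected into shell helpers as an added example (this is not code from the OPX wiki or the FreeRADIUS project). The helpers are idempotent, so re-running them does not duplicate client or user entries, and they take the config paths as parameters so they can be rehearsed against a scratch directory before touching /etc/freeradius. The 16-character minimum for the shared secret is an assumed local policy, and every IP address and secret in the calls below is a constructed value. radtest is the test client shipped in the freeradius-utils package.

```sh
#!/bin/sh
# Added example, not part of the OPX wiki: shell helpers that apply the
# server-side steps above idempotently. Paths are parameters so the same
# functions can be rehearsed against a scratch directory before touching
# /etc/freeradius. All IP addresses and secrets below are constructed values.

# Shared-secret policy (assumption: at least 16 characters). The RADIUS
# shared secret protects User-Password and the Request Authenticator; a
# short lab value such as test123 belongs on a test bench, not in production.
check_secret() {
    [ "${#1}" -ge 16 ]
}

# Print one clients.conf stanza for a NAS (the OPX switch).
radius_client_stanza() {
    printf 'client %s {\n    ipaddr = %s\n    secret = %s\n}\n' "$1" "$2" "$3"
}

# Append a client stanza unless a stanza with that ipaddr already exists.
# Usage: add_radius_client /etc/freeradius/clients.conf OPX 10.11.80.34 SECRET
add_radius_client() {
    local conf=$1 name=$2 ip=$3 secret=$4 ip_re
    check_secret "$secret" || { echo "$name: shared secret too short" >&2; return 1; }
    touch "$conf"
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # literal dots in the ERE
    if grep -Eq "^[[:space:]]*ipaddr[[:space:]]*=[[:space:]]*${ip_re}([[:space:]]|\$)" "$conf"; then
        return 0
    fi
    radius_client_stanza "$name" "$ip" "$secret" >> "$conf"
}

# Append a users-file entry unless the user already has one.
add_radius_user() {
    local users=$1 user=$2 password=$3
    touch "$users"
    grep -Eq "^${user}[[:space:]]" "$users" && return 0
    printf '%s  Cleartext-Password := "%s"\n' "$user" "$password" >> "$users"
}

# Number of NAS clients configured (one ipaddr line per stanza).
count_radius_clients() {
    grep -c '^[[:space:]]*ipaddr[[:space:]]*=' "$1"
}

# Apply the steps on a real Debian host (run as root).
# Usage: setup_radius_server <opx-ip> <shared-secret> <user> <password>
setup_radius_server() {
    apt-get -y install freeradius
    add_radius_client /etc/freeradius/clients.conf OPX "$1" "$2"
    add_radius_user /etc/freeradius/users "$3" "$4"
    service freeradius restart
}

# End-to-end check from any host with freeradius-utils installed:
# radtest <user> <password> <server> <nas-port> <shared-secret>
verify_radius_login() {
    radtest "$1" "$2" "$3" 0 "$4"
}
```

Run verify_radius_login against the server after the restart; an Access-Accept confirms the client stanza, secret and user entry all line up, while an Access-Reject with a correct password usually means the secret in clients.conf does not match the one the client sends.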

Setup RADIUS client on OPX

1. Install the PAM RADIUS authentication package.

apt-get -y install libpam-radius-auth

2. Configure /etc/pam_radius_auth.conf with your RADIUS server IP address and the shared secret you set in step 2 of Setup RADIUS server; the last column is the per-server timeout in seconds.

# server[:port] shared_secret      timeout (s)
127.0.0.1       secret             1
other-server    other-secret       3
10.11.14.42     test123            60

3. Set permissions on the /etc/pam_radius_auth.conf file to root-only read/write.

sudo chmod 0600 /etc/pam_radius_auth.conf

4. Add auth sufficient pam_radius_auth.so to /etc/pam.d/login, placing it just above the line with @include common-auth. Add the same line at the same position in any of the following files where you want RADIUS authentication as well:

/etc/pam.d/sshd
/etc/pam.d/sudo
/etc/pam.d/su

5. Add try_first_pass to the auth line in /etc/pam.d/common-auth.

auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass

6. Create the RADIUS user(s) locally with the password disabled (useradd without -p leaves the password field locked), so the account exists for uid and home-directory lookup while authentication is handled by RADIUS.

sudo useradd -m xyzuser
sudo useradd -m abcuser
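The client-side steps above, collected into shell helpers as an added example (this is not code from the OPX wiki or the pam_radius_auth project). Each function applies one step idempotently, so running them twice never inserts a second pam_radius_auth line or a second try_first_pass. File paths are parameters so the functions can be rehearsed on scratch copies of the PAM files; the server address and secret passed in any call are constructed values.

```sh
#!/bin/sh
# Added example, not part of the OPX wiki: shell helpers that apply the
# client-side steps above idempotently. File paths are parameters so the
# functions can be rehearsed on scratch copies before touching /etc; the
# server address and secret used in any call are constructed values.

# Steps 2 and 3: write the server line and create the file 0600 from the
# start (umask in a subshell) so the shared secret is never world-readable.
# Usage: write_pam_radius_conf /etc/pam_radius_auth.conf 10.11.14.42 SECRET 60
write_pam_radius_conf() {
    local conf=$1 server=$2 secret=$3 timeout=${4:-3}
    ( umask 077; printf '# server[:port] shared_secret timeout (s)\n%s %s %s\n' \
        "$server" "$secret" "$timeout" > "$conf" )
    chmod 0600 "$conf"
}

# Step 4: insert "auth sufficient pam_radius_auth.so" directly above the
# "@include common-auth" line of one PAM service file, only once.
enable_radius_in_pam() {
    local file=$1 line='auth sufficient pam_radius_auth.so'
    grep -qF "$line" "$file" && return 0
    grep -q '^@include common-auth' "$file" || { echo "$file: no @include common-auth line" >&2; return 1; }
    awk -v ins="$line" '/^@include common-auth/ && !done { print ins; done = 1 } { print }' \
        "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Step 5: add try_first_pass to the pam_unix auth line so the password that
# pam_radius_auth already collected is reused instead of prompted for again.
add_try_first_pass() {
    local file=$1
    awk '/^auth/ && /pam_unix\.so/ && !/try_first_pass/ { $0 = $0 " try_first_pass" } { print }' \
        "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Return the pam_unix auth line, for checking the result of step 5.
pam_unix_auth_line() {
    grep -E '^auth.*pam_unix\.so' "$1"
}

# Step 6: the local account supplies uid, home and shell; useradd without -p
# leaves the password field locked, so only RADIUS can authenticate it.
ensure_local_user() {
    id "$1" >/dev/null 2>&1 || useradd -m "$1"
}

# Apply everything on the OPX system (run as root).
# Usage: setup_radius_client <radius-server-ip> <shared-secret> user...
setup_radius_client() {
    local server=$1 secret=$2 svc user
    shift 2
    apt-get -y install libpam-radius-auth
    write_pam_radius_conf /etc/pam_radius_auth.conf "$server" "$secret" 60
    for svc in login sshd sudo su; do
        enable_radius_in_pam "/etc/pam.d/$svc"
    done
    add_try_first_pass /etc/pam.d/common-auth
    for user in "$@"; do ensure_local_user "$user"; done
}
```

Because the line is marked sufficient, a RADIUS Access-Accept ends the auth stack before common-auth runs, while a reject or a timeout falls through to pam_unix; local accounts that still have a password (root, a break-glass admin) therefore keep working when the RADIUS server is unreachable, and the timeout column in pam_radius_auth.conf bounds how long each login waits before that fallback happens.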