Radius Configuration FSOS

Transcription

1 FSOS Radius Configuration

2 Contents 1. RADIUS Configuration Radius Overview AAA Overview AAA Realization RADIUS Overview RADIUS Configuration RADIUS Server Configuration Radius Master Server & Radius Slave Server Shift Configure Local User Configure Domain Configure RADIUS Features RADIUS Display and Maintenance RADIUS Configuration Example Configure the networking and requirements Configuration steps Result validation... 12

3 1. RADIUS Configuration 1.1 Radius Overview AAA Overview AAA stands for Authentication, Authorization and Accounting. AAA is actually a management of network security. Here, the network security mainly refers to the access control, including the users who can access the network server; what services are available to users with access rights; and how users are using network resources for billing. AAA generally adopts the client / server structure: the client runs on the managed resource side, and the server stores the user information centrally. Therefore, the AAA framework has good scalability, and easy to achieve the centralized management of user information AAA Realization AAA frame diagram is as shown in figure 1-1: Figure 1-1 AAA frame diagram There are two ways to realize AAA: 1

4 via NAS; via R ADIUS, TACACS +, etc RADIUS Overview RADIUS creates a unique user database, stores the user name and password of the user to authenticate, and stores the service type and corresponding configuration information that is passed to the user to complete the authorization. After the user is authorized, the RADIUS server performs the function of accounting for user accounts. RADIUS stands for Remote Authentication Dial in User Service. RADIUS is an AAA protocol for applications such as Network Access or IP Mobility. It works in both situations, Local and Mobile. It uses Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or Extensible Authentication Protocol (EAP) protocols to authenticate users. It looks in text file, LDAP Servers, Database for authentication. After authentication services parameters passed back to NAS. It notifies when a session starts and stop. This data is used for Billing or Statistics purposes. SNMP is used for remote monitoring. It can be used as a proxy. Here is a list of all the key features of Radius: 1. Client/Server Model NAS works as a client for the Radius server. Radius server is responsible for getting user connection requests, authenticating the user, and then returning all the configuration information necessary for the client to deliver service to the user. A Radius server can act as a proxy client to other Radius servers. 2. Network Security 2

5 Transactions between a client and a server are authenticated through the use of a shared key. This key is never sent over the network. Password is encrypted before sending it over the network. 3. Flexible Authentication Mechanisms Point-to-Point Protocol - PPP Password Authentication Protocol - PAP Challenge Handshake Authentication Protocol - CHAP Simple UNIX Login 4. Extensible Protocol Radius is extensible; most vendors of Radius hardware and software implement their own dialects. 1.2 RADIUS Configuration RADIUS Server Configuration RADIUS server saves valid user s identity. When authentication, system transfers user s identity to RADIUS server and transfers the validation to user. User accessing to system can access LAN resources only after authentication of RADIUS server. Configure RADIUS server Operation Command Remarks Enter global configuration mode configure terminal - Enter AAA mode aaa - Create and enter RAIDUS configuration schemes radius host name required Configure primary RADIUS primary-auth-ip ipaddr port required Configure second RADIUS second-auth-ip ipaddr port Configure primary accounting server primary-acct-ip ipaddr port Configure second accounting second-acct-ip ipaddr port 3

6 server Configure shared key of primary RADIUS Configure shared key of second RADIUS Configure NAS-RAIDUS address Set whether the user name is to be carried with the domain name when the system passes the packet to the current RADIUS server Configure the realtime accounting Configure the realtime accounting interval auth-secret-key keystring acct -secret-key keystring nas-ipaddress ipaddr username-format { with-domain without-domain } realtime-account realtime-account interval time required Optional If there is no configurati on, the equipment IP address will also be OK Radius Master Server & Radius Slave Server Shift RADIUS offers master/slave server redundancy function, that is: if both the master server and slave server can be able to perform the regular work, it can only perform the authentication via master server; if there is something wrong with the master server, the slave server will be enabled; if the master server recovers normal again, the slave server will be disabled, and then the master server will be enabled. Realization Mechanisms: 4

7 When in radius authentication, if the master server cannot perform the regular work, just configure the master server as down, then the slave server will begin to work; if the master server is found had recovered the regular work, preemption timer will be enabled(time is configured as preemption-time). When the timer timeout, the master server will be configured as up, that is to say, you can perform the authentication operations via master server. Radius Master Server & Radius Slave Server Shift Operation Command Remarks Enter global configuration mode Enter AAA configuration mode Create and enter RAIDUS configuration schemes Configure the preemption timer configure terminal - AAA - radius host name Value range< >, the unit is preemption-time Preemption-time minute; 0 by default, not preemptio n Configure Local User Client needs to configure local user name, password, etc. 5

8 Configure Local User Operation Command Remarks Enter global configuration mode configure terminal - Enter AAA mode AAA - Configure local user local-user username name password pwd [ vlan vid ] Configure Domain Client needs to provide username and password during authentication. Username usually contains the corresponding user s ISP information, domain and ISP. The most important information of the domain is the RADIUS server authentication and accounting for the users in the domain. Configure Domain Operation Command Remarks Enter global configuration mode configure terminal - Enter AAA mode aaa - Configure the default domain- name default domain-name enable domain-name Disable the default domain-name default domain-name disable Create and enter a domain scenario domain name required Configure to use radius server authentication scheme radius 6

9 Configure to use local user authentication Configure to use local authentication after the radius authentication fails Select the RADIUS server for the current domain Enable the number limit of authentication users in the domain and set the number limit of allowed users Disable the number limit of authentication users in the domain Activate the current domain Deactivate the current domain scheme local scheme radius loca radius host binding radius-name access-limit enable number access-limit disable state active required state block Configure RADIUS Features Configure RADIUS some compatible or special features as below: Configure RADIUS features Operation Command Remarks Enter global configuration mode configure terminal - Enter AAA mode aaa - 7

10 Configure accounting-on function accounting-on { enable sen-num disable } Configure H3C Cams compatibility h3c-cams { enable disable } Enable accounting function radius accounting If the accounting packet does not respond, the user radius server-disconnect drop 1x is shut down Configure RADIUS to distribute port priority radius 8021p enable Configure RADIUS to distribute port PVID radius vlan enable Configure RADIUS to distribute number limit of radius mac-address-number enable MAC address Configure RADIUS to distribute bandwidth control radius bandwidth-limit enable Note: accounting-on: After the device reboots, it sends an Accounting-On packet to the RADIUS server to notify the RADIUS server to force the user of the device to go offline. H3C Cams compatibility feature: In this feature, you can use the command of radius attribute client-version to forward the version information of the client to the RADIUS server. In this feature, you can use the command of uprate-value / dnrate-value to configure the attribute number of the upstream bandwidth / downstream bandwidth in the Vendor Specific. RADIUS distributes port priority: After this function is enabled, if the user authenticates, the priority of the port where the user is located is modified. This function is carried out through the 77 attribute number in the Vendor Specific by default, which can be modified by using the radius config-attribute. RADIUS distributes port PVID: After this function is enabled, if the user passes the authentication, the PVID of the port where the user is located will be modified. This function is carried out by using the tunnel-pvt-group-id. The value of this attribute is a string. Use this string to find the VLAN name descriptor that matches the VLAN value. 8

11 RADIUS distributes number limit of MAC address: After this function is enabled, if the user passes the authentication, the MAC address learning limit of the port where the user resides is modified. This function is carried out through the 50 attribute number in the Vendor Specific by default, which can be modified by using the radius config-attribute. RADIUS distributes bandwidth control: After this function is enabled, if the user passes the authentication, the bandwidth control of the port where the user is located will be modified. The uplink bandwidth control is carried out through the 75 attribute number in the Vendor Specific by default, which can be modified by using theradius config-attribute; the downlink bandwidth control is carried out through the 76 attribute number in the Vendor Specific by default, which can be modified by using the radius config-attribute. The unit value defaults to kbps and can be modified through the radius config-attribute access-bandwidth unit. RADIUS distributes ACL: This function has no control commands. It is enabled by default. Configure via 11 attributes of Filter-Id RADIUS Display and Maintenance RADIUS Display and Maintenance Operation Command Remarks Display the radius attribute Display the radius attribute Display the radius service configuration information Enable the radius debugging function show radius attribute - show radius config-attribute - show radius host hostname debug radius 9

12 1.3 RADIUS Configuration Example Configure the networking and requirements As shown below, user PC is connected to Switch 0/0/1 port, Switch 0/0/4 port is connected to radius server (radius server integrated with Windows 2003), and 802.1x authentication is enabled on 0/1. Specific requirements are as follows: 1. Use radius authentication; 2. The user PC must be authenticated before accessing the internet; 3. After the user passes the authentication, the ACL is distributed through the radius server. In this case, the user can access the Internet but cannot access the FTP server; 4. After the user passes the authentication, distribute the bandwidth control via the RADIUS server to limit the uplink bandwidth to be 2M and the downstream bandwidth to be 1M. networking diagram for radius configuration example 10

13 1.3.2 Configuration steps 一 initial preparation work: 1). Install the 802.1X client on the PC, here adopts H3C Inode; 2). Switch configuration user interface IP / 24 to ensure to PING radius server; Switch(config-if-vlanInterface-1)#interface vlan-interface 1 Switch(config-if-vlanInterface-1)#ip address This ipaddress will be the primary ipaddress of this interface. Config ipaddress successfully! Switch(config-if-vlanInterface-1)# Switch(config-if-vlanInterface-1)# Switch(config-if-vlanInterface-1)#exit Switch(config)#ping PING : with 32 bytes of data: reply from : bytes=32 time<10ms TTL=128 reply from : bytes=32 time<10ms TTL= PING Statistics packets transmitted, 2 packets received, 0% packet loss round-trip (ms) min/avg/max = 0/0/0 Control-C 3). radius server adds NAS IP, and the shared key is ; 4).Configure the 802.1x client authentication username (test) and password (123456) on the radius server. 5). The attribute value of the 75 attribute in the Vendor Specific on the radius server is set to 2048 Kbps, and the attribute value of the 76 attribute in the Vendor Specific is set to 1024 Kbps. 6). The attribute value of the 11 attribute of the Filter-Id on the radius server is set to 100; 二 Access the switch 0/0/1 port to enable dot1x, configure the related service of RADIUS, and configure ACLs Switch(config)#dot1x method portbased interface ethernet 0/0/1 // enable 802.1X 11

14 Switch(config)#aaa Switch(config-aaa)#radius host ngn Switch(config-aaa-radius-ngn)#primary-auth-ip // Configure accounting function, authentication IP, and port number Switch(config-aaa-radius-ngn)#primary-acct-ip Switch(config-aaa-radius-ngn)#auth-secret-key // Configure to share the key Switch(config-aaa-radius-ngn)#acct-secret-key Switch(config-aaa-radius-ngn)#exit Switch(config-aaa)#radius bandwidth-limit enable // Enable the bandwidth sending function Switch(config-aaa)#domain ngn.com Switch(config-aaa-domain-ngn.com)#radius host binding ngn Switch(config-aaa-domain-ngn.com)#state active Switch(config-aaa-domain-ngn.com)#exit Switch(config-aaa)#default domain-name enable ngn.com Switch(config)#access-list 100 deny any // Configure the ACL to deny access to the destination network segment Switch(config)#access-list 100 permit any any Result validation Use the Inode client on the PC, and then enter the user name and password for authentication After the authentication succeeds, the user can access the external network normally. The information of the online users can be found on the Switch. The command of show dot1x radius-acl displays the status of the acl100 as enable, and the bandwidth of the ingress direction of the 0/ 0/1 port is limited to 2048 while the egress direction is limited to Switch(config)#show dot1x session port vid mac username login time e0/0/1 1 c8:3a:35:d3:e3:99 test@ngn.com 2000/12/11 15:07:00 Total [1] item(s). 12

15 Switch(config)#show dot1x radius-acl The format of radius acl is string. The prefix of radius acl is assignacl-. Port acl Status e0/0/1 100 enable Total entries: 1. Switch(config)#show bandwidth-control interface ethernet 0/0/1 port Ingress bandwidth control Egress bandwidth control e0/0/ kbps 1024 kbps Total entries: 1. 13