RADIUS Fundamentals

Remote Authentication Dial-In User Service (RADIUS) is a distributed client/server system that helps secure networks against unauthorized access by allowing a number of communication servers and clients to authenticate users' identities through a central database. The database within the RADIUS server stores information about clients, users, passwords, and access privileges, including the shared secret.

RADIUS is a fully open and standard protocol, defined by two RFCs (authentication: RFC 2865; accounting: RFC 2866). You use RADIUS authentication to get secure access to the system (console/Telnet/SSH/EDM), and RADIUS accounting to track management sessions (CLI only).

RADIUS Server Support for IPv6

RADIUS supports both IPv4 and IPv6 with no differences in functionality or configuration in all but the following case. When you add or update a RADIUS server in Enterprise Device Manager (EDM) you must specify if the address type is an IPv4 or an IPv6 address.

How RADIUS Works

A RADIUS application has two components:

  • RADIUS server

A computer equipped with server software (for example, a UNIX workstation) that is located at a central office or campus. The server has authentication and access information in a form that is compatible with the client. Typically, the database in the RADIUS server stores client information, user information, password, and access privileges, including the use of a shared secret. A network can have one server for both authentication and accounting, or one server for each service.

  • RADIUS client

A device, router, or a remote access server, equipped with client software, that typically resides on the same local area network (LAN) segment as the server. The client is the network access point between the remote users and the server.

The two RADIUS processes are

Configuration of the RADIUS Server and Client

For more information about how to configure a RADIUS server, see the documentation that came with the server software.

The switch software supports BaySecure Access Control (BSAC) and the Merit Network servers. To use these servers, you must first obtain the software for the server you will use. Also, you must make changes to one or more configuration files for these servers.

RADIUS Authentication

You can use RADIUS authentication to have a remote server authenticate logons. The RADIUS server also provides access authority. RADIUS assists network security and authorization by managing a database of users; the device uses this database to verify user names and passwords as well as the type of access priority available to the user.

When the RADIUS client sends an authentication request that requires additional information, such as a SecurID number, it sends it as a challenge-response. Along with the challenge-response, it sends a Reply-Message attribute. The Reply-Message is a text string, such as "Please enter the next number on your SecurID card:". The RFC-defined maximum length of each Reply-Message attribute is 253 characters. If multiple Reply-Message attributes together form a larger message that displays to the user, the maximum length is 2000 characters.

You can use additional user names to access the device, in addition to the six existing user names of ro, L1, L2, L3, rw, and rwa. The RADIUS server authenticates the user name and assigns one of the existing access priorities to that name. Unauthenticated user names are denied access to the device. You must add user names ro, L1, L2, L3, rw, and rwa to the RADIUS server if you enable authentication. Users not added to the server are denied access.

The maximum length of a user name for users logging in to CLI or EDM with RADIUS authentication is 64 characters.

Note

RADIUS server used-by snmp does not support authentication.

The following list shows the user configurable options of the RADIUS feature:

Note

If you enable enhanced secure mode with the boot config flags enhancedsecure-mode command, you enable different access levels, along with stronger password complexity, length, and minimum change intervals. With enhanced secure mode enabled, the switch supports the following access levels for RADIUS authentication:
  • Administrator

  • Privilege

  • Operator

  • Auditor

  • Security

The switch associates each username with a certain role and appropriate authorization rights to view and configure commands. For more information on system access fundamentals and configuration, see System Access.

Use of RADIUS to Modify User Access to CLI Commands

The switch provides CLI command access based on the configured access level of a user. However, you can use RADIUS to override CLI command access provided by the switch.

To override user access to CLI commands, you must configure the command-access-attribute on the switch and on the RADIUS server. (The switch uses decimal value 194 as the default for this parameter.) On the RADIUS server, you can then define the commands that the user can or cannot access.

Important

When you enable RADIUS on the switch and configure a RADIUS server to be used by CLI or EDM, the server authenticates the connection, whether it is FTP, HTTPS, SSH, or Telnet. However, if the RADIUS server is unresponsive or unreachable, the switch falls back to local authentication, so that you can still access the switch with your local login credentials.

Regardless of the RADIUS server configuration, you must configure the user's access on the switch based on the six platform access levels.

RADIUS Accounting

RADIUS accounting logs all of the activity of each remote user in a session on the centralized RADIUS accounting server.

The session ID for each RADIUS accounting session is generated as a 12-character string. The first four characters form a random number in hexadecimal format. The last eight characters indicate, in hexadecimal format, the number of user sessions started since the last restart.

The Network Access Server (NAS) IP address for a session is the address of the device interface to which the remote session is connected over the network. For a console session, a modem session, and sessions running on debug ports, this value is set to 0.0.0.0, as is the case with RADIUS authentication.

The following table summarizes the events and associated accounting information logged at the RADIUS accounting server.

Table 1. Accounting Events and Logged Information

Event: Accounting is turned on at router
Accounting information logged at server:
  • Accounting on request: NAS IP address

Event: Accounting is turned off at router
Accounting information logged at server:
  • Accounting off request: NAS IP address

Event: User logs on
Accounting information logged at server:
  • Accounting start request: NAS IP address
  • Session ID
  • User name

Event: More than 40 CLI commands are executed
Accounting information logged at server:
  • Accounting interim request: NAS IP address
  • Session ID
  • CLI commands
  • User name

Event: User logs off
Accounting information logged at server:
  • Accounting stop request: NAS IP address
  • Session ID
  • Session duration
  • User name
  • Number of input octets for session
  • Number of output octets for session
  • Number of input packets for session
  • Number of output packets for session
  • CLI commands

When the device communicates with the RADIUS accounting server, the following actions occur:

  1. If the server sends an invalid response, the response is silently discarded and no attempt is made to resend the request.

  2. If the server does not respond within the user-configured timeout interval, the user-specified number of retries is made. If a server does not respond to any of the retries, requests are sent to the next-priority server (if configured). You can configure up to 10 RADIUS servers for redundancy.

Note

RADIUS server used-by endpoint-tracking does not support accounting.

RFC 4675 RADIUS Attributes: Egress VLAN

Egress VLAN controls egress traffic. It uses two standard RADIUS attributes defined in RFC 4675, Egress-VLANID and Egress-VLAN-Name. These attributes control the 802.1Q tagging of traffic egressing a port where RADIUS authentication is performed for a connected EAP or NEAP client.

Because the Egress VLAN attributes are standard attributes, RADIUS servers support them by default and offer the ability to configure them. Each attribute has two parts:
  1. Indicates if the frames on the VLAN egress must be tagged or untagged

  2. Specifies the VLAN name or VLAN ID

The switch applies the VLAN received in the Egress-VLAN attributes to the port where the client is authenticated through RADIUS and then sets the tagging rules (tagged or untagged) accordingly.

The switch processes the Egress-VLAN attributes when decoding the RADIUS packet, therefore the switch adds the port to the VLANs first and then sets the proper tagging for the VLANs. You must create VLANs in advance on the switch.
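As an added example (not code from this documentation or the switch software), the following Python encodes and decodes the two-part values of both attributes using the value layout RFC 4675 specifies: Egress-VLANID is a 4-octet integer whose top octet is the tag indication (0x31 tagged, 0x32 untagged) followed by 12 pad bits and a 12-bit VLAN ID, and Egress-VLAN-Name is a string whose first character is '1' (tagged) or '2' (untagged) followed by the VLAN name. The decoder rejects malformed values, which is the check a switch should make before it adds a port to a VLAN.

```python
import struct

# Tag indication per RFC 4675: 0x31 / '1' = tagged, 0x32 / '2' = untagged.
TAGGED, UNTAGGED = "tagged", "untagged"
_ID_TAG = {TAGGED: 0x31, UNTAGGED: 0x32}
_NAME_TAG = {TAGGED: "1", UNTAGGED: "2"}


def encode_egress_vlanid(vlan_id: int, tagging: str) -> bytes:
    """Egress-VLANID value: 8-bit tag indication, 12 pad bits, 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} out of range")
    return struct.pack("!I", (_ID_TAG[tagging] << 24) | vlan_id)


def decode_egress_vlanid(value: bytes) -> tuple:
    """Return (vlan_id, tagging); reject anything a switch should not act on."""
    if len(value) != 4:
        raise ValueError("Egress-VLANID must be exactly 4 octets")
    (word,) = struct.unpack("!I", value)
    tag, pad, vlan_id = word >> 24, (word >> 12) & 0x0FFF, word & 0x0FFF
    if tag not in (0x31, 0x32) or pad != 0 or not 1 <= vlan_id <= 4094:
        raise ValueError(f"malformed Egress-VLANID value {value.hex()}")
    return vlan_id, TAGGED if tag == 0x31 else UNTAGGED


def encode_egress_vlan_name(name: str, tagging: str) -> str:
    """Egress-VLAN-Name value: one tag character followed by the VLAN name."""
    if not name:
        raise ValueError("VLAN name must not be empty")
    return _NAME_TAG[tagging] + name


def decode_egress_vlan_name(value: str) -> tuple:
    """Return (vlan_name, tagging) from an Egress-VLAN-Name value."""
    if len(value) < 2 or value[0] not in ("1", "2"):
        raise ValueError(f"malformed Egress-VLAN-Name value {value!r}")
    return value[1:], TAGGED if value[0] == "1" else UNTAGGED


if __name__ == "__main__":
    # Constructed sample: the port joins VLAN 100 tagged and VLAN "voice" untagged.
    print(encode_egress_vlanid(100, TAGGED).hex())                       # 31000064
    print(decode_egress_vlan_name(encode_egress_vlan_name("voice", UNTAGGED)))
```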

In the MultiVlan operation mode, the EAP applies ingress hardware rules to ensure untagged traffic from each authenticated client goes into its own VLAN. The unauthenticated clients send traffic to the Guest VLAN, which matches the default VLAN ID.

For more information, see RADIUS Attributes.

RADIUS Server Reachability

You can configure up to 10 EAP RADIUS servers on the switch for fault tolerance. Each server is assigned a priority and is contacted in priority order: if the first server is unavailable, the switch tries the second server, and so on, until it establishes a successful connection. A lower integer value means a higher priority.

RADIUS server reachability prevents clients from trying to establish a connection with unreachable servers. It runs a periodic check in the background to identify the available servers, so the switch knows the first available EAP RADIUS server without going through each server in turn and waiting for time-outs.

Use RADIUS server reachability to configure the switch to use RADIUS requests to determine the reachability of the RADIUS server. The switch regularly performs the reachability test to determine if the switch should fail over to the secondary RADIUS server or activate the Fail Open VLAN, if configured on the switch.

Use one of the following modes to configure RADIUS reachability:
  • status-server mode: Status-Server packets provide a standards-compliant alternative to configuring dummy RADIUS requests. You can configure the switch to send Status-Server packets when the keep-alive timer or the unreachable timer expires. To use status-server mode, the configured RADIUS servers must support RFC 5997.

  • use-radius mode: Configure use-radius mode if any of the RADIUS servers do not support RFC 5997. In use-radius mode, the switch regularly generates a dummy RADIUS request with the user name reachme and password reachme. The switch interprets either an Access-Accept or an Access-Reject response as confirmation of server reachability, so it is not necessary to add the credentials on the server to test reachability. You can configure the user name and password for the dummy account through CLI. Use-radius is the default mode for RADIUS reachability.

You can configure the RADIUS reachability mode in either CLI or EDM.

Note

RADIUS server reachability is enabled on the switch and is not a configurable option. The reachability process starts when at least one RADIUS server used by EAP is configured, and RADIUS is enabled globally.

Based on the number of EAP RADIUS servers configured, the switch performs the following:
  • If the highest priority EAP RADIUS server is reachable, the server status is updated to reachable and further authentication will use this server. As long as the highest priority EAP RADIUS server is reachable, the rest of the EAP RADIUS servers are not tested for reachability.

  • If the highest-priority EAP RADIUS server is not reachable, the switch tests the remaining EAP RADIUS servers one by one in priority order, from highest to lowest. The first reachable server is used for authentication, and any lower-priority EAP RADIUS servers are skipped in the reachability test.

  • If all the EAP RADIUS servers are unreachable, then no further authentication occurs until the next successful reachability check.

The intervals between two consecutive reachability checks can be configured. The default values are as follows:
  • one minute, if the last check result was unreachable

  • three minutes, if the last check result was reachable

A server is marked as unreachable after a number of retries and time-outs. The default number of retries is 1 and the default time-out value is 8 seconds, but you can also configure these values in CLI.
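As an added example (not code from this documentation or the switch software), the following Python models the selection rule and timers described above: servers are probed in priority order with the default one retry and 8-second time-out, the first reachable server is chosen and lower-priority servers are left untested, and the next check interval follows the last result. The probe is a caller-supplied function standing in for the dummy request or Status-Server exchange, so the block runs offline.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

RETRIES, TIMEOUT_S = 1, 8                          # defaults stated above
INTERVAL_UNREACHABLE_S, INTERVAL_REACHABLE_S = 60, 180

# A probe takes (host, timeout) and returns the RADIUS reply code, or None on time-out.
Probe = Callable[[str, float], Optional[str]]


@dataclass
class RadiusServer:
    host: str
    priority: int                      # lower integer = higher priority
    reachable: Optional[bool] = None   # None = not tested in the current cycle


def is_reachable(server: RadiusServer, probe: Probe, retries: int = RETRIES) -> bool:
    """One attempt plus `retries` retries; Access-Accept and Access-Reject both count as alive."""
    for _ in range(1 + retries):
        if probe(server.host, TIMEOUT_S) in ("Access-Accept", "Access-Reject"):
            return True
    return False


def select_server(servers: List[RadiusServer], probe: Probe) -> Optional[RadiusServer]:
    """Probe in priority order and stop at the first reachable server; the rest stay untested."""
    for s in servers:
        s.reachable = None
    for server in sorted(servers, key=lambda s: s.priority):
        server.reachable = is_reachable(server, probe)
        if server.reachable:
            return server
    return None                        # no authentication until the next successful check


def next_check_interval(selected: Optional[RadiusServer]) -> int:
    """Seconds until the next reachability check, chosen from the last result."""
    return INTERVAL_REACHABLE_S if selected else INTERVAL_UNREACHABLE_S
```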

RFC 3580 RADIUS Attributes: IEEE 802.1X Remote Authentication Dial In User Service

RFC 3580 provides support for EAP and NEAP clients for the following RADIUS attributes:
  • Called-Station ID attribute: For IEEE 802.1X authenticators, the Called-Station ID stores the bridge or access point MAC address in upper case ASCII format, with octet values separated by a hyphen (-). For example: 00-10-A4-23-19-C0.

    In IEEE 802.11, where the SSID is known, the SSID must be appended to the access point MAC address and separated from the MAC address with a colon (:). For example: 00-10-A4-23-19-C0:AP1.

  • Calling-Station ID: For IEEE 802.1X authenticators, the Calling-Station ID is used to store the supplicant MAC address in upper case ASCII format, with octet values separated by a hyphen (-). For example: 00-10-A4-23-19-C0.

  • NAS-Port-Id: The NAS-Port-Id identifies the IEEE 802.1X Authenticator port that authenticates the Supplicant. NAS-Port-Id differs from NAS-Port in that it is a string of variable length, whereas NAS-Port is a 4-octet value.
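As an added example (not code from this documentation or the switch software), the following Python builds the attributes described above as RADIUS attribute-value pairs and parses them back, which makes the difference between the fixed 4-octet NAS-Port and the variable-length NAS-Port-Id visible. The attribute type numbers (5, 30, 31, 87) are the IANA-registered ones; the MAC addresses and port name used in the test are constructed.

```python
import struct

# IANA RADIUS attribute types for the attributes discussed above.
NAS_PORT, CALLED_STATION_ID, CALLING_STATION_ID, NAS_PORT_ID = 5, 30, 31, 87


def mac_to_station_id(mac: bytes) -> str:
    """Six MAC octets -> upper-case hex with hyphen separators, e.g. 00-10-A4-23-19-C0."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 octets")
    return "-".join(f"{b:02X}" for b in mac)


def avp(attr_type: int, value: bytes) -> bytes:
    """One AVP: Type octet, Length octet covering the whole AVP, then the value."""
    if not 1 <= len(value) <= 253:      # RADIUS caps an attribute value at 253 octets
        raise ValueError("AVP value length out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_8021x_attrs(ap_mac: bytes, supplicant_mac: bytes, port_id: str,
                      nas_port: int, ssid: str = "") -> bytes:
    """Attributes an 802.1X authenticator sends; a known SSID follows the AP MAC after a colon."""
    called = mac_to_station_id(ap_mac) + (":" + ssid if ssid else "")
    return b"".join([
        avp(CALLED_STATION_ID, called.encode()),
        avp(CALLING_STATION_ID, mac_to_station_id(supplicant_mac).encode()),
        avp(NAS_PORT, struct.pack("!I", nas_port)),   # always exactly 4 octets
        avp(NAS_PORT_ID, port_id.encode()),           # variable-length string
    ])


def parse_avps(data: bytes) -> dict:
    """Walk an AVP list, rejecting truncated or undersized entries instead of guessing."""
    attrs, offset = {}, 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated AVP header")
        attr_type, length = data[offset], data[offset + 1]
        if length < 3 or offset + length > len(data):
            raise ValueError("bad AVP length")
        attrs[attr_type] = data[offset + 2:offset + length]
        offset += length
    return attrs


def split_called_station_id(value: str) -> tuple:
    """Split MAC and SSID on the first colon only, since an SSID may itself contain colons."""
    mac, _, ssid = value.partition(":")
    return mac, ssid
```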

RFC 5176 — Dynamic Session Change

RFC 5176 allows you to dynamically change the following user session characteristics:
  • You can disconnect an authenticated user on a port and remove all associated session context.

    If the RADIUS server issues a disconnect command to the switch and the switch identifies a user (that satisfies all attributes of the RADIUS server request) on a port that has enabled RADIUS dynamic extensions commands, the switch performs the following actions:
    • Notify the user of the disconnect by sending an 802.1x disconnect message to the client.

    • Remove all session context from the port.

    • Remove the port from the RADIUS-assigned VLAN, if applicable.

    • Send the disconnect response Disconnect-ACK to the RADIUS server if the user session is disconnected and all steps successfully performed.

    • Send the Disconnect-NAK response to the RADIUS server if the user session is not found or if the Network Access Server (NAS) cannot disconnect the session and discard the session context.

  • You can use the Change of Authorization command to dynamically change the VLAN assigned by the RADIUS server.

    If the RADIUS server issues a Change of Authorization command to the switch and the switch identifies a user (that satisfies all attributes of the RADIUS server request) on a port that has enabled RADIUS dynamic extensions commands, the switch performs the following actions:

    • If the Change of Authorization command specifies a valid VLAN ID for a port, the port is removed from the VLAN previously assigned by RADIUS and added to the VLAN specified in the request.

    • A CoA-ACK response is sent to the RADIUS server.

    • If the user session is not found or an error is encountered in processing the Change of Authorization command, then a CoA-NAK response is sent to the RADIUS server.

    • If the Change of Authorization request specifies a VLAN that is not port-based, a CoA-NAK response is sent to the RADIUS server.

  • You can dynamically initiate client re-authentication.

    Re-authentication requests can be sent as either Change of Authorization or Disconnect packets, but they must have the Re-authentication Request Vendor-Specific Attribute (VSA) set to True.

Dynamic session changes are directed to specific user sessions, as identified by RADIUS attributes.
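As an added example (not code from this documentation or the switch software), the following Python models the Disconnect and Change of Authorization decision rules listed above against an in-memory session table. The session, port and VLAN tables are constructed stand-ins for switch state; the VLAN carried in a CoA request is assumed to arrive in Tunnel-Private-Group-Id (the page does not name the attribute), and the re-authentication VSA is represented by the plain key Reauth-Request.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

VLAN_ATTR = "Tunnel-Private-Group-Id"   # assumed carrier of the CoA VLAN ID; the page does not name it
REAUTH_VSA = "Reauth-Request"           # stand-in key for the re-authentication VSA

@dataclass
class Session:
    user: str
    port: str
    radius_vlan: Optional[int] = None   # VLAN assigned by RADIUS, if any
    events: list = field(default_factory=list)   # actions the switch took on this session

@dataclass
class Switch:
    sessions: Dict[str, Session]        # keyed by port
    dyn_ext_ports: Set[str]             # ports with RADIUS dynamic extensions enabled
    vlans: Dict[int, str]               # VLAN ID -> VLAN type, e.g. "port-based"

    def find_session(self, attrs: dict) -> Optional[Session]:
        # Only ports with dynamic extensions qualify, and every identifier given must agree.
        wanted = {k: attrs[k] for k in ("User-Name", "NAS-Port-Id") if k in attrs}
        for s in self.sessions.values():
            have = {"User-Name": s.user, "NAS-Port-Id": s.port}
            if wanted and s.port in self.dyn_ext_ports and all(have[k] == v for k, v in wanted.items()):
                return s
        return None

    def handle(self, code: str, attrs: dict) -> str:
        kind = {"Disconnect-Request": "Disconnect", "CoA-Request": "CoA"}[code]
        s = self.find_session(attrs)
        if s is None:
            return f"{kind}-NAK"                      # session not found
        if attrs.get(REAUTH_VSA):                     # re-auth rides on either packet type
            s.events.append("reauthenticate")
            return f"{kind}-ACK"
        if kind == "Disconnect":
            s.events.append("802.1x-disconnect-sent")
            if s.radius_vlan is not None:
                s.events.append(f"left-vlan-{s.radius_vlan}")
            del self.sessions[s.port]                 # all session context removed
            return "Disconnect-ACK"
        vlan = attrs.get(VLAN_ATTR)
        if self.vlans.get(vlan) != "port-based":      # missing, unknown, or not port-based
            return "CoA-NAK"
        if s.radius_vlan is not None:
            s.events.append(f"left-vlan-{s.radius_vlan}")
        s.radius_vlan = vlan
        s.events.append(f"joined-vlan-{vlan}")
        return "CoA-ACK"
```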

To enable dynamic session changes, configure the following:
  • You must enable EAP or Endpoint Tracking globally and at the port level.

  • You must enable RADIUS dynamic extensions commands at the port level.

You can use the show radius dynamic-server statistics command to view statistics about dynamic session changes.

Switch:1#enable
Switch:1#show radius dynamic-server statistics

================================================================================
                 RADIUS Dynamic Authorization Global Statistics
================================================================================
Disconnects From Invalid Client Addresses:     0
CoAs From Invalid Client Addresses:            0
--------------------------------------------------------------------------------