RADIUS is an authentication service often supported by simpler devices such as switches. The servers run a
that the simpler devices can contact for help in logging in users.
The RADIUS daemon uses the
directory to hold its configuration files. After initial setup, the most important one is
. It contains some configuration parameters, but mostly a set of username / encrypted-password lines. A password entry can be followed by a
key = value
line; we use one to set the CISCO switch privilege level (indented and followed by a blank line):
CharlieBrown SSHA-Password := 'boguspfeBNTE0MjRmYmYwMmVjMjQ1OWM2Nzc4OWRjMDQ0YzYzZWQzM2E4OTc2YmJkMmZhMDk2NTI1ZjkwYjFkNzM2MGFmZGMxMzI4MGM3ODhiNTkyMmViM2M5NjA5MDJl
Cisco-AVPair = 'shell:priv-lvl=15'
There are no linebreaks in the "SSHA-PASSWORD" line above.
together with its helper file
will generate lines suitable for inclusion in this file (any other info such as the CISCO attributes will need to be added manually).
The RADIUS service needs to be restarted after any update to /etc/radddb/users:
systemctl restart radiusd.service
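As an added example (not the page's own generator script, which is not shown here), the following Python builds an SSHA-Password value and a complete entry in the layout above: the user line, an indented Cisco-AVPair line, and a trailing blank line. It assumes the salted-SHA1 encoding that FreeRADIUS's rlm_pap accepts for SSHA-Password, namely base64 of SHA1(password || salt) followed by the salt bytes; the username, password, privilege level and salt length are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

HASH_LEN = 20  # SHA-1 digest length in bytes


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return base64(SHA1(password || salt) || salt).

    Assumed SSHA layout: 20-byte SHA-1 digest followed by the salt bytes.
    """
    if salt is None:
        salt = os.urandom(8)  # constructed: 8 random salt bytes
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, ssha: str) -> bool:
    """Check a candidate password against an SSHA value (constant-time compare)."""
    raw = base64.b64decode(ssha)
    digest, salt = raw[:HASH_LEN], raw[HASH_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def users_entry(username: str, password: str, priv_lvl: int = 15,
                salt: Optional[bytes] = None) -> str:
    """Build one users-file entry: user line, indented AVPair, blank line."""
    if not 0 <= priv_lvl <= 15:
        raise ValueError("Cisco privilege levels run from 0 to 15")
    if any(ch.isspace() for ch in username):
        raise ValueError("username must not contain whitespace")
    return (
        f"{username} SSHA-Password := '{make_ssha(password, salt)}'\n"
        f"\tCisco-AVPair = 'shell:priv-lvl={priv_lvl}'\n"
        "\n"
    )


def check_entry_layout(entry: str) -> bool:
    """Sanity-check the layout the page describes before pasting into users.

    The first line is unindented, the attribute line is indented, and the
    entry ends with a blank line so the next entry is parsed separately.
    """
    lines = entry.split("\n")
    if len(lines) < 3 or lines[-1] != "" or lines[-2] != "":
        return False
    first, avpair = lines[0], lines[1]
    if first[:1].isspace() or " SSHA-Password := '" not in first:
        return False
    if not avpair[:1].isspace() or "Cisco-AVPair = 'shell:priv-lvl=" not in avpair:
        return False
    return True


if __name__ == "__main__":
    # constructed sample values
    entry = users_entry("CharlieBrown", "correct horse battery staple")
    print(entry, end="")
    print("layout ok:", check_entry_layout(entry))
```

The generated SSHA-Password value is a single line; if a terminal or editor wraps it, the wrap is cosmetic, as the page notes. The check function only validates layout, not the hash itself; use verify_ssha for that.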
RADIUS is a fairly old protocol and is built upon some older crypto algorithms that are now considered obsolescent (e.g., SHA1, MD5). Because the servers are running in FIPS mode, a simple SSH command will always fail, as the switches and the servers do not support a compatible key exchange algorithm. Fortunately, one can be explicitly authorized by adding
command. An alias,
, is defined for use in logging onto the switches.
It's possible that a future upgrade to the switches will add newer crypto algorithms. Part of the problem stems from the fact that the RADIUS standard specifies the allowed set of algorithms, so the standard will have to be updated and then implemented by CISCO; however, given the number of USG switches, it's likely that they will address this problem in the foreseeable future. Alternatively, an upgrade to the RHEL software might block the workarounds.