RADIUS Service

RADIUS is an authentication service often supported by simpler devices such as switches. The servers run a systemd service named radiusd that those devices contact to authenticate users who log in to them.

User Maintenance

The RADIUS daemon uses the /etc/raddb directory to hold its configuration files. After initial setup, the most important one is users. It contains some configuration parameters, but mostly consists of lines pairing a username with its SSHA-hashed password. A password entry can be followed by a key = value line; we use one to set the CISCO switch privilege level (indented and followed by a blank line):

CharlieBrown SSHA-Password := 'boguspfeBNTE0MjRmYmYwMmVjMjQ1OWM2Nzc4OWRjMDQ0YzYzZWQzM2E4OTc2YmJkMmZhMDk2NTI1ZjkwYjFkNzM2MGFmZGMxMzI4MGM3ODhiNTkyMmViM2M5NjA5MDJlODJiNzdiNmVmNzgxN2I2OTE3Zjg1NQ=='
        Cisco-AVPair = 'shell:priv-lvl=15'

There are no linebreaks in the SSHA-Password line above, however it may be wrapped on screen.

The script /opt/services/bin/makeRadiusPassword together with its helper file makeRadiusPassword.pl will generate lines suitable for inclusion in this file (any other info such as the CISCO attributes will need to be added manually).
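As an added illustration (not the makeRadiusPassword script itself), the following Python builds a users-file stanza in the form shown above and checks a candidate password against an SSHA-Password value. It assumes the FreeRADIUS SSHA layout, base64 of the 20-byte SHA1(password || salt) digest followed by the salt; the function names and the sample user are constructed here.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an SSHA-Password value: base64(SHA1(password || salt) || salt).

    A random 8-byte salt is drawn when none is supplied.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, encoded: str) -> bool:
    """Check a candidate password against an SSHA-Password value.

    The salt is whatever follows the 20-byte SHA1 digest, so a value too
    short to carry both is rejected rather than compared.
    """
    raw = base64.b64decode(encoded)
    if len(raw) <= 20:
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def users_entry(username: str, password: str,
                priv_lvl: Optional[int] = None,
                salt: Optional[bytes] = None) -> str:
    """Render one users-file stanza: the check item, an optional indented
    Cisco-AVPair reply item, and the blank line that ends the entry."""
    value = ssha_hash(password, salt)
    assert "\n" not in value  # the SSHA-Password line must be a single line
    lines = [f"{username} SSHA-Password := '{value}'"]
    if priv_lvl is not None:
        lines.append(f"        Cisco-AVPair = 'shell:priv-lvl={priv_lvl}'")
    lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample user; the password here is a placeholder.
    print(users_entry("CharlieBrown", "placeholder-password", priv_lvl=15))
```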

Access

RADIUS is a fairly old protocol and is built upon some older crypto algorithms that are now considered obsolescent (e.g., SHA1, MD5). Because the servers are running in FIPS mode, a simple SSH command will always fail, as the switches and the servers do not support a compatible key exchange algorithm. Fortunately, one can be explicitly authorized by adding -oKexAlgorithms=+diffie-hellman-group14-sha1 to the ssh command. An alias, switch-logon, is defined for use in logging onto the switches.

It's possible that a future upgrade to the switches will add newer crypto algorithms to them. Part of the problem stems from the fact that RADIUS specified the allowed set, so the standard will have to be updated and then implemented by CISCO; however, given the number of USG switches, it's likely that CISCO will address this problem in the foreseeable future. Alternatively, an upgrade to the RHEL software might block the workarounds.

-- JimJacobs - 2020-11-13
Topic revision: r1 - 2020-11-13, JimJacobs