RADIUS Service
RADIUS is an authentication service commonly used by simpler devices, such as switches, that cannot maintain a full user database of their own. The servers run a systemd service named radiusd that these devices contact to authenticate users logging in.
User Maintenance
The RADIUS daemon keeps its configuration files in the /etc/raddb directory. After initial setup, the most important one is users. It contains some configuration parameters, but mostly consists of one entry per user: a line with the username and a hashed password (a check item), optionally followed by indented key = value reply lines. We use one reply line to set the Cisco switch privilege level; the reply line is indented and the entry is terminated by a blank line:

    CharlieBrown SSHA-Password := 'boguspfeBNTE0MjRmYmYwMmVjMjQ1OWM2Nzc4OWRjMDQ0YzYzZWQzM2E4OTc2YmJkMmZhMDk2NTI1ZjkwYjFkNzM2MGFmZGMxMzI4MGM3ODhiNTkyMmViM2M5NjA5MDJlODJiNzdiNmVmNzgxN2I2OTE3Zjg1NQ=='
        Cisco-AVPair = 'shell:priv-lvl=15'

The SSHA-Password value is a single line with no line breaks in it, even if it wraps on screen. SSHA is a salted SHA-1 hash, so the file holds password hashes rather than encrypted passwords; it is still sensitive (SHA-1 hashes of weak passwords are cheap to brute-force), so keep it readable only by the radiusd service account.
The script /opt/services/bin/makeRadiusPassword, together with its helper file makeRadiusPassword.pl, generates lines suitable for inclusion in this file. Any other information, such as the Cisco attributes, must be added manually.
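The following is an added example, not the site's makeRadiusPassword script, showing what such a generator has to produce. It assumes FreeRADIUS's SSHA-Password encoding (base64 of the 20-byte SHA-1 digest of password || salt, followed by the salt) and emits a complete users-file entry including the Cisco-AVPair reply item; the username, password and salt values are constructed for the demonstration. It also includes the reverse check rlm_pap performs, which is useful for confirming that a generated line is actually valid before it is added to the file.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# FreeRADIUS "SSHA-Password" (salted SHA-1): base64( SHA1(password || salt) || salt ).
# Everything after the 20-byte digest is the salt, so the salt may be any length.
DIGEST_LEN = hashlib.sha1().digest_size  # 20

_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")  # plain tokens need no quoting in the users file


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return the base64 SSHA-Password value; a random 8-byte salt is used if none is given."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> Optional[Tuple[bytes, bytes]]:
    """Decode a stored value into (digest, salt); None if it is not a well-formed SSHA string."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= DIGEST_LEN:
        return None
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha(stored: str, password: str) -> bool:
    """Check a password against a stored value the way rlm_pap does: rehash with the stored salt."""
    parts = split_ssha(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def users_entry(username: str, password: str, priv_lvl: Optional[int] = None,
                salt: Optional[bytes] = None) -> str:
    """Build one users-file entry: check-item line, optional indented reply item, blank line."""
    if not _NAME_RE.match(username):
        raise ValueError("username must be a plain token; quote it by hand otherwise")
    if priv_lvl is not None and not 0 <= priv_lvl <= 15:
        raise ValueError("Cisco privilege level must be 0-15")
    # base64 never contains a quote character, so single quotes are always safe here.
    lines = [f"{username} SSHA-Password := '{make_ssha(password, salt)}'"]
    if priv_lvl is not None:
        # Reply items are indented; the last (here only) one carries no trailing comma.
        lines.append(f"\tCisco-AVPair = 'shell:priv-lvl={priv_lvl}'")
    return "\n".join(lines) + "\n\n"  # blank line ends the entry


if __name__ == "__main__":
    # Constructed demo credentials, not a real account.
    entry = users_entry("CharlieBrown", "correct horse battery staple", priv_lvl=15)
    print(entry, end="")
    stored = entry.split("'")[1]
    print("verify correct password:", verify_ssha(stored, "correct horse battery staple"))
    print("verify wrong password:  ", verify_ssha(stored, "wrong"))
```

Run it and paste the printed entry into /etc/raddb/users, then confirm the daemon accepts it with a PAP test request (radtest) before relying on it from a switch.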
Access
RADIUS itself is a fairly old protocol built on crypto now considered obsolescent (it hides the User-Password attribute and authenticates packets with MD5), and the switches' SSH implementations are similarly dated: they only offer SHA-1 based key exchange. Because the servers run in FIPS mode, whose crypto policy excludes SHA-1 key exchange, a plain ssh to a switch always fails with a "no matching key exchange method found" error, since the switch and the server have no key exchange algorithm in common. Fortunately, the legacy method can be explicitly re-enabled for a single command by adding -oKexAlgorithms=+diffie-hellman-group14-sha1 to the ssh command. An alias, switch-logon, is defined for use in logging onto the switches.
It's possible that a future upgrade to the switches will add newer key exchange algorithms. The set a switch offers is fixed by Cisco's SSH implementation (it is independent of RADIUS, whose MD5 use is a separate problem), so the fix has to come from Cisco; however, given the number of USG switches, it's likely that they will address this problem in the foreseeable future. Conversely, a future RHEL update might tighten the FIPS crypto policy so that this command-line override no longer works.
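As an added illustration (not part of this page or of the switch-logon alias), the snippet below shows how to diagnose the failure described above before reaching for the override. It parses OpenSSH's "Their offer:" error text, compares it against the client's effective key exchange list, and only proposes re-enabling diffie-hellman-group14-sha1 (never the 1024-bit group1 variant). The stderr line and the FIPS client list are constructed samples; on a real server the effective list comes from `ssh -G <switch> | grep -i kexalgorithms`.

```python
import re
from typing import List, Optional, Sequence

# Constructed sample of OpenSSH's stderr when no key exchange method is shared.
SAMPLE_STDERR = (
    "Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found. "
    "Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
)

# Assumed client list under a FIPS crypto policy (SHA-2 only); check yours with `ssh -G host`.
CLIENT_KEX_FIPS = [
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha256",
    "diffie-hellman-group16-sha512",
]

# Legacy methods we are willing to re-enable per command, strongest first.
# diffie-hellman-group1-sha1 (1024-bit group) is deliberately absent.
ACCEPTABLE_LEGACY = ["diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1"]

_OFFER_RE = re.compile(r"no matching key exchange method found\. Their offer: (\S+)")


def their_offer(stderr_text: str) -> Optional[List[str]]:
    """Return the switch's advertised KEX list from ssh's error text, or None if it is not a KEX failure."""
    m = _OFFER_RE.search(stderr_text)
    return m.group(1).split(",") if m else None


def legacy_choice(offer: Sequence[str]) -> Optional[str]:
    """Pick the strongest acceptable legacy method the switch offers, or None if there is none."""
    for algo in ACCEPTABLE_LEGACY:
        if algo in offer:
            return algo
    return None


def kex_override(stderr_text: str, client_kex: Sequence[str]) -> Optional[str]:
    """Return the -oKexAlgorithms option to add, or None if no override is needed.

    Raises RuntimeError when the switch offers nothing we are willing to enable,
    so the caller fails closed instead of downgrading further.
    """
    offer = their_offer(stderr_text)
    if offer is None:
        return None  # some other error (auth, DNS, ...); a KEX override will not help
    if set(offer) & set(client_kex):
        return None  # a common method exists, so the failure lies elsewhere
    algo = legacy_choice(offer)
    if algo is None:
        raise RuntimeError(f"switch only offers unacceptable KEX methods: {','.join(offer)}")
    return f"-oKexAlgorithms=+{algo}"


def switch_logon_argv(host: str, user: str, stderr_text: str,
                      client_kex: Sequence[str] = CLIENT_KEX_FIPS) -> List[str]:
    """Build the ssh command line, inserting the override only when the diagnosis calls for it."""
    argv = ["ssh"]
    override = kex_override(stderr_text, client_kex)
    if override:
        argv.append(override)
    argv.append(f"{user}@{host}")
    return argv


if __name__ == "__main__":
    print("switch offers:", their_offer(SAMPLE_STDERR))
    print("command:", " ".join(switch_logon_argv("sw-core-1", "CharlieBrown", SAMPLE_STDERR)))
```

Because the override is scoped to one ssh invocation (the alias), the server's FIPS policy stays intact for every other connection; a switch that only offered group1 would make kex_override raise rather than silently weaken the session.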
--
JimJacobs - 2020-11-13