In this section:
Overview
The
- Administrator
- Operator
- FieldService
- Guest
- SecurityAuditor
- Calea
To configure RADIUS authentication for
Obtain Correct Privileges via RADIUS Transaction
When a user is authenticated via RADIUS, the user is assigned to a group provided by the RADIUS server as part of the ACCESS_ACCEPT packet.
For
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Vendor-Id +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Vendor-Id (cont) | Vendor type | Vendor length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Attribute-Specific... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
The Vendor-Id is an SMI Network Management Private Enterprise Code of the vendor Ribbon as specified in RFC 2865.
- Vendor ID for Ribbon is "2879".
- Vendor type can be "1" considering this is the first instance of using VSAs. Type "1" can be the identifier for a group name from server.
- Vendor length is the length of the group name itself. This is followed by a string consisting of a case-sensitive group name.
If the RADIUS server does not provide a group or provides a group name which is not present in the
Configure Multiple RADIUS Servers
The
radiusServer
and retryCriteria
parameters to radiusAuthentication
configuration object.When more than one RADIUS server is configured and RADIUS authentication is attempted, the server configured with the least priority value is tried first. If fallback is configured, the inverse priority order is followed to pick the next server for authentication. SBC allows a configurable number of retries and time-outs before retry.
Once the
retryTimer
) before resending the ACCESS_REQUEST. After a configurable number of failed attempts (retryCount
), the RADIUS server is marked as unavailable, or out of service (OOS) for a configured amount of time (oosDuration
), and the SBC includes statistics to check the status of a RADIUS server, as well as the time when an unavailable server automatically becomes available again. See "radiusAuthentication" statistic details at Show Table OAM or Show Status OAM pages.
Enable Remote Authentication
To enable remote authentication:
- Log into the SBC CLI.
Change to Configuration mode:
> configure private
Execute the following command:
% set system admin <system name> localAuthenticationEnabled false externalAuthenticationEnabled true
Configure a RADIUS Server
To configure a remote RADIUS Server:
Log into the
Unable to show "metadata-from": No such page "_space_variables"CLI.
Change to Configuration mode:
> configure private
Execute the following command:
% set oam radiusAuthentication radiusServer <server name> mgmtInterfaceGroup <string> priority <#> radiusNasIp <x.x.x.x> radiusServerIp <x.x.x.x> radiusServerPort <#> radiusSharedSecret <8-128> state <disabled | enabled> retryCriteria oosDuration <# minutes> retryCount <#> retryTimer <# milliseconds>
Each SBC user is provided a private home directory for SFTP and files used by the CLI (refer to "Unique Home Directories" section on the page Managing SBC Core Users and Accounts). When using Radius authentication, users are only known to the Radius server and therefore do not have private home directories on the SBC. To create these home directories, you must also create Radius users on the SBC (refer to Local Authentication - CLI).
Rules to Configure a RADIUS Shared Secret Key
The supports all alphabetical, numeric, and special characters for setting the radiusSharedSecret
key.
The following characters in the key must be escaped while setting a radiusSharedSecret
for configuring a RADIUS server:
- # (hash) anywhere in the key
- \ (backslash) anywhere in the key
- “ (double quotes) at the beginning or end of the key
For example,
- Un-escaped key: ThisIsARadiusKeyWithDoubleQuote”andBackSlash\Hash#andAdoubleQuoteAtTheEnd”
- Escaped string: ThisIsARadiusKeyWithDoubleQuote”andBackSlash\\Hash\#andAdoubleQuoteAtTheEnd\”