Emerson Network Power | Infrastructure Management
ACS 6000 Advanced Console Server | IT Console
RADIUS Authentication, Authorization, and Accounting
Prepared by Charkkrit Wattananusit, Jan 17, 2014

Background:
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.

Environment/Setup:
Operational FreeRADIUS server, version 2.2.3 or higher. The Authentication Server and Accounting Server are configured on a single machine.
Cyclades ACS6000 Advanced Console Server, firmware 2.5.0.7 or higher.
Root (privileged) access to both the RADIUS server and the ACS6000 Advanced Console Server.

Objectives:
To configure Cyclades ACS6000 Advanced Console Server external authentication using the RADIUS protocol.
To limit/allow access to serial port(s) using group authorization.

Step #1: FreeRADIUS Basic Configuration for Cyclades ACS6000
Once the FreeRADIUS server is operational, configure the following items:
1) Define a Client IP
i) Ensure the ACS6000 IP address and shared secret are properly defined in the /etc/raddb/clients.conf file.
ii) For this example, the ACS6000 IP address is 10.207.60.140 and the secret is acs6000pass.
iii) Once the change is complete, it is recommended to restart the RADIUS server.
Note: Use a long, random shared secret in production. RADIUS hides the User-Password with an MD5 keystream derived from this secret and the request authenticator, so a weak secret exposes every password that crosses the link; keep the RADIUS traffic on the management network.
2) Define a User/Password with an Attribute
i) Ensure the RADIUS user/password is properly defined in the /etc/raddb/users file using the following entry as a guideline.
ii) For this example, we use the Framed-Filter-Id attribute to carry the ACS6000 group name.
iii) Once the change is complete, it is recommended to restart the RADIUS server.

chark   Cleartext-Password := "pass4radius!", Auth-Type := EAP
        Framed-Filter-Id = ":group_name=RemoteAdmin;"

Note: RemoteAdmin must exist as an authorization group on the ACS6000 (it is created in Step #2, item 6), and the group_name value must match that group name exactly.
Note: Auth-Type := EAP is a check item that forces the EAP module. If the ACS6000 sends a plain PAP Access-Request (User-Password present, no EAP-Message), rlm_eap fails the request and the debug log shows "Malformed EAP Message"; in that case leave Auth-Type unset, and FreeRADIUS 2.x selects PAP automatically from the Cleartext-Password.
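The exchange that the users entry above produces between the ACS6000 and FreeRADIUS, as an added example that is not part of this application note and not Avocent or FreeRADIUS code: both sides of a PAP Access-Request/Access-Accept run in one process following RFC 2865, so the effect of the clients.conf secret (Response Authenticator check), the Cleartext-Password and the Framed-Filter-Id reply item can be observed offline. The client IP, shared secret, user, password and group are the values used in this note; the packet identifier, the attribute set, the two dicts standing in for clients.conf and users, and the handling of a comma-separated group list are assumptions made for illustration.

```python
# Added example (not from the Emerson/Avocent note): an in-process model of the
# PAP RADIUS exchange that the Step #1 users entry produces between the ACS6000
# (the NAS) and FreeRADIUS, following RFC 2865.  Client IP, shared secret, user,
# password and group are the values from this note; the packet identifier, the
# attribute set and the two dicts standing in for clients.conf and users are
# assumptions made for illustration.  Nothing touches the network.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_FILTER_ID = 1, 2, 4, 11
CLIENTS = {"10.207.60.140": b"acs6000pass"}                     # stands in for clients.conf
USERS = {"chark": ("pass4radius!", ":group_name=RemoteAdmin;")}  # stands in for users

def pap_xor(data, secret, authenticator, decrypt=False):
    """RFC 2865 s5.2 User-Password hiding: block i is XORed with MD5(secret + c(i-1))."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad packet length")
    return pkt[0], pkt[1], pkt[4:20], decode_attrs(pkt[20:])

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def nas_access_request(user, password, secret, nas_ip, ident=24):
    """ACS6000 side: Access-Request carrying a PAP-hidden User-Password."""
    req_auth = os.urandom(16)
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)          # pad to a multiple of 16 bytes
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, pap_xor(pw, secret, req_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def radius_server(pkt, src_ip):
    """FreeRADIUS side: drop unknown clients; Accept + Framed-Filter-Id, or Reject."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None                          # unknown NAS: silently dropped
    _, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    entry = USERS.get(a.get(USER_NAME, b"").decode(errors="replace"))
    given = pap_xor(a.get(USER_PASSWORD, b""), secret, req_auth, decrypt=True).rstrip(b"\x00")
    if entry and hmac.compare_digest(given, entry[0].encode()):
        code, reply = ACCESS_ACCEPT, [(FRAMED_FILTER_ID, entry[1].encode())]
    else:
        code, reply = ACCESS_REJECT, []
    return build_packet(code, ident, response_authenticator(code, ident, req_auth, reply, secret), reply)

def nas_handle_reply(pkt, req_auth, secret):
    """ACS6000 side: verify the Response Authenticator, then read ":group_name=<g>;"."""
    code, ident, resp_auth, attrs = parse_packet(pkt)
    if not hmac.compare_digest(resp_auth, response_authenticator(code, ident, req_auth, attrs, secret)):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if code != ACCESS_ACCEPT:
        return None
    groups = []
    for t, v in attrs:
        value = v.decode(errors="replace").strip(":;")
        if t == FRAMED_FILTER_ID and value.startswith("group_name="):
            groups += [g for g in value[len("group_name="):].split(",") if g]  # list form assumed
    return groups

def demo(user="chark", password="pass4radius!", nas_secret=None):
    """One exchange: group list on Accept, None on Reject, error text on a secret mismatch."""
    nas_ip = "10.207.60.140"
    secret = nas_secret or CLIENTS[nas_ip]
    req, req_auth = nas_access_request(user, password, secret, nas_ip)
    try:
        return nas_handle_reply(radius_server(req, nas_ip), req_auth, secret)
    except ValueError as e:
        return str(e)

if __name__ == "__main__":
    print(demo(), demo(password="wrong"), demo(nas_secret=b"typo"), sep="\n")
```

Running the script prints the group list ['RemoteAdmin'] for the configured user, None for a wrong password (an Access-Reject that still carries a valid authenticator), and an authenticator-mismatch error when the NAS and server secrets differ, which is the symptom to expect on the ACS6000 when the secret entered in Step #2 does not match clients.conf. The authenticator check is the only integrity the base protocol offers, and the password hiding is MD5 keystream rather than encryption, which is why the secret strength and network placement notes in Step #1 matter.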
http://www.emersonnetworkpower.com/en-US/Products/InfrastructureManagement/SerialConsoles/Pages/AvocentACS6000AdvancedConsoleServer.aspx

Step #2: Configure ACS6000 to Use RADIUS Authentication with Group Authorization
The next step is to do the following on the ACS6000:
1) Log in to the ACS6000 WebGUI as the root user.
2) Confirm the firmware level is at least version 2.5.0.7: go to System | Information.
Figure 1: System | Information
3) Change the Security Profile so that serial port access is "Controlled by authorizations assigned to user groups".
Figure 2: System | Security Profile
4) Set the Authentication Type to RADIUS/LOCAL under Appliance Authentication.
Note: "Enable fallback to Local type for root user in appliance console (setup) port" is optional, but it is strongly recommended.
Figure 3: Authentication | Appliance Authentication | Authentication Type
5) Configure Authentication Servers to use the RADIUS server, enter the necessary parameters (including the shared secret defined in clients.conf in Step #1), and then SAVE. In this example, the Authentication Server and Accounting Server are the same machine.
Note: There is no need to enable the Service-Type attribute, since group authorization will be used instead.
Figure 4: Authentication | Authentication Servers | RADIUS
6) Create a new Authorization Group to control serial access and permissions.
Note: In this example, the Authorization Group is named 'RemoteAdmin'; the name must match the group_name value carried in Framed-Filter-Id in Step #1.
Figure 5: Users | Authorization | Groups
7) Open the newly created group, RemoteAdmin, to configure its Access Rights: Serial, Power, and Appliance.
a) Add a Serial (Port) by assigning it from the Available Targets list and SAVE.
Figure 6: Groups | Access Rights | Serial
Note: Accept the prompted message "This configuration will be valid only if the Security Profile is configured to require authorization to allow access to serial devices". That setting was enabled in Step #2, item 3.
b) Add (Rack) PDUs and Outlets, if connected and configured, and SAVE.
c) Assign Appliance Access Rights to the group as necessary and SAVE.
Figure 7: Group | Access Rights | Appliance Access Rights
8) The FreeRADIUS server now handles the Cyclades ACS6000 login requests, and the ACS6000 grants or denies authorizations to the authenticated account according to the group returned for it.

Example A: Testing the Configuration
With the configuration shown above, a RADIUS user is authenticated and granted access to serial ports 25 to 30, as well as Appliance Administrator rights.
Figure 8: Successfully authenticated RADIUS user and authorized access to the Cyclades ACS6000.

Example B: Log of a Successfully Started RADIUS Server (service output)
[output omitted]
...
Fri Jan 17 12:23:15 2014 : Debug: radiusd: #### Opening IP addresses and Ports ####
Fri Jan 17 12:23:15 2014 : Debug: listen {
Fri Jan 17 12:23:15 2014 : Debug:   type = "auth"
Fri Jan 17 12:23:15 2014 : Debug:   ipaddr = *
Fri Jan 17 12:23:15 2014 : Debug:   port = 0
Fri Jan 17 12:23:15 2014 : Debug: }
Fri Jan 17 12:23:15 2014 : Debug: listen {
Fri Jan 17 12:23:15 2014 : Debug:   type = "auth"
Fri Jan 17 12:23:15 2014 : Debug:   ipv6addr = :: IPv6 address [::]
Fri Jan 17 12:23:15 2014 : Debug:   port = 0
Fri Jan 17 12:23:15 2014 : Debug: }
Fri Jan 17 12:23:15 2014 : Debug: listen {
Fri Jan 17 12:23:15 2014 : Debug:   type = "acct"
Fri Jan 17 12:23:15 2014 : Debug:   ipaddr = *
Fri Jan 17 12:23:15 2014 : Debug:   port = 0
Fri Jan 17 12:23:15 2014 : Debug: }
Fri Jan 17 12:23:15 2014 : Debug: listen {
Fri Jan 17 12:23:15 2014 : Debug:   type = "acct"
Fri Jan 17 12:23:15 2014 : Debug:   ipv6addr = :: IPv6 address [::]
Fri Jan 17 12:23:15 2014 : Debug:   port = 0
Fri Jan 17 12:23:15 2014 : Debug: }
Fri Jan 17 12:23:15 2014 : Debug: listen {
Fri Jan 17 12:23:15 2014 : Debug:   type = "auth"
Fri Jan 17 12:23:15 2014 : Debug:   ipaddr = 127.0.0.1
Fri Jan 17 12:23:15 2014 : Debug:   port = 18120
Fri Jan 17 12:23:15 2014 : Debug: }
Fri Jan 17 12:23:15 2014 : Debug:  ... adding new socket proxy address * port 61904
Fri Jan 17 12:23:15 2014 : Debug: Listening on authentication address * port 1812
Fri Jan 17 12:23:15 2014 : Debug: Listening on authentication address :: port 1812
Fri Jan 17 12:23:15 2014 : Debug: Listening on accounting address * port 1813
Fri Jan 17 12:23:15 2014 : Debug: Listening on accounting address :: port 1813
Fri Jan 17 12:23:15 2014 : Debug: Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Fri Jan 17 12:23:15 2014 : Debug: Listening on proxy address * port 1814
Fri Jan 17 12:23:15 2014 : Info: Ready to process requests.
Example C: Log of a Successful Authentication (the Accounting-Request portion of the exchange is shown)
Fri Jan 17 12:23:52 2014 : Debug: Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.207.60.140 port 33782, id=24, length=92
  User-Name = "chark"
  NAS-IP-Address = 10.207.60.140
  NAS-Identifier = "ACS6048-0270012345"
  NAS-Port = 32757
  NAS-Port-Type = Virtual
  Acct-Status-Type = Stop
  Acct-Session-Id = "00032757"
  Acct-Authentic = RADIUS
  Acct-Session-Time = 0
Fri Jan 17 12:23:52 2014 : Info: # Executing section preacct from file ../etc/raddb/sites-enabled/default
Fri Jan 17 12:23:52 2014 : Info: +group preacct {
Fri Jan 17 12:23:52 2014 : Info: ++[preprocess] = ok
Fri Jan 17 12:23:52 2014 : Info: [acct_unique] Hashing 'NAS-Port = 32757,NAS-Identifier = "ACS6048-0270012345",NAS-IP-Address = 10.207.60.140,Acct-Session-Id = "00032757",User-Name = "chark"'
Fri Jan 17 12:23:52 2014 : Info: [acct_unique] Acct-Unique-Session-ID = "ffcecbfddb702c7a".
Fri Jan 17 12:23:52 2014 : Info: ++[acct_unique] = ok
Fri Jan 17 12:23:52 2014 : Info: [suffix] No '@' in User-Name = "chark", looking up realm NULL
Fri Jan 17 12:23:52 2014 : Info: [suffix] No such realm "NULL"
Fri Jan 17 12:23:52 2014 : Info: ++[suffix] = noop
Fri Jan 17 12:23:52 2014 : Info: ++[files] = noop
Fri Jan 17 12:23:52 2014 : Info: +} # group preacct = ok
Fri Jan 17 12:23:52 2014 : Info: # Executing section accounting from file ../etc/raddb/sites-enabled/default
Fri Jan 17 12:23:52 2014 : Info: +group accounting {
Fri Jan 17 12:23:52 2014 : Info: [detail] expand: %{Packet-Src-IP-Address} -> 10.207.60.140
Fri Jan 17 12:23:52 2014 : Info: [detail] expand: ../var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> ../var/log/radius/radacct/10.207.60.140/detail-20140117
Fri Jan 17 12:23:52 2014 : Info: [detail] ../var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to ../var/log/radius/radacct/10.207.60.140/detail-20140117
Fri Jan 17 12:23:52 2014 : Info: [detail] expand: %t -> Fri Jan 17 12:23:52 2014
Fri Jan 17 12:23:52 2014 : Info: ++[detail] = ok
Fri Jan 17 12:23:52 2014 : Info: [radutmp] expand: ../var/log/radius/radutmp -> ../var/log/radius/radutmp
Fri Jan 17 12:23:52 2014 : Info: [radutmp] expand: %{User-Name} -> chark
Fri Jan 17 12:23:52 2014 : Info: ++[radutmp] = ok
Fri Jan 17 12:23:52 2014 : Info: ++[exec] = noop
Fri Jan 17 12:23:52 2014 : Info: [attr_filter.accounting_response] expand: %{User-Name} -> chark
Fri Jan 17 12:23:52 2014 : Debug: attr_filter: Matched entry DEFAULT at line 12
Fri Jan 17 12:23:52 2014 : Info: ++[attr_filter.accounting_response] = updated
Fri Jan 17 12:23:52 2014 : Info: +} # group accounting = updated
Sending Accounting-Response of id 24 to 10.207.60.140 port 33782
Fri Jan 17 12:23:52 2014 : Info: Finished request 2.
Fri Jan 17 12:23:52 2014 : Info: Cleaning up request 2 ID 24 with timestamp +37
Fri Jan 17 12:23:52 2014 : Debug: Going to the next request
Fri Jan 17 12:23:52 2014 : Debug: Waking up in 4.7 seconds.
Fri Jan 17 12:23:57 2014 : Info: Cleaning up request 0 ID 194 with timestamp +37
Fri Jan 17 12:23:57 2014 : Info: Ready to process requests.