RADIUS Authentication, Authorization, and Accounting

Emerson Network Power | Infrastructure Management
ACS 6000 Advanced Console Server | IT Console
Prepared by Charkkrit Wattananusit
Jan 17, 2014
Background:
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote
access servers to communicate with a central server to authenticate dial-in users and authorize their access to the
requested system or service.
Environment/Setup:
- Operational FreeRADIUS server, version 2.2.3 or higher.
- Authentication Server and Accounting Server configured on a single machine.
- Cyclades ACS6000 Advanced Console Server, firmware 2.5.0.7 or higher.
- Privileged (root) access to both the RADIUS server and the ACS6000 Advanced Console Server.
Objectives:
- To configure the Cyclades ACS6000 Advanced Console Server for external authentication using the RADIUS protocol.
- To limit or allow access to serial port(s) using group authorization.
Step #1: FreeRADIUS Basic Configuration for Cyclades ACS6000
Once the FreeRADIUS server is operational, configure the following items:
1) Define a Client IP
i) Ensure the ACS6000 IP address and shared secret are properly defined in the /etc/raddb/clients.conf file.
ii) For this example, the ACS6000 IP address is 10.207.60.140 and the secret is acs6000pass.
iii) Once the change is complete, it is recommended to restart the RADIUS server.
2) Define a User/Password with an Attribute
i) Ensure the RADIUS user/password is properly defined in the /etc/raddb/users file, following the guideline below (the username and its check items go on the first line; the indented continuation lines hold the reply items).
ii) For this example, we use the Framed-Filter-Id attribute to carry the ACS6000 group name.
iii) Once the change is complete, it is recommended to restart the RADIUS server.
chark   Cleartext-Password := "pass4radius!"
        Auth-Type := EAP,
        Framed-Filter-Id = ":group_name=RemoteAdmin;"
Note: RemoteAdmin is a group that exists on the ACS6000 (it is created in Step #2, item 6).
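As an added example (not from the original note or from FreeRADIUS itself), the following Python parses a users-file entry of the shape shown above into its check and reply items and pulls out the ACS6000 group name carried in Framed-Filter-Id. The entry text is constructed here; treating a comma-separated list inside ":group_name=...;" as several groups is an assumption, since the note shows only a single group.

```python
import re

# Constructed users-file text in the shape shown in Step #1 (not the page's file).
USERS_TEXT = '''\
chark   Cleartext-Password := "pass4radius!"
        Auth-Type := EAP,
        Framed-Filter-Id = ":group_name=RemoteAdmin;"
'''

ENTRY_RE = re.compile(r'^(\S+)\s*(.*)$')
# attribute, operator, value (quoted string or bare token up to a comma)
PAIR_RE = re.compile(r'([\w-]+)\s*(:=|==|\+=|=)\s*("[^"]*"|[^,\s]+)')

def _pairs(text):
    return [(a, op, v.strip('"')) for a, op, v in PAIR_RE.findall(text)]

def parse_users(text):
    """Map username -> {"check": [...], "reply": [...]}.
    A line starting in column 0 opens an entry: username plus check items.
    Indented continuation lines hold the reply items (as FreeRADIUS reads them).
    Simplified: DEFAULT and Fall-Through semantics are not modelled."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if not raw[0].isspace():          # new entry: username + check items
            m = ENTRY_RE.match(raw.rstrip())
            current = entries.setdefault(m.group(1), {"check": [], "reply": []})
            current["check"].extend(_pairs(m.group(2)))
        elif current is not None:         # continuation line: reply items
            current["reply"].extend(_pairs(raw))
    return entries

def acs_groups(entry):
    """Group names the ACS6000 reads from the Framed-Filter-Id reply item.
    The note shows ":group_name=RemoteAdmin;"; splitting on commas for
    several groups is an assumption, not something the note documents."""
    for attr, _op, value in entry["reply"]:
        if attr == "Framed-Filter-Id":
            m = re.search(r':group_name=([^;]+);', value)
            if m:
                return [g.strip() for g in m.group(1).split(",") if g.strip()]
    return []

if __name__ == "__main__":
    users = parse_users(USERS_TEXT)
    print(users["chark"]["check"], acs_groups(users["chark"]))
```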
http://www.emersonnetworkpower.com/en-US/Products/InfrastructureManagement/SerialConsoles/Pages/AvocentACS6000AdvancedConsoleServer.aspx
Step #2: Configure ACS6000 to Use RADIUS Authentication with Group Authorization
The next step is to perform the following procedures.
1) Log in to the ACS6000 WebGUI as the root user.
2) To confirm that the firmware level is at least version 2.5.0.7, go to System | Information.
Figure 1: System | Information
3) Change the Security Profile so that Port Access is set to "Controlled by authorizations assigned to user groups".
Figure 2: System | Security Profile
4) Set the Authentication Type to RADIUS/LOCAL under Appliance Authentication.
Note: The "Enable fallback to Local type for root user in appliance console (setup) port" option is optional, but it is strongly recommended.
Figure 3: Authentication | Appliance Authentication | Authentication Type
5) Configure Authentication Servers to use the RADIUS server, enter the necessary parameters, and then SAVE. In this example, the Authentication Server and the Accounting Server are the same machine.
Note: There is no need to enable the Service Type Attribute, since Group Authorization will be used instead.
Figure 4: Authentication | Authentication Servers | RADIUS
6) Create a new Authorization Group to control serial access and permissions.
Note: In this example, we named the Authorization Group as ‘RemoteAdmin’.
Figure 5: Users | Authorization | Groups
7) Open the newly created group name, RemoteAdmin, to configure the Access Rights -- Serial, Power, and
Appliance.
a) Add a Serial (Port) by assigning the Available Target for the list and SAVE.
Figure 6: Groups | Access Rights | Serial
Note: Accept the prompted message “This configuration will be valid only if the Security Profile is configured to required authorization to allow access to serial devices”. That setting was enabled in step 3.
b) Add (Rack) PDU and Outlets if connected and configured and SAVE.
c) Assign Appliance Access Rights as necessary to the group and SAVE.
Figure 7: Group | Access Rights | Appliance Access Rights
8) The FreeRADIUS server will now handle the Cyclades ACS6000 login requests and grant or deny the necessary authorizations to the authenticated account.
Example A: Testing the Configuration
With the configuration shown above, the RADIUS user is authenticated and granted access to Serial Port #25 through Port #30, and is also granted Appliance Administrator rights.
Figure 8: Successfully authenticated RADIUS user and authorized access to the Cyclades ACS6000.
Example B: Log of a Successfully Started RADIUS Server
[Output omitted]
...
Fri Jan 17 12:23:15 2014 : Debug: radiusd: #### Opening IP addresses and Ports ####
Fri Jan 17 12:23:15 2014 : Debug: listen {
Fri Jan 17 12:23:15 2014 : Debug:         type = "auth"
Fri Jan 17 12:23:15 2014 : Debug:         ipaddr = *
Fri Jan 17 12:23:15 2014 : Debug:         port = 0
Fri Jan 17 12:23:15 2014 : Debug: }
Fri Jan 17 12:23:15 2014 : Debug: listen {
Fri Jan 17 12:23:15 2014 : Debug:         type = "auth"
Fri Jan 17 12:23:15 2014 : Debug:         ipv6addr = :: IPv6 address [::]
Fri Jan 17 12:23:15 2014 : Debug:         port = 0
Fri Jan 17 12:23:15 2014 : Debug: }
Fri Jan 17 12:23:15 2014 : Debug: listen {
Fri Jan 17 12:23:15 2014 : Debug:         type = "acct"
Fri Jan 17 12:23:15 2014 : Debug:         ipaddr = *
Fri Jan 17 12:23:15 2014 : Debug:         port = 0
Fri Jan 17 12:23:15 2014 : Debug: }
Fri Jan 17 12:23:15 2014 : Debug: listen {
Fri Jan 17 12:23:15 2014 : Debug:         type = "acct"
Fri Jan 17 12:23:15 2014 : Debug:         ipv6addr = :: IPv6 address [::]
Fri Jan 17 12:23:15 2014 : Debug:         port = 0
Fri Jan 17 12:23:15 2014 : Debug: }
Fri Jan 17 12:23:15 2014 : Debug: listen {
Fri Jan 17 12:23:15 2014 : Debug:         type = "auth"
Fri Jan 17 12:23:15 2014 : Debug:         ipaddr = 127.0.0.1
Fri Jan 17 12:23:15 2014 : Debug:         port = 18120
Fri Jan 17 12:23:15 2014 : Debug: }
Fri Jan 17 12:23:15 2014 : Debug:  ... adding new socket proxy address * port 61904
Fri Jan 17 12:23:15 2014 : Debug: Listening on authentication address * port 1812
Fri Jan 17 12:23:15 2014 : Debug: Listening on authentication address :: port 1812
Fri Jan 17 12:23:15 2014 : Debug: Listening on accounting address * port 1813
Fri Jan 17 12:23:15 2014 : Debug: Listening on accounting address :: port 1813
Fri Jan 17 12:23:15 2014 : Debug: Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Fri Jan 17 12:23:15 2014 : Debug: Listening on proxy address * port 1814
Fri Jan 17 12:23:15 2014 : Info: Ready to process requests.
Example C: Log of a Successful Authentication
Fri Jan 17 12:23:52 2014 : Debug: Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.207.60.140 port 33782, id=24, length=92
        User-Name = "chark"
        NAS-IP-Address = 10.207.60.140
        NAS-Identifier = "ACS6048-0270012345"
        NAS-Port = 32757
        NAS-Port-Type = Virtual
        Acct-Status-Type = Stop
        Acct-Session-Id = "00032757"
        Acct-Authentic = RADIUS
        Acct-Session-Time = 0
Fri Jan 17 12:23:52 2014 : Info: # Executing section preacct from file ../etc/raddb/sites-enabled/default
Fri Jan 17 12:23:52 2014 : Info: +group preacct {
Fri Jan 17 12:23:52 2014 : Info: ++[preprocess] = ok
Fri Jan 17 12:23:52 2014 : Info: [acct_unique] Hashing 'NAS-Port = 32757,NAS-Identifier = "ACS6048-0270012345",NAS-IP-Address = 10.207.60.140,Acct-Session-Id = "00032757",User-Name = "chark"'
Fri Jan 17 12:23:52 2014 : Info: [acct_unique] Acct-Unique-Session-ID = "ffcecbfddb702c7a".
Fri Jan 17 12:23:52 2014 : Info: ++[acct_unique] = ok
Fri Jan 17 12:23:52 2014 : Info: [suffix] No '@' in User-Name = "chark", looking up realm NULL
Fri Jan 17 12:23:52 2014 : Info: [suffix] No such realm "NULL"
Fri Jan 17 12:23:52 2014 : Info: ++[suffix] = noop
Fri Jan 17 12:23:52 2014 : Info: ++[files] = noop
Fri Jan 17 12:23:52 2014 : Info: +} # group preacct = ok
Fri Jan 17 12:23:52 2014 : Info: # Executing section accounting from file ../etc/raddb/sites-enabled/default
Fri Jan 17 12:23:52 2014 : Info: +group accounting {
Fri Jan 17 12:23:52 2014 : Info: [detail] expand: %{Packet-Src-IP-Address} -> 10.207.60.140
Fri Jan 17 12:23:52 2014 : Info: [detail] expand: ../var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> ../var/log/radius/radacct/10.207.60.140/detail-20140117
Fri Jan 17 12:23:52 2014 : Info: [detail] ../var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to ../var/log/radius/radacct/10.207.60.140/detail-20140117
Fri Jan 17 12:23:52 2014 : Info: [detail] expand: %t -> Fri Jan 17 12:23:52 2014
Fri Jan 17 12:23:52 2014 : Info: ++[detail] = ok
Fri Jan 17 12:23:52 2014 : Info: [radutmp] expand: ../var/log/radius/radutmp -> ../var/log/radius/radutmp
Fri Jan 17 12:23:52 2014 : Info: [radutmp] expand: %{User-Name} -> chark
Fri Jan 17 12:23:52 2014 : Info: ++[radutmp] = ok
Fri Jan 17 12:23:52 2014 : Info: ++[exec] = noop
Fri Jan 17 12:23:52 2014 : Info: [attr_filter.accounting_response] expand: %{User-Name} -> chark
Fri Jan 17 12:23:52 2014 : Debug: attr_filter: Matched entry DEFAULT at line 12
Fri Jan 17 12:23:52 2014 : Info: ++[attr_filter.accounting_response] = updated
Fri Jan 17 12:23:52 2014 : Info: +} # group accounting = updated
Sending Accounting-Response of id 24 to 10.207.60.140 port 33782
Fri Jan 17 12:23:52 2014 : Info: Finished request 2.
Fri Jan 17 12:23:52 2014 : Info: Cleaning up request 2 ID 24 with timestamp +37
Fri Jan 17 12:23:52 2014 : Debug: Going to the next request
Fri Jan 17 12:23:52 2014 : Debug: Waking up in 4.7 seconds.
Fri Jan 17 12:23:57 2014 : Info: Cleaning up request 0 ID 194 with timestamp +37
Fri Jan 17 12:23:57 2014 : Info: Ready to process requests.
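The Accounting-Request in Example C is only accepted because the ACS6000 and the server share the secret defined in Step #1 (acs6000pass): the server recomputes the packet's Request Authenticator with its copy of the secret and drops packets that do not match. As an added example that is not part of the original note, the following Python rebuilds that packet from the attributes printed in Example C using the RFC 2866 encoding (attribute type codes are the standard RFC 2865/2866 numbers) and checks the authenticator with the right secret, a wrong secret, and a tampered payload; the packet bytes are constructed here, not captured.

```python
import hashlib
import struct
from ipaddress import IPv4Address

ACCT_REQUEST = 4        # RADIUS Code for Accounting-Request (RFC 2866)
# Standard attribute type codes (RFC 2865/2866) for the attributes in Example C
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5, "NAS-Identifier": 32,
        "Acct-Status-Type": 40, "Acct-Session-Id": 44, "Acct-Authentic": 45,
        "Acct-Session-Time": 46, "NAS-Port-Type": 61}

def avp(name, value):
    """Encode one attribute as Type | Length | Value."""
    if isinstance(value, str):
        data = value.encode()
    elif isinstance(value, IPv4Address):
        data = value.packed
    else:
        data = struct.pack(">I", value)          # 32-bit integer / enum
    return bytes([ATTR[name], len(data) + 2]) + data

def build_acct_request(ident, attrs, secret):
    """Accounting-Request whose Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(avp(n, v) for n, v in attrs)
    header = struct.pack(">BBH", ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def acct_request_is_authentic(packet, secret):
    """The server-side check: recompute the authenticator with the secret
    configured for this client in clients.conf and compare."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + body + secret).digest() == auth

# Attribute values copied from the Accounting-Request printed in Example C.
EXAMPLE_C = [
    ("User-Name", "chark"),
    ("NAS-IP-Address", IPv4Address("10.207.60.140")),
    ("NAS-Identifier", "ACS6048-0270012345"),
    ("NAS-Port", 32757),
    ("NAS-Port-Type", 5),          # Virtual
    ("Acct-Status-Type", 2),       # Stop
    ("Acct-Session-Id", "00032757"),
    ("Acct-Authentic", 1),         # RADIUS
    ("Acct-Session-Time", 0),
]

if __name__ == "__main__":
    pkt = build_acct_request(24, EXAMPLE_C, b"acs6000pass")   # secret from Step #1
    print(acct_request_is_authentic(pkt, b"acs6000pass"))     # True
    print(acct_request_is_authentic(pkt, b"wrong-secret"))    # False
```

A mismatched secret shows up on the server side as silently discarded accounting packets, so this check is the first thing to suspect when an ACS6000 login succeeds but no detail record appears under radacct.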