Configuring RADIUS Client for Remote Login Authentication

Configuration Guidelines

  • To establish communication with the RADIUS server, configure the server IP address and the secret key. The secret key must be specific to the client and the server for establishing communication between them.
  • Authentication method must be explicitly specified as RADIUS.
  • When multiple servers are configured, any one server can be configured as the primary server. This server will be contacted first in case of an authentication event. If the primary server is not reachable, the other servers will be contacted.

Default Configuration

Table 1. Default Configuration

Feature                         Default Setting
RADIUS-server timeout           10 (seconds)
RADIUS-server retransmit        3 (attempts)
RADIUS-server encryption key    IS5ComRadius
login authentication            local

CLI Configuration Steps

For topology setup, refer to Figure 1.

  1. Execute the following commands to configure the RADIUS client with server-specific parameters such as host, timeout, key, and retransmit interval and to configure RADIUS authentication.

    Type the following:

    • Enter the Global Configuration Mode.
    iS5comm# configure terminal
    • Configure the RADIUS-server host as the primary server.
    iS5comm(config)# set radius enable
    iS5comm(config)# radius-server host 13.0.0.20 auth-port 1812 timeout 6 retransmit 6 key IS5ComRadius primary
    • Configure the router to use RADIUS for authentication at the login prompt.
    iS5comm(config)# login authentication radius
    • Exit from the Global Configuration mode.
    iS5comm(config)# exit 
    • Execute the following command to view the RADIUS server-specific configurations.
    iS5comm# show radius server
    Primary Server           : 13.0.0.20
    
    
    Radius Server Host Information
    ------------------------------
    Index                    : 1
    Server address           : 13.0.0.20
    Shared secret            : 
    Response Time            : 6
    Maximum Retransmission   : 6
    Authentication Port      : 1812
    Accounting Port          : 1813
    --------------------------------------------
  2. Execute the following command to view the RADIUS statistics.

    Perform the following:

    iS5comm# show radius statistics
    Radius Server Statistics
    -------------------------
    Index                            : 1
    Radius Server Address            : 13.0.0.20
    UDP port number                  : 1812
    Round trip time                  : 0
    No of request packets            : 1
    No of retransmitted packets      : 0
    No of access-accept packets      : 1
    No of access-reject packets      : 0
    No of access-challenge packets   : 0
    No of malformed access responses : 0
    No of bad authenticators         : 0
    No of pending requests           : 0
    No of time outs                  : 0
    No of unknown types              : 0
    --------------------------------------------
  3. Execute the following command to view the system information.

    Perform the following:

    iS5comm# show system information 
    Hardware Version                  : 5.2.4
    Firmware Version                  : 5.0.0.0
    Switch Name                       : ISS
    System Contact                    : [email protected]
    System Location                   : is5Com
    Logging Option                    : Console Logging
    Login Authentication Mode         : Remote
    Config Save Status                : Not Initiated
    Remote Save Status                : Not Initiated
    Config Restore Status             : Not Initiated
    • Configure the IPv6 radius-server host and set it as the primary server. The previous configuration
    iS5comm(config)# radius-server host 2003::2 auth-port 1812 timeout 6 retransmit 6 key IS5ComRadius primary

At RADIUS Server

There are three ways to configure the RADIUS server.

A. Single Mode RADIUS Authentication

The freeRADIUS server code is used for this configuration. Customize the following sample files in the raddb directory (/etc/raddb on Linux):

  • users
  • clients.conf
  • radiusd.conf

An example is shown below.

  1. In the file users, include the following line to allow a user named iS5comm with the password iss123 and PAP as the authentication type.

    Perform the following:

    "iS5comm" Auth-Type := PAP, User-Password == "iss123"

  2. In the file clients.conf, specify the RADIUS client information.

    Perform the following:

    client 13.0.0.5 {
        secret      = IS5ComRadius
        shortname   = Rad
    }
  3. In the file radiusd.conf, specify the encryption scheme for PAP.

    Perform the following:

    pap {
        encryption_scheme = clear
    }
  4. Either the IPv4 or the IPv6 listener can be enabled in the server at a time. When the IPv4 server is to be used, comment out the IPv6 server by adding a “#” at the front, and vice versa.

    Perform the following:

    ipaddr = *
    ipv6addr = ::
  5. From the root mode, start RADIUS Server Daemon.

    Perform the following:

    # radiusd -X -A
  6. At Host:

    Perform the following:

    • Telnet to the router from the host.
    # telnet 20.0.0.1
    ISS login: iS5comm
    Password: iss123
    iS5comm>

    The packet flow between the host, RADIUS client, and the RADIUS Server is illustrated in the figure below.

    Figure 1. Packet Flow between Host, RADIUS CLIENT, and RADIUS server
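The exchange in Figure 1, worked through as an added example that is not part of the original guide: both sides of a PAP login, with the switch hiding the User-Password under the shared secret (RFC 2865 section 5.2) and checking the Response Authenticator on the reply, which is the check behind the "bad authenticators" counter in show radius statistics. The secret IS5ComRadius and the user iS5comm/iss123 come from the page; the NAS address 13.0.0.5 is the client address from clients.conf, and the packet identifier and Request Authenticator used for testing are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16 bytes (at least one block),
    then XOR each block with MD5(secret + previous ciphertext block); the first
    block is masked with MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password. Trailing NULs are removed as padding, so a
    password ending in NUL bytes cannot be distinguished from a shorter one."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-zero multiple of 16 bytes")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value encoding; Length includes the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")  # counted as malformed by the switch
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, secret, username, password, nas_ip, request_auth=None):
    """Switch side. The Request Authenticator must be fresh and unpredictable."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(packet, secret, users):
    """Server side: unhide the PAP password, check it, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:length]))
    if USER_PASSWORD not in attrs:
        raise ValueError("no User-Password attribute")
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = unhide_password(attrs[USER_PASSWORD], secret, request_auth)
    expected = users.get(user)
    ok = expected is not None and hmac.compare_digest(password, expected.encode())
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)
    return header + response_authenticator(reply_code, ident, b"", request_auth, secret)


def client_verify(response, request, secret):
    """Switch side: recompute the Response Authenticator with the shared secret.
    A mismatch means the reply was forged, corrupted or sent with another secret;
    it is discarded and counted as a bad authenticator. Returns the code or None."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = response_authenticator(code, ident, response[20:length], request[4:20], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def exchange(username, password, secret=b"IS5ComRadius", users=None, request_auth=None):
    """One host login through switch and server; returns the verified reply code."""
    users = users if users is not None else {"iS5comm": "iss123"}  # the page's users entry
    request = build_access_request(1, secret, username, password, "13.0.0.5", request_auth)
    response = server_handle(request, secret, users)
    return client_verify(response, request, secret)


if __name__ == "__main__":
    print("accept" if exchange("iS5comm", "iss123") == ACCESS_ACCEPT else "reject")
```

The hiding step is reversible by anyone who holds the shared secret, and the request itself carries no integrity check, so the strength of the secret and keeping UDP/1812 unreachable from untrusted networks are what actually protect a PAP login.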



B. Multiple Level Role-Based Authentication (RBAC) - FreeRadius

Role-based access control (RBAC) restricts network access based on a user's role in the network. The authentication methods shown below are Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and MS-CHAPv2.

PAP

For PAP, when logging into a network resource, the user has to supply a username and a password which are sent in clear text format.

After installing ubuntu-20.04.2.0-desktop-amd64 (the image can be downloaded from https://ubuntu.com/download) on VMware Player and bridging it to your network, implement the following steps to install, configure, and test RBAC.

To install and configure free RADIUS with a new dictionary file, implement the following configuration steps.

  1. Install free RADIUS server.

    Type the following:

    sudo su
    apt-get install freeradius

  2. Go to the directory of free RADIUS.

    Type the following:

    cd /etc/freeradius/3.0

  3. Execute the nano dictionary command to replace the old dictionary file with a new one. Don’t remove the original file—just modify it.
  4. Delete the contents of the old dictionary file and copy/paste the contents of the new dictionary file.

    The following commands are available in the nano editor:

    • To save, press Control + O.
    • To exit the nano editor, press Control + X.
    • To search in the nano editor, press Control + W. Comment out (add # in front of) the lines that include the following dictionaries:
      • dictionary.jradius
      • dictionary.redback
  5. Save by pressing Control + O. Exit the nano editor by pressing Control + X.
  6. Using the graphical file browser, go to /usr/share/freeradius and copy all the files from the free RADIUS server installation into the /etc/freeradius/3.0 directory. Don’t replace the original dictionary file.
  7. Execute the nano users command to replace the old users file with a new one. Don’t remove the original file—just modify it.
  8. Delete the contents of the old users file, then copy/paste the contents of the new users file. Save by pressing Control + O. Exit the nano editor by pressing Control + X.
  9. Execute the nano clients.conf command to add the RADIUS client information at the end of the file.

    Type the following:

    client SW6 {
        ipaddr    = 192.168.10.0
        secret    = IS5ComRadius
        netmask   = 24
        shortname = SW6
    }

    Save by pressing Control + O. Exit the nano editor by pressing Control + X.

  10. Execute the nano users command to add or choose a user to be verified.

    An example for the user admin is as follows:

    admin  Auth-Type :=PAP, Cleartext-Password := "Admin_12"
     Service-Type = 12,
     Framed-MTU = 1500,
     Is5-privilege-id = 15

    Or manually add a user tech:

    tech  Auth-Type :=PAP, Cleartext-Password := "techpass"
     Service-Type = 12,
     Framed-MTU = 1500,
     Is5-privilege-id = 7

  11. Execute freeradius restart or reboot.
  12. Execute freeradius -CX. The following message should appear: Configuration appears to be OK.
    To stop free RADIUS, press Control + Z.

  13. Execute freeradius -X. If you get the following error message, reboot:

    Failed binding to auth address * port 1812 bound to server default: Address already in use
    /etc/freeradius/3.0/sites-enabled/default[59]: Error binding to port for 0.0.0.0 port 1812
  14. Execute freeradius -X.
  15. Add the RADIUS configuration to the switch configuration.

    Type the following:

    set radius enable
    radius-server host 192.168.10.170 auth-port 1812 timeout 6 retransmit 6 key IS5ComRadius primary
    login authentication radius local
    Note that the key used above is the same shared secret as in step 9: IS5ComRadius.
  16. To be placed as level 15 user, use the username admin and password Admin_12.
  17. To be placed as level 7 user, use the username tech and password techpass.

    Note that as a level 7 user, you won’t be able to create new users from the CLI user interface of the switch.
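An added audit script, not part of the guide or of FreeRADIUS, that parses entries in the users-file format used in steps 8 and 10 and reports which privilege level each user would receive. The sample file is constructed from the admin and tech entries above, plus the MS-CHAP test user from the next section and a guest entry with no privilege attribute, so that a review of who ends up at level 15 can be scripted before the server goes live.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the FreeRADIUS users-file format, modelled on the
# entries in the text. Comments and the 'guest' entry are constructed here.
SAMPLE_USERS = """\
# a column-0 word starts an entry: user name followed by check items;
# indented lines are reply items returned in Access-Accept
admin  Auth-Type :=PAP, Cleartext-Password := "Admin_12"
    Service-Type = 12,
    Framed-MTU = 1500,
    Is5-privilege-id = 15

tech  Auth-Type :=PAP, Cleartext-Password := "techpass"
    Service-Type = 12,
    Framed-MTU = 1500,
    Is5-privilege-id = 7

test  Auth-Type :=MS-CHAP, Cleartext-Password := "testpw"
    Service-Type = 14,
    Framed-MTU = 1500,
    Is5-privilege-id = 15

guest  Auth-Type :=PAP, Cleartext-Password := "guestpw"
    Service-Type = 12
"""

# attribute, operator, value; ':=' is tried before the single-character '='
ITEM_RE = re.compile(r'^([\w.-]+)\s*(:=|==|!=|\+=|=~|!~|>=|<=|[=<>])\s*(.*)$')


@dataclass
class Entry:
    name: str
    check: list = field(default_factory=list)   # (attribute, operator, value) tuples
    reply: list = field(default_factory=list)


def split_items(text: str):
    """Split 'A := x, B = "y, z"' on commas that are not inside double quotes."""
    items, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return [i.strip() for i in items if i.strip()]


def parse_item(text: str):
    m = ITEM_RE.match(text.strip())
    if not m:
        raise ValueError(f"cannot parse item: {text!r}")
    attr, op, value = m.groups()
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return attr, op, value


def parse_users(text: str):
    entries = []
    for raw in text.splitlines():
        line = re.sub(r'(^|\s)#.*$', '', raw).rstrip()   # strip comments ('#' in quotes unsupported)
        if not line.strip():
            continue
        if line[0] not in " \t":                        # column 0: 'name  check-items'
            parts = line.split(None, 1)
            entry = Entry(parts[0])
            if len(parts) > 1:
                entry.check = [parse_item(i) for i in split_items(parts[1])]
            entries.append(entry)
        else:                                           # indented: reply items of current entry
            if not entries:
                raise ValueError("reply item before any entry")
            entries[-1].reply.extend(parse_item(i) for i in split_items(line))
    return entries


def audit(entries):
    """Map each user to (privilege level, Auth-Type) and collect review findings."""
    levels, findings = {}, []
    for e in entries:
        check = {a: v for a, _, v in e.check}
        reply = {a: v for a, _, v in e.reply}
        raw = reply.get("Is5-privilege-id")
        priv = int(raw) if raw is not None and raw.isdigit() else None
        levels[e.name] = (priv, check.get("Auth-Type"))
        if priv is None:
            findings.append(f"{e.name}: no Is5-privilege-id reply item, no level is returned to the switch")
        elif priv == 15:
            findings.append(f"{e.name}: level 15 (full administrative access), confirm this is intended")
        if "Auth-Type" not in check:
            findings.append(f"{e.name}: Auth-Type not forced, module selection depends on the request")
    return levels, findings


if __name__ == "__main__":
    lv, notes = audit(parse_users(SAMPLE_USERS))
    for name, (priv, auth) in lv.items():
        print(f"{name:8} level={priv} auth={auth}")
    print("\n".join(notes))
```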

MS-CHAPv2

CHAP stands for Challenge Handshake Authentication Protocol. When logging into a network, the user provides a username and a secret password, which is authenticated through a three-way handshake. MS-CHAP is the Microsoft version of CHAP. The protocol exists in two versions, MS-CHAPv1 (defined in RFC 2433) and MS-CHAPv2 (defined in RFC 2759). MS-CHAPv2 provides mutual authentication between peers by piggybacking a peer challenge on the Response packet and an authenticator response on the Success packet.

Enable MS-CHAPv2. Implement the following commands:

    set radius enable
    radius-server host 192.168.10.170 auth-port 1812 timeout 6 retransmit 6 key IS5ComRadius primary
    login authentication radius local
    set radius protocol-mode ms-chapv2

Go to free RADIUS for any changes. The configuration file can be found under:

    /etc/freeradius/3.0/sites-enabled/default
  1. Change the configuration if needed.

    Go to:

    # cd /etc/freeradius/3.0/sites-enabled/

  2. Execute the following command.

    Type the following:

    # nano default

    Verify that the lines shown below are present; most of them are enabled by default. Don’t delete or modify the rest of the file.

    authorize {
        preprocess
        digest
        mschap
        suffix
        sql
        eap
        files
    }

    authenticate {
        #  MSCHAP authentication
        Auth-Type MS-CHAP {
            mschap
        }
        mschap
        digest
    }

  3. Browse to the following location.

    Type the following:

     cd /etc/freeradius/3.0/

  4. Execute the nano users command, then change the content so that it contains the entry below. Don’t delete or modify the rest of the file.

    The file should contain the following:

    #Make sure that the Auth-Type is equal to MS-CHAP
    #you can create admin and tech and guest users as PAP
    test  Auth-Type :=MS-CHAP, Cleartext-Password := "testpw"
     Service-Type = 14,
     Framed-MTU = 1500,
     Is5-privilege-id = 15

    Then, save by pressing Control + O.

    Exit the nano editor by pressing Control + X

  5. In the same directory shown in step 3, execute the nano mschap command, then change the content so that it contains the settings below. Don’t delete or modify the rest of the file.

    The output should be as follows:

    mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        authtype = MS-CHAP
    }

    Then, save by pressing Control + O.

    Exit the nano editor by pressing Control + X

  6. To test MS-CHAPv2 on the RADIUS server, issue the following command:

    Type the following:

    radtest -x -t mschap [username] [password] localhost 0 [RADIUS server shared secret]

C. Multiple Level Role-Based Authentication (RBAC) - Windows Server 2016

To configure a RADIUS server with Password Authentication Protocol (PAP) or MS-CHAPv2 for three user privilege levels, first create Active Directory, because the VSA (vendor-specific attribute) has to be assigned to a group of users, not to an individual.

Creating Active Directory

This section gives details on creating Active Directory.

Start the Windows Server 2016 Server Manager Dashboard and perform the following steps.

Figure 2. Server Manager - Dashboard


1. Click Add roles and features. Keep clicking Next until you reach the Select server roles page.

Figure 3. Server Manager- Add Roles and Features Wizard


2. Then, select the check boxes for Active Directory Domain Services and DNS Server. Keep clicking Next until you reach the confirmation page. Click Install.

3. When the installation has completed successfully, the following page appears.

Figure 4. Server Manager- Add Roles and Features Wizard - View Installation progress


4. Click Close to exit the wizard.

Go to the Dashboard again. The WELCOME TO SERVER MANAGER page appears with a strip with one red and two yellow rectangles on the left side.

Click it and start promoting the server to a domain controller. The Post-deployment Configuration pane appears.

Figure 5. Server Manager - Dashboard - Post-deployment Configuration


Figure 6. Active Directory Domain Services Wizard - Deployment Configuration


5. The Deployment Configuration page appears. In the Select the deployment operation area, select Add a new forest. In the Root domain name box, type the domain name is5com.com as shown below. Click Next.

Figure 7. Active Directory Domain Services Wizard - Domain Controller Options


6. The Domain Controller Options page appears. Type the Directory Services Restore Mode (DSRM) password and click Next.

Figure 8. Active Directory Domain Services Wizard - Prerequisites Check


7. Keep clicking Next until you reach the Prerequisites Check page. If everything is OK, click Install and wait until the View Results page closes. Then, restart.

Figure 9. Server Manager Dashboard- Active Directory Users and Computers


8. After restarting, go to the Dashboard and choose Tools, then choose Active Directory Users and Computers from the menu. Create three users and three groups as shown below (each group and its user is at a different privilege level).

  • Group is5-admin will have is5.admin user.
  • Group is5-tech will have is5.tech user.
  • Group is5-guest will have is5.guest user.

Figure 10. Server Manager Dashboard - Users


Creating NAP for the RADIUS server

To create Network Access Protection (NAP), start the Windows Server 2016 Server Manager Dashboard and perform the following steps.

Figure 11. Server Manager - Dashboard


Figure 12. Server Manager- Add Roles and Features Wizard -Server Roles


1. Click Add roles and features. Keep clicking Next until you reach Server Roles. Then, select the check box for Network Policy and Access Services. Keep clicking Next until the confirmation page appears, then click Install. When finished, click Close.

Figure 13. Server Manager- Add Roles and Features Wizard -Server Roles


2. In the left pane of the main dashboard, choose NPAS.

Then, right click and choose Network Policy Server.

Figure 14. Servers - Network Policy Server



3. Add a RADIUS client, making sure that the shared secret is the same as the one used on Raptor.

Figure 15. New Policy Server


Figure 16. New RADIUS Client


Figure 17. Network Policies


4. Go to Network Policies and delete all existing ones. Then, create three policies for is5, one for each of the three privilege levels.

Figure 18. New Network Policy


5. Click Next, then choose the group you want to add as a condition for this policy. Since the policy name is is5-admin, add the is5-admin group, which contains one user, is5.admin.

Figure 19. Specify Conditions


Figure 20. Configure Authentication Methods


6. Click Next and choose Access granted. Then, press Next. In Configure Authentication Methods, choose both MS-CHAPv2 and PAP to make one policy for both.

Figure 21. Configure Settings


7. Click Next. Then, in Configure Settings page choose Vendor Specific. Click Add. Then again, in the Add Vendor Specific Attribute page, choose Vendor Specific and click Add.

Figure 22. Vendor-Specific Attribute Information


8. Click Add, then in the Enter Vendor Code field, select 41094.

9. Choose Yes, it conforms, and then, click Configure Attribute.

Figure 23. Vendor-Specific Attribute Information - Configure VSA


In the Attribute value field, enter the privilege number: a value of 7 gives privilege 7, and a value of 1 gives privilege 1.

Figure 24. Completing New Network Policy


10. Click Finish.

11. In the very same way, add the admin, tech, and guest policies.

Figure 25. Completing Network Policy Server


12. After that, right-click the main Network Policy Server (NPS) node and choose Register server in Active Directory. Then, click OK twice.

If you make any changes to the policies, right-click NPS again and choose Stop NPS Service, then choose Start NPS Service.

13. Use the CLI on Raptor (Tera Term or equivalent) and enter the following commands.

    set radius enable
    radius-server host 192.168.10.230 auth-port 1812 timeout 1 retransmit 1 key IS5ComRadius primary

If you want to work with MS-CHAPv2 instead of PAP, add the command shown below to the previous ones.

    set radius protocol-mode ms-chapv2

Now, the username and password created previously can be used, and the user is granted the privilege level assigned to the group that the user belongs to.
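How the privilege level configured in step 9 reaches the switch, as an added example that is not part of the guide: the RADIUS Vendor-Specific attribute (type 26, RFC 2865 section 5.26) carries the vendor code 41094 from the page together with a vendor attribute holding the level, and the switch side has to locate and validate that attribute in the Access-Accept. The vendor-type number of Is5-privilege-id is not given on the page, so the value 1 used here is a placeholder, and treating 1..15 as the valid range is an assumption; the Framed-MTU attribute mirrors the users-file entries of section B.

```python
import struct

VENDOR_SPECIFIC = 26       # RFC 2865 attribute type for vendor extensions
FRAMED_MTU = 12
IS5_VENDOR_ID = 41094      # vendor code entered in the NPS policy (from the page)
# Placeholder: the page does not state the vendor-type number of Is5-privilege-id;
# take the real value from the switch's RADIUS dictionary.
IS5_PRIVILEGE_ID_TYPE = 1


def encode_integer(n: int) -> bytes:
    return struct.pack("!I", n)


def encode_tlv(attr_type: int, value: bytes) -> bytes:
    """Type + Length (header included) + Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """RFC 2865 5.26: type 26 wrapping a 4-byte Vendor-Id and a vendor TLV."""
    return encode_tlv(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + encode_tlv(vendor_type, value))


def parse_tlvs(data: bytes):
    """Walk a TLV sequence; raises on a length that runs past the data."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def privilege_from_accept(attrs: bytes, vendor_id=IS5_VENDOR_ID, vendor_type=IS5_PRIVILEGE_ID_TYPE):
    """Switch side: pick the privilege VSA out of an Access-Accept attribute list.
    Returns the level, or None if the attribute is absent, belongs to another vendor,
    has the wrong size, or is outside 1..15 (assumed range; the guide uses 1, 7 and 15)."""
    for attr_type, value in parse_tlvs(attrs):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        for vtype, vvalue in parse_tlvs(value[4:]):   # vendor data is itself a TLV sequence
            if vtype == vendor_type:
                if len(vvalue) != 4:
                    return None
                level = struct.unpack("!I", vvalue)[0]
                return level if 1 <= level <= 15 else None
    return None


def sample_access_accept_attrs(level: int) -> bytes:
    """Constructed attribute list such as the NPS policy for one group would return."""
    return (encode_tlv(FRAMED_MTU, encode_integer(1500))
            + encode_vsa(IS5_VENDOR_ID, IS5_PRIVILEGE_ID_TYPE, encode_integer(level)))


if __name__ == "__main__":
    for level in (15, 7, 1):
        print(level, "->", privilege_from_accept(sample_access_accept_attrs(level)))
```

Because the level arrives in a reply that is only authenticated by the shared secret (see the Response Authenticator check in the PAP example of section A), a forged or mis-secreted reply must be dropped before this parser is ever consulted; the parser itself only guards against another vendor's attribute, a truncated value, or an out-of-range level.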