Tip
This is the documentation for the 23.11 version.
RADIUS User Authentication¶
TNSR supports authenticating users using a Remote Authentication Dial-In User Service (RADIUS) server. Though RADIUS was originally designed for dial-up style user authentication, it can be found in numerous authentication roles on modern networks thanks to various vendor additions to the protocol over the years. Organizations commonly use RADIUS servers for centralized authentication, as it is widely supported for authentication in protocols such as 802.1X, WPA2, IPsec, and many others.
Danger
Communication between a RADIUS server and a host authenticating against the RADIUS server, such as TNSR, should be private. In other words, this communication should take place over a VPN, a directly connected secure network, or a similar method of secure communication. The RADIUS protocol itself is not encrypted: apart from the user password, which is only obfuscated with the shared secret, the contents of each message are sent in the clear and could expose potentially sensitive user information such as usernames.
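As an added illustration of this note (example code written for this page, not part of TNSR or its documentation), the following Python builds and parses a RADIUS Access-Request as specified in RFC 2865. The username, password and shared secret are constructed sample values, and the Request Authenticator is fixed only so the example is reproducible (a real client draws it at random). It shows that the User-Name attribute travels as plain text and that the User-Password attribute is merely XOR-obfuscated with MD5 digests derived from the shared secret, which is why confidentiality has to come from the transport (VPN or a directly connected secure network), not from the protocol.

```python
import hashlib
import os
import struct

# Public RFC 2865 constants.
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad the password to a
    multiple of 16 bytes, then XOR each block with MD5(secret + previous
    block). The first 'previous block' is the 16-byte Request Authenticator.
    This is keyed obfuscation, not authenticated encryption, and it is the
    only part of the packet the shared secret protects."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block  # chaining uses the hidden block, not the plaintext
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    plain = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(h ^ k for h, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, authenticator: bytes = b"") -> bytes:
    """Build an Access-Request carrying User-Name and a hidden User-Password."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(USER_NAME, username.encode()) + \
        attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def observer_view(packet: bytes) -> dict:
    """What a passive observer on the path sees without the shared secret:
    the username is plain text; only the password bytes are obscured."""
    _, _, _, attrs = parse_packet(packet)
    return {"User-Name": attrs[USER_NAME].decode(),
            "User-Password": attrs[USER_PASSWORD].hex()}


def server_view(packet: bytes, secret: bytes) -> tuple:
    """What the RADIUS server recovers using the shared secret."""
    _, _, authenticator, attrs = parse_packet(packet)
    password = reveal_password(attrs[USER_PASSWORD], secret, authenticator)
    return attrs[USER_NAME].decode(), password.decode()


if __name__ == "__main__":
    # Constructed sample values; the fixed authenticator is for reproducibility only.
    pkt = build_access_request(7, "myuser", "s0m3r3a11Yl0ngR4nd00m$t21nG",
                               b"abcd1234", bytes(range(16)))
    print("on the wire:", observer_view(pkt))
    print("at the server:", server_view(pkt, b"abcd1234"))
```

Running the block shows the username readable in the captured packet while the password appears as opaque bytes; the same bytes decode to the original password only with the correct shared secret.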
Known Limitations¶
Currently a local user must exist for each RADIUS user who will log in via SSH. RADIUS does not have a way to pass back common user attributes such as a UID, home directory, etc., so these must come from an existing local user account.
Warning
The local password does not need to match the password in RADIUS, but both passwords are valid to log in with the account. As such, ensure the local passwords are sufficiently random and long enough that they are resistant to guessing and brute-force attacks.
The following is a brief example of creating a local user. For more details, see Local User Authentication.
tnsr(config)# auth user myuser
tnsr(config-auth)# pass s0m3r3a11Yl0ngR4nd00m$t21nG
tnsr(config-auth)# exit
tnsr(config)#
After defining the local user, myuser can then log in using their RADIUS credentials.
Adding a RADIUS Server¶
To define a RADIUS server, start in config mode and use the radius command to enter config-radius mode:
tnsr(config)# radius
tnsr(config-radius)#
Now define one or more RADIUS servers using the server command:
tnsr(config-radius)# server <name> <address> [<port>] <secret> [<timeout>] [<source-addr>]
The server command accepts the following parameters:
<name>
    The name of the RADIUS server, such as primary.
<address>
    The IP address or FQDN of the server, such as radius.example.com.
<port>
    Optional custom authentication port. When not defined, TNSR assumes the default port, which is 1812.
<secret>
    The shared secret between this host and the RADIUS server. Note that this must use printable ASCII characters and cannot contain spaces or quotes.
<timeout>
    Optional duration, in seconds, after which a query will time out. The value can be between 3-60 seconds.
<source-addr>
    Optional IP address which TNSR will use as the source address when communicating with this RADIUS server.
The server command can be repeated with additional servers for redundancy.
Example¶
This example adds two RADIUS servers named primary and secondary:
tnsr(config-radius)# server primary 198.51.100.3 abcd1234 30 198.51.100.30
tnsr(config-radius)# server secondary 198.51.100.7 efgh5678
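As an added example (written for this page, not TNSR code), the following Python assembles the server command from its documented parameters and enforces the constraints listed above before anything is pasted into config-radius mode: the default port 1812 applies when <port> is omitted, <timeout> must be 3-60 seconds, <secret> must be printable ASCII without spaces or quotes, and <source-addr> must be an IP address. It also generates a random local password for the fallback account the Known Limitations section requires. The hostname-label check for <address>, the one-word rule for <name>, the inclusive timeout range and the password alphabet are assumptions of this example, not TNSR rules; the sample values reproduce the two servers in the example above.

```python
import ipaddress
import re
import secrets
import string

DEFAULT_AUTH_PORT = 1812  # documented default used when <port> is omitted
TIMEOUT_RANGE = (3, 60)   # documented valid <timeout> range in seconds (assumed inclusive)

# Hostname label rule (RFC 1123 style); an assumption for checking <address>, not a TNSR rule.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_address(value: str) -> bool:
    """<address> may be an IP address or an FQDN (assumed: at least two labels)."""
    if is_ip(value):
        return True
    labels = value.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def is_secret(value: str) -> bool:
    """Documented constraints: printable ASCII, no spaces, no quotes."""
    return bool(value) and all(33 <= ord(c) <= 126 and c not in "'\"" for c in value)


def radius_server_command(name: str, address: str, secret: str, port: int = None,
                          timeout: int = None, source_addr: str = None) -> str:
    """Return one 'server <name> <address> [<port>] <secret> [<timeout>] [<source-addr>]' line."""
    if not name or any(c.isspace() for c in name):
        raise ValueError("name must be a single word")  # assumption of this example
    if not is_address(address):
        raise ValueError(f"address must be an IP address or FQDN: {address!r}")
    if not is_secret(secret):
        raise ValueError("secret must be printable ASCII without spaces or quotes")
    parts = ["server", name, address]
    if port is not None:
        if not 1 <= port <= 65535:
            raise ValueError("port out of range")
        parts.append(str(port))  # omitted entirely when the default 1812 is wanted
    parts.append(secret)
    if timeout is not None:
        low, high = TIMEOUT_RANGE
        if not low <= timeout <= high:
            raise ValueError(f"timeout must be {low}-{high} seconds")
        parts.append(str(timeout))
    if source_addr is not None:
        if not is_ip(source_addr):
            raise ValueError("source-addr must be an IP address")
        parts.append(source_addr)
    return " ".join(parts)


def rejects(**kwargs) -> bool:
    """True if radius_server_command refuses the given parameters."""
    try:
        radius_server_command(**kwargs)
    except ValueError:
        return True
    return False


def radius_config(servers: list) -> str:
    """Whole config-radius session as the documentation shows it:
    enter with 'radius', one 'server' line per entry, then 'exit'."""
    lines = ["radius"] + [radius_server_command(**s) for s in servers] + ["exit"]
    return "\n".join(lines)


def local_password(length: int = 24) -> str:
    """Random local password for the required fallback account. The alphabet
    avoids spaces and quotes (an assumption, so the value pastes safely into
    the 'pass' command); secrets gives CSPRNG-quality choices."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(radius_config([
        dict(name="primary", address="198.51.100.3", secret="abcd1234",
             timeout=30, source_addr="198.51.100.30"),
        dict(name="secondary", address="198.51.100.7", secret="efgh5678"),
    ]))
    print("pass", local_password())
```

The sample secrets are the placeholders from the documented example; in practice the shared secret should be long and random, and the helper rejects values that the server command would not accept.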
Viewing RADIUS Servers¶
To list the configured RADIUS servers, use the show radius servers command:
tnsr(config)# show radius servers
Name       Host           Secret      Timeout  Source-Address
primary    198.51.100.3   "abcd1234"  30       198.51.100.30
secondary  198.51.100.7   "efgh5678"
Removing a RADIUS Server¶
To remove a RADIUS server, start in config-radius mode and negate its entry with the no form of the server command along with the name of the entry:
tnsr(config-radius)# no server <name>
For example:
tnsr(config-radius)# no server secondary