System User Authentication Method
TNSR supports using RADIUS or LDAP servers for system authentication as an alternative to the default method of authenticating users locally (Local User Authentication).
To configure the system to use servers for user authentication, the servers must first be defined (RADIUS User Authentication, LDAP User Authentication) and also added to a server group (Authentication Server Groups).
To define an alternate system authentication method, use the auth method command from config mode, which has the following syntax:
auth method (ldap|radius) server-group <group-name>
This command adds a server group the operating system can use to authenticate users.
The command can be repeated to add multiple groups of either the same or different types.
The available options for these entries are:
(ldap|radius)
    The type of authentication used by the group in this entry. Must match the type value of the server group.
server-group <group-name>
    The name of the authentication server group for TNSR to use.
Once this method is configured, the system will attempt to authenticate user logins against the servers in the group. This includes SSH and console logins, for example.
Example
tnsr(config)# radius
tnsr(config-radius)# server name primary host 198.51.100.3 secret abcd1234 timeout 30 source-address 198.51.100.30
tnsr(config-radius)# server name secondary host 198.51.100.7 secret efgh5678
tnsr(config-radius)# exit
tnsr(config)# auth server-group radauth
tnsr(config-auth-server-group)# type radius
tnsr(config-auth-server-group)# priority 20 radius primary
tnsr(config-auth-server-group)# priority 40 radius secondary
tnsr(config-auth-server-group)# exit
tnsr(config)# auth method radius server-group radauth
Known Limitations
Currently a local user must exist for each RADIUS user who will log in via SSH. This limitation does not apply to users authenticated against LDAP servers. RADIUS authentication does not have a usable way to pass back common user attributes such as a UID, home directory, etc., so these must come from an existing local user account.
Warning
The local password does not need to match the password on the RADIUS server, but both passwords are valid to login with the account. As such, ensure the local passwords are sufficiently random and long enough that they are resistant to guessing/brute force.
The following is a brief example of creating a local user. For more details, see Local User Authentication.
tnsr(config)# auth user myuser
tnsr(config-auth)# pass s0m3r3a11Yl0ngR4nd00m$t21nG
tnsr(config-auth)# exit
tnsr(config)#
After defining the local user, myuser can then log in using their RADIUS credentials.
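The limitation and warning above leave the administrator with two chores: find every RADIUS user who still needs a local TNSR account before SSH will work for them, and give each such account a local password that is long and random, because that local password stays valid alongside the RADIUS one. The following script is an added illustration, not part of the TNSR documentation or product; the user lists are constructed sample data, and the password policy thresholds (24 characters, three of four character classes) are assumptions chosen here rather than a TNSR requirement. It emits the same config-mode commands the page shows for creating a local user.

```python
import secrets
import string

# Constructed sample data (not from the page): user names the RADIUS
# server is expected to authenticate for SSH, and accounts already local
# on the TNSR instance.
RADIUS_SSH_USERS = ["alice", "bob", "carol"]
LOCAL_USERS = ["root", "tnsr", "alice"]

# Assumed policy for the local "shadow" password behind a RADIUS user.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
MIN_LENGTH = 24
MIN_CLASSES = 3


def missing_local_accounts(radius_users, local_users):
    """RADIUS SSH users who cannot log in yet because no local account exists."""
    local = set(local_users)
    return sorted(u for u in radius_users if u not in local)


def check_local_password(password):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    return problems


def generate_local_password(length=32):
    """Draw a password from a CSPRNG and retry until it satisfies the policy.

    The retry loop matters: a uniformly random draw can, rarely, miss a
    whole character class, and the caller must never receive such a value.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_local_password(candidate):
            return candidate


def local_user_commands(user, password):
    """TNSR config-mode commands (as shown on this page) that create the local user."""
    return [f"auth user {user}", f"pass {password}", "exit"]


def provisioning_plan(radius_users, local_users):
    """Map each RADIUS user lacking a local account to the commands that create one."""
    plan = {}
    for user in missing_local_accounts(radius_users, local_users):
        plan[user] = local_user_commands(user, generate_local_password())
    return plan


if __name__ == "__main__":
    for user, commands in provisioning_plan(RADIUS_SSH_USERS, LOCAL_USERS).items():
        print(f"# local account for RADIUS user {user}")
        for line in commands:
            print(line)
```

The generated password is only ever pasted into the `pass` command; it is not meant to be handed to the user, who keeps logging in with RADIUS credentials. The local password exists solely so that the account has attributes, and the policy check is what keeps that second credential from becoming the weaker of the two.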