RADIUS User Authentication

TNSR supports authenticating users using a Remote Authentication Dial-In User Service (RADIUS) server. Though RADIUS was originally designed for dial-up style user authentication, it can be found in numerous authentication roles on modern networks thanks to various vendor additions to the protocol over the years. Organizations commonly use RADIUS servers for centralized authentication, as it is widely supported for authentication in protocols such as 802.1X, WPA2, IPsec, and many others.

Danger

Communication between a RADIUS server and a host authenticating against the RADIUS server, such as TNSR, should be private. In other words, this communication should take place over a VPN, a directly connected secure network, or a similar method of secure communication. The RADIUS protocol itself is not encrypted; most of each packet is sent in the clear, which could expose potentially sensitive user information.
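To make the caveat above concrete, the following added example (not part of the TNSR documentation or product) builds and parses a RADIUS Access-Request as defined in RFC 2865 using only the Python standard library. It shows that the User-Name and NAS-IP-Address attributes travel as plaintext, and that the User-Password attribute is merely obfuscated with an MD5 keystream derived from the shared secret and the Request Authenticator, which is why the path between TNSR and the server must be a private network or VPN. The shared secret and NAS address are taken from the page's own example; the user name, password, and fixed Request Authenticator are constructed values for the demonstration.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4

# Values taken from the page's example server definition
SECRET = b"abcd1234"
NAS_IP = "198.51.100.30"
# Constructed values for the demonstration (a real client uses 16 random bytes)
REQUEST_AUTHENTICATOR = bytes(range(16))
USERNAME = b"alice"
PASSWORD = b"correct horse battery staple"


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with a chained MD5 keystream."""
    padded_len = max(16, -(-len(password) // 16) * 16)   # pad with NULs to a multiple of 16
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                                      # next block is chained on the ciphertext
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password; this is what the RADIUS server does with the shared secret."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Attributes are Type (1 byte), Length (1 byte, includes header), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, nas_ip: str, request_authenticator: bytes) -> bytes:
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),                                  # sent in the clear
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_authenticator)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),  # sent in the clear
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, attrs); needs no secret at all."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    return code, identifier, packet[4:20], decode_attrs(packet[20:length])


def build_access_accept(identifier: int, request_authenticator: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = b""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """The client's only integrity check on a reply: recompute the Response Authenticator."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    attrs = response[20:length]
    header = struct.pack("!BBH", code, identifier, length)
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def plaintext_fields(packet: bytes) -> dict:
    """Everything an on-path observer reads from an Access-Request without the secret."""
    _, _, _, attrs = parse_packet(packet)
    readable = {t: v for t, v in attrs if t != ATTR_USER_PASSWORD}
    return {"user_name": readable.get(ATTR_USER_NAME),
            "nas_ip": ".".join(str(b) for b in readable.get(ATTR_NAS_IP_ADDRESS, b""))}


if __name__ == "__main__":
    req = build_access_request(7, USERNAME, PASSWORD, SECRET, NAS_IP, REQUEST_AUTHENTICATOR)
    print("observer sees:", plaintext_fields(req))
    print("server recovers:", reveal_password(dict(parse_packet(req)[3])[ATTR_USER_PASSWORD], SECRET, REQUEST_AUTHENTICATOR))
    print("accept valid:", verify_response(build_access_accept(7, REQUEST_AUTHENTICATOR, SECRET), REQUEST_AUTHENTICATOR, SECRET))
```

The password obfuscation only keeps the password from an observer who lacks the shared secret; the user name, NAS address, and packet structure are visible to anyone on the path, and the Response Authenticator is an MD5 over the secret rather than a modern MAC. Both points are why the documentation insists on a private transport between TNSR and the RADIUS server.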

Adding a RADIUS Server

To define a RADIUS server, start in config mode and use the radius command to enter config-radius mode:

tnsr(config)# radius
tnsr(config-radius)#

Now define one or more RADIUS servers using the server command:

tnsr(config-radius)# server name <name> host <address> [port <auth-port>] secret <secret>
                       [timeout <timeout:3-60>] [source-address <ip-addr>]

The server command accepts the following parameters:

name <name>

The name of the RADIUS server, such as primary

host <address>

The IP address or FQDN of the server, such as radius.example.com

port <auth-port>

Optional custom authentication port. When not defined, TNSR uses the default RADIUS authentication port, 1812.

secret <secret>

The shared secret between this host and the RADIUS server. Note that this must use printable ASCII characters and cannot contain spaces or quotes.

timeout <timeout>

Optional duration, in seconds, after which a query will time out. The value must be between 3 and 60 seconds.

source-address <ip-addr>

Optional IP address which TNSR will use as the source address when communicating with this RADIUS server.

The server command can be repeated with additional servers for redundancy.

Note

This only defines the RADIUS server. TNSR will not use the server unless it is added to an authentication server group. That group must then be configured for use elsewhere, such as for system user authentication.

Example

This example adds two RADIUS servers named primary and secondary:

tnsr(config-radius)# server name primary host 198.51.100.3 secret abcd1234
                       timeout 30 source-address 198.51.100.30
tnsr(config-radius)# server name secondary host 198.51.100.7 secret efgh5678

Viewing RADIUS Servers

tnsr(config)# show radius servers
Name                    Host            Secret            Timeout Source-Address
primary                 198.51.100.3    "abcd1234"           30   198.51.100.30
secondary               198.51.100.7    "efgh5678"

Removing a RADIUS Server

To remove a RADIUS server, start in config-radius mode and negate its entry with the no form of the server command along with the name of the entry:

tnsr(config-radius)# no server name <name>

For example:

tnsr(config-radius)# no server name secondary