RADIUS User Authentication

TNSR supports authenticating users using a Remote Authentication Dial-In User Service (RADIUS) server. Though RADIUS was originally designed for dial-up style user authentication, it can be found in numerous authentication roles on modern networks thanks to various vendor additions to the protocol over the years. Organizations commonly use RADIUS servers for centralized authentication, as it is widely supported for authentication in protocols such as 802.1X, WPA2, IPsec, and many others.

Danger

Communication between a RADIUS server and a host authenticating against the RADIUS server, such as TNSR, should be private. In other words, this communication should take place over a VPN, a directly connected secure network, or a similar method of secure communication. The RADIUS protocol itself is not encrypted, and much of the protocol is sent in the clear, which could expose potentially sensitive user information.

Known Limitations

Currently a local user must exist for each RADIUS user who will log in via SSH. RADIUS does not have a way to pass back common user attributes such as a UID, home directory, etc., so these must come from an existing local user account.

Warning

The local password does not need to match the password in RADIUS, but both passwords are valid to log in with the account. As such, ensure the local passwords are sufficiently random and long enough that they are resistant to guessing and brute-force attacks.

The following is a brief example of creating a local user. For more details, see Local User Authentication.

tnsr(config)# auth user myuser
tnsr(config-auth)# pass s0m3r3a11Yl0ngR4nd00m$t21nG
tnsr(config-auth)# exit
tnsr(config)#

After defining the local user, myuser can then log in using their RADIUS credentials.

Adding a RADIUS Server

To define a RADIUS server, start in config mode and use the radius command to enter config-radius mode:

tnsr(config)# radius
tnsr(config-radius)#

Now define one or more RADIUS servers using the server command:

tnsr(config-radius)# server <name> <address> [<port>] <secret> [<timeout>] [<source-addr>]

The server command accepts the following parameters:

<name>

The name of the RADIUS server, such as primary

<address>

The IP address or FQDN of the server, such as radius.example.com

<port>

Optional custom authentication port. When not defined, TNSR assumes the default port, which is 1812.

<secret>

The shared secret between this host and the RADIUS server. Note that this must use printable ASCII characters and cannot contain spaces or quotes.

<timeout>

Optional duration, in seconds, after which a query will time out. The value must be between 3 and 60 seconds.

<source-addr>

Optional IP address which TNSR will use as the source address when communicating with this RADIUS server.

The server command can be repeated with additional servers for redundancy.
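As an added illustration of why the Danger note above and the <secret> format rule matter (this is not part of the TNSR documentation and not TNSR code), the following Python models the RFC 2865 exchange between a client such as TNSR and a RADIUS server. It shows that only the User-Password attribute is hidden with the shared secret, while User-Name and every other attribute travel in cleartext, and that the same secret is what lets the client check that a reply came from the real server. Attribute codes and the MD5 constructions are taken from RFC 2865, not from this page.

```python
import hashlib
import os
import struct
# RFC 2865 values (assumed from the RFC; the page itself only names port 1812).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def valid_secret(secret: str) -> bool:
    """The page's constraint on <secret>: printable ASCII, no spaces or quotes."""
    return secret != "" and all(33 <= ord(c) <= 126 and c not in "\"'" for c in secret)

def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous
    block), seeded by the Request Authenticator. Only this attribute is hidden."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: inverse of hide_password (keystream depends on the ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, _md5(secret, prev))), block
    return out.rstrip(b"\x00")

def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(user: str, password: str, secret: str,
                         ident: int = 0, authenticator: bytes = None) -> bytes:
    """Access-Request as a NAS such as TNSR sends it: User-Name travels in cleartext."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user.encode()) + _attr(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret.encode(), authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code: int, request: bytes, secret: str, attrs: bytes = b"") -> bytes:
    """Server reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + _md5(header, request[4:20], attrs, secret.encode()) + attrs

def reply_authentic(reply: bytes, request: bytes, secret: str) -> bool:
    """Client side: accept a reply only if it was produced with the shared secret."""
    return reply[4:20] == _md5(reply[:4], request[4:20], reply[20:], secret.encode())
```

Because the password hiding is a 16-byte XOR keystream derived from MD5 and the secret, a long, random secret and a private transport are what protect the exchange, which is the reason for the Danger note above.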

Example

This example adds two RADIUS servers named primary and secondary:

tnsr(config-radius)# server primary 198.51.100.3 abcd1234 30 198.51.100.30
tnsr(config-radius)# server secondary 198.51.100.7 efgh5678

Viewing RADIUS Servers

tnsr(config)# show radius servers
Name                    Host            Secret            Timeout Source-Address
primary                 198.51.100.3    "abcd1234"           30   198.51.100.30
secondary               198.51.100.7    "efgh5678"

Removing a RADIUS Server

To remove a RADIUS server, start in config-radius mode and negate its entry with the no form of the server command along with the name of the entry:

tnsr(config-radius)# no server <name>

For example:

tnsr(config-radius)# no server secondary