Most network devices support external authentication via the RADIUS protocol and/or TACACS+. The two protocols have some differences, but the concepts are the same, so for the rest of the article I will focus mainly on RADIUS.
This configuration is extremely useful to centralize all your users in a common directory system (LDAP, Active Directory, etc…). You usually do not want to change the passwords on hundreds of Cisco switches because one of your employees leaves…
The standard solution for Cisco devices is Cisco ACS, but to make things more interesting (and cheaper!), I will describe how to implement RADIUS authentication using a RADIUS server under Linux.
What you need:
- a Linux server (a low resource VPS is enough)
- Radiator Radius server
- an OpenLDAP server
The installation of Radiator is very easy:
Now let’s have a look at the radius.cfg file:
Let’s analyze the configuration in detail:
- we use the secret key YOURSECRET. You will need to configure the same key in all your network devices. For additional security, you could use a different secret key per device and add a number of Client clauses mapping IPs to secret keys (these values can also be stored in a database…)
- we will accept both RADIUS and TACACS+ connections (remember to open your firewall!)
- the realm is ldap, so if your login is USERNAME, you will have to enter it as USERNAME@ldap
- the AuthBy LDAP clause contains all the information needed to authenticate against the LDAP server. You will have to fill it in based on your LDAP schema.
What about the Perl scripts that are executed in the different hooks?
- postauth.pl: this hook is executed after the authentication has been validated. It is useful for logging what happened during the authentication (e.g. which user authenticated, from which IP address, etc…)
- accthook.pl: this hook is useful for devices that support logging of executed commands via accounting packets. You can then log all the executed commands (and who ran them) in your favourite way (file, syslog server, database)
- postsearchhook.pl: this is the main script for managing authorization. After we have validated username and password, we may still need to validate additional authorizations such as:
  - does the user have access to this particular device?
  - does the user have administrative access to the device? (in Cisco terms, can they execute the “enable” command)
For example, the code to make the user escalate to level 15 in a Cisco router could be the following:
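The post's own Radiator hook snippet is not reproduced on this page. As an added illustration, not the author's code, the following Python models the two decisions the hooks make: the post-search authorization (which devices a user may log in to, and at which privilege level, from their LDAP group membership) and the RADIUS reply that carries the result to a Cisco device (`Service-Type = Administrative-User` plus the `cisco-avpair` `shell:priv-lvl=15` for level 15). It also shows why the per-device secrets mentioned above matter: the Response Authenticator is an MD5 over the packet and the shared secret, so a reply built with one device's secret does not verify on another. The group DNs, device addresses and secrets are constructed sample values; `POLICY` and `CLIENT_SECRETS` are assumed stand-ins for what the real deployment would keep in LDAP and in the Client clauses.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute types and values used for Cisco exec authorization
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_ADMINISTRATIVE_USER = 6
SERVICE_TYPE_NAS_PROMPT_USER = 7
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1

# Constructed sample: one shared secret per NAS, the equivalent of several
# Client clauses instead of a single secret for every device.
CLIENT_SECRETS = {
    "192.0.2.10": b"core-sw1-secret",
    "192.0.2.11": b"edge-rtr1-secret",
}

# Constructed sample policy: LDAP group -> (devices it may log in to, privilege level).
POLICY = {
    "cn=netadmins,ou=groups,dc=example,dc=com": ({"192.0.2.10", "192.0.2.11"}, 15),
    "cn=netops,ou=groups,dc=example,dc=com": ({"192.0.2.11"}, 1),
}


def decide_privilege(member_of, nas_ip):
    """Highest privilege level the user's groups grant on nas_ip, or None for no access."""
    level = None
    for group in member_of:
        devices, lvl = POLICY.get(group, (set(), None))
        if nas_ip in devices and (level is None or lvl > level):
            level = lvl
    return level


def encode_attr(attr_type, value):
    """Type-Length-Value encoding; the length byte counts the two header bytes too."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_cisco_avpair(text):
    """Vendor-Specific (26) attribute carrying one Cisco (vendor 9) avpair, vendor type 1."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def authorization_attrs(level):
    """Attributes an Access-Accept needs for a Cisco exec session at the given level."""
    service = SERVICE_TYPE_ADMINISTRATIVE_USER if level == 15 else SERVICE_TYPE_NAS_PROMPT_USER
    return (encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", service))
            + encode_cisco_avpair("shell:priv-lvl=%d" % level))


def build_response(code, identifier, request_authenticator, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def verify_response(packet, request_authenticator, secret):
    """What the NAS does on receipt: recompute the authenticator with its own copy of the secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, received)


def decode_attrs(packet):
    """Return (type, value) pairs; Cisco avpairs are unwrapped to ('cisco-avpair', text)."""
    attrs, out = packet[20:], []
    while attrs:
        attr_type, length = attrs[0], attrs[1]
        if length < 2 or length > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[2:length]
        if attr_type == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            vendor_len = value[5]
            out.append(("cisco-avpair", value[6:4 + vendor_len].decode()))
        else:
            out.append((attr_type, value))
        attrs = attrs[length:]
    return out


def answer_access_request(nas_ip, identifier, request_authenticator, member_of):
    """Server side of the post-search decision: reject, or accept with the right privilege attributes."""
    secret = CLIENT_SECRETS[nas_ip]
    level = decide_privilege(member_of, nas_ip)
    if level is None:
        return build_response(ACCESS_REJECT, identifier, request_authenticator, b"", secret)
    return build_response(ACCESS_ACCEPT, identifier, request_authenticator,
                          authorization_attrs(level), secret)
```

Only the reply path is modelled here; the device's Access-Request (with its random Request Authenticator) is represented by the `request_authenticator` argument, and password verification is assumed to have already succeeded against LDAP, which is the point at which a post-search hook runs.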
RADIUS support is quite widespread in network devices, but sometimes it can be buggy or non-standard. Good documentation covering which attributes need to be sent to different devices can be found in the FreeRADIUS wiki (hp, cisco)
Which radius server and authentication mechanism do you use in production?