ArubaOS 8.6.0.0 Help Center

Setting Up RADIUS Authentication, Authorization, and Accounting

This section contains the following information:

About AAA Services

About the RADIUS Protocol

About the TACACS+ Protocol

About RADIUS Authentication and Authorization

Setting Up RADIUS Accounting

About AAA Services

AAA network security services provide the primary framework through which a network administrator can set up access control on network points of entry or network access servers.

Authentication identifies a user.

Authorization determines what that user can do on the network.

Accounting monitors the network usage time for billing purposes.

AAA information is typically stored in an external database or remote server such as a RADIUS or TACACS+ server. The information can also be stored locally on the access server or router.

Remote security servers, such as RADIUS and TACACS+ servers, assign users specific privileges by associating attribute-value pairs, which define the access rights, with the appropriate user. All authorization methods must be defined through AAA.

About RADIUS Authentication and Authorization

Authentication is the process by which a system or network verifies the identity of a user who wishes to access it. Authentication ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual—that is the role of authorization.

Authorization is the process of giving individuals specific access rights to system or network resources based on their identity. Authorization employs access control rules to determine whether access requests from authenticated users are approved (granted) or disapproved (rejected).

The RADIUS protocol combines user authentication and authorization steps into one phase. The user must be successfully authenticated before the RADIUS server sends authorization information (from the user’s profile) to the Network Access Server (NAS).

Commands authorization assigns a list of CLI commands that can be executed by a specified user. The permitted CLI commands are defined on the remote RADIUS server in the user's profile. When authentication is successful, the RADIUS server returns the list of CLI commands that the authenticated user is authorized to execute. By default, all users can execute a minimal set of commands regardless of their authorization status, for example, "exit" and "logout". This minimal set of commands prevents a deadlock on the switch caused by an error in the user's authorization profile on the RADIUS server. The user's profile is encoded into Vendor-Specific Attributes (VSAs).

The list of permitted commands is used to filter all the commands executed by the user until the end of the session. This allows greater authorization control, where different rights can be given to different manager or operator users.
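The following Python example is added here and is not code from the ArubaOS page or from Aruba. It shows, from the NAS side, the two steps this section describes: verifying that an Access-Accept really came from a server holding the shared secret (the Response Authenticator of RFC 2865), and turning a command list carried in a Vendor-Specific Attribute into the per-session command filter, including the always-permitted minimal set. The Vendor-Id 11, VSA type 2, the semicolon-separated pattern format and the secret are assumptions chosen for illustration, not the switch's actual dictionary.

```python
"""Added example (not from the ArubaOS page): NAS-side check of an
Access-Accept and a per-session CLI command filter built from a VSA.
Assumed: Vendor-Id 11, VSA type 2, ';'-separated shell-style patterns."""
import fnmatch
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC = 1, 26
VENDOR_ID = 11          # assumption: illustrative vendor id
VSA_COMMAND_STRING = 2  # assumption: illustrative VSA type
ALWAYS_PERMITTED = {"exit", "logout"}   # minimal set every user keeps


def attr(atype, value):
    """RFC 2865 attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def vsa(vendor_id, vtype, value):
    """Vendor-Specific (26) wrapping Vendor-Id plus one vendor TLV."""
    inner = struct.pack("!BB", vtype, 2 + len(value)) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret); the secret itself never leaves either host."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + req_auth + attrs + secret).digest()


def parse_attrs(data):
    """Return (type, value) tuples; VSAs are expanded to (26, vendor, vtype, value)."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        v = data[i + 2:i + length]
        if t == ATTR_VENDOR_SPECIFIC and len(v) >= 6:
            vendor, j = struct.unpack("!I", v[:4])[0], 4
            while j + 2 <= len(v):
                vt, vl = v[j], v[j + 1]
                if vl < 2 or j + vl > len(v):
                    raise ValueError("malformed VSA")
                out.append((t, vendor, vt, v[j + 2:j + vl]))
                j += vl
        else:
            out.append((t, v))
        i += length
    return out


def verify_response(packet, req_auth, secret):
    """NAS-side check: sane Length field, then constant-time authenticator compare."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs = packet[20:length]
    if not hmac.compare_digest(packet[4:20], response_authenticator(code, ident, req_auth, attrs, secret)):
        raise ValueError("Response Authenticator mismatch (wrong secret or tampering)")
    return code, parse_attrs(attrs)


def permitted_commands(attrs):
    """Collect command patterns from the (assumed) command-string VSA."""
    patterns = []
    for a in attrs:
        if len(a) == 4 and a[1] == VENDOR_ID and a[2] == VSA_COMMAND_STRING:
            patterns += [p.strip() for p in a[3].decode().split(";") if p.strip()]
    return patterns


def command_allowed(cmd, patterns):
    """Filter applied to every CLI line for the rest of the session."""
    cmd = " ".join(cmd.split())
    return cmd in ALWAYS_PERMITTED or any(fnmatch.fnmatchcase(cmd, p) for p in patterns)


def demo(secret=b"example-secret"):
    req_auth = os.urandom(16)   # Request Authenticator the NAS sent in its Access-Request
    attrs = attr(ATTR_USER_NAME, b"operator1") + vsa(VENDOR_ID, VSA_COMMAND_STRING, b"show *;ping *")
    accept = struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(attrs)) \
        + response_authenticator(ACCESS_ACCEPT, 7, req_auth, attrs, secret) + attrs
    code, parsed = verify_response(accept, req_auth, secret)
    patterns = permitted_commands(parsed)
    tampered = bytearray(accept)
    tampered[-1] ^= 0x01        # on-path edit of the command list without knowing the secret
    try:
        verify_response(bytes(tampered), req_auth, secret)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"code": code, "patterns": patterns,
            "show_ok": command_allowed("show  running-config", patterns),
            "config_ok": command_allowed("configure", patterns),
            "logout_ok": command_allowed("logout", patterns),
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The authenticator check is what makes the returned command list trustworthy: an attacker on the path between switch and server can rewrite the VSA, but cannot produce a matching Response Authenticator without the shared secret, so the edited packet is discarded and the session never gets a widened command set.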

About the RADIUS Protocol

The RADIUS (Remote Authentication Dial-In User Service) protocol carries authentication, authorization, and configuration information between a network access server (NAS) and a RADIUS authentication server.

Authentication with RADIUS allows for a unique password for each user, instead of the need to maintain and distribute switch-specific passwords to all users. RADIUS verifies identity for the following types of primary password access to the switch:

Serial port (console)

Telnet

SSH

SFTP/SCP

WebAgent

Port-Access (802.1X)

AOS switches support RADIUS accounting for web-based authentication and MAC authentication sessions, collecting resource consumption data and forwarding it to the RADIUS server. This data can be used for trend analysis, capacity planning, billing, auditing, and cost analysis.

Requests and responses carried by the RADIUS protocol are called RADIUS attributes. These attributes provide the information needed by a RADIUS server to authenticate users and to establish authorized network service for them. The RADIUS protocol also carries accounting information between a network access server and a RADIUS accounting server.

RADIUS is a client/server protocol. The RADIUS client is typically a network access server. The client passes user information to designated RADIUS servers and acts on the response that is returned. RADIUS servers receive user connection requests, authenticate the user, and then return the configuration information necessary for the client to deliver service to the user.

About the TACACS+ Protocol

TACACS+ AAA systems are used as a single point of management for configuring and storing user accounts. They are often coupled with directories and management repositories, simplifying the setup and maintenance of end-user accounts.

In the authorization function of the AAA system, network devices with Authentication Services can provide fine-grained control over user capabilities for the duration of the user’s session; for example, setting access control or session duration. Enforcement of restrictions to a user account can limit available commands and levels of access.

TACACS+ authentication provides a central server through which you can allow or deny access to switches and other TACACS-aware devices in your network. TACACS+ uses a central database that holds multiple unique user-name and password sets with their associated privilege levels. This central database is consulted when users access the AOS switch from either the console port or via Telnet.

TACACS+ uses an authentication hierarchy consisting of:

Remote passwords assigned in a TACACS+ server

Local passwords configured on the switch


If the switch cannot reach a TACACS+ server, it falls back to the locally configured passwords for authentication control.

A TACACS+ server is able to:

Configure login authentication for read/write or read-only privileges.

Manage the authentication of login attempts by either the console port or via Telnet.

Setting Up RADIUS Accounting

This section provides the following information:

Accounting Services

RADIUS Accounting Server

Enabling RADIUS Accounting

Operating Rules for RADIUS Accounting

Operating Rules for RADIUS

Accounting Services

RADIUS accounting on the switch collects resource consumption data and forwards it to the RADIUS server. This data can be used for trend analysis, capacity planning, billing, auditing, and cost analysis. Accounting support is provided for WebAgent sessions on the switch.

RADIUS accounting collects data about user activity and system events and sends it to a RADIUS server when specified events occur on the switch, such as a logoff or a reboot.

Accounting Service Types

The switch supports four types of accounting services:

Network accounting: Provides records containing information on clients directly connected to the switch and operating under Port-Based Access Control (802.1X).

Executive accounting: Provides records holding the information about login sessions (console, Telnet, and SSH) on the switch.

System accounting: Provides information regarding system events that occur on the switch, including system reset, system boot, and enabling or disabling system accounting.

Commands accounting: Provides records containing information on CLI-command execution during user sessions.

RADIUS Accounting Server

A Network Access Server (NAS) operates as a client of the RADIUS accounting server. The client is responsible for passing user accounting information to a designated RADIUS accounting server. The RADIUS accounting server is responsible for receiving the accounting request and returning a response to the client indicating that it has successfully received the request. The RADIUS accounting server can act as a proxy client to other kinds of accounting servers. Transactions between the client and RADIUS accounting server are authenticated through the use of a shared secret, which is never sent over the network.
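The following Python example is added here and is not code from the ArubaOS page or from Aruba. It walks one session through the RFC 2866 accounting exchange that this paragraph describes: the NAS sends Accounting-Request Start, Interim-Update and Stop records, the accounting server verifies each Request Authenticator with the shared secret and answers with an Accounting-Response, and the NAS verifies that response in turn. A request built with the wrong secret is silently discarded, which is the RFC behaviour. The NAS address, session id, user name and secret are constructed values.

```python
"""Added example (not from the ArubaOS page): RFC 2866 accounting exchange
for one session (start-stop with a periodic interim update).  NAS address,
session id, user name and secret are constructed values."""
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
USER_NAME, NAS_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 1, 4, 40, 44, 46
START, STOP, INTERIM_UPDATE = 1, 2, 3


def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value


def u32(n):
    return struct.pack("!I", n)


def accounting_request(ident, attrs, secret):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    hdr = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + bytes(16) + attrs + secret).digest() + attrs


def server_handle(packet, secret):
    """Accounting server: verify the request, reply with Accounting-Response,
    or return None (silent discard) when the authenticator does not verify."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length < 20 or length > len(packet):
        return None
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return None
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret); no attributes here
    resp_hdr = struct.pack("!BBH", ACCT_RESPONSE, ident, 20)
    return resp_hdr + hashlib.md5(resp_hdr + packet[4:20] + secret).digest()


def client_check_response(request, response, secret):
    """NAS: accept the response only if the identifier matches and the authenticator verifies."""
    if response is None or len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCT_RESPONSE or ident != request[1] or length < 20 or length > len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def session_records(user, session_id, nas_ip, seconds):
    """Start, Interim-Update and Stop attribute sets for one session."""
    base = attr(USER_NAME, user) + attr(NAS_IP_ADDRESS, nas_ip) + attr(ACCT_SESSION_ID, session_id)
    return [base + attr(ACCT_STATUS_TYPE, u32(START)),
            base + attr(ACCT_STATUS_TYPE, u32(INTERIM_UPDATE)) + attr(ACCT_SESSION_TIME, u32(seconds // 2)),
            base + attr(ACCT_STATUS_TYPE, u32(STOP)) + attr(ACCT_SESSION_TIME, u32(seconds))]


def demo(secret=b"example-secret"):
    nas_ip = bytes([10, 1, 1, 1])                      # constructed NAS address
    records = session_records(b"guest1", b"0001A2B3", nas_ip, 240)
    acked = 0
    for ident, attrs in enumerate(records, start=1):
        req = accounting_request(ident, attrs, secret)
        if client_check_response(req, server_handle(req, secret), secret):
            acked += 1
    # A NAS configured with the wrong key gets no response at all
    bad = accounting_request(9, records[0], b"wrong-secret")
    return {"sent": len(records), "acked": acked,
            "wrong_secret_dropped": server_handle(bad, secret) is None}


if __name__ == "__main__":
    print(demo())
```

Because a bad secret produces no response rather than an error, a key mismatch between switch and accounting server looks exactly like an unreachable server from the switch side; check the server's log for discarded requests before assuming a network problem.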

Enabling RADIUS Accounting

You can enable RADIUS accounting for multiple features within the switch accounting configuration. Additionally, you can configure accounting start-stop for other components. You also need to configure the accounting interval update timer, the aaa accounting update periodic parameter (set to 2 minutes in the example below). To set up RADIUS accounting, run the following commands:

AOS-switch(config)# aaa accounting network start-stop radius server-group CP-cluster

AOS-switch(config)# aaa accounting update periodic 2

AOS-switch(config)# show accounting

Figure 1  show accounting Command Output
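As an added example that is not taken from the ArubaOS page, the following consolidated configuration defines the RADIUS servers and the server group used in the commands above and then enables all four accounting service types (network, exec, commands and system) against that group. The server addresses and the key are placeholders, and the use of server-group on every aaa accounting line is assumed from the network example above; confirm the result with show accounting and show radius.

```text
AOS-switch(config)# radius-server host 10.10.10.11 key "<shared-secret>"
AOS-switch(config)# radius-server host 10.10.10.12 key "<shared-secret>"
AOS-switch(config)# aaa server-group radius "CP-cluster" host 10.10.10.11
AOS-switch(config)# aaa server-group radius "CP-cluster" host 10.10.10.12
AOS-switch(config)# aaa accounting network start-stop radius server-group "CP-cluster"
AOS-switch(config)# aaa accounting exec start-stop radius server-group "CP-cluster"
AOS-switch(config)# aaa accounting commands stop-only radius server-group "CP-cluster"
AOS-switch(config)# aaa accounting system stop-only radius server-group "CP-cluster"
AOS-switch(config)# aaa accounting update periodic 2
AOS-switch(config)# show accounting
AOS-switch(config)# show radius
```

The key given on each radius-server host line must match the RADIUS shared secret configured for this switch on the server; the accounting types share the same servers as authentication, so a mismatch breaks both.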

Operating Rules for RADIUS Accounting

The operating rules for RADIUS accounting are as follows:

You can configure up to four types of accounting to run simultaneously: executive, system, network, and command.

RADIUS servers used for accounting are also used for authentication.

The switch must be configured to access at least one RADIUS server.

RADIUS servers are accessed in the order in which their IP addresses were configured in the switch. To view the order of the RADIUS servers, use the show radius command. As long as the first server is accessible and responding to authentication requests from the switch, a second or third server is not accessed.

If access to a RADIUS server fails during a session, after the client has been authenticated, the switch continues to assume the server is available to receive accounting data. Thus, if server access fails during a session, the server does not receive the accounting data transmitted by the switch for that session, and those records are lost.

Operating Rules for RADIUS

The AOS switch operating rules for RADIUS are as follows:

You must have at least one RADIUS server accessible to the switch.

The switch supports authentication and accounting using up to fifteen RADIUS servers. The switch accesses the servers in the order in which they are listed by show radius. If the first server does not respond, the switch tries the next one, and so on.

You can select RADIUS as the primary authentication method for each type of access.


Only one primary and one secondary access method is allowed for each access type.

In the switch, EAP over RADIUS supports MD5 (EAP-MD5, which hashes the challenge response rather than encrypting it) and TLS (EAP-TLS) to protect a client's response to a challenge from a RADIUS server.

When primary/secondary authentication is set to Radius/Local (for either Login or Enable) and the RADIUS server fails to respond to a client attempt to authenticate, the failure is noted in the Event Log with the message:

radius: Can't reach RADIUS server <server-ip-address>.

When this type of failure occurs, the switch prompts the client again to enter a user name and password. In this case, use the local user name (if any) and password configured on the switch itself.

Zero-length user names or passwords are not allowed for RADIUS authentication, even though this is allowed by some RADIUS servers.

Additional Configuration Considerations

Beyond the basic 802.1X configuration, there are many additional parameters you may choose to configure across the switch ports, such as the following recommendations.

Limiting Access for Unauthorized Clients

On the AOS switch, a switch port with a static VLAN ID and an unauthenticated-client VLAN ID is automatically placed in the unauthenticated-client VLAN as soon as a device connects. If the device passes authentication, the port becomes an untagged member of the static VLAN. This behavior helps guest devices and other devices without 802.1X supplicants to connect more quickly.

To set an unauthenticated-client VLAN for one or more interfaces, issue the following command:

AOS-switch (config) # aaa port-access authenticator <port ID list> unauth-vid <VLAN ID>

The unauth-vid parameter specifies the VLAN in which the switch keeps the specified ports while an unauthenticated client is connected to the network.

Preventing Connectivity Delays for 802.1X Devices

For users who log in with 802.1X, setting an unauthenticated-client VLAN might cause a loss of connectivity. If the user's device allows non-EAP traffic before authentication, it might obtain a DHCP address in the unauthenticated-client VLAN, and then lose connectivity after the port moves to the VLAN for authenticated users.

To prevent connectivity delays based on this scenario, issue the following command:

AOS-switch (config) # aaa port-access authenticator <port ID list> unauth-period <seconds>

The unauth-period parameter delays placing the port in the unauthenticated-client VLAN for the specified number of seconds, giving an 802.1X supplicant time to authenticate before the port is moved.

1. Specify the Add Device parameters as described in Table 1.

Table 1: Add Device Parameters

Parameter: Action/Description

Name: Enter the name of the AOS switch.

IP or Subnet Address: Enter the IP address or subnet address of the AOS switch.

Description: Enter a description of the device (recommended).

RADIUS Shared Secret: Specify the RADIUS Shared Secret for the current Policy Manager server.

NOTE: Make sure that the value of the Key parameter for the RADIUS server configured on the AOS switch is identical to the RADIUS Shared Secret you specify here for this Policy Manager server.

TACACS Shared Secret: If you are adding a device because you want Policy Manager to manage access to that device with TACACS+, specify the TACACS+ Shared Secret.

Vendor Name: Specify the name of the vendor (in this case, Hewlett-Packard Enterprise) to load the dictionary associated with HPE for this device.

Enable RADIUS CoA: To enable RADIUS-initiated Change of Authorization (CoA), select the check box for this parameter. This parameter is enabled by default.

RADIUS CoA Port: If RADIUS CoA is enabled, this specifies the default port 3799. Change this value only if you defined a custom port on the AOS switch. For related information, see Configuring Policy Manager as an RFC 3576 (CoA) Server.

Configuring DHCP Snooping

DHCP snooping is a DHCP security feature that filters untrusted DHCP messages and builds and maintains a DHCP snooping binding table. An untrusted message is one received on an untrusted port, that is, from outside the network or firewall, such as a reply from a rogue DHCP server, and it can be used to attack traffic within your network.

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives you a way to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected to the DHCP server or another switch.

DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are inspected before being forwarded. Packets from untrusted sources are dropped.

Enabling DHCP Snooping

When you enable DHCP snooping on a switch, the interface acts as a Layer-2 bridge, intercepting and safeguarding DHCP messages going to a Layer-2 VLAN.

Enabling DHCP snooping on the switch is not a requirement, but it blocks DHCP server replies that arrive on untrusted ports (for example from a rogue or misconfigured DHCP server), and the binding table it builds is useful when troubleshooting client addressing problems on the switch.

To enable DHCP snooping:

AOS-switch(config)# dhcp-snooping

If authorized server addresses are configured, a packet from a DHCP server must be received on a trusted port and have a source address in the authorized server list in order to be considered valid.

Specifying the IP Address of Trusted DHCP Servers

If no authorized servers are configured, all servers are considered valid. You can configure a maximum of 20 authorized servers.

To specify the IP address of trusted DHCP servers:

AOS-switch(config)# dhcp-snooping authorized-server x.x.x.x

AOS-switch(config)# dhcp-snooping authorized-server y.y.y.y

Specifying DHCP Option 82 (Relay Information)

By default, DHCP snooping adds Option 82 (the relay agent information option) to DHCP requests received on untrusted ports, so that the DHCP server can identify the switch and port on which each request arrived.

The following command disables Option 82 insertion by DHCP snooping:

AOS-switch(config)# no dhcp-snooping option 82

When DHCP snooping is enabled globally and on a VLAN, and the switch is also acting as a DHCP relay, the Option 82 settings of the DHCP relay command are ignored, because snooping controls Option 82 insertion.

Option 82 inserted in this manner allows the association of the client’s lease with the correct port, even when another device is acting as a DHCP relay or when the server is on the same subnet as the client.

Enabling DHCP Snooping on VLANs

When you enable DHCP snooping on a VLAN, the switch acts as a Layer-2 bridge within a VLAN domain.


DHCP snooping on VLANs is disabled by default.

To enable DHCP snooping on a VLAN, enter the following command at the global configuration level:

AOS-switch(config)# dhcp-snooping vlan <vlan-range>

For example, the following command enables DHCP snooping on VLANs 10 through 100 (a range is written with a hyphen; space-separated IDs form a list, not a range):

AOS-switch(config)# dhcp-snooping vlan 10-100

You can also specify a list of VLANs for which you want to enable DHCP snooping:

AOS-switch(config)# dhcp-snooping vlan 4 10 20 30 40 100 200 300 400

Configuring Ports as Trusted

By default, all ports are untrusted.

To configure a port or range of ports as trusted, enter the following command:

AOS-switch(config)# dhcp-snooping trust <port-list>

You can also configure trusted ports for a specific interface, in which case you are not able to enter a list of ports:

AOS-switch(config)# interface 15

AOS-switch(eth-15)# dhcp-snooping trust
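The following Python example is added here and is not code from the ArubaOS page or from Aruba. It models the DHCP snooping rules of this section in software and runs them over constructed packets: server messages are dropped on untrusted ports, a server on a trusted port must be in the authorized-server list when one is configured, Option 82 (circuit-id and remote-id) is inserted into client requests from untrusted ports, and a binding is learned from each valid ACK. It goes one step beyond the page by also dropping RELEASE or DECLINE messages that do not match the binding table, a common snooping check that this page does not describe. Port numbers, addresses, the client MAC and the switch MAC used as remote-id are made up.

```python
"""Added example (not from the ArubaOS page): a software model of DHCP
snooping (trusted ports, authorized servers, Option 82, binding table)
run over constructed packets.  Ports, addresses and MACs are made up."""
import struct

DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MSGS = {OFFER, ACK, NAK}
MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255


def build_dhcp(op, xid, chaddr, yiaddr=bytes(4), options=b""):
    """BOOTP fixed header (236 bytes) + magic cookie + options + End."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                      bytes(4), yiaddr, bytes(4), bytes(4), chaddr.ljust(16, b"\0"), bytes(64), bytes(128))
    return hdr + MAGIC + options + bytes([OPT_END])


def parse_dhcp(pkt):
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = [], 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:            # pad
            i += 1
            continue
        length = pkt[i + 1]
        opts.append((pkt[i], pkt[i + 2:i + 2 + length]))
        i += 2 + length
    return pkt[:236], opts


def serialize(hdr, opts):
    return hdr + MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


def msg_type(opts):
    return next((v[0] for c, v in opts if c == OPT_MSG_TYPE and v), None)


class DhcpSnooping:
    def __init__(self, trusted_ports, authorized_servers=(), option82=True, switch_mac=bytes(6)):
        self.trusted = set(trusted_ports)
        self.authorized = set(authorized_servers)   # empty: any server on a trusted port is valid
        self.option82 = option82
        self.switch_mac = switch_mac
        self.bindings = {}   # chaddr -> (leased ip, client port)
        self.pending = {}    # xid -> client port, from requests seen on untrusted ports

    def process(self, port, src_ip, pkt):
        """Return ('forward', packet) or ('drop', reason)."""
        try:
            hdr, opts = parse_dhcp(pkt)
        except (ValueError, IndexError) as e:
            return "drop", f"malformed: {e}"
        mtype, chaddr = msg_type(opts), hdr[28:34]
        xid = struct.unpack("!I", hdr[4:8])[0]
        if port in self.trusted:
            if mtype in SERVER_MSGS and self.authorized and src_ip not in self.authorized:
                return "drop", f"{src_ip} is not in the authorized-server list"
            if mtype == ACK:   # learn the lease from a valid server
                self.bindings[chaddr] = (".".join(map(str, hdr[16:20])), self.pending.pop(xid, None))
            return "forward", pkt
        # untrusted port: only client messages may enter
        if mtype in SERVER_MSGS:
            return "drop", f"DHCP server message on untrusted port {port}"
        if mtype in (RELEASE, DECLINE):
            bound = self.bindings.get(chaddr)
            if bound is None or bound[1] != port:
                return "drop", "release/decline does not match the binding table"
        if mtype in (DISCOVER, REQUEST):
            self.pending[xid] = port
            if self.option82:   # replace any client-supplied Option 82 with the switch's own
                opts = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT]
                circuit_id, remote_id = struct.pack("!H", port), self.switch_mac
                opts.append((OPT_RELAY_AGENT, bytes([1, len(circuit_id)]) + circuit_id
                             + bytes([2, len(remote_id)]) + remote_id))
                pkt = serialize(hdr, opts)
        return "forward", pkt


def demo():
    sw = DhcpSnooping(trusted_ports={1}, authorized_servers={"10.0.0.5"},
                      switch_mac=bytes.fromhex("001122334455"))
    client = bytes.fromhex("aabbccddee01")

    def typed(t):
        return bytes([OPT_MSG_TYPE, 1, t])

    r_disc = sw.process(3, "0.0.0.0", build_dhcp(1, 0x1234, client, options=typed(DISCOVER)))
    rogue_offer = build_dhcp(2, 0x1234, client, yiaddr=bytes([192, 168, 9, 9]), options=typed(OFFER))
    r_rogue = sw.process(7, "192.168.9.1", rogue_offer)         # untrusted port
    r_unauth = sw.process(1, "10.0.0.9", rogue_offer)           # trusted port, unlisted server
    r_ack = sw.process(1, "10.0.0.5", build_dhcp(2, 0x1234, client, yiaddr=bytes([10, 0, 0, 50]), options=typed(ACK)))
    r_rel = sw.process(7, "10.0.0.50", build_dhcp(1, 0x9999, client, options=typed(RELEASE)))
    _, opts = parse_dhcp(r_disc[1])
    return {"discover": r_disc[0], "opt82_added": any(c == OPT_RELAY_AGENT for c, _ in opts),
            "rogue_on_untrusted": r_rogue[0], "unlisted_on_trusted": r_unauth[0],
            "ack": r_ack[0], "binding": sw.bindings.get(client), "release_wrong_port": r_rel[0]}


if __name__ == "__main__":
    print(demo())
```

The model makes the trust boundary explicit: trusted ports are the only place server replies may come from, the authorized-server list narrows that further to known addresses, and the binding table is the switch's record of which client on which port holds which lease.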

Monitoring DHCP Snooping

To monitor DHCP snooping, you can display the DHCP snooping configuration and view the DHCP snooping statistics.

Displaying the DHCP Snooping Configuration

To display the DHCP snooping configuration:

AOS-switch# show dhcp-snooping

Figure 2  Showing the Status of DHCP Snooping on the Switch

Viewing DHCP Snooping Statistics

To view the DHCP snooping statistics:

AOS-switch# show dhcp-snooping stats

Figure 3  Showing the DHCP Snooping Statistics
