RADIUS on PSM
The PSM server software includes a pre-packaged FreeRADIUS server that can be used to authenticate users in PSM and users in the network. This local RADIUS server stores user credentials in a SQL database (also included).
RADIUS carries user credentials from the client to the server. The shared secret known to both the client and the server is what protects them: the User-Password attribute is obscured with an MD5 keystream derived from the secret and the request authenticator (RFC 2865), and the same secret keys the Message-Authenticator and the Response Authenticator that let each side check the other's packets. Other attributes, such as User-Name and Called-Station-Id, are sent in the clear. The RADIUS protocol is UDP-based.
When a user launches the PSM client or the proNX Service Manager Dashboard and attempts to log in, or when a user attempts to log in to a network element directly, the PSM server acts as a RADIUS client (for a direct login to a network element, the network element itself is the client), sending the obscured user credentials to a RADIUS server in an ACCESS-REQUEST. The RADIUS server determines the access service that an authenticated user is authorized to use, and returns that information to the network access server so that the specific access service can be used.
The RADIUS authentication exchange happens at user login. PSM then keeps the client login state and repeats the authentication exchange at a configurable interval, so an existing login session, not only the next login, is affected by changes in RADIUS server availability or configuration.
The PSM RADIUS client does not support session accounting.
If firewall traversal is required, the firewall must be configured to allow RADIUS traffic. The default ports are UDP 1812 (authentication) and UDP 1813 (accounting).
The following table lists the supported RADIUS attributes:
Packet type | Attribute | Description |
---|---|---|
ACCESS-REQUEST (PSM server to RADIUS server). Sent by PSM to request that a PSM client user be remotely authenticated. | User-Name | User's login userid. |
ACCESS-REQUEST | User-Password | User's login password, obscured with the shared secret as described in RFC 2865. |
ACCESS-REQUEST | Called-Station-Id | Called station identifier (the value configured on the PSM server). |
ACCESS-REQUEST | Message-Authenticator | RFC 2869 message authenticator (HMAC-MD5 over the request, keyed with the shared secret). |
ACCESS-ACCEPT (RADIUS server to PSM server). This response message must be received by PSM to allow the PSM client user login. | Reply-Message | The Reply-Message attribute must be present and determines the privilege level of the user. Contains "Administrator", "Service Provider" or "NOC". |
ACCESS-REJECT (RADIUS server to PSM server). Receipt of this message causes the login to fail. | All attributes ignored. | |
ACCESS-CHALLENGE (RADIUS server to PSM server). This response message is treated as if an ACCESS-REJECT had been received. | All attributes ignored. | |
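The exchange in the table above, as an added worked example in Python (this is illustrative code written for this page, not PSM's or FreeRADIUS's implementation). Both sides are built in memory and nothing is sent on the wire. It shows what "protected by the shared secret" means in practice: only User-Password is obscured (RFC 2865 s5.2), the Message-Authenticator (RFC 2869) lets the server discard requests from a client with the wrong secret, the Response Authenticator (RFC 2865 s3) lets PSM reject a forged reply, and the Reply-Message is mapped to a PSM privilege level with ACCESS-CHALLENGE treated like ACCESS-REJECT. The secret, user database, password and Called-Station-Id value psm-01 are constructed for illustration.

```python
"""RADIUS ACCESS-REQUEST / ACCESS-ACCEPT exchange as PSM's attribute table describes it.

Added example, not PSM or FreeRADIUS code. Both sides run in memory; nothing is
sent on the wire. All names, secrets and passwords below are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, CALLED_STATION_ID = 1, 2, 18, 30
MESSAGE_AUTHENTICATOR = 80
PSM_ROLES = (b"Administrator", b"Service Provider", b"NOC")


def _attr(attr_type, value):
    return bytes([attr_type, 2 + len(value)]) + value


def _pack(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(packet):
    """Attributes in wire order as (type, value); raises on a malformed length."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return attrs


def obscure_password(password, secret, req_auth):
    """RFC 2865 s5.2: XOR 16-byte blocks with MD5(secret + previous block).
    This is obscuring keyed on the secret, not encryption of the packet."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def recover_password(obscured, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(obscured), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(obscured[i:i + 16], key))
        prev = obscured[i:i + 16]
    return out.rstrip(b"\x00")  # strip padding; a real password must not end in NUL


def build_access_request(ident, secret, username, password, called_station_id):
    """What PSM sends: the four attributes of the ACCESS-REQUEST row of the table."""
    req_auth = os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, obscure_password(password, secret, req_auth))
             + _attr(CALLED_STATION_ID, called_station_id))
    # Message-Authenticator = HMAC-MD5(secret, whole packet with the MA value zeroed).
    zeroed = attrs + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, _pack(ACCESS_REQUEST, ident, req_auth, zeroed), hashlib.md5).digest()
    return _pack(ACCESS_REQUEST, ident, req_auth, attrs + _attr(MESSAGE_AUTHENTICATOR, mac))


def server_handle(packet, secret, user_db):
    """RADIUS server side: verify the Message-Authenticator, check the password and the
    Called-Station-Id policy, then answer ACCESS-ACCEPT (with Reply-Message) or ACCESS-REJECT."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[:length])
    zeroed = b"".join(_attr(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, _pack(code, ident, req_auth, zeroed), hashlib.md5).digest()
    a = dict(attrs)
    mac = a.get(MESSAGE_AUTHENTICATOR)
    if code != ACCESS_REQUEST or mac is None or not hmac.compare_digest(mac, expected):
        return None  # silently discard: wrong secret or tampered request (RFC 2869 s5.14)
    entry = user_db.get(a.get(USER_NAME))
    password = recover_password(a.get(USER_PASSWORD, b""), secret, req_auth)
    if (entry and a.get(CALLED_STATION_ID) == entry["called_station_id"]
            and hmac.compare_digest(password, entry["password"])):
        out_code, reply = ACCESS_ACCEPT, _attr(REPLY_MESSAGE, entry["role"])
    else:
        out_code, reply = ACCESS_REJECT, b""
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(_pack(out_code, ident, req_auth, reply) + secret).digest()
    return _pack(out_code, ident, resp_auth, reply)


def client_evaluate(request, response, secret):
    """PSM side: the privilege level granted, or None when the login must fail
    (no reply, bad Response Authenticator, ACCESS-REJECT, or ACCESS-CHALLENGE)."""
    if response is None:
        return None  # timeout: retry or try the next server, per the auth.radius.* settings
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(response[4:20], expected):
        return None  # not a reply to our request, or not authenticated with our secret
    if code != ACCESS_ACCEPT:
        return None  # ACCESS-REJECT; ACCESS-CHALLENGE is treated the same way by PSM
    reply = dict(parse_attrs(response[:length])).get(REPLY_MESSAGE, b"")
    return next((role for role in PSM_ROLES if role in reply), None)


if __name__ == "__main__":
    SECRET = b"testing123"  # constructed: the FreeRADIUS example secret, never for production
    USERS = {b"alice": {"password": b"correct horse", "role": b"Administrator",
                        "called_station_id": b"psm-01"}}
    req = build_access_request(7, SECRET, b"alice", b"correct horse", b"psm-01")
    print(client_evaluate(req, server_handle(req, SECRET, USERS), SECRET))  # b'Administrator'
```

Two points the table alone does not show: the server never answers a request whose Message-Authenticator fails, so a client configured with the wrong secret sees a timeout rather than an ACCESS-REJECT; and an attacker who can inject UDP replies cannot upgrade a privilege level without the secret, because changing the Reply-Message invalidates the Response Authenticator.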
The following table lists some of the attributes that can be provisioned on the PSM server. See the common.properties file in /usr/local/ems9001/conf for the default values.
Attribute | Description |
---|---|
RADIUS server IP address | Address of RADIUS server. |
RADIUS server port (Authentication) | Typically 1812. |
RADIUS server port (Accounting) | Typically 1813. |
RADIUS authentication timeout | This is the time period in seconds that the RADIUS client waits for a response to ACCESS-REQUEST before considering the attempt a failure. |
RADIUS authentication retry count | This is the number of times that authentication is attempted in the case of failure to reach the server. |
Server authentication key (shared secret) | This consists of 6 to 256 case-sensitive alphanumeric characters and the following special characters: ! @ # $ % ^ & * ( ) _ + - = { } | [ ] ‘ < > . / ~ |
Called-Station-Id | This is the called station identifier that is used in ACCESS-REQUEST messages. |
The following table lists the attributes that must be provisioned in the authentication database to authenticate a client. A PSM-specific policy on the RADIUS server can be based on receiving a called-station-id attribute that matches the configured value.
RADIUS Attribute | Origin | Content |
---|---|---|
User-Name | RFC 2865 | User id of the user described by the entry. |
User-Password | RFC 2865 | Password of the user described by the entry. |
Reply-Message | RFC 2865 | Authorization level (must contain “Administrator” or ”Service Provider” or "NOC"). |
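As an added example (not from this page or from Juniper), the three database attributes above together with the Called-Station-Id policy from the preceding paragraph, written as entries in a FreeRADIUS users file on an external server. The bundled server keeps its users in SQL; this assumes the flat-file backend of the FreeRADIUS files module instead. The user names, passwords and the station id psm-01 are hypothetical.

```text
# Check items (password, Called-Station-Id) go on the first line of an entry;
# reply items go on the indented lines that follow. Entries are tried in order.
alice   Cleartext-Password := "Qv7!mPz2#Lw", Called-Station-Id == "psm-01"
        Reply-Message := "Administrator"

bob     Cleartext-Password := "Rk4$xNc9@Ht", Called-Station-Id == "psm-01"
        Reply-Message := "NOC"

# Any other request carrying the PSM station id is rejected explicitly rather
# than falling through to entries meant for other NAS types.
DEFAULT Called-Station-Id == "psm-01", Auth-Type := Reject
```

After restarting radiusd, a request can be replayed against the policy with radclient, which reads attributes from standard input (for example User-Name, User-Password and Called-Station-Id) and sends them to server:port with the shared secret; an entry with the right password but the wrong Called-Station-Id must come back as Access-Reject, and an accept without a Reply-Message is still a failed PSM login.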
Configuring PSM to Use a RADIUS Server
Use this procedure to configure PSM to use a RADIUS server.
There is no limit to the number of RADIUS servers that can be specified. PSM cycles through the defined RADIUS servers and tries each server in turn until a response is received.
- Add the PSM server to the list of allowable RADIUS clients.
  - Change to the RADIUS raddb directory:
    cd /etc/raddb
  - Edit the clients.conf file and add the IP address of the PSM server to the list of allowable RADIUS clients. This file contains an entry for each client or set of clients, giving the IP address (or range) and the shared secret that client must use when connecting to the RADIUS server. For example:
    client 10.64.6.24 {
        secret = testing123
    }
    Note: testing123 is the example secret that ships in the FreeRADIUS clients.conf. Use a long, random, per-client secret in production, and keep the entry to a single host rather than a range, since every host matching the entry can send requests with that secret. Because PSM includes a Message-Authenticator in every request, the entry can also set require_message_authenticator = yes (if the bundled FreeRADIUS version supports it) so that requests without a valid Message-Authenticator are discarded.
  - Restart the RADIUS server daemon for the changes to take effect:
    service radiusd restart
  The RADIUS server is now configured to accept authentication requests from the specified PSM server.
Note: By default, the local RADIUS server listens on port 1812 for authentication requests.
- Configure the PSM server to use the RADIUS server.
  Edit the following file:
  /var/local/ems9001/conf/override-common.properties
  Note: The /var/local/ems9001/conf/override-common.properties file contains many settings that affect the behavior of the PSM server. Only those attributes explicitly described in this guide should be changed. Changing any other attributes may have unintended consequences, and must only be performed under the guidance of Juniper Networks Support.
- Configure the auth.radius.server.1 attribute as follows:
  - To specify that the local RADIUS server on the PSM machine is to be used, set the value to localhost.
  - To specify that an external RADIUS server is to be used, set the value to the IP address of the external RADIUS server.
  For example:
  auth.radius.server.1=192.168.101.8
  Note: The PSM server is initially configured to use the local, pre-packaged RADIUS server.
- Configure the port numbers used by RADIUS. The typical values are shown below:
  auth.radius.port.authentication.1=1812
  auth.radius.port.accounting.1=1813
- Configure the shared secret. This must match the shared secret configured on the RADIUS server (the secret in the clients.conf entry that covers this PSM server's address). For example:
  auth.radius.secret.1=testing123
- Configure other RADIUS attributes as needed. For the list of attributes that you can configure, look for auth.radius in the common.properties file. Remember to modify the /var/local/ems9001/conf/override-common.properties file and not the /usr/local/ems9001/conf/common.properties file.
- To specify additional RADIUS servers, create a set of attributes similar to the ones in the previous steps, but append the next number to each attribute, as shown in the following example:
  auth.radius.server.2
  auth.radius.port.authentication.2
  auth.radius.port.accounting.2
  auth.radius.secret.2
  auth.radius.xxx.2
  auth.radius.server.3
  auth.radius.port.authentication.3
  auth.radius.port.accounting.3
  auth.radius.secret.3
  auth.radius.xxx.3
- Save and close the file.
- Track changes to the /var/local/ems9001/conf/override-common.properties file with Git by committing this update to the Git repository. For example:
  [user ~]# cd /var/local/ems9001/conf
  [user conf]# git commit -m "Configured RADIUS server. By user@example.org." override-common.properties
  This update can now be seen in the Git log. For more information on Git, see Using Git to Track override-common.properties.
  Note: The shared secret is stored in clear text in this file and in the Git history of the conf directory, so restrict read access to both.
- Changes made to the override-common.properties file do not take effect until PSM is restarted. To restart the server, enter the following command:
  psm-restart
  The restart command has completed successfully when all the 'Ems-' processes change to the 'running' state. Type <ctrl> c to exit the Linux watch command window.
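The server list, timeout and retry settings configured in the procedure above, as an added Python example (illustrative code written for this page, not PSM's own client). It parses a constructed override-common.properties fragment in the auth.radius.*.N format shown in the steps, builds the ordered server list, and tries each server in turn until one answers, as the procedure states. Two assumptions are labelled in the code: auth.radius.retryCount.N is taken as the number of send attempts per server, and auth.radius.timeout.N as the wait in seconds per attempt. The transport is injectable, so the failover logic can be exercised with a constructed transport in which the first server never replies.

```python
"""Ordered server list, timeout and retry handling for auth.radius.*.N settings.

Added example, not PSM code. Assumed semantics (not stated on the page):
retryCount = send attempts per server, timeout = seconds to wait per attempt.
"""
import socket

# Constructed sample in the property format used in this procedure.
SAMPLE_PROPERTIES = """
auth.radius.server.1=192.168.101.8
auth.radius.port.authentication.1=1812
auth.radius.port.accounting.1=1813
auth.radius.timeout.1=2
auth.radius.retryCount.1=2
auth.radius.secret.1=testing123
auth.radius.server.2=localhost
auth.radius.port.authentication.2=1812
auth.radius.secret.2=localsecret
"""

# Fallbacks for entries that omit a value; the page gives 1812 and the sample
# values 2 and 2 as typical, so those are used here.
DEFAULTS = {"port.authentication": 1812, "timeout": 2, "retryCount": 2}


def parse_servers(text):
    """Group auth.radius.<name>.<N> lines by N and return them ordered 1, 2, 3, ..."""
    by_index = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if not key.startswith("auth.radius."):
            continue
        name, _, idx = key[len("auth.radius."):].rpartition(".")
        if not idx.isdigit():
            continue
        by_index.setdefault(int(idx), {})[name] = value.strip()
    servers = []
    for idx in sorted(by_index):
        s = by_index[idx]
        if "server" not in s or "secret" not in s:
            continue  # incomplete entry: skip it rather than send with an empty secret
        servers.append({
            "host": s["server"],
            "port": int(s.get("port.authentication", DEFAULTS["port.authentication"])),
            "timeout": float(s.get("timeout", DEFAULTS["timeout"])),
            "retries": int(s.get("retryCount", DEFAULTS["retryCount"])),
            "secret": s["secret"].encode(),
        })
    return servers


def udp_exchange(request, host, port, timeout):
    """Real transport: one UDP send, wait up to `timeout` seconds; None if no reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
            return data
        except socket.timeout:
            return None


def authenticate(servers, build_request, exchange=udp_exchange):
    """Try each configured server in order; within one server, retry up to retryCount.
    Returns (server, response) for the first server that answers, else (None, None)."""
    for server in servers:
        request = build_request(server["secret"])  # the packet is bound to that server's secret
        for _ in range(server["retries"]):
            response = exchange(request, server["host"], server["port"], server["timeout"])
            if response is not None:
                return server, response  # any reply, Accept or Reject, ends the search
    return None, None


class FlakyTransport:
    """Constructed transport for offline use: one host never answers, others reply b'OK'."""

    def __init__(self, dead_host):
        self.dead_host, self.calls = dead_host, []

    def __call__(self, request, host, port, timeout):
        self.calls.append((host, port))
        return None if host == self.dead_host else b"OK"


if __name__ == "__main__":
    servers = parse_servers(SAMPLE_PROPERTIES)
    transport = FlakyTransport("192.168.101.8")
    server, response = authenticate(servers, lambda secret: b"request", transport)
    print(server["host"], response, transport.calls)
```

The worst-case login delay is the sum over all servers of retryCount times timeout, which is the figure to keep in mind when adding servers: with the sample values, an unreachable first server costs two attempts of two seconds each before localhost is tried. A reply of any kind stops the search, so a reachable server that rejects the user is never followed by a second opinion from the next one.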
Configuring Network Elements to Use the Local RADIUS Server
Use this procedure to configure network elements to use the local, pre-packaged RADIUS server.
The PSM server software includes a pre-packaged FreeRADIUS server that can be used to authenticate users in the network. This RADIUS server is initially configured to allow clients from the local host only. To allow network elements to use this RADIUS server, you need to configure this RADIUS server to allow those NE clients, and you need to configure those NE clients to use this RADIUS server.
- Add the list of allowable NE clients to the RADIUS configuration file.
  - Change to the RADIUS raddb directory:
    cd /etc/raddb
  - Edit the clients.conf file and add the IP addresses of the NEs that will be making use of this RADIUS server. This file contains an entry for each client or set of clients, giving the IP address (or range) and the shared secret those NEs must use when connecting to the RADIUS server. For example:
    client 10.1.203.0/24 {
        secret = testing123
    }
    Note: A range entry means every host in 10.1.203.0/24 shares one secret and is trusted to send authentication requests. Prefer one entry per NE, or a range that contains only NEs, and use a secret other than the FreeRADIUS example value testing123.
  - Restart the RADIUS server daemon for the changes to take effect:
    service radiusd restart
  The RADIUS server is now configured to accept authentication requests from the specified network elements.
Note: By default, the local RADIUS server listens on port 1812 for authentication requests.
- Use PSM to add users to the RADIUS server database.
  It is good practice to add users to the database before configuring the NEs to use the RADIUS server.
  - Ensure PSM is configured to use the included RADIUS server. For example, in the /var/local/ems9001/conf/override-common.properties file:
    auth.radius.server.1=localhost
    auth.radius.port.authentication.1=1812
    auth.radius.port.accounting.1=1813
    auth.radius.timeout.1=2
    auth.radius.retryCount.1=2
    auth.radius.secret.1=testing123
    Note: The /var/local/ems9001/conf/override-common.properties file contains many settings that affect the behavior of the PSM server. Only those attributes explicitly described in this guide should be changed. Changing any other attributes may have unintended consequences, and must only be performed under the guidance of Juniper Networks Support.
  - If you make any changes to the /var/local/ems9001/conf/override-common.properties file, track your changes with Git by committing this update to the Git repository. For example:
    [user ~]# cd /var/local/ems9001/conf
    [user conf]# git commit -m "Configured RADIUS server. By user@example.org." override-common.properties
    This update can now be seen in the Git log. For more information on Git, see Using Git to Track override-common.properties.
  - If you make any changes to the override-common.properties file, restart the PSM server in order for the changes to take effect:
    psm-restart
    The restart command has completed successfully when all the 'Ems-' processes change to the 'running' state. Type <ctrl> c to exit the Linux watch command window.
  - Add users to the RADIUS database by using the user management capability in PSM. For information on how to do this, see the proNX Service Manager User Guide.
- Configure network elements to use this RADIUS server.
  For each network element, use the CLI, the proNX 900, or PSM to configure the following parameters:

RADIUS configuration parameters on the NEs | Example values | Description |
---|---|---|
RADIUS server IP address | 10.10.1.100 | Specifies 10.10.1.100 as the IP address of the RADIUS server to use. |
RADIUS server role | primary | Specifies that this is the primary RADIUS server. |
RADIUS server port | 1812 | Specifies the port on which to make the authentication request. |
RADIUS server key | testing123 | Specifies the shared secret configured on the RADIUS server for this network element (the secret in the clients.conf entry that covers the NE's address). |
RADIUS server priority | remote | Specifies that the NE authenticates with the RADIUS server first before authenticating with the local database. |

For information on how to use PSM to configure these parameters on the NEs, see the proNX Service Manager User Guide.
The NEs can now connect to the local RADIUS server as clients.