
RADIUS on PSM


The PSM server software includes a pre-packaged FreeRADIUS server that can be used to authenticate users in PSM and users in the network. This local RADIUS server stores user credentials in a SQL database (also included).

RADIUS facilitates the exchange of user credentials between the client and the server. The credentials are encrypted using a shared secret that is known to both the client and the server. The RADIUS protocol is UDP-based.

When a user launches the PSM client or the proNX Service Manager Dashboard and attempts to log in, or when a user attempts to log in to a network element directly, the PSM server acts as a RADIUS client, providing encrypted user credentials to a RADIUS server. The RADIUS server determines the access service that an authenticated user is authorized to use, and provides information to the network access server to allow the specific access service to be used.

The RADIUS authentication exchange happens at user login. The status of the client login is maintained, and subsequent authentication exchanges take place at a configurable interval. Because the exchange repeats, a change in server availability or configuration affects the current login session, not only future logins.

The PSM RADIUS client does not support session accounting.

If firewall traversal is required, then the firewall must be configured to allow RADIUS traffic. The default ports for RADIUS traffic are 1812 and 1813.

The following table lists the supported RADIUS attributes, grouped by packet type:

ACCESS-REQUEST (PSM server to RADIUS server). Sent by PSM to request that a PSM client user be remotely authenticated.
  User-Name              User's login userid.
  User-Password          User's login password.
  Called-Station-Id      Called station identifier.
  Message-Authenticator  RFC 2869 message authenticator.

ACCESS-ACCEPT (RADIUS server to PSM server). This response message must be received by PSM to allow the PSM client user login.
  Reply-Message          Must be present; determines the privilege level of the user. Contains "Administrator", "Service Provider" or "NOC".

ACCESS-REJECT (RADIUS server to PSM server). The receipt of this message causes the login to fail.
  All attributes ignored.

ACCESS-CHALLENGE (RADIUS server to PSM server). This response message is treated as if an ACCESS-REJECT response was received.
  All attributes ignored.
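The exchange described above, as an added example that is not part of this guide or of the PSM product: it builds the ACCESS-REQUEST with the four attributes from the table (RFC 2865 User-Password hiding and the RFC 2869 Message-Authenticator), then handles a reply the way a PSM-side client must, verifying the Response Authenticator with the shared secret, treating ACCESS-REJECT and ACCESS-CHALLENGE as failed logins, and reading the privilege level from Reply-Message. build_response only produces a constructed server reply for offline checking, and failing closed on an ACCESS-ACCEPT without a valid Reply-Message is an assumption, not something the guide states.

```python
import hashlib
import hmac
import struct

PRIVILEGE_LEVELS = ("Administrator", "Service Provider", "NOC")  # Reply-Message values PSM accepts
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, CALLED_STATION_ID, MESSAGE_AUTHENTICATOR = 1, 2, 18, 30, 80
def encode_attr(atype, value):  # RFC 2865 TLV: type, total length, value
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(ident, secret, user, password, called_station, authenticator):
    """Access-Request with the four attributes the page lists; authenticator is 16 random bytes."""
    attrs = (encode_attr(USER_NAME, user)
             + encode_attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + encode_attr(CALLED_STATION_ID, called_station))
    body = attrs + encode_attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # RFC 2869: MAC field zeroed while signing
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, "md5").digest()  # HMAC-MD5 over the whole packet
    return header + attrs + encode_attr(MESSAGE_AUTHENTICATOR, mac)

def parse_attrs(data):  # yields (type, value) for each TLV; stops at a malformed length
    i = 0
    while i + 2 <= len(data) and data[i + 1] >= 2:
        yield data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]

def privilege_from_response(resp, secret, req_authenticator):
    """Privilege level from an Access-Accept; None for Reject, Challenge, bad authenticator or no Reply-Message."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    expected = hashlib.md5(resp[:4] + req_authenticator + resp[20:length] + secret).digest()  # RFC 2865 3
    if not hmac.compare_digest(resp[4:20], expected) or code != ACCESS_ACCEPT:
        return None  # wrong secret or forged reply, or Reject/Challenge (the page treats Challenge as Reject)
    for atype, value in parse_attrs(resp[20:length]):
        text = value.decode("utf-8", "replace")
        if atype == REPLY_MESSAGE and text in PRIVILEGE_LEVELS:
            return text
    return None  # Accept without a valid Reply-Message: assumed here to fail closed

def build_response(code, ident, req_authenticator, secret, attrs=b""):  # constructed reply for the offline check
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_authenticator + attrs + secret).digest() + attrs
```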

The following table lists some of the attributes that can be provisioned on the PSM server. See the common.properties file in /usr/local/ems9001/conf for the default values.

Attribute                                   Description
RADIUS server IP address                    Address of the RADIUS server.
RADIUS server port (Authentication)         Typically 1812.
RADIUS server port (Accounting)             Typically 1813.
RADIUS authentication timeout               The time period in seconds that the RADIUS client waits for a response to an ACCESS-REQUEST before considering the attempt a failure.
RADIUS authentication retry count           The number of times that authentication is attempted when the server cannot be reached.
Server authentication key (shared secret)   6 to 256 case-sensitive alphanumeric characters and the following special characters: ! @ # $ % ^ & * ( ) _ + - = { } | [ ] ' < > . / ~
Called-Station-Id                           The called station identifier used in ACCESS-REQUEST messages.

The following table lists the attributes that must be provisioned in the authentication database to authenticate a client. A PSM-specific policy on the RADIUS server can be based on receiving a Called-Station-Id attribute that matches the configured value.

RADIUS Attribute   Origin     Content
User-Name          RFC 2865   User id of the user described by the entry.
User-Password      RFC 2865   Password of the user described by the entry.
Reply-Message      RFC 2865   Authorization level (must contain "Administrator", "Service Provider" or "NOC").

Configuring PSM to Use a RADIUS Server

Use this procedure to configure PSM to use a RADIUS server.

There is no limit to the number of RADIUS servers that can be specified. PSM cycles through the defined RADIUS servers and tries each server in turn until a response is received.

  1. Add the PSM server to the list of allowable RADIUS clients.
    1. Change to the RADIUS raddb directory.

    2. Edit the clients.conf file and add the IP address of the PSM server to the list of allowable RADIUS clients.

      This file contains entries for each set of clients, with each entry indicating the IP address (or range) and the shared secret to use when connecting to the RADIUS server. For example:

  2. Restart the RADIUS server daemon for the changes to take effect.

    The RADIUS server is now configured to accept authentication requests from the specified PSM server.

    Note

    By default, the local RADIUS server listens on port 1812 for authentication requests.

  3. Configure the PSM server to use the RADIUS server.

    Edit the following file: /var/local/ems9001/conf/override-common.properties

    Note

    The /var/local/ems9001/conf/override-common.properties file contains many settings that affect the behavior of the PSM server. Only those attributes explicitly described in this guide should be changed. Changing any other attributes may have unintended consequences, and must only be performed under the guidance of Juniper Networks Support.

  4. Configure the auth.radius.server.1 attribute as follows:
    • To specify that the local RADIUS server on the PSM machine is to be used, set the value to localhost.

    • To specify that an external RADIUS server is to be used, set the value to the IP address of the external RADIUS server.

    For example:

    Note

    The PSM server is initially configured to use the local, pre-packaged RADIUS server.

  5. Configure the port numbers used by RADIUS. The typical values are shown below:
  6. Configure the shared secret. This must match the shared secret configured on the RADIUS server.

    For example:

  7. Configure other RADIUS attributes as needed. For the list of attributes that you can configure, look for auth.radius in the common.properties file.

    Remember to modify the /var/local/ems9001/conf/override-common.properties file and not the /usr/local/ems9001/conf/common.properties file.

  8. To specify additional RADIUS servers, create a set of attributes similar to the ones in the previous steps, but append the next number to each attribute, as shown in the following example:
  9. Save and close the file.
  10. Track changes to the /var/local/ems9001/conf/override-common.properties file with Git by committing this update to the Git repository.

    For example:

    This update can now be seen in the Git log. For more information on Git, see Using Git to Track override-common.properties.

  11. Changes made to the override-common.properties file do not take effect until the PSM server is restarted. To restart the server, enter the following command:

    The restart command successfully completes when the 'Ems-' processes all change to 'running' state. Type <ctrl> c to exit the Linux watch command window.

Configuring Network Elements to Use the Local RADIUS Server

Use this procedure to configure network elements to use the local, pre-packaged RADIUS server.

The PSM server software includes a pre-packaged FreeRADIUS server that can be used to authenticate users in the network. This RADIUS server is initially configured to allow clients from the local host only. To allow network elements to use this RADIUS server, you need to configure this RADIUS server to allow those NE clients, and you need to configure those NE clients to use this RADIUS server.

  1. Add the list of allowable NE clients to the RADIUS configuration file.
    1. Change to the RADIUS raddb directory.

    2. Edit the clients.conf file and add the IP addresses of the NEs that will be making use of this RADIUS server.

      This file contains entries for each set of clients, with each entry indicating the IP address (or range) and the shared secret for those NEs to use when connecting to the RADIUS server. For example:

  2. Restart the RADIUS server daemon for the changes to take effect.

    The RADIUS server is now configured to accept authentication requests from the specified network elements.

    Note

    By default, the local RADIUS server listens on port 1812 for authentication requests.

  3. Use PSM to add users to the RADIUS server database.

    It is good practice to add users to the database before configuring the NE to use the RADIUS server.

    1. Ensure PSM is configured to use the included RADIUS server. For example, in the /var/local/ems9001/conf/override-common.properties file:

      Note

      The /var/local/ems9001/conf/override-common.properties file contains many settings that affect the behavior of the PSM server. Only those attributes explicitly described in this guide should be changed. Changing any other attributes may have unintended consequences, and must only be performed under the guidance of Juniper Networks Support.

    2. If you make any changes to the /var/local/ems9001/conf/override-common.properties file, track your changes with Git by committing this update to the Git repository.

      For example:

      This update can now be seen in the Git log. For more information on Git, see Using Git to Track override-common.properties.

    3. If you make any changes to the override-common.properties file, restart the PSM server in order for the changes to take effect.

      The restart command successfully completes when the 'Ems-' processes all change to 'running' state. Type <ctrl> c to exit the Linux watch command window.

    4. Add users to the RADIUS database by using the user management capability in PSM.

      For information on how to do this, see the proNX Service Manager User Guide.

  4. Configure network elements to use this RADIUS server.

    For each network element, use the CLI, the proNX 900, or PSM to configure the following parameters:

    RADIUS configuration parameters on the NEs   Example value   Description
    RADIUS server IP address                     10.10.1.100     Specifies 10.10.1.100 as the IP address of the RADIUS server to use.
    RADIUS server role                           primary         Specifies that this is the primary RADIUS server.
    RADIUS server port                           1812            Specifies the port on which to make the authentication request.
    RADIUS server key                            testing123      Specifies the shared secret configured on the RADIUS server for this network element.
    RADIUS server priority                       remote          Specifies that the NE authenticates with the RADIUS server first, before authenticating with the local database.

    For information on how to use PSM to configure these parameters on the NEs, see the proNX Service Manager User Guide.

    The NEs can now connect to the local RADIUS server as clients.
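For steps 1 and 2 of both procedures above (adding first the PSM server and then the NEs to clients.conf before restarting the RADIUS daemon), an added check that is not part of this guide or of FreeRADIUS: it parses a clients.conf in FreeRADIUS syntax, confirms that a PSM server or NE address falls inside some client entry (a host address or a CIDR range), and applies the shared-secret rule from the PSM attribute table. The client names, addresses and secrets are constructed (10.10.1.100 and testing123 follow the NE example values), the page's curly quote in the allowed-character list is taken to mean the ASCII apostrophe, and the parser assumes flat client blocks with no nested sections.

```python
import ipaddress
import re
# Constructed clients.conf (not the page's own file); flat client blocks only, no nested sections.
SAMPLE_CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client psm_server {
    ipaddr = 10.10.1.100
    secret = testing123
}
client ne_ring_1 {
    ipaddr = 10.10.2.0/24
    secret = s3cr3
}
"""
# The page's shared-secret rule: 6 to 256 case-sensitive alphanumerics plus the listed specials.
SECRET_RE = re.compile(r"^[A-Za-z0-9!@#$%^&*()_+\-={}|\[\]'<>./~]{6,256}$")

def parse_clients_conf(text):
    """Map each top-level client block to its key = value settings."""
    clients = {}
    for block in re.finditer(r"client\s+(\S+)\s*\{(.*?)\}", text, re.S):
        clients[block.group(1)] = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", block.group(2), re.M))
    return clients

def client_for(clients, address):
    """Name of the entry whose ipaddr (single host or CIDR range) covers address, else None."""
    ip = ipaddress.ip_address(address)
    for name, settings in clients.items():
        if "ipaddr" in settings and ip in ipaddress.ip_network(settings["ipaddr"], strict=False):
            return name
    return None

def secret_ok(secret): return bool(SECRET_RE.match(secret))

def check_client(clients, address, expected_secret):
    """Findings to resolve before restarting radiusd, for the PSM server or an NE at address."""
    name = client_for(clients, address)
    if name is None:  # radiusd silently ignores requests from sources it does not list
        return [f"{address} is not covered by any client entry"]
    secret = clients[name].get("secret", "")
    findings = []
    if secret != expected_secret:
        findings.append(f"secret for {name} does not match the secret configured on {address}")
    if not secret_ok(secret):
        findings.append(f"secret for {name} violates the 6 to 256 character rule")
    return findings
```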