RADIUS

This chapter provides examples of how to configure and manage RADIUS on AsterNOS devices using NETCONF.

Caution

NOTE: RADIUS should be used together with AAA configuration. Please refer to AsterNOS-AAA for AAA configuration examples.

RADIUS Vendor Attributes

For supporting RADIUS authorization with vendor-specific attributes, AsterNOS provides a set of predefined vendor attributes.

The following table lists the supported vendor attributes:

VENDOR        Asterfusion  56928
BEGIN-VENDOR  Asterfusion
ATTRIBUTE     ASTER-Terminal-Type 1 string
ATTRIBUTE     ASTER-Terminal-Vendor 2 string
ATTRIBUTE     ASTER-Privilege 3 integer
ATTRIBUTE     ASTER-Service 4 string
ATTRIBUTE     ASTER-Command 5 string
ATTRIBUTE     ASTER-Argument 6 string
ATTRIBUTE     ASTER-Error 7 string
END-VENDOR    Asterfusion

If user want to assign vendor attributes to a user, please configure corresponding attributes on radius server.

• ASTER-Privilege is used to assign privilege level to a user. The value range is from 0 to 15, where 0 is the lowest privilege level and 15 is the highest privilege level.
• ASTER-Service is used to assign service level command permission to a user. The value will be provided by other documents.
• ASTER-Command is used to assign cmd level command permission to a user.

Example of configuring vendor attributes on freeradius server users file:

bob0   Cleartext-Password := "hello"
    Service-Type = NAS-Prompt-User,
    ASTER-Privilege = 0,
    ASTER-Service = "interface,l2",
    ASTER-Command = "(configure|exit|(^interface.*))"

Configure RADIUS Global Attributes

Request example to configure RADIUS global attributes via edit-config

<config><top>
    <radius>
        <global>
            <timeout>30</timeout>
            <retransmit>3</retransmit>
            <auth-type>chap</auth-type>
            <shared-secret>123456</shared-secret>
            <src-ip>192.168.1.1</src-ip>
            <nas-ip>10.0.0.1</nas-ip>
        </global>
    </radius>
</top></config>

Response example

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:ebfa3243-1eef-4fb8-a002-5f8b06596324">
    <ok/>
</rpc-reply>

Add RADIUS Server

Request example to add RADIUS server via edit-config

<config><top>
    <radius>
        <servers operation="create">
            <server>
                <ipaddress>192.168.1.2</ipaddress>
                <auth-port>1812</auth-port>
                <auth-type>pap</auth-type>
                <timeout>30</timeout>
            </server>
            <server>
                <ipaddress>192.168.1.3</ipaddress>
                <auth-port>1813</auth-port>
                <auth-type>chap</auth-type>
                <timeout>50</timeout>
            </server>
        </servers>
    </radius>
</top></config>

Response example

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:e5bdc8c8-b73c-4987-9907-0ae6f1229d81">
    <ok/>
</rpc-reply>

Get RADIUS Configuration

Request example to get RADIUS configuration via get-config

<filter type="subtree">
  <top>
    <radius/>
  </top>
</filter>

Response example

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:d497411c-967b-482b-8637-766faf82f727">
    <data>
        <top>
            <radius xmlns="http://asterfusion.com/ns/yang/asternos-radius">
                <global>
                    <shared-secret>123456</shared-secret>
                    <auth-type>chap</auth-type>
                    <src-ip>192.168.1.1</src-ip>
                    <nas-ip>10.0.0.1</nas-ip>
                    <timeout>30</timeout>
                    <retransmit>3</retransmit>
                </global>
                <servers>
                    <server>
                        <ipaddress>192.168.1.2</ipaddress>
                        <auth-port>1812</auth-port>
                        <auth-type>pap</auth-type>
                        <timeout>30</timeout>
                    </server>
                    <server>
                        <ipaddress>192.168.1.3</ipaddress>
                        <auth-port>1813</auth-port>
                        <auth-type>chap</auth-type>
                        <timeout>50</timeout>
                    </server>
                </servers>
            </radius>
        </top>
    </data>
</rpc-reply>

Request example to get single radius server configuration

<filter type="subtree">
  <top>
    <radius>
        <servers>
            <server>
                <ipaddress>192.168.1.2</ipaddress>
            </server>
        </servers>
    </radius>
  </top>
</filter>

Response example

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:e5f7621e-ec07-44b2-8c16-8a82878381a2">
    <data>
        <top>
            <radius xmlns="http://asterfusion.com/ns/yang/asternos-radius">
                <servers>
                    <server>
                        <ipaddress>192.168.1.2</ipaddress>
                        <auth-port>1812</auth-port>
                        <auth-type>pap</auth-type>
                        <timeout>30</timeout>
                    </server>
                </servers>
            </radius>
        </top>
    </data>
</rpc-reply>

Delete RADIUS Server

Request example to delete single RADIUS server via edit-config

<config><top>
    <radius>
        <servers>
            <server operation="delete">
                <ipaddress>192.168.1.2</ipaddress>
            </server>
        </servers>
    </radius>
</top></config>

Response example

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:f81dc57e-98e9-40fd-a405-b1ec2c381d14">
    <ok/>
</rpc-reply>

Request example to delete all RADIUS servers via edit-config

<config><top>
    <radius>
        <servers operation="delete"/>
    </radius>
</top></config>

Response example

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0d022129-79d2-4f46-9f20-5f4f69cd31a5">
    <ok/>
</rpc-reply>