RADIUS

This chapter provides examples of how to configure and manage RADIUS on AsterNOS devices using NETCONF.

To support RADIUS authorization with vendor-specific attributes, AsterNOS provides a set of predefined vendor attributes.

The supported vendor attributes are listed below in FreeRADIUS dictionary format:

VENDOR Asterfusion 56928
BEGIN-VENDOR Asterfusion
ATTRIBUTE ASTER-Terminal-Type 1 string
ATTRIBUTE ASTER-Terminal-Vendor 2 string
ATTRIBUTE ASTER-Privilege 3 integer
ATTRIBUTE ASTER-Service 4 string
ATTRIBUTE ASTER-Command 5 string
ATTRIBUTE ASTER-Argument 6 string
ATTRIBUTE ASTER-Error 7 string
END-VENDOR Asterfusion

To assign vendor attributes to a user, configure the corresponding attributes on the RADIUS server.

  • ASTER-Privilege assigns a privilege level to a user. The value ranges from 0 to 15, where 0 is the lowest privilege level and 15 is the highest.
  • ASTER-Service assigns service-level command permissions to a user. The values are provided in other documents.
  • ASTER-Command assigns command-level command permissions to a user.

Example of configuring vendor attributes in the FreeRADIUS server users file:

bob0 Cleartext-Password := "hello"
    Service-Type = NAS-Prompt-User,
    ASTER-Privilege = 0,
    ASTER-Service = "interface,l2",
    ASTER-Command = "(configure|exit|(^interface.*))"

Request example to configure RADIUS global attributes via edit-config

<config><top>
  <radius>
    <global>
      <timeout>30</timeout>
      <retransmit>3</retransmit>
      <auth-type>chap</auth-type>
      <shared-secret>123456</shared-secret>
      <src-ip>192.168.1.1</src-ip>
      <nas-ip>10.0.0.1</nas-ip>
    </global>
  </radius>
</top></config>

Response example

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:ebfa3243-1eef-4fb8-a002-5f8b06596324">
  <ok/>
</rpc-reply>

Request example to add RADIUS server via edit-config

<config><top>
  <radius>
    <servers operation="create">
      <server>
        <ipaddress>192.168.1.2</ipaddress>
        <auth-port>1812</auth-port>
        <auth-type>pap</auth-type>
        <timeout>30</timeout>
      </server>
      <server>
        <ipaddress>192.168.1.3</ipaddress>
        <auth-port>1813</auth-port>
        <auth-type>chap</auth-type>
        <timeout>50</timeout>
      </server>
    </servers>
  </radius>
</top></config>

Response example

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:e5bdc8c8-b73c-4987-9907-0ae6f1229d81">
  <ok/>
</rpc-reply>

Request example to get RADIUS configuration via get-config

<filter type="subtree">
  <top>
    <radius/>
  </top>
</filter>

Response example

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:d497411c-967b-482b-8637-766faf82f727">
  <data>
    <top>
      <radius xmlns="http://asterfusion.com/ns/yang/asternos-radius">
        <global>
          <shared-secret>123456</shared-secret>
          <auth-type>chap</auth-type>
          <src-ip>192.168.1.1</src-ip>
          <nas-ip>10.0.0.1</nas-ip>
          <timeout>30</timeout>
          <retransmit>3</retransmit>
        </global>
        <servers>
          <server>
            <ipaddress>192.168.1.2</ipaddress>
            <auth-port>1812</auth-port>
            <auth-type>pap</auth-type>
            <timeout>30</timeout>
          </server>
          <server>
            <ipaddress>192.168.1.3</ipaddress>
            <auth-port>1813</auth-port>
            <auth-type>chap</auth-type>
            <timeout>50</timeout>
          </server>
        </servers>
      </radius>
    </top>
  </data>
</rpc-reply>
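
The following added example (not part of the AsterNOS documentation) parses a get-config reply like the one above and flags settings worth reviewing: a shared secret that is returned in clear text and is short or numeric-only, servers using pap, and an auth-port of 1813, which IANA assigns to RADIUS accounting. The function name `audit_radius`, the 16-character threshold, and the rule that a per-server auth-type overrides the global one are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"r": "http://asterfusion.com/ns/yang/asternos-radius"}  # namespace from the reply above
MIN_SECRET_LEN = 16  # assumed local policy threshold, not an AsterNOS requirement

# Constructed sample: the get-config reply shown above, trimmed to the checked fields.
SAMPLE_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:constructed">
<data><top>
<radius xmlns="http://asterfusion.com/ns/yang/asternos-radius">
<global><shared-secret>123456</shared-secret><auth-type>chap</auth-type></global>
<servers>
<server><ipaddress>192.168.1.2</ipaddress><auth-port>1812</auth-port><auth-type>pap</auth-type></server>
<server><ipaddress>192.168.1.3</ipaddress><auth-port>1813</auth-port><auth-type>chap</auth-type></server>
</servers>
</radius>
</top></data>
</rpc-reply>"""


def audit_radius(reply_xml):
    """Return (scope, finding) tuples for a get-config reply containing <radius>."""
    root = ET.fromstring(reply_xml)
    radius = root.find(".//r:radius", NS)
    if radius is None:
        return [("reply", "no radius subtree in reply")]
    findings = []
    secret = radius.findtext("r:global/r:shared-secret", default="", namespaces=NS)
    if secret:
        findings.append(("global", "shared-secret is readable in get-config output"))
        if len(secret) < MIN_SECRET_LEN or secret.isdigit():
            findings.append(("global", "shared-secret is short or numeric-only"))
    global_type = radius.findtext("r:global/r:auth-type", default="", namespaces=NS)
    for srv in radius.findall("r:servers/r:server", NS):
        ip = srv.findtext("r:ipaddress", default="?", namespaces=NS)
        # Assumption: a per-server auth-type overrides the global one.
        auth = srv.findtext("r:auth-type", default=global_type, namespaces=NS)
        if auth == "pap":
            findings.append((ip, "auth-type pap: password protection depends only on the shared secret"))
        if srv.findtext("r:auth-port", default="", namespaces=NS) == "1813":
            findings.append((ip, "auth-port 1813 is the IANA RADIUS accounting port"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_radius(SAMPLE_REPLY):
        print(f"{scope}: {finding}")
```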

Request example to get a single RADIUS server configuration via get-config

<filter type="subtree">
  <top>
    <radius>
      <servers>
        <server>
          <ipaddress>192.168.1.2</ipaddress>
        </server>
      </servers>
    </radius>
  </top>
</filter>

Response example

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:e5f7621e-ec07-44b2-8c16-8a82878381a2">
  <data>
    <top>
      <radius xmlns="http://asterfusion.com/ns/yang/asternos-radius">
        <servers>
          <server>
            <ipaddress>192.168.1.2</ipaddress>
            <auth-port>1812</auth-port>
            <auth-type>pap</auth-type>
            <timeout>30</timeout>
          </server>
        </servers>
      </radius>
    </top>
  </data>
</rpc-reply>

Request example to delete a single RADIUS server via edit-config

<config><top>
  <radius>
    <servers>
      <server operation="delete">
        <ipaddress>192.168.1.2</ipaddress>
      </server>
    </servers>
  </radius>
</top></config>

Response example

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:f81dc57e-98e9-40fd-a405-b1ec2c381d14">
  <ok/>
</rpc-reply>

Request example to delete all RADIUS servers via edit-config

<config><top>
  <radius>
    <servers operation="delete"/>
  </radius>
</top></config>

Response example

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0d022129-79d2-4f46-9f20-5f4f69cd31a5">
  <ok/>
</rpc-reply>