TACACS+ and RADIUS

You can configure the ACOS device to use remote servers for Authentication, Authorization, and Accounting (AAA) for administrative sessions. The ACOS device supports RADIUS, TACACS+, and LDAP servers.

This chapter provides the following information:

     Authentication

     Authorization

     Configure Accounting

     Configuring Authentication, Authorization, and Accounting for Administrator Access

     CLI Examples

     Windows IAS Setup for RADIUS

For information about LDAP support, see Lightweight Directory Access Protocol.

Authentication

Authentication grants or denies access to the device based on the credentials provided by the user (admin user name and password).

By default, when someone attempts to log in to the ACOS device, the device determines whether the username and password exist in the local administrative database. Without additional configuration, the authentication process stops at this point. If the administrator username and password exist in the local database, the user is granted access; otherwise, access to the device is denied.

You can configure the ACOS device to also use external RADIUS, TACACS+ or LDAP servers for authentication.

Multiple Authentication Methods

You can specify multiple methods for authenticating ACOS administrators. For example, you can configure the ACOS device to try these servers in the following order:

1.     LDAP

2.     TACACS+

3.     RADIUS

4.     Local database

In this example, the ACOS device tries to use the LDAP servers first. If no LDAP servers respond, the ACOS device tries to use the TACACS+ servers. If no TACACS+ servers respond, the ACOS device tries the RADIUS servers. If no RADIUS servers respond, the ACOS device uses the local database.

Tiered Authentication

In addition to selecting multiple methods of authentication, you can configure the ACOS device to use tiers of authentication, with backup methods for the case where the primary method is unavailable. By default, the backup method is used only if the primary method does not respond. If the primary method responds and denies access, the secondary method is not consulted and the administrator is denied access.

You can instead have the ACOS device check the next method when the primary method responds but rejects the credentials. This option is called "tiered authentication". For example, if the primary method is RADIUS and the next method is TACACS+, and RADIUS rejects the administrator, tiered authentication then attempts to authenticate the administrator by using TACACS+. Because this turns a remote denial into a retry against another credential store, enable it only when every method in the chain enforces the same password policy and lockout rules.

TABLE 6 describes the ACOS authentication behavior for each tiered authentication setting.

TABLE 6       Authentication Process Based on Tiered Authentication

Tiered Authentication Setting    ACOS Behavior

Single (default)

1. Try method1. If a method1 server replies, permit or deny access based on the server reply.

2. Only if no method1 servers reply, try method2. If a method2 server replies, permit or deny access based on the server reply.

3. Only if no method2 servers reply, try method3. If a method3 server replies, permit or deny access based on the server reply.

4. Only if no method3 servers reply, try method4. If authentication succeeds, the admin is permitted. Otherwise, the admin is denied.

Multiple

1. Try method1. If a method1 server accepts the credentials, permit access.

2. If no method1 servers reply, or a method1 server denies access, try method2. If a method2 server accepts the credentials, permit access.

3. If no method2 servers reply, or a method2 server denies access, try method3. If a method3 server accepts the credentials, permit access.

4. If no method3 servers reply, or a method3 server denies access, try method4. If authentication succeeds, the admin is permitted. Otherwise, the admin is denied.

By default, tiered authentication is disabled and is set to single. You can enable it on a global basis.
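The following is an added example, not ACOS code, that models the method-chaining rules of TABLE 6 so the difference between the single and multiple settings can be exercised directly. The method chain, the server credential tables and the user names are constructed for the illustration. It makes the security-relevant distinction explicit: in both modes a method that does not respond is skipped, but only the multiple (tiered) setting turns a server's denial into a retry against the next method, which is why a password rejected by one store can still succeed against a later one.

```python
from typing import Callable, Dict, List, Optional

# Added example, not ACOS code. Models the method-chaining rules of TABLE 6.
# A server answers True (accept), False (deny) or None (no response / timeout).
Reply = Optional[bool]
Server = Callable[[str, str], Reply]
Method = List[Server]


def query_method(servers: Method, user: str, password: str) -> Reply:
    """Ask each server of one method in turn; the first server that answers decides.
    Returns None only if no server of the method responds."""
    for server in servers:
        reply = server(user, password)
        if reply is not None:
            return reply
    return None


def authenticate(methods: List[Method], user: str, password: str, tiered: bool) -> bool:
    """Walk the ordered method list.

    tiered=False ("single", the ACOS default): fall through only on no response;
    a denial is final.
    tiered=True ("multiple"): fall through on no response OR on denial.
    Running out of methods is a denial (fail closed)."""
    for servers in methods:
        reply = query_method(servers, user, password)
        if reply is True:
            return True
        if reply is False and not tiered:
            return False
    return False


def make_server(credentials: Dict[str, str], reachable: bool = True) -> Server:
    """Stand-in AAA server over a constructed credential table (assumed data)."""
    def server(user: str, password: str) -> Reply:
        if not reachable:
            return None                      # timeout: no reply at all
        return credentials.get(user) == password
    return server


# Constructed scenario: RADIUS is down, TACACS+ knows alice and an old password
# for bob, and the local database knows bob with his new password.
radius = [make_server({"alice": "r4d"}, reachable=False)]
tacplus = [make_server({"alice": "t4c", "bob": "old-pw"})]
local = [make_server({"bob": "new-pw"})]
CHAIN = [radius, tacplus, local]


def demo() -> Dict[str, bool]:
    return {
        # RADIUS is silent, so TACACS+ decides, in both modes
        "alice/single": authenticate(CHAIN, "alice", "t4c", tiered=False),
        # TACACS+ denies bob's new password: final in single mode ...
        "bob/single": authenticate(CHAIN, "bob", "new-pw", tiered=False),
        # ... but tiered mode retries against the local database and accepts
        "bob/tiered": authenticate(CHAIN, "bob", "new-pw", tiered=True),
        # an unknown user is denied by every method, whatever the mode
        "mallory/tiered": authenticate(CHAIN, "mallory", "x", tiered=True),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} -> {'permit' if outcome else 'deny'}")
```

Running the script prints permit or deny for each case; the bob/single versus bob/tiered pair is exactly the behavior TABLE 6 describes for a denial from the first responding method.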

Authentication Process

You can specify whether to check the local database or the remote server first. FIGURE 1 and FIGURE 2 show the authentication processes that are used if the ACOS device is configured to check remote AAA servers first.

If a RADIUS, TACACS+, or LDAP server responds, the local database is not checked, and one of the following situations occurs:

     If the server accepts the administrator's credentials, the administrator is granted access.

     If the server rejects the credentials, or the administrator is not known to the server, the administrator is denied access.

If no RADIUS, TACACS+, or LDAP server responds, the ACOS device checks its local database for the administrator name and password.

NOTE:                               An exception is made for the admin account; by default, the ACOS device always uses local authentication for admin.

Local authentication can be disabled for admin, in which case the authentication process is the same as for other administrator accounts. For more information, see Disabling Local Authentication for the Administrator Account by Using the CLI.

FIGURE 1            Authentication Process When Remote Authentication Is First (two remote servers configured) – RADIUS

[figure: remote_auth_RADIUS.jpg]

FIGURE 2            Authentication Process When Remote Authentication Is First (one remote server configured) – TACACS+

[figure: remote_auth_TACACS.jpg]

Disabling Local Authentication for the Administrator Account by Using the CLI

By default, the ACOS device always locally authenticates admin even if RADIUS, TACACS+, or LDAP is used as the primary authentication method.

To disable automatic local authentication for the administrator account, access the admin configuration level for the admin you want to disable, then use the disable command. For example:

ACOS(config)# admin exampleuser password examplepassword

ACOS(config-admin:exampleuser)# disable

Modify Admin User successful!

ACOS(config-admin:exampleuser)#

NOTE:                               If the RADIUS, TACACS+, or LDAP server cannot be reached, the ACOS device falls back to local authentication for admin. The same fallback applies to any other administrator account that also exists in the local database when the remote AAA server cannot be reached, so the local password of such an account remains a live credential and must be managed as one.

Token-based Authentication Support for RADIUS

The ACOS Series supports RSA token-based RADIUS authentication, which provides additional login security by requiring the administrator to enter a string and a token in addition to the username and password. This enhancement supports the Access-Challenge function in RFC 2865.

After the administrator enters a username and a password, the ACOS device sends the credentials to the RADIUS server. If the username and password are valid, and the server is configured to use token-based authentication, the server replies with an Access-Challenge message. The ACOS device displays a prompt for the required token.

The ACOS device attempts to verify the token, and one of the following situations occurs:

     If the token is valid, the administrator is granted access.

     If the token is invalid, even though the username and password are valid, access is denied.

By default, support for token-based RADIUS authentication is enabled and cannot be disabled. No additional configuration is required on the ACOS device.

Configuring Token-Based Authentication for RADIUS

Token-based authentication is driven by the RADIUS server; on the ACOS device, it only requires that the RADIUS server is configured for authentication, which you can do by using the GUI or the CLI.

Use the CLI to Configure Token-Based Authentication for RADIUS

In the following CLI session, an administrator initiates the login process by entering a username and a password. The RADIUS server returns an Access-Challenge, and the ACOS device presents the challenge value and prompts for the response.

login as: admin2

Using keyboard-interactive authentication.

Password: ********

Using keyboard-interactive authentication.

Challenge: 133420

 Response: ******

Last login: Fri Jul  1 21:51:35 2011 from 192.168.32.153

[type ? for help]

ACOS>

Authorization

You can configure authorization based on the following:

     Authorization Based on a User Interface

     Authorizing Admin Privileges

     Authorization for CLI Access

     Authorization Based on L3V Partitions

     LDAP Configuration for Partition Access

     RADIUS Authorization Based on Service-Type

Authorization Based on a User Interface

You can restrict which of the following user interfaces an administrator can use to access the ACOS device:

     CLI

     GUI

     aXAPI

By default, administrators are allowed to use all three user interfaces.

RADIUS Configuration for User Interface Access

To configure RADIUS authorization based on the user interface, use the A10-Admin-Access-Type attribute with one or more of the following values:

     cli

     web

     axapi

To authorize access to more than one user interface, enter a comma between each value. For example, to authorize access to the CLI and web interfaces, enter cli,web.

TACACS+ Configuration for User Interface Access

To configure authorization based on the user interface, enter the following Attribute Value Pair (AVP):

a10-access-type=user-interface

Replace user-interface with one or more of the following options:

     cli

     web

     axapi

To authorize access to more than one user interface, enter a comma between each value, for example,

a10-access-type=cli,web

NOTE:                               An AVP is the combination of an attribute, which is a parameter that is associated with an ACOS administrator account, and the value of the parameter.

LDAP Configuration for User Interface Access

Authorization for LDAP is based on a schema file. For more information, see A10 Schema File for OpenLDAP.

Authorizing Admin Privileges

The privileges for each admin are the same across all three user interfaces. For example, if you create an admin with global read and write privileges, then the same privileges apply to both the CLI and GUI.

Compatibility with Privilege Levels Assigned by RADIUS or TACACS+

For an external user, that is, a user defined only on the RADIUS or TACACS+ server with no matching admin account on the ACOS device, the server must return a privilege level that is defined on the ACOS device; otherwise the user is not granted access. After the ACOS device accepts the privilege level, it uses the GUI access role returned for the user to manage the device.

For an ACOS admin, that is, a user who also has an admin account on the ACOS device, it is not required to assign a privilege level on the RADIUS or TACACS+ server used to authenticate the admin. The ACOS device then uses the GUI access role assigned to the admin in the admin's account on the ACOS device.

However, if a privilege level is assigned to such an admin on the RADIUS or TACACS+ server, that privilege level must match the privilege assigned to the admin in the ACOS configuration. Otherwise, the admin is denied access.

TABLE 7 lists the RADIUS and TACACS+ privilege levels that match the GUI access roles.

TABLE 7       RADIUS / TACACS+ Privilege Levels and Matching GUI Access Roles

GUI Access Role                  RADIUS Privilege Level   TACACS+ Privilege Level   Partition Role

ReadWriteAdmin                   2                        15                        N

ReadOnlyAdmin                    1                        0                         N

PartitionReadWrite               8                        9                         Y

PartitionSlbServiceOperator      11                       6                         Y

PartitionReadOnly                12                       5                         Y

The Partition Role column indicates whether the privilege is for a partition admin and requires specification of an L3V partition name. If the privilege level for a partition role is specified on the RADIUS or TACACS+ server, the partition name also must be specified on the server. If the privilege level is for a non-partition role, it is invalid to specify a partition name on the server.

RADIUS Configuration for GUI Privileges

To assign a GUI access role for RADIUS, use the A10-Admin-Role attribute. For example, to authorize the PartitionReadWrite role, use the following statement in the admin definition:

A10-Admin-Role = "PartitionReadWrite"

NOTE:                               The A10-Admin-Role attribute applies only to GUI access. It does not restrict CLI or aXAPI access; CLI privileges are carried by the A10-Admin-Privilege attribute (see RADIUS CLI Authorization).

TACACS+ Configuration for GUI Access Roles

To configure admin privileges for TACACS+, use the following attribute-value pair (AVP):

a10-admin-role=role-name

NOTE:                               This attribute-value pair applies only to GUI access. It does not restrict CLI or aXAPI access.

Authorization for CLI Access

You can configure the ACOS device to use external RADIUS, TACACS+, or LDAP servers to authorize CLI commands. After a successful authentication, the authenticated party is granted access to specific system resources by authorization. For an ACOS administrator, authorization specifies the CLI levels that they can access.

Disabled Commands for Read-Only Administrators

Administrators who are authenticated by using RADIUS, TACACS+, or LDAP, and are authorized for read-only access directly to the Privileged EXEC level of the CLI, cannot run the following operational commands:

     backup

     config

     import

     locale

     reboot

     reload

     shutdown

This includes administrators with the ReadOnlyAdmin or PartitionReadOnly privileges.

RADIUS CLI Authorization

To configure RADIUS CLI authorization, define the following values for the A10-Admin-Privilege attribute on the RADIUS server (these are the two non-partition values from the A10 dictionary) and return one of them for each administrator:

VALUE A10-Admin-Privilege Read-only-Admin 1

VALUE A10-Admin-Privilege Read-write-Admin 2

Read-only-Admin (1) grants access to the User EXEC level and the Privileged EXEC level. The administrator's CLI session begins at the User EXEC level. The administrator can enter the Privileged EXEC level without an enable password but cannot access the configuration level:

login as: admin

Using keyboard-interactive authentication.

Password: ********

Last login: Fri Mar 26 20:03:39 2010 from 192.168.1.140

[type ? for help]

ACOS> enable

ACOS#

Read-write-Admin (2) grants access to all levels, and the administrator's CLI session begins at the Privileged EXEC level:

login as: admin2

Using keyboard-interactive authentication.

Password: ********

Last login: Fri Mar 26 20:03:39 2010 from 192.168.1.140

[type ? for help]

ACOS#

For more information, see RADIUS Authorization Based on Service-Type.

TACACS+ CLI Authorization

To configure TACACS+ CLI authorization, complete the following tasks:

     Configure the TACACS+ server to authorize or deny the execution of specific commands or command groups.

     Configure the ACOS device to send commands to the TACACS+ server for authorization before executing those commands.

This authorization process does not apply to administrators who log in by using the GUI. For more information, see Authorizing Admin Privileges.

CLI Access Levels

You can use TACACS+ to authorize an administrator to execute commands at one of the following CLI access levels:

     15 (admin) – This is the most extensive level of authorization. The commands at all CLI levels, including those used to configure administrative accounts, are sent to TACACS+ for authorization.

     14 (config) – Commands at all CLI levels, except the commands that are used to configure administrative accounts, are sent to TACACS+ for authorization. The commands that are used to configure administrator accounts are automatically allowed.

     1 (privileged EXEC) – The commands at the Privileged EXEC and User EXEC levels are sent to TACACS+ for authorization, and the commands at other levels are automatically allowed.

     0 (user EXEC) – This is the equivalent of Read-only privileges. The commands at the User EXEC level are sent to TACACS+ for authorization, and the commands at other levels are automatically allowed.

Access levels 1-15 grant access to the Privileged EXEC level or higher without challenging the administrator for the enable password. Access level 0 grants access only to the User EXEC level.

NOTE:                               Levels 1 through 15 all carry Read-write (admin) privileges; what differs between them is which commands are sent to the TACACS+ server for authorization. Level 0 is Read-only. "Automatically allowed" means the ACOS device does not consult the server for those commands, so the lower the level, the smaller the set of commands the server is able to deny.

TACACS+ Authorization Debug Options

You can enable the following TACACS+ debug levels for troubleshooting:

     0x1 – Common system events such as "trying to connect with TACACS+ servers" and "getting response from TACACS+ servers". These events are recorded in the syslog.

     0x2 – Packet fields sent and received by the Thunder Series device, not including the length fields. These fields are written to the terminal.

     0x4 – Length fields of the TACACS+ packets are also displayed on the terminal.

     0x8 – Information about the TACACS+ MD5 body obfuscation (the protocol's "encryption": an XOR of the packet body against an MD5 keystream derived from the shared secret) is sent to the syslog.

Levels 0x2 and 0x4 print packet contents, which can include administrator names, to the terminal; enable them only for the duration of a troubleshooting session.
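The following is an added example, not ACOS code, showing what the MD5 "encryption" reported at debug level 0x8 actually is: the TACACS+ body obfuscation defined in RFC 8907 section 4.5. The session ID, shared secret, version byte, sequence number and packet body are constructed values, not from a real exchange. It also shows why the shared secret and the network path matter: the obfuscation hides the body only from parties without the secret and gives no integrity protection, so a bit flipped on the wire is decoded as the same bit flipped in the body, here turning the requested privilege level 1 into 15 without any error on the receiving side.

```python
import hashlib

# Added example, not ACOS code: the TACACS+ body obfuscation of RFC 8907
# section 4.5, which is what the 0x8 debug level calls "MD5 encryption".
#   pad = MD5(session_id|key|version|seq_no) || MD5(session_id|key|version|seq_no|prev) || ...
#   wire body = plaintext body XOR pad
# The same XOR reverses it, so one function serves both directions.


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


deobfuscate = obfuscate  # XOR with the same pad restores the body


def bit_flip_survives(body: bytes, session_id: int, key: bytes, version: int,
                      seq_no: int, index: int, mask: int) -> bool:
    """Flip bits of one wire byte without knowing the key and check whether the
    receiver decodes exactly those bits flipped in the body, with no error.
    True means the obfuscation gave no integrity protection."""
    wire = bytearray(obfuscate(body, session_id, key, version, seq_no))
    wire[index] ^= mask
    decoded = deobfuscate(bytes(wire), session_id, key, version, seq_no)
    expected = bytearray(body)
    expected[index] ^= mask
    return decoded == bytes(expected)


# Constructed values, not from a real exchange.
SESSION_ID = 0x1A2B3C4D
KEY = b"SharedSecret"   # the secret from "tacacs-server host ... secret SharedSecret"
VERSION = 0xC0          # major version 0xC, minor version 0
SEQ_NO = 1              # first packet of the session, client to server
# Constructed authentication START body: action=LOGIN(1), priv_lvl=1,
# authen_type=ASCII(1), authen_service=LOGIN(1), user_len=6, port_len=0,
# rem_addr_len=0, data_len=0, followed by the user name.
BODY = bytes([1, 1, 1, 1, 6, 0, 0, 0]) + b"admin2"


def demo() -> dict:
    wire = obfuscate(BODY, SESSION_ID, KEY, VERSION, SEQ_NO)
    return {
        "round_trip": deobfuscate(wire, SESSION_ID, KEY, VERSION, SEQ_NO) == BODY,
        "wrong_key_recovers_body": deobfuscate(wire, SESSION_ID, b"guess", VERSION, SEQ_NO) == BODY,
        # flipping 0x0E in the priv_lvl byte turns 1 into 15 on the receiver
        "priv_lvl_flip_undetected": bit_flip_survives(BODY, SESSION_ID, KEY, VERSION, SEQ_NO, 1, 0x0E),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for the debug output above is that anything the 0x8 level logs about the pad derivation is as sensitive as the shared secret itself, and that the only real protection for the TACACS+ exchange is the secrecy of that key plus a trusted network path between the ACOS device and the server.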

Authorization Based on L3V Partitions

If the ACOS device is configured with L3V partitions, you can specify which partitions a remotely authenticated administrator can access. You can authorize an administrator to access up to 8 partitions. The partition name that is specified on the RADIUS or TACACS+ server must match the partition name that is specified in the administrator’s account configuration on the ACOS device.

NOTE:                               For administrators with global access, which means access to the shared partition, do not specify a partition name.

RADIUS Configuration for Partition Access

To authorize an administrator to access only the resources in a specific L3V partition, use the A10-Admin-Partition option. For example, to authorize an administrator to access only the resources in partition1, enter the following statement in the administrator definition:

A10-Admin-Partition = "partition1"

To authorize an administrator for access to multiple partitions (up to 8), add one A10-Admin-Partition reply item per partition, using the += operator for the additional items:

A10-Admin-Partition = "partition-name1",

A10-Admin-Partition += "partition-name2",

A10-Admin-Partition += "partition-name3",

A10-Admin-Partition += "partition-name4",

A10-Admin-Partition += "partition-name5",

A10-Admin-Partition += "partition-name6",

A10-Admin-Partition += "partition-name7",

A10-Admin-Partition += "partition-name8"

TACACS+ Configuration for Partition Access

To configure TACACS+ to access partitions:

     To authorize an administrator to access only the resources in a specific L3V partition, use the following AVP:

a10-partition=partition-name

     To authorize an administrator to access multiple partitions, list the partition names separated by commas in a single AVP:

a10-partition=partition-name1,partition-name2,partition-name3,partition-name4,partition-name5,partition-name6,partition-name7,partition-name8

LDAP Configuration for Partition Access

Authorization for LDAP is based on a schema file. For more information, see A10 Schema File for OpenLDAP.

RADIUS Authorization Based on Service-Type

The ACOS device supports the RADIUS Service-Type attribute values listed in TABLE 8:

TABLE 8       Supported RADIUS Service-Type Attribute Values

Attribute Value                Description

Service-Type=Login             Allows access to the User EXEC level of the CLI and read-only access to the GUI. The User EXEC level of the CLI is denoted by the prompt ACOS>

Service-Type=NAS Prompt        Allows access to the Privileged EXEC level of the CLI and read-only access to the GUI. The Privileged EXEC level of the CLI is denoted by the prompt ACOS#

Service-Type=Administrative    Allows access to the configuration level of the CLI and read-only access to the GUI. The configuration level of the CLI is denoted by the prompt ACOS(config)#

By default, if neither the Service-Type attribute nor an A10 vendor-specific attribute is returned, successfully authenticated administrators are authorized for read-only access. You can change the default privilege that is authorized by RADIUS from read-only to read-write by entering the following command at the global configuration level of the CLI:

ACOS(config)# radius-server default-privilege-read-write

Changing the default to read-write means that every account the RADIUS server accepts without an explicit privilege attribute can modify the configuration; returning an explicit A10-Admin-Privilege or Service-Type value for each account is the safer choice.

Configure Accounting

Accounting keeps track of user activities while the user is logged on. You can configure the ACOS device to use external RADIUS or TACACS+ for accounting for the following activities:

     Log in/log off activity

When the user logs in, the accounting process starts, and when the user logs off, the accounting process stops.

     Commands

Command Accounting (TACACS+ only)

TABLE 9 shows the CLI levels at which you can use TACACS+ servers to track attempts to execute commands:

TABLE 9       CLI Access Levels for Accounting

Access Level           Description

15 (admin)             This is the most extensive accounting level. Commands at all CLI levels, including those used to configure administrator accounts, are tracked.

14 (config)            Commands at all CLI levels, except the commands that are used to configure administrator accounts, are tracked. The commands that are used to configure administrator accounts are not tracked.

1 (privileged EXEC)    Commands at the Privileged EXEC and User EXEC levels are tracked. Commands at other levels are not tracked.

0 (user EXEC)          Commands at the User EXEC level are tracked. Commands at other levels are not tracked.

NOTE:                               Command levels 2-13 are equivalent to command level 1 (privileged EXEC).

TACACS+ Accounting Debug Options

The same debug levels that are available for TACACS+ authorization are also available for TACACS+ accounting. For more information, see TACACS+ Authorization Debug Options.

Configuring Authentication, Authorization, and Accounting for Administrator Access

To configure authentication, authorization, and accounting (AAA):

1.     Prepare the AAA servers:

a.     Add administrator accounts (user names and passwords).

b.     Add the ACOS device as a client.

For the client IP address, specify the ACOS IP address.

c.     For authorization, configure the following settings for the administrator accounts:

     Specify the user interfaces that the administrator is allowed to access (CLI, GUI, or aXAPI).

     If you are using TACACS+, specify the CLI commands or command groups that are to be allowed or denied execution.

     If you are using RADIUS, specify the admin privileges for the CLI and GUI.

     If you are using LDAP, for more information, see Lightweight Directory Access Protocol.

     For private partition administrators, specify the partition name.

2.     To use RADIUS, TACACS+, or LDAP for authentication:

a.     Add the RADIUS, TACACS+, or LDAP server(s) to the ACOS device.

b.     Add a RADIUS, TACACS+, or LDAP server as an authentication method to use with the local database.

c.     To use more than one AAA protocol, see Authentication.

3.     Configure the authorization:

a.     Add the TACACS+, RADIUS, or LDAP servers for authorization, if necessary.

b.     Specify the access level:

     If you are using TACACS+, specify the CLI command levels to be authorized.

     If you are using RADIUS, specify the admin privilege levels for CLI and GUI.

     If you are using LDAP, see Lightweight Directory Access Protocol.

4.     Configure accounting:

a.     Add the TACACS+ or RADIUS servers for accounting, if necessary.

b.     Specify whether to track logon/logoff activity.

You can track logons and logoffs, logoffs only, or neither.

c.     If you are using TACACS+, specify the command levels to track.

Configuring Authentication

You can configure remote authentication by using the GUI or the CLI.

Configure Remote Authentication by Using the GUI

You can configure remote authentication using the GUI.

Configuring Global Authentication Settings on the ACOS Device

To configure global authentication settings, navigate to System >> Admin >> External Authentication.

There are no mandatory fields that need to be completed on the Authentication Settings page; you can configure your desired global authentication settings as needed. Refer to the GUI online help for more information about the fields on this page.

Click Authentication Settings when you are finished specifying your desired configuration.

Configuring a RADIUS Server

To configure a RADIUS server:

1.     Navigate to System >> Admin >> External Authentication >> RADIUS.

2.     Click Create to designate a RADIUS server and enter settings.

3.     Enter the hostname or IP address of the server in the Server field.

4.     In the Type field, indicate whether the specified server is an IPv4 or IPv6 address, or a name.

5.     In the Secret field, enter the shared secret (password) expected by the server when it receives requests.

6.     Complete the other fields on this page as desired; refer to the online help for additional information.

FIGURE 3            RADIUS Server Configuration

gui_RADIUS_server_config.JPG

7.     Click Create.

The first RADIUS server configured acts as the primary server, and the ACOS device attempts to use this server first for authentication. You can configure additional RADIUS servers as backups.

Configuring a TACACS+ Server

To configure a TACACS+ server:

1.     Navigate to System >> Admin >> External Authentication >> TACACS Host.

2.     Click Create to designate a TACACS+ server and enter settings.

3.     Enter the hostname or IP address of the server in the Server field.

4.     In the Type field, indicate whether the specified server is an IPv4 or IPv6 address, or a name.

5.     In the Secret Value field, enter the password expected by the server when it receives requests.

6.     Complete the other fields on this page as desired; refer to the online help for additional information.

FIGURE 4            TACACS+ Server Configuration

gui_TACACS_server_config.JPG

7.     Click Create.

The first TACACS+ server configured acts as the primary server, and the ACOS device attempts to use this server first for authentication. You can configure additional TACACS+ servers as backups.

Configuring an LDAP Server

To configure an LDAP server:

1.     Navigate to System >> Admin >> External Authentication >> LDAP.

2.     Click Create to designate an LDAP server and enter settings.

3.     Enter the hostname or IP address of the server in the Server field.

4.     In the Type field, indicate whether the specified server is an IPv4 or IPv6 address, or a name.

5.     Specify the LDAP common name and distinguished name.

6.     Complete the other fields on this page as desired; refer to the online help for additional information.

FIGURE 5            Primary and Secondary Information for an LDAP Server

gui_LDAP_server_config.JPG

7.     Click Create.

The first LDAP server configured will act as the primary server and the ACOS device will attempt to use this server first for authentication. You can configure additional LDAP servers as needed, if you want to have any backup servers.

For more information on LDAP servers, refer to Lightweight Directory Access Protocol.

Configuring Remote Authentication by Using the CLI

You can configure remote authentication by using the CLI. For examples, see CLI Examples.

Additional TACACS+ Authentication Options

This section describes additional TACACS+ AAA options.

Password Self-Service

ACOS supports TACACS+ TAC_PLUS_AUTHEN_CHPASS (password change) messages. When this option is enabled on the TACACS+ server, the server sends a TACACS+ TAC_PLUS_AUTHEN_CHPASS message in response to an authentication request from the ACOS device. The ACOS device prompts the administrator for the current and new passwords and sends the password change to the TACACS+ server. The ACOS device then grants access to the administrator.

Password self-service is enabled by default, cannot be disabled, and is activated only when the TACACS+ server sends a password change message.

NOTE:                               The current release supports TAC_PLUS_AUTHEN_CHPASS messages only for login to the CLI.

Configuring Access to the Privileged EXEC Level in the CLI

You can enable TACACS+-authenticated administrators to log in at the Privileged EXEC level of the CLI instead of at the User EXEC level. This option is disabled by default, and you can enable it on a global basis.

Configuring Access to the Privileged EXEC Level by Using the GUI

To enable direct access to the Privileged EXEC level of the CLI for TACACS+-authenticated admins:

1.     Click System > Admin > External Authentication > Settings.

2.     Select the Login Privilege-Mode check box.

3.     Click Authentication Settings.

Configuring Access to the Privileged EXEC Level by Using the CLI

To enable access to the Privileged EXEC level of the CLI for TACACS+-authenticated administrators, enter the following command at the global configuration level:

ACOS(config)# authentication login privilege-mode

CLI Examples

This section provides the following configuration examples:

     RADIUS Authentication

     TACACS+ Authorization

     TACACS+ Accounting

     RADIUS Server Setup

RADIUS Authentication

The following commands configure a pair of RADIUS servers for remote authentication and configure the ACOS device to use these servers before using the local database. Since the RADIUS server 10.10.10.12 is added first, this server is used as the primary server. Server 10.10.10.13 is used only if the primary server is unavailable.

The following text is an example of configuring RADIUS authentication:

ACOS(config)# radius-server host 10.10.10.12 secret radp1

ACOS(config)# radius-server host 10.10.10.13 secret radp2

ACOS(config)# authentication type radius local

 

TACACS+ Authorization

The following commands configure the ACOS device to use TACACS+ server 10.10.10.13 to authorize commands at all CLI levels. In this example, the none option is not used. As a result, if TACACS+ authorization cannot be performed, for example, due to server unavailability, the command is denied.

The following text is an example of configuring TACACS+ authorization:

ACOS(config)# tacacs-server host 10.10.10.13 secret SharedSecret

ACOS(config)# authorization commands 15 method tacplus

 

TACACS+ Accounting

The following commands configure the ACOS device to use the same TACACS+ server for the accounting of log on, log off, and all command activity:

ACOS(config)# accounting exec start-stop tacplus

ACOS(config)# accounting commands 15 stop-only tacplus

 

RADIUS Server Setup

This example shows the ACOS commands that you can enter to complete the following tasks:

     Configure an ACOS device to use a RADIUS server

     Display the changes that you can make on the RADIUS server

The RADIUS server in this example is freeRADIUS, the IP address is 192.168.1.157, and the shared secret is a10rad.

To implement this solution:

1.     On the ACOS device, add the RADIUS server and enable RADIUS authentication by entering the following commands:

ACOS(config)# radius-server host 192.168.1.157 secret a10rad

ACOS(config)# authentication type local radius

 

2.     Complete the following steps on the freeRADIUS server:

a.     In the /usr/local/etc/raddb/clients.conf file, add the ACOS device as a client with the following definition:

client 192.168.1.0/24 {

   secret = a10rad

   shortname = private-network-1

}

NOTE:                               In this example, the ACOS device’s subnet is added as the client.

b.     Create the dictionary file /usr/local/share/freeradius/dictionary.a10networks for vendor a10networks (22610 is the vendor code) with the following contents:

NOTE:                               After authenticating an administrator, the RADIUS server should return the A10-Admin-Privilege attribute with one of the values defined in the following dictionary. If it returns neither this attribute nor Service-Type, the administrator receives the default read-only access described in RADIUS Authorization Based on Service-Type.

# A10-Networks dictionary

# Created by Software Tools of A10 Networks.

#

VENDOR A10-Networks 22610

 

BEGIN-VENDOR A10-Networks

ATTRIBUTE A10-App-Name    1    string

ATTRIBUTE A10-Admin-Privilege    2    integer

ATTRIBUTE A10-Admin-Partition    3    string

ATTRIBUTE A10-Admin-Access-Type    4    string

ATTRIBUTE A10-Admin-Role        5    string

VALUE     A10-Admin-Privilege    Read-only-Admin    1

VALUE     A10-Admin-Privilege    Read-write-Admin    2

VALUE     A10-Admin-Privilege    Partition-SlbService-Operator 11

VALUE     A10-Admin-Privilege    Partition-Read-Write    8

VALUE     A10-Admin-Privilege    Partition-Read-Only    12

END-VENDOR A10-Networks

 

c.     In the /usr/local/share/freeradius/dictionary directory, to add the file to the dictionary, enter the following command:

$INCLUDE dictionary.a10networks  # added for a10networks

d.     In the /usr/local/etc/raddb/users file, to add each ACOS admin as a user, enter the following commands:

NOTE: The following text contains examples of ACOS administrator definitions in a RADIUS users file on the RADIUS server.

###################################

 

#this is a read-write user

rw Cleartext-Password := "111111"

     A10-Admin-Privilege = Read-write-Admin

 

#this is a read-only user

ro Cleartext-Password := "111111"

     A10-Admin-Privilege = Read-only-Admin

 

#this is a partition read-only

pro Cleartext-Password := "111111"

     A10-Admin-Privilege = Partition-Read-Only,

     A10-Admin-Partition = "aa"

 

#this is a partition enable-disable

ped Cleartext-Password := "111111"

     A10-Admin-Privilege = Partition-SlbService-Operator,

     A10-Admin-Partition = "aa"

 

#this is partition read-write, has role PartitionReadWrite, only login from web.

prw_r_w Cleartext-Password := "111111"

     A10-Admin-Privilege = Partition-Read-Write,

     A10-Admin-Partition = "aa",

     A10-Admin-Role = "PartitionReadWrite",

     A10-Admin-Access-Type = "web"
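The dictionary in step b and the users file in step d have to agree: a reply item that names a VALUE the dictionary does not define, or an entry that returns no A10-Admin-Privilege at all, gives an administrator something other than the access that was intended. The following script is an added example (it is not part of the A10 documentation or of the freeRADIUS project) that parses the subset of dictionary and users-file syntax shown above and reports such mismatches. Both sample texts inside it are constructed for the example; the "Partition-Read_write" spelling in the sample dictionary is deliberately inconsistent with the sample users file so that the check has something to find.

```python
"""Cross-check a freeRADIUS vendor dictionary against a users file.

Added example, not code from the A10 documentation or freeRADIUS. Parses only
the keywords used above (VENDOR, ATTRIBUTE, VALUE) and the reply items of
users-file entries. Sample texts are constructed; 'Partition-Read_write' is a
deliberate inconsistency."""
import re

DICTIONARY = """\
# constructed sample in the style of dictionary.a10networks
VENDOR A10-Networks 22610
BEGIN-VENDOR A10-Networks
ATTRIBUTE A10-App-Name          1 string
ATTRIBUTE A10-Admin-Privilege   2 integer
ATTRIBUTE A10-Admin-Partition   3 string
ATTRIBUTE A10-Admin-Access-Type 4 string
ATTRIBUTE A10-Admin-Role        5 string
VALUE A10-Admin-Privilege Read-only-Admin      1
VALUE A10-Admin-Privilege Read-write-Admin     2
VALUE A10-Admin-Privilege Partition-Read_write 8
VALUE A10-Admin-Privilege Partition-Read-Only  12
END-VENDOR A10-Networks
"""

USERS = """\
# constructed sample users file
rw Cleartext-Password := "111111"
\tA10-Admin-Privilege = Read-write-Admin

prw Cleartext-Password := "111111"
\tA10-Admin-Privilege = Partition-Read-Write,
\tA10-Admin-Partition = "aa",
\tA10-admin-Access-type = "web"

typo Cleartext-Password := "111111"
\tA10-Admin-Privileg = Read-only-Admin
"""

# One reply item: "Attr op value" with an optional trailing comma; values may be quoted.
ITEM_RE = re.compile(r'\s*([\w.-]+)\s*(:=|==|\+=|=)\s*("[^"]*"|[\w.-]+)\s*,?\s*$')


def parse_dictionary(text):
    """Return vendor (name, id), attrs {name: (number, type)} and VALUEs per attribute.
    Names are lower-cased because freeRADIUS matches them case-insensitively."""
    vendor, attrs, values = None, {}, {}
    for raw in text.splitlines():
        fields = raw.split('#', 1)[0].split()
        if not fields:
            continue
        keyword = fields[0].upper()
        if keyword == 'VENDOR' and len(fields) >= 3:
            vendor = (fields[1], int(fields[2]))
        elif keyword == 'ATTRIBUTE' and len(fields) >= 4:
            attrs[fields[1].lower()] = (int(fields[2]), fields[3].lower())
        elif keyword == 'VALUE' and len(fields) >= 4:
            values.setdefault(fields[1].lower(), {})[fields[2].lower()] = int(fields[3])
    return {'vendor': vendor, 'attrs': attrs, 'values': values}


def parse_users(text):
    """Return [(username, [(attribute, value), ...])] per entry. An entry starts in
    column 0 ("name check-items"); its reply items follow on indented lines.
    Comments are cut at '#', so '#' inside quoted values is not supported here."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            entries.append((line.split()[0], []))
        elif entries:
            m = ITEM_RE.match(line)
            if m:
                entries[-1][1].append((m.group(1), m.group(3).strip('"')))
    return entries


def check_users(dictionary, entries):
    """Return a list of problems; an empty list means every entry is consistent."""
    problems = []
    for user, items in entries:
        for attr, value in items:
            key = attr.lower()
            if key not in dictionary['attrs']:
                problems.append(f"{user}: unknown attribute {attr}")
                continue
            # An integer attribute may be written as a number or as a VALUE name.
            if dictionary['attrs'][key][1] == 'integer' and not value.isdigit():
                if value.lower() not in dictionary['values'].get(key, {}):
                    problems.append(f"{user}: {attr} has no VALUE named {value}")
        if not any(a.lower() == 'a10-admin-privilege' for a, _ in items):
            problems.append(f"{user}: no A10-Admin-Privilege reply item (ACOS requires one)")
    return problems


def main():
    problems = check_users(parse_dictionary(DICTIONARY), parse_users(USERS))
    print("\n".join(problems) or "users file is consistent with the dictionary")
    return problems


if __name__ == '__main__':
    main()
```

Run it against your real dictionary.a10networks and users file by replacing the two sample strings with the file contents; it reads only the few keywords above, so a full production dictionary with other directives should be checked with the server's own `radiusd -XC` as well.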

 

Windows IAS Setup for RADIUS

This section describes how to configure Windows Server 2003 Internet Authentication Service (IAS) with ACOS RADIUS authentication. These steps assume that IAS and Active Directory (AD) are already installed on the Windows 2003 server.

Configuring Windows IAS for ACOS RADIUS Authentication

To configure Windows IAS for ACOS RADIUS authentication:

1.     On the IAS server, create the following access groups (see Configure Access Groups):

     ACOS-Admin-Read-Only

     ACOS-Admin-Read-Write

2.     On the IAS server, configure a RADIUS client for the ACOS device (Configure RADIUS Client for ACOS Device).

3.     On the IAS server, configure the following remote access policies (Configure Remote Access Policies):

     ACOS-Admin-Read-Only-Policy

     ACOS-Admin-Read-Write-Policy

4.     On the IAS server, add AD users to appropriate ACOS device access groups (Add Active Directory Users to ACOS Access Groups).

5.     Register the IAS server in AD (Register the IAS Server in Active Directory).

6.     Configure RADIUS on the ACOS device (Configuring RADIUS on the ACOS Device).

7.     Test the configuration by attempting to log onto the ACOS device with AD users added in step 4 (Verifying the Configuration).

The following sections provide detailed steps for each of these tasks.

Configure Access Groups

To configure access groups, select Start > All Programs > Administrative Tools > Active Directory Users and Computers.

If Active Directory Is Not Installed

If AD is not installed on the IAS server, you can use the following steps to add the users and groups. However, the rest of this section assumes that AD will be used.

1.     Open the Computer Management tool by selecting Start > Programs > Administrative Tools > Computer Management.

2.     Open the System Tools and Local Users and Groups items, if they are not already open.

3.     Right click on Group and select New Group.

4.     Enter the following information for the first group:

     Group Name – AX-Admin-Read-Only

     Group Description – Read-Only Access to ACOS devices

     Members – Add the members using the Add button.


5.     Click Create.

6.     Enter the following information for the second group:

     Group Name – AX-Admin-Read-Write

     Group Description – Read-Write to ACOS devices

     Members – Add members as desired using the Add button

7.     Click Create.

8.     Click Close.

Configure RADIUS Client for ACOS Device

1.     Open Internet Authentication Service, by selecting Start > Programs > Administrative Tools > Internet Authentication Service.

2.     Right-click on Client and select New Client.

3.     Enter the following information in the Add Client dialog box:

     Friendly name – Useful name for the ACOS device; for example, ACOS2000_slb1

     Protocol – RADIUS

NOTE: 192.168.1.238 is the IP address of the ACOS device that will use the IAS server for external RADIUS authentication.

4.     Click Next.

5.     Enter the following information in the Add RADIUS Client dialog box:

     Client address – IP address or domain name for the client (ACOS device)

     Client-Vendor – RADIUS Standard

     Shared secret – Secret to be shared between IAS and ACOS. You also will need to enter this in the RADIUS configuration on the ACOS device.

     Confirm shared secret – Same as above

NOTE: Do not select “Request must contain the Message Authenticator attribute”. ACOS RADIUS authentication does not support this option.

 


6.     Click Next.

Configure Remote Access Policies

To configure the remote access policies:

1.     Open the Internet Authentication Service, if not already open.

2.     To create the first remote access policy, right-click on Remote Access Policies, select New Remote Access Policy, and enter the following information:

Policy Friendly name – AX-Admin-Read-Only-Policy

 


3.     Click Next.

4.     In the Add Remote Access Policy dialog box, click Add.

5.     In the Select Attribute dialog box, double-click Client Friendly Name.

6.     In the Client-Friendly-Name dialog box, enter the friendly name used to define the ACOS device (for example, AX-Admin-Read-Only-Policy) and click OK.

7.     In the same Add Remote Access Policy dialog box as before, click Add again.

8.     In the Select Attribute dialog box, double-click Windows-Groups.


9.     In the Groups dialog box, click Add, then double-click AX-Admin-Read-Only group, Click OK to add the group, then click OK once more to confirm the groups.

 


10.  In the same Add Remote Access Policy dialog box as before, click Next.

 

11.  Select Grant remote access permission, and click Next.


12.  Click Edit Profile.


13.  In the Edit Dial-in Profile dialog box, select the Authentication tab. Select the type of authentication you are using: CHAP and PAP.


14.  Select the Advanced tab, and click Add.

15.  In the RADIUS attributes list, find and double-click the line beginning with Vendor-Specific.


16.  In the Multivalued Attribute Information dialog box, click Add and enter the following:

     Enter vendor code – 22610 (for A10 Networks)

     Conforms to RADIUS RFC – Yes


17.  Click Configure Attribute, and enter the following information:

     Vendor-assigned attribute number – 2

     Attribute format – Decimal

     Attribute value – 1   

NOTE: Attribute value 1 is read-only. Attribute value 2 is read-write.

18.  Click OK for the Configure VSA, Vendor-Specific Attribute Information, and Multivalued Attribute Information dialog boxes.

19.  Click Close in the Add Attributes dialog box.

20.  Click OK in the Edit Dial-In Profile dialog box. Optionally, read the suggested help by clicking OK.

21.  Click Finish in the Add Remote Access Policy dialog box.

22.  To create the second Remote Access Policy, repeat the above steps with the following changes:

     Policy Friendly name – AX-Admin-Read-Write-Policy

     Group to add – AX-Admin-Read-Write

     Attribute value – 2
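Steps 15 to 17 configure IAS to put a Vendor-Specific attribute in its Access-Accept: RADIUS attribute 26, vendor code 22610, an RFC-conformant sub-attribute numbered 2 whose 4-byte integer is 1 (read-only) or 2 (read-write). The following script is an added example, not code from the A10 documentation or from Windows IAS. It encodes that attribute as RFC 2865 describes, builds an Access-Accept around it, computes the Response Authenticator that the shared secret from the RADIUS client setup protects, and parses the privilege back out only after the authenticator verifies. The packet identifier, request authenticator and secret inside it are constructed sample values.

```python
"""The IAS 'Vendor-Specific' profile attribute on the wire (RFC 2865).

Added example; not code from the A10 documentation or from Windows IAS.
Identifier, request authenticator and shared secret are constructed values."""
import hashlib
import hmac
import os
import struct

A10_VENDOR_ID = 22610
A10_ADMIN_PRIVILEGE = 2            # vendor-assigned attribute number from the A10 dictionary
PRIVILEGE_NAMES = {1: "Read-only-Admin", 2: "Read-write-Admin"}
CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26


def encode_vsa_integer(vendor_id, vendor_type, value):
    """Vendor-Specific (26) attribute holding one integer sub-attribute (RFC 2865 s5.26)."""
    sub = struct.pack("!BBI", vendor_type, 6, value)        # vendor-type, vendor-length, value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier, request_auth, secret, attributes):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet, request_auth, secret):
    """Client side: recompute the authenticator with the locally configured secret."""
    header, response_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attributes + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def parse_attributes(attributes):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(attributes):
        if i + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        attr_type, length = attributes[i], attributes[i + 1]
        if length < 2 or i + length > len(attributes):
            raise ValueError("bad attribute length")
        out.append((attr_type, attributes[i + 2:i + length]))
        i += length
    return out


def a10_privilege(attributes):
    """Return the A10-Admin-Privilege integer from the reply, or None if it is absent."""
    for attr_type, value in parse_attributes(attributes):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != A10_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(value):
            vendor_type, vendor_len = value[j], value[j + 1]
            if vendor_len < 2 or j + vendor_len > len(value):
                raise ValueError("bad VSA sub-attribute length")
            if vendor_type == A10_ADMIN_PRIVILEGE and vendor_len == 6:
                return struct.unpack("!I", value[j + 2:j + 6])[0]
            j += vendor_len
    return None


def exchange(privilege, secret=b"shared-secret"):
    """Simulate one reply; return (verified, verified_with_wrong_secret, level, name)."""
    request_auth = os.urandom(16)   # in a real exchange, copied from the Access-Request
    attrs = encode_vsa_integer(A10_VENDOR_ID, A10_ADMIN_PRIVILEGE, privilege)
    packet = build_access_accept(0x2A, request_auth, secret, attrs)
    ok = verify_response(packet, request_auth, secret)
    wrong = verify_response(packet, request_auth, b"not-the-secret")
    level = a10_privilege(packet[20:]) if ok else None   # trust the VSA only after verification
    return ok, wrong, level, PRIVILEGE_NAMES.get(level)


if __name__ == "__main__":
    print(exchange(1))   # (True, False, 1, 'Read-only-Admin')
```

The reply carries no Message-Authenticator attribute, which matches the client setting above that leaves "Request must contain the Message Authenticator attribute" unselected; the Response Authenticator computed from the shared secret is what ties the privilege value to the server that issued it, so a mismatched secret on either side shows up as a failed verification rather than as a wrong privilege level.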

Add Active Directory Users to ACOS Access Groups

To add Active Directory users to the ACOS access groups:

1.     In the Active Directory management console, add the ACOS access group to the user (tester1 in this example).

2.     Make sure Remote Access Permission is enabled for the user.

Register the IAS Server in Active Directory

The IAS RADIUS server must be registered with AD. Otherwise, RADIUS will use compatibility mode instead of AD to authenticate users.

1.     Open the IAS main window.

2.     Click Action on the menu bar, and click “Register Server in Active Directory”.

Configuring RADIUS on the ACOS Device

To add the RADIUS server (IAS server) to the ACOS device, enter the following commands:

ACOS(config)# radius-server host 192.168.230.10 secret shared-secret

ACOS(config)# authentication type local radius

 

NOTE: Ensure that the shared secret is the same as the value that you specified for the RADIUS client that you configured for the ACOS device on the IAS server.

In this example, 192.168.230.10 is the IP address of w2003-10.com, and shared-secret is the secret that you entered in step 5 of Configure RADIUS Client for ACOS Device.

Verifying the Configuration

To verify the configuration:

1.     Log in to the ACOS CLI.

2.     At the command prompt, enter the username in the following format:

user-name@AD-domain-name

For example, you might enter tester1@w2003-10.com.

3.     Enter the password.

4.     Press Enter.

 

 
