Comment: Published by Scroll Versions from this space and version 5.0.3

RADIUS Authentication

Starting in 3.0, ProVision supports 6connect vendor-specific attributes (VSAs) for use with RADIUS authentication. To use these attributes, you must perform the following procedures:


Add the 6connect VSA to the Radius Installation

To use the 6connect VSA, the attributes must be defined on the RADIUS server. Add the following RADIUS dictionary file to your RADIUS server and name it dictionary.6connect:

Important Note: Between version 3.9.3 and 4.0, the permissions structure for ProVision was significantly changed. Make sure you follow the version-specific instructions below.

ProVision 3.9.3 and prior:

Code Block: 3.9.3 VSA text file
VENDOR          6connect               36009

BEGIN-VENDOR    6connect

ATTRIBUTE       priv_admin              10      integer
#This is used to give a user administrative access to the application

ATTRIBUTE       priv_ipam_c             20      integer
#This allows a user to create IP blocks
ATTRIBUTE       priv_ipam_d             21      integer
#This allows a user to delete IP blocks
ATTRIBUTE       priv_ipam_m             22      integer
#This allows a user to modify IP blocks
ATTRIBUTE       priv_swip               23      integer
#This allows a user to SWIP IP blocks
ATTRIBUTE       priv_email              24      integer
#This allows a user to email IP block information
ATTRIBUTE       priv_ipam_v             25      integer
#This allows a user to view IP block information

ATTRIBUTE       priv_dns_c              30      integer
#This allows a user to create DNS Zones
ATTRIBUTE       priv_dns_d              31      integer
#This allows a user to delete DNS Zones
ATTRIBUTE       priv_dns_m              32      integer
#This allows a user to modify DNS Zones
ATTRIBUTE       priv_dns_v              33      integer
#This allows a user to view DNS Zones

ATTRIBUTE       priv_cust_c             40      integer
#This allows a user to create Customer records
ATTRIBUTE       priv_cust_d             41      integer
#This allows a user to delete Customer records
ATTRIBUTE       priv_cust_m             42      integer
#This allows a user to modify Customer records
ATTRIBUTE       priv_cust_v             43      integer
#This allows a user to view Customer records

ATTRIBUTE       priv_peer_c             50      integer
#This allows a user to create peering sessions
ATTRIBUTE       priv_peer_d             51      integer
#This allows a user to delete peering sessions
ATTRIBUTE       priv_peer_m             52      integer
#This allows a user to modify peering sessions
ATTRIBUTE       priv_peer_v             53      integer
#This allows a user to view peering sessions

ATTRIBUTE       priv_logs               60      integer
#This allows a user to have access to the logs tab in the application

END-VENDOR      6connect

ProVision 4.0 and greater:

Code Block: 4.0 VSA text file
VENDOR                  6connect                        36009

BEGIN-VENDOR    6connect

ATTRIBUTE               6connect_user_group             10              string
#A 6connect User Group to which this user belongs.

END-VENDOR      6connect
Note: Make sure to add the following to the primary dictionary file: $INCLUDE dictionary.6connect

Configure Radius Accounts

On the Radius server, configure the user accounts that will have access to the ProVision system.

An example of a ProVision account configuration for the user file on a Freeradius system for version 3.9.3 and prior:

Code Block
#A user with full IPAM privileges and view-only DNS privileges

joe Cleartext-Password := "testing128"
   priv_admin = 1,
   priv_ipam_v = 1,
   priv_ipam_c = 1,
   priv_ipam_d = 1,
   priv_ipam_m = 1,
   priv_swip = 1,
   priv_email = 1,
   priv_dns_v = 1

An example of a ProVision account configuration for the user file on a Freeradius system for version 4.0 and greater:

Example: To add a new RADIUS user, edit the 'users' file found at /etc/raddb/users and add a block like:

Code Block: Setting up a RADIUS account
bobber  Cleartext-Password := "hello"
        6connect_user_group = "Global Admins,Group 2,Group 1,Group Nonexistant"

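The two users-file entries above are only valid if every reply attribute they name is defined, with the right type, in the dictionary.6connect file installed for that ProVision version; a misspelled attribute or a 3.9.3-era priv_* item left in a 4.0 users file is silently ignored by the server and the user simply gets no permissions. The following added example (not part of the page or of ProVision) parses both file formats and lints one against the other. The dictionary and users-file contents are constructed samples: the 4.0 dictionary is the one from this page, the 3.9.3 fragment keeps two of its ATTRIBUTE lines, and the 'alice' and 'joe' entries are deliberately wrong.

```python
from typing import Dict, List, Tuple

# Constructed sample dictionaries (the 4.0 one is the page's own text).
DICT_40 = """\
VENDOR                  6connect                        36009
BEGIN-VENDOR    6connect
ATTRIBUTE               6connect_user_group             10              string
#A 6connect User Group to which this user belongs.
END-VENDOR      6connect
"""

DICT_393 = """\
VENDOR          6connect               36009
BEGIN-VENDOR    6connect
ATTRIBUTE       priv_admin              10      integer
ATTRIBUTE       priv_ipam_v             25      integer
END-VENDOR      6connect
"""

# Constructed users-file entries: 'bobber' is correct for 4.0; 'alice' has a
# misspelled attribute plus a 3.9.3-era attribute the 4.0 dictionary no longer
# defines; 'joe' gives a 3.9.3 integer attribute a non-integer value.
USERS_40 = """\
bobber  Cleartext-Password := "hello"
        6connect_user_group = "Global Admins,Group 2,Group 1,Group Nonexistant"

alice   Cleartext-Password := "s3cret"
        6connect_usergroup = "Group 1",
        priv_admin = 1
"""

USERS_393 = """\
joe Cleartext-Password := "testing128"
   priv_admin = yes,
   priv_ipam_v = 1
"""


def parse_dictionary(text: str) -> Dict[str, Tuple[int, str]]:
    """Return {attribute_name: (number, type)} for ATTRIBUTE lines that sit
    inside a BEGIN-VENDOR/END-VENDOR block. '#' starts a comment."""
    attrs: Dict[str, Tuple[int, str]] = {}
    vendor = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "BEGIN-VENDOR":
            vendor = parts[1]
        elif parts[0] == "END-VENDOR":
            vendor = None
        elif parts[0] == "ATTRIBUTE" and vendor is not None:
            attrs[parts[1]] = (int(parts[2]), parts[3])
    return attrs


def parse_users(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {username: [(reply_attribute, value), ...]}. An entry starts at a
    non-indented line (username and check items); the indented lines that
    follow are its reply items, separated by trailing commas."""
    users: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = raw.split()[0]
            users[current] = []
            continue
        if current is None:
            continue  # reply item before any entry: ignore
        name, _, value = raw.strip().rstrip(",").partition("=")
        users[current].append((name.strip(), value.strip().strip('"')))
    return users


def lint_users(dictionary: Dict[str, Tuple[int, str]],
               users: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Report reply attributes the dictionary does not define, and integer
    attributes whose value is not an integer."""
    problems = []
    for user, items in users.items():
        for name, value in items:
            if name not in dictionary:
                problems.append(f"{user}: unknown attribute '{name}'")
            elif dictionary[name][1] == "integer" and not value.lstrip("-").isdigit():
                problems.append(f"{user}: '{name}' expects an integer, got '{value}'")
    return problems


def user_groups(users: Dict[str, List[Tuple[str, str]]], name: str) -> List[str]:
    """Split the comma-separated 6connect_user_group value for one user."""
    for attr, value in users.get(name, []):
        if attr == "6connect_user_group":
            return [g.strip() for g in value.split(",") if g.strip()]
    return []


if __name__ == "__main__":
    for problem in lint_users(parse_dictionary(DICT_40), parse_users(USERS_40)):
        print(problem)
    print(user_groups(parse_users(USERS_40), "bobber"))
```

Run the lint against the real /etc/raddb/users and dictionary.6connect after every edit and before the restart described below; it is far cheaper than discovering at login time that a group name never reached ProVision.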
The Radius server must be restarted every time you add, remove, or modify users. To restart the Radius server, use this command:

Code Block
/etc/init.d/radiusd restart
Note: Note on RADIUS attributes
There are many RADIUS attributes, but '6connect_user_group' is the one used by 6connect ProVision; it is just a comma-separated list of all the group names that the user belongs to.

Test Radius Accounts

To query a RADIUS server, use the following command format:

Code Block
radtest [USERNAME] [USERPASSWORD] [SERVER] 0 [SECRET]

Example, using the 4.0 account configured above:

Code Block
radtest bobber hello 208.39.140.106 0 6connect

For ProVision 4.0 and higher, a successful response will look like this. The reply carries the 6connect_user_group attribute, which radtest prints as Attr-10 in hex; the hex is the ASCII string "Global Admins,Group 2,Group 1,Group Nonexistant":

Code Block
  Sending Access-Request of id 198 to 208.39.140.106 port 1812
  User-Name = "bobber"
  User-Password = "hello"
  NAS-IP-Address = 67.221.240.229
  NAS-Port = 0
  Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 208.39.140.106 port 1812, id=198, length=69
Attr-10 = 0x476c6f62616c2041646d696e732c47726f757020322c47726f757020312c47726f7570204e6f6e6578697374616e74

For ProVision 3.9.3 and prior, the Access-Accept carries the priv_* attributes instead, for example:

Code Block
  priv_admin = 1
  priv_ipam_c = 1
  priv_ipam_m = 1
  priv_ipam_d = 1

A rejected response may look like this:

...
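radtest prints the reply, but it does not show the one check that makes the group list trustworthy: an Access-Accept is only authentic if its Response Authenticator equals MD5(Code + ID + Length + RequestAuthenticator + Attributes + SharedSecret) under the shared secret (RFC 2865). Anything that consumes the reply should verify that before honouring the groups, since a forged or mis-keyed reply would otherwise grant whatever groups it names. The added example below (not code from the page or from ProVision) builds an Access-Accept that carries the exact Attr-10 value shown above, verifies it with the page's shared secret "6connect", rejects the same packet under a wrong secret, and splits the group string. It models the attribute the way radtest displayed it, as a bare attribute number 10, rather than as the Vendor-Specific encoding a server would use; that wire form, the random request authenticator and the packet builder are assumptions of this example.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple

SHARED_SECRET = b"6connect"  # the secret used in the page's radtest example
ACCESS_ACCEPT = 2

# The reply attribute exactly as radtest printed it on this page (47 bytes).
ATTR10_HEX = ("476c6f62616c2041646d696e732c47726f757020322c"
              "47726f757020312c47726f7570204e6f6e6578697374616e74")


def build_access_accept(ident: int, request_auth: bytes,
                        attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """Constructed Access-Accept. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_reply(packet: bytes, request_auth: bytes, secret: bytes) -> Dict[int, bytes]:
    """Verify the Response Authenticator, then return {attribute_type: value}.
    Raises ValueError for a malformed packet or a failed authenticator check."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    resp_auth, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    attrs: Dict[int, bytes] = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("bad attribute length")
        attrs[attr_type] = body[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def groups_from_reply(attrs: Dict[int, bytes]) -> List[str]:
    """Split the comma-separated 6connect_user_group string (attribute 10)."""
    raw = attrs.get(10, b"").decode("ascii")
    return [g.strip() for g in raw.split(",") if g.strip()]


def demo() -> Tuple[int, List[str], bool]:
    """Returns (packet length, groups, whether the wrong secret was rejected)."""
    request_auth = os.urandom(16)  # radtest's random Request Authenticator
    pkt = build_access_accept(198, request_auth,
                              [(10, bytes.fromhex(ATTR10_HEX))], SHARED_SECRET)
    groups = groups_from_reply(parse_reply(pkt, request_auth, SHARED_SECRET))
    try:
        parse_reply(pkt, request_auth, b"wrong-secret")
        rejected = False
    except ValueError:
        rejected = True
    return len(pkt), groups, rejected


if __name__ == "__main__":
    print(demo())
```

The packet length comes out as 69 bytes (20-byte header plus a 49-byte attribute), which matches the length=69 radtest reported for this reply.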

Configure ProVision for Radius Authentication

To configure the use of Radius authentication with ProVision, follow the steps below.

  • Log into 6connect ProVision
  • Go to Admin -> General Settings -> Authentication
  • Ensure that Radius functions are marked as available.  Radius functions are always available on 6connect cloud instances.  Radius functions are available on VM Images and Local Installations only if the relevant PHP Pear Radius Libraries have been installed.
  • Click the Radius Enable checkbox.
  • Fill in the hostname or ip address, authentication ports, accounting port, and shared Radius key as specified.
Note: Setting default login options

On the login screen, you select the authentication method from the dropdown. If you like, you can set the default login option as follows:

Open /data/globals.php in vi (or another editor) and add the following text as the last line of the file (before the closing ?>):

define('DEFAULT_LOGIN_TYPE', 'radius');

Acceptable values are "local", "radius" and "ldap". If this line is not present in globals.php, the default option is "local".