Comment: Published by Scroll Versions from this space and version 8.2.0

RADIUS Authentication


Starting in 3.0, ProVision supports 6connect vendor-specific attributes (VSAs) for use with RADIUS authentication.

To use these attributes, you must perform the following procedures:


Setting Up Radius

Authentication

Add the 6connect VSA to the Radius Installation

To use the 6connect VSA, the attributes must be defined on the RADIUS server. Add the following RADIUS dictionary file to your RADIUS server and name it dictionary.6connect:

Important Note: Between ProVision 3.9.3 and ProVision 4.0, the permissions structure for ProVision was significantly changed. Make sure you follow the version-specific instructions below.

ProVision 3.9.3 and prior: http://cloud.6connect.com/Download/Radius/3.9.3/6connect_VSA.txt

3.9.3 VSA text file:

VENDOR 6connect 36009

BEGIN-VENDOR 6connect

ATTRIBUTE priv_admin 10 integer #This is used to give a user administrative access to the application
ATTRIBUTE priv_ipam_c 20 integer #This allows a user to create IP blocks
ATTRIBUTE priv_ipam_d 21 integer #This allows a user to delete IP blocks
ATTRIBUTE priv_ipam_m 22 integer #This allows a user to modify IP blocks
ATTRIBUTE priv_swip 23 integer #This allows a user to SWIP IP blocks
ATTRIBUTE priv_email 24 integer #This allows a user to email IP block information
ATTRIBUTE priv_ipam_v 25 integer #This allows a user to view IP block information
ATTRIBUTE priv_dns_c 30 integer #This allows a user to create DNS Zones
ATTRIBUTE priv_dns_d 31 integer #This allows a user to delete DNS Zones
ATTRIBUTE priv_dns_m 32 integer #This allows a user to modify DNS Zones
ATTRIBUTE priv_dns_v 33 integer #This allows a user to view DNS Zones
ATTRIBUTE priv_cust_c 40 integer #This allows a user to create Customer records
ATTRIBUTE priv_cust_d 41 integer #This allows a user to delete Customer records
ATTRIBUTE priv_cust_m 42 integer #This allows a user to modify Customer records
ATTRIBUTE priv_cust_v 43 integer #This allows a user to view Customer records
ATTRIBUTE priv_peer_c 50 integer #This allows a user to create peering sessions
ATTRIBUTE priv_peer_d 51 integer #This allows a user to delete peering sessions
ATTRIBUTE priv_peer_m 52 integer #This allows a user to modify peering sessions
ATTRIBUTE priv_peer_v 53 integer #This allows a user to view peering sessions
ATTRIBUTE priv_logs 60 integer #This allows a user to have access to the logs tab in the application

END-VENDOR 6connect

ProVision 4.0 and greater: http://cloud.6connect.com/Download/Radius/4.0/6connect_VSA.txt

4.0 VSA text file:

VENDOR 6connect 36009

BEGIN-VENDOR 6connect

ATTRIBUTE 6connect_user_group 10 string
#A 6connect User Group to which this user belongs.

END-VENDOR 6connect

Note
Make sure to add the following to the primary dictionary file:  $INCLUDE dictionary.6connect

Configure Radius Accounts

On the Radius server, configure the user accounts that will have access to the ProVision system.

An example of a ProVision account configuration for the users file on a Freeradius system for version 3.9.3 and prior: http://cloud.6connect.com/Download/Radius/3.9.3/Freeradius-users-example.txt

An example of a ProVision account configuration for the users file on a Freeradius system for version 4.0 and greater: http://cloud.6connect.com/Download/Radius/4.0/Freeradius-users-example.txt

Example: To add a new radius user, edit the 'users' file found at /etc/raddb/users and add a block like the following (setting up a RADIUS account):

bobber  Cleartext-Password := "hello"
        6connect_user_group = "Global Admins,Group 2,Group 1,Group Nonexistant"

The Radius server must be restarted every time you add, remove, or modify users. To restart the Radius server, use this command:

/etc/init.d/radiusd restart


Note on RADIUS attributes
There are many Radius attributes, but '6connect_user_group' is the one used by 6connect ProVision. It is just a comma-separated list of all the group names that the user belongs to.

Test Radius Accounts

For 3.9.3 and prior, the test and response should look like the following:

To query a radius server, use the following command format:

radtest [USERNAME] [USERPASSWORD] [SERVER] 0 [SECRET]

Example:

radtest bobber hello 208.39.140.106 0 6connect

A successful response will look like this:

Sending Access-Request of id 198 to 208.39.140.106 port 1812
  User-Name = "bobber"
  User-Password = "hello"
  NAS-IP-Address = 67.221.240.229
  NAS-Port = 0
  Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 208.39.104.106 port 1812, id=198, length=68
  priv_admin = 1
  priv_ipam_c = 1
  priv_ipam_m = 1
  priv_ipam_d = 1

For 4.0 and higher, test and response should look like the following:

...

69
Attr-10 = 0x476c6f62616c2041646d696e732c47726f757020322c47726f757020312c47726f7570204e6f6e6578697374616e74

A rejected response may look like this:

Sending Access-Request of id 68 to 208.39.140.106 port 1812
User-Name = "bobberbro"
User-Password = "hello"
NAS-IP-Address = 67.221.240.229
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 208.39.104.106 port 1812, id=68, length=20
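As an added example (not code from the 6connect documentation or from ProVision itself), the Python below shows how the dictionary.6connect entries map vendor 36009 / attribute 10 to 6connect_user_group, and how the hex value radtest prints for Attr-10 in the 4.0 response decodes into the comma-separated group list that ProVision reads. The dictionary text and the hex value are copied from this page; the Vendor-Specific attribute layout is the standard RFC 2865 type-26 encoding, and encode_vsa and the other function names are this example's own.

```python
import struct
# Constructed copy of the ProVision 4.0+ dictionary.6connect shown on this page.
DICTIONARY_4_0 = """\
VENDOR 6connect 36009
BEGIN-VENDOR 6connect
ATTRIBUTE 6connect_user_group 10 string #A 6connect User Group to which this user belongs.
END-VENDOR 6connect
"""
# The Attr-10 value from the ProVision 4.0 radtest response on this page.
ATTR10_HEX = "0x476c6f62616c2041646d696e732c47726f757020322c47726f757020312c47726f7570204e6f6e6578697374616e74"

def parse_dictionary(text):
    """Parse a minimal FreeRADIUS dictionary into {(vendor_id, attr_num): (name, type)}."""
    vendors, attrs, current = {}, {}, None
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop '#' comments and blank lines
        if not fields:
            continue
        if fields[0] == "VENDOR":
            vendors[fields[1]] = int(fields[2])
        elif fields[0] == "BEGIN-VENDOR":
            current = vendors[fields[1]]
        elif fields[0] == "END-VENDOR":
            current = None
        elif fields[0] == "ATTRIBUTE" and current is not None:
            attrs[(current, int(fields[2]))] = (fields[1], fields[3])
    return attrs

def encode_vsa(vendor_id, attr_num, value):
    """Build a RADIUS Vendor-Specific attribute (RFC 2865 type 26) carrying one vendor attribute."""
    inner = struct.pack("!BB", attr_num, 2 + len(value)) + value
    return struct.pack("!BBI", 26, 6 + len(inner), vendor_id) + inner

def decode_user_groups(attrs, vsa):
    """Decode a raw type-26 attribute into the group list ProVision reads from 6connect_user_group."""
    atype, alen, vendor_id = struct.unpack("!BBI", vsa[:6])
    vtype, vlen = vsa[6], vsa[7]
    if atype != 26 or alen != len(vsa) or vlen != alen - 6:
        raise ValueError("malformed Vendor-Specific attribute")
    name, dtype = attrs.get((vendor_id, vtype), (None, None))
    if name != "6connect_user_group" or dtype != "string":
        raise ValueError(f"not a 6connect_user_group VSA: vendor {vendor_id} attr {vtype}")
    value = vsa[8:alen].decode("ascii")
    return [g.strip() for g in value.split(",") if g.strip()]  # comma-separated group names

def groups_from_radtest_hex(hex_value, dictionary_text=DICTIONARY_4_0):
    """Rebuild the VSA from the hex string radtest printed and decode it with the dictionary."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    return decode_user_groups(parse_dictionary(dictionary_text), encode_vsa(36009, 10, raw))
```

A group name in the list that does not exist in ProVision (such as "Group Nonexistant" above) still decodes; the dictionary only tells the client what the bytes are, not whether the group is valid.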

Configure ProVision for Radius Authentication

To configure the use of Radius authentication with ProVision, follow the steps below:

  1. Log into 6connect ProVision
  2. Go to Settings → Admin → Authentication
  3. Select the "Radius" tab under "Authentication Options"
  4. Ensure that Radius functions are available. Radius functions are always available on 6connect cloud instances.
     Note: Radius functions are available on VM Images and Local Installations only if the relevant PHP Pear Radius Libraries have been installed. An error message will be visible if the PHP extension is not installed.
  5. Move the Radius Enable selector to the "ON" position.
  6. Fill in the hostname or IP address, authentication port, accounting port, and shared Radius key as specified.

Adding a Secondary Radius Server

Once at least one Radius server has been added, a list will appear at the top of the Radius module. Add an additional Radius server by clicking "Add new server".

ProVision will try each radius server in the order listed until one returns a success. Disabled servers will display in grey, and the currently selected server will display in bold.



Setting default login authentication options

In the login screen, you select the authentication method from the dropdown. If you like, you can set the default login option in the following way:

Open /data/globals.php in vi (or another editor) and add the following text as the last line of the file (before the closing ?>):

define('DEFAULT_LOGIN_TYPE', 'radius');

Acceptable values are "local", "radius", "ldap" and "saml". If this line is not present in globals.php, the default option is "local".

Add or Update Radius Authentication Settings (Local Install Only)

Authentication options are accessed by clicking the "Authentication" sub-tab at the top of the Admin Settings page.

  • Radius Enable: Move this selector to enable RADIUS functionality.
  • Radius Server Address: Set to the IP address of your radius server. If this is specified, it will force authentication over radius.
  • Radius Authentication Port: Set to the port for authentication. The default port is 1812.
  • Radius Accounting Port: Set to the port for radius accounting. The default port is 1813.
  • Radius Key: Set to the shared key of your radius server.

Enter or update the desired settings.

To verify that the settings connect, click "Test Radius Configuration". When done, click "Save Changes".