RADIUS Authentication
Starting in 3.0, ProVision supports 6connect vendor-specific attributes (VSAs) for use with RADIUS authentication. To use these attributes, you must perform the following procedures:
To use the 6connect VSA, the attributes must be defined on the RADIUS server. Add the following RADIUS dictionary file to your RADIUS server and name it dictionary.6connect:
Important Note: Between version 3.9.3 and 4.0, the permissions structure for ProVision was significantly changed. Make sure you follow the version-specific instructions below.
ProVision 3.9.3 and prior: http://cloud.6connect.com/Download/Radius/3.9.3/6connect_VSA.txt
ProVision 4.0 and greater: http://cloud.6connect.com/Download/Radius/4.0/6connect_VSA.txt
Make sure to add the following to the primary dictionary file: $INCLUDE dictionary.6connect
On the RADIUS server, configure the user accounts that will have access to the ProVision system.
An example of a ProVision account configuration for the users file on a FreeRADIUS system for version 3.9.3 and prior: http://cloud.6connect.com/Download/Radius/3.9.3/Freeradius-users-example.txt
An example of a ProVision account configuration for the users file on a FreeRADIUS system for version 4.0 and greater: http://cloud.6connect.com/Download/Radius/4.0/Freeradius-users-example.txt
Example: To add a new RADIUS user, edit the 'users' file found at /etc/raddb/users and add a block like:
bobber Cleartext-Password := "hello"
        6connect_user_group = "Global Admins,Group 2,Group 1,Group Nonexistant"
There are many RADIUS attributes, but '6connect_user_group' is the one used by 6connect ProVision. It is simply a comma-separated list of all the group names that the user belongs to.
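An added example (not 6connect's code): a small audit of a FreeRADIUS users file that splits each 6connect_user_group value on commas and reports group names missing from a list of known ProVision groups. The alice and carol entries, the KNOWN_GROUPS set and the function names are assumptions made for illustration.

```python
import re

# Constructed sample in FreeRADIUS 'users' layout: check items follow the user
# name on the first line, reply items sit on the indented lines below it.
SAMPLE_USERS = '''\
bobber Cleartext-Password := "hello"
        6connect_user_group = "Global Admins,Group 2,Group 1,Group Nonexistant"

alice Cleartext-Password := "constructed-secret"
        6connect_user_group = "Group 1, Group 2"

carol Crypt-Password := "constructed-hash"
        Reply-Message = "constructed entry without ProVision groups"
'''
# Assumption: the auditor supplies the group names that exist in ProVision.
KNOWN_GROUPS = {"Global Admins", "Group 1", "Group 2"}
ATTR_RE = re.compile(r'([\w-]+)\s*(?::=|\+=|==|=)\s*(?:"([^"]*)"|([^,\s]+))')

def parse_users(text):
    """Return {user: {attribute: value}} for simple entries like the sample."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # an unindented line starts a new entry
            name, line = (line.split(None, 1) + [""])[:2]
            current = users.setdefault(name, {})
        if current is not None:
            for m in ATTR_RE.finditer(line):
                current[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return users

def audit(text, known_groups=KNOWN_GROUPS):
    """Return {user: [findings]} for each entry in a users file."""
    report = {}
    for user, attrs in parse_users(text).items():
        notes, value = [], attrs.get("6connect_user_group")
        if value is None:
            notes.append("no 6connect_user_group attribute")
        else:  # exact comparison: the page does not say whether spaces are trimmed
            notes += [f"unknown group {g!r}" for g in value.split(",")
                      if g not in known_groups]
        if "Cleartext-Password" in attrs:
            notes.append("Cleartext-Password stored in users file")
        report[user] = notes
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_USERS))
```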
For 3.9.3 and prior, the test and its response should look like the following:
#>radtest test test 50.23.215.162 6connect
Sending Access-Request of id 179 to 50.23.215.162 port 1812
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 10.124.47.6
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 50.23.215.162 port 1812, id=179, length=68
priv_admin = 1
priv_ipam_c = 1
priv_ipam_m = 1
priv_ipam_d = 1
For 4.0 and higher, the test and its response should look like the following:
<insert example>
To configure the use of RADIUS authentication with ProVision, follow the steps below.