RADIUS Authentication
Starting in 3.0, ProVision supports 6connect vendor-specific attributes (VSAs) for use with RADIUS authentication. To use these attributes, you must perform the following procedures:
To use the 6connect VSA, the attributes must be defined on the RADIUS server. Add the following RADIUS dictionary file to your RADIUS server and name it dictionary.6connect:
Important Note: Between version 3.9.3 and 4.0, the permissions structure for ProVision was significantly changed. Make sure you follow the version-specific instructions below.
ProVision 3.9.3 and prior: http://cloud.6connect.com/Download/Radius/3.9.3/6connect_VSA.txt
VENDOR 6connect 36009
BEGIN-VENDOR 6connect
ATTRIBUTE priv_admin 10 integer #This is used to give a user administrative access to the application
ATTRIBUTE priv_ipam_c 20 integer #This allows a user to create IP blocks
ATTRIBUTE priv_ipam_d 21 integer #This allows a user to delete IP blocks
ATTRIBUTE priv_ipam_m 22 integer #This allows a user to modify IP blocks
ATTRIBUTE priv_swip 23 integer #This allows a user to SWIP IP blocks
ATTRIBUTE priv_email 24 integer #This allows a user to email IP block information
ATTRIBUTE priv_ipam_v 25 integer #This allows a user to view IP block information
ATTRIBUTE priv_dns_c 30 integer #This allows a user to create DNS Zones
ATTRIBUTE priv_dns_d 31 integer #This allows a user to delete DNS Zones
ATTRIBUTE priv_dns_m 32 integer #This allows a user to modify DNS Zones
ATTRIBUTE priv_dns_v 33 integer #This allows a user to view DNS Zones
ATTRIBUTE priv_cust_c 40 integer #This allows a user to create Customer records
ATTRIBUTE priv_cust_d 41 integer #This allows a user to delete Customer records
ATTRIBUTE priv_cust_m 42 integer #This allows a user to modify Customer records
ATTRIBUTE priv_cust_v 43 integer #This allows a user to view Customer records
ATTRIBUTE priv_peer_c 50 integer #This allows a user to create peering sessions
ATTRIBUTE priv_peer_d 51 integer #This allows a user to delete peering sessions
ATTRIBUTE priv_peer_m 52 integer #This allows a user to modify peering sessions
ATTRIBUTE priv_peer_v 53 integer #This allows a user to view peering sessions
ATTRIBUTE priv_logs 60 integer #This allows a user to have access to the logs tab in the application
END-VENDOR 6connect
ProVision 4.0 and greater: http://cloud.6connect.com/Download/Radius/4.0/6connect_VSA.txt
Make sure to add the following to the primary dictionary file:
$INCLUDE dictionary.6connect
On the Radius server, configure the user accounts that will have access to the ProVision system.
An example of a ProVision account configuration for the user file on a Freeradius system for version 3.9.3 and prior: http://cloud.6connect.com/Download/Radius/3.9.3/Freeradius-users-example.txt
An example of a ProVision account configuration for the user file on a Freeradius system for version 4.0 and greater: http://cloud.6connect.com/Download/Radius/4.0/Freeradius-users-example.txt
Example: To add a new radius user, edit the 'users' file found at /etc/raddb/users and add a block like:
bobber Cleartext-Password := "hello"
        6connect_user_group = "Global Admins,Group 2,Group 1,Group Nonexistant"
There are many Radius attributes, but '6connect_user_group' is the one used by 6connect ProVision; its value is a comma-separated list of all the group names that the user belongs to.
For 3.9.3 and prior, test and response should look like the following:
#>radtest test test 50.23.215.162 6connect
Sending Access-Request of id 179 to 50.23.215.162 port 1812
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 10.124.47.6
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 50.23.215.162 port 1812, id=179, length=68
        priv_admin = 1
        priv_ipam_c = 1
        priv_ipam_m = 1
        priv_ipam_d = 1
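The Python script below is an added example and is not part of the 6connect documentation or of ProVision itself. It ties together the three pieces shown above: it parses a dictionary.6connect file in the format listed earlier (checking that every ATTRIBUTE sits inside the BEGIN-VENDOR/END-VENDOR block and that no attribute number is reused), parses a FreeRADIUS users entry like the bobber example to pull out the 6connect_user_group list, and decodes the priv_* reply attributes from a radtest Access-Accept so you can see which privileges the server actually handed out and whether any attribute came back that the dictionary does not define. The dictionary excerpt, users entry and radtest output embedded in it are constructed copies of the page's samples (with a documentation IP address substituted), and all function names are this example's own.

```python
"""Added example: validate a 6connect VSA dictionary, parse a users entry, and
decode a radtest Access-Accept reply. Not part of ProVision or FreeRADIUS."""
import re

# Constructed excerpt of the 3.9.3 dictionary.6connect shown on the page.
DICTIONARY_6CONNECT = """\
VENDOR 6connect 36009
BEGIN-VENDOR 6connect
ATTRIBUTE priv_admin 10 integer #This is used to give a user administrative access to the application
ATTRIBUTE priv_ipam_c 20 integer #This allows a user to create IP blocks
ATTRIBUTE priv_ipam_d 21 integer #This allows a user to delete IP blocks
ATTRIBUTE priv_ipam_m 22 integer #This allows a user to modify IP blocks
ATTRIBUTE priv_logs 60 integer #This allows a user to have access to the logs tab in the application
END-VENDOR 6connect
"""

# Constructed users-file entry, modelled on the bobber example.
USERS_ENTRY = """\
bobber Cleartext-Password := "hello"
        6connect_user_group = "Global Admins,Group 2,Group 1,Group Nonexistant"
"""

# Constructed radtest output; 192.0.2.10 is a documentation address.
RADTEST_REPLY = """\
Sending Access-Request of id 179 to 192.0.2.10 port 1812
        User-Name = "test"
        User-Password = "test"
rad_recv: Access-Accept packet from host 192.0.2.10 port 1812, id=179, length=68
        priv_admin = 1
        priv_ipam_c = 1
        priv_ipam_m = 1
        priv_ipam_d = 1
"""


def parse_dictionary(text):
    """Return (vendor_id, {name: (number, type, comment)}) or raise ValueError."""
    vendor_id, in_vendor, attrs, seen = None, False, {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line, _, comment = raw.partition("#")
        fields = line.split()
        if not fields:
            continue
        kw = fields[0].upper()
        if kw == "VENDOR":
            vendor_id = int(fields[2])
        elif kw == "BEGIN-VENDOR":
            in_vendor = True
        elif kw == "END-VENDOR":
            in_vendor = False
        elif kw == "ATTRIBUTE":
            if not in_vendor:
                raise ValueError(f"line {lineno}: ATTRIBUTE outside BEGIN-VENDOR block")
            name, number, atype = fields[1], int(fields[2]), fields[3]
            if number in seen:  # two names on one number would silently collide
                raise ValueError(f"line {lineno}: number {number} already used by {seen[number]}")
            seen[number] = name
            attrs[name] = (number, atype, comment.strip())
        else:
            raise ValueError(f"line {lineno}: unknown keyword {fields[0]}")
    if vendor_id is None or in_vendor:
        raise ValueError("dictionary missing VENDOR line or END-VENDOR")
    return vendor_id, attrs


def dictionary_is_valid(text):
    """Convenience wrapper: True if parse_dictionary accepts the file."""
    try:
        parse_dictionary(text)
        return True
    except (ValueError, IndexError):
        return False


# Matches  name OP "quoted value"  or  name OP bareword  in a users file.
_ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|\+=|=)\s*(?:"([^"]*)"|([^,\s]+))')


def parse_users_entry(text):
    """Return (username, check_items, reply_items, group_list) for one entry."""
    lines = text.splitlines()
    username, _, check_part = lines[0].partition(" ")
    value = lambda m: m.group(3) if m.group(3) is not None else m.group(4)
    check = {m.group(1): value(m) for m in _ITEM_RE.finditer(check_part)}
    reply = {m.group(1): value(m) for raw in lines[1:] for m in _ITEM_RE.finditer(raw)}
    # ProVision reads 6connect_user_group as a comma-separated list of group names.
    groups = [g.strip() for g in reply.get("6connect_user_group", "").split(",") if g.strip()]
    return username, check, reply, groups


def parse_reply_attributes(text):
    """Collect 'name = value' pairs that follow the rad_recv line (the reply only)."""
    pairs, started = {}, False
    for raw in text.splitlines():
        if raw.startswith("rad_recv:"):
            started = True
            continue
        m = re.match(r"\s*([\w-]+)\s*=\s*(\S+)", raw) if started else None
        if m:
            pairs[m.group(1)] = m.group(2)
    return pairs


def granted_privileges(dictionary_text, reply_text):
    """Return (granted, unknown): priv_* names set to 1, and names not in the dictionary."""
    _, attrs = parse_dictionary(dictionary_text)
    granted, unknown = [], []
    for name, val in parse_reply_attributes(reply_text).items():
        if name not in attrs:
            unknown.append(name)  # worth alerting on: server sent an undefined VSA
        elif val == "1":
            granted.append(name)
    return granted, unknown


if __name__ == "__main__":
    vendor, attrs = parse_dictionary(DICTIONARY_6CONNECT)
    print("vendor id", vendor, "attributes", sorted(attrs))
    print("users entry:", parse_users_entry(USERS_ENTRY))
    print("granted/unknown:", granted_privileges(DICTIONARY_6CONNECT, RADTEST_REPLY))
```

Running the script prints the parsed vendor id (36009), the bobber entry with its four groups, and the four priv_* attributes granted by the sample reply. Pointing parse_dictionary at your real dictionary.6connect before reloading the RADIUS server catches a reused attribute number or an attribute placed outside the vendor block, which FreeRADIUS would otherwise report only at startup.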
For 4.0 and higher, test and response should look like the following:
﹤insert example﹥
To configure the use of Radius authentication with ProVision, follow the steps below.