RADIUS (Remote Authentication Dial-In User Service) provides central authentication for users.
It is a client-server protocol that runs at the application layer. It can use either TCP or UDP as transport.
By default, all users have access to all devices without restriction.
Configuration
- Step 1 - On the Nodegrid side:
1. Log in as admin and go to Security.
2. Select Authentication and click Add.
3. Select Radius as the method and enter the IP address of the remote server.
4. Enter the IP address of the Radius accounting server.
5. Enter the secret key and confirm it.
6. Select the Fallback if denied access option.
7. Click Save.
The "Fallback if denied access" option lets you log in to the Nodegrid with local accounts if authentication against the Radius users fails.
If there is no accounting server on the Radius side, leave the 'Accounting Server' field above empty (no IP address).
8. Go back to Security and select Services.
9. In the Manage Devices section, select the "Device access enforced via user group authentication" option.
10. Click Save.
Now log in as a normal user: that user no longer has access to any devices.
To give a user access:
1. Log in as admin and go to Security.
2. Select Authorization, select the required group and click Add.
3. Enter the user to add. To add several users, separate the usernames with commas.
4. Click Save.
Log back in as the normal user: the user now has access to the devices allowed by the group.
To match the Radius group, go to Security :: Authorization and select or create a group. In Profile, assign the permissions of that group. In Remote Groups, enter the name of the group exactly as declared on the Radius server.
- Step 2 - On the RADIUS server side
We use the open-source FreeRADIUS server as an example and assume it is already installed.
First, edit /etc/freeradius/3.0/clients.conf and declare the Nodegrid, following this format:
client your_nodegrid_device {
    ipaddr = 10.10.10.6
    secret = your_secret_password
    require_message_authenticator = no
    nastype = other
}
The secret must match the one entered on the Nodegrid side during the first step.
Second, create the file /usr/share/freeradius/dictionary.zpe with the content listed below:
VENDOR ZPE 42518
BEGIN-VENDOR ZPE
ATTRIBUTE ZPE-User-Groups 1 string
END-VENDOR ZPE
Then, edit the file /usr/share/freeradius/dictionary and add a line that includes dictionary.zpe:
$INCLUDE dictionary.zpe
Then, in /etc/freeradius/users, assign user groups. Either define the "Framed-Filter-ID" attribute (as before) or define the new "ZPE-User-Groups" attribute.
NOTE: if both attributes are defined, "ZPE-User-Groups" takes precedence:
user_radius Cleartext-Password := "password_user_radius"
    ZPE-User-Groups = "radius_network_admin"
Restart the Radius server: systemctl restart freeradius
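As an added example (not part of the Nodegrid documentation or of FreeRADIUS), the Python below encodes the ZPE-User-Groups attribute declared in dictionary.zpe above as an RFC 2865 Vendor-Specific attribute, builds an Access-Accept whose Response Authenticator is computed over the shared secret, verifies that authenticator the way a NAS should before trusting the reply, and extracts the group list applying the precedence rule just stated. It assumes the page's "Framed-Filter-ID" is the RFC 2865 Filter-Id (type 11); all packet bytes are constructed inline.

```python
import hashlib
import hmac
import struct

ZPE_VENDOR_ID = 42518      # VENDOR ZPE 42518 from dictionary.zpe
ZPE_USER_GROUPS = 1        # ATTRIBUTE ZPE-User-Groups 1 string
VENDOR_SPECIFIC = 26       # RFC 2865 Vendor-Specific
FILTER_ID = 11             # RFC 2865 Filter-Id; assumed to be the page's Framed-Filter-ID
ACCESS_ACCEPT = 2


def encode_zpe_user_groups(groups: str) -> bytes:
    """Wrap ZPE-User-Groups in a Vendor-Specific attribute (RFC 2865 section 5.26 layout)."""
    value = groups.encode()
    inner = struct.pack("!BB", ZPE_USER_GROUPS, 2 + len(value)) + value
    body = struct.pack("!I", ZPE_VENDOR_ID) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: reject a reply whose authenticator was not produced with the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def user_groups_from_reply(packet: bytes) -> list:
    """Extract group names; ZPE-User-Groups takes precedence over Framed-Filter-ID."""
    zpe, filt, data, i = [], [], packet[20:], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        atype, alen = data[i], data[i + 1]
        value = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == ZPE_VENDOR_ID and vtype == ZPE_USER_GROUPS and vlen == len(value) - 4:
                zpe.append(value[6:].decode())
        elif atype == FILTER_ID:
            filt.append(value.decode())
        i += alen
    return [g.strip() for s in (zpe or filt) for g in s.split(",") if g.strip()]
```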
- Tests
First, run a local test on the Radius server with the command:
radtest user_radius password_user_radius localhost 0 your_secret_password
Then, log in to the Nodegrid using the Radius user from the Radius group.
The permissions of that user should match those of the associated local group.