Radius

In an authentication-based network, an endpoint uses an 802.1X authentication request to open a network session. IEEE 802.1X is a Layer 2 access control protocol that carries Extensible Authentication Protocol (EAP) payloads; EAP is an authentication framework that defines how identity credentials are transported and used. The client's authentication material (username, password, certificate, token, OTP, etc.) is encapsulated in EAP and sent to the NAS (the first-hop network access server), and the NAS relays it to the AAA server (ACS, ISE, etc.) in RADIUS packets. The RADIUS server validates it against an internal user database or an external store (an AD domain) and returns the appropriate authorization to the access server. The availability and serviceability of the RADIUS server are therefore the foundation of secure enterprise network access.

Radius - Figure 1

RADIUS is a client/server system that protects a network from unauthorized access. It is an open standard protocol and can be customized with vendor-specific attributes. In Cisco's implementation the RADIUS client runs on a Cisco switch, router or WLC and sends authentication requests to the RADIUS server; the RADIUS server can be used together with other AAA protocols (TACACS+, Kerberos, local database lookup).

AAA configuration for IEEE 802.1X and Radius

| Command | Description |
| --- | --- |
| aaa new-model | Enables Authentication, Authorization and Accounting (AAA). |
| aaa authentication dot1x default group radius | Specifies RADIUS as the method for 802.1X port-based authentication. |
| aaa authorization network default group radius | Governs network authorization via RADIUS (VLAN / ACL assignment). |
| aaa accounting dot1x default start-stop group radius | Enables accounting for 802.1X authentication sessions. |
| aaa session-id common | Makes all session identification (ID) information sent out for a given session identical. |

RADIUS Server Configuration

| Command | Description |
| --- | --- |
| radius server name | Specifies the name for the RADIUS server configuration and enters RADIUS server configuration mode. |
| address ipv4 X.X.X.X auth-port <0-65535> acct-port <0-65535> | Configures the IPv4 address and the authentication and accounting UDP ports of the RADIUS server. |
| key string | Defines the shared secret that is configured on the RADIUS server; it is required for secure RADIUS communication. |
| ip radius source-interface interface-name | Forces RADIUS to use the IP address of the specified interface for all outgoing RADIUS packets (global configuration mode). The source IP address of the RADIUS packets must match the NAS IP address configured on the RADIUS server; a mismatch leads to RADIUS packet timeouts and the server being marked DEAD. |
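The shared secret configured with the key command is what actually protects the RADIUS exchange: it hides the User-Password attribute in the Access-Request and authenticates every reply the NAS receives. The following Python model of those two RFC 2865 computations is an added example, not code from this page or from Cisco; the Request Authenticator, user name and the secret "cisco" used in the checks are constructed sample values.

```python
import hashlib
import hmac
import struct

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: XOR 16-byte blocks with MD5(secret + prev)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth          # first mask is seeded by the Request Authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of the same transform; needs the same shared secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, mask))
    return out.rstrip(b"\x00")

def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value   # TLV, length incl. header

def build_access_request(ident: int, user: bytes, pw: bytes, secret: bytes,
                         req_auth: bytes) -> bytes:
    """Code 1 = Access-Request carrying User-Name (1) and User-Password (2)."""
    attrs = attr(1, user) + attr(2, hide_password(pw, secret, req_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def response_authenticator(code, ident, attrs, req_auth, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s.3."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + req_auth + attrs + secret).digest()

def build_access_accept(request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Code 2 = Access-Accept, bound to the request it answers."""
    ident, req_auth = request[1], request[4:20]
    auth = response_authenticator(2, ident, attrs, req_auth, secret)
    return struct.pack("!BBH", 2, ident, 20 + len(attrs)) + auth + attrs

def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """NAS-side check: matching ID and a Response Authenticator valid under our key."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    want = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(want, response[4:20])
```

A reply built with a different key fails verify_response and is dropped, which is why a key mismatch between NAS and server looks like a timeout on the switch rather than an explicit error.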

Legacy Configuration for RADIUS Servers

    radius-server host 172.20.254.4 auth-port 1645 acct-port 1646 key cisco

Test commands

    switch#show aaa servers
    RADIUS: id 5, priority 1, host 172.20.254.4, auth-port 1645, acct-port 1646
    State: current UP, duration 575s, previous duration 0s
    Dead: total time 0s, count 0
    Quarantined: No
    <Output truncated>
    switch#test aaa group radius user1 cisco new-code
    # User successfully authenticated

Vendor-Specific Attributes

| Command | Description |
| --- | --- |
| radius-server vsa send | Configures the network access server to recognize and use vendor-specific attributes (global configuration mode). Use the no form of the command to restore the default. |
| radius-server vsa send accounting | (Optional) Limits the set of recognized vendor-specific attributes to accounting attributes only. |
| radius-server vsa send authentication | (Optional) Limits the set of recognized vendor-specific attributes to authentication attributes only. |

AAA Method List Commands

| Command | Description |
| --- | --- |
| Switch(config)# aaa group server radius group-name | Groups RADIUS server hosts into distinct lists that can be referenced by distinct methods (global configuration mode). |
| Switch(config-sg-radius)# server name name, or server ip-address | A RADIUS server is added to the group either by its IP address or by referencing the name defined with the "radius server" command. |
| Switch(config)# aaa authentication dot1x default group group-name | Uses the server list group-name, defined by the aaa group server radius global command, for 802.1X authentication. |
| Switch(config)# aaa authorization network default group group-name | Uses the same server list for network authorization. |
| Switch(config)# aaa accounting dot1x default start-stop group group-name | Uses the same server list for 802.1X accounting. |

Example:

    aaa new-model
    !
    aaa group server radius RASERV
    server name RASERV-1
    server name RASERV-2
    !
    aaa authentication dot1x default group RASERV
    aaa authorization network default group RASERV
    aaa accounting dot1x default start-stop group RASERV
    !
    radius server RASERV-1
    address ipv4 172.20.254.4 auth-port 1813 acct-port 1814
    automate-tester username dummy
    key cisco
    timeout 10
    retransmit 5
    !
    radius server RASERV-2
    address ipv4 172.20.254.8 auth-port 1645 acct-port 1646
    automate-tester username dummy
    key cisco
    timeout 10
    retransmit 5
    !

RADIUS Timers

| Command | Description |
| --- | --- |
| Switch(config)# radius-server retransmit retries | Specifies how many times the switch transmits each RADIUS request to the server before giving up (the default is three times). |
| Switch(config)# radius-server timeout seconds | Specifies how many seconds the switch waits for a reply to a RADIUS request before retransmitting the request. |

RADIUS Server Failure Handling Commands

| Command | Description |
| --- | --- |
| radius-server dead-criteria [time seconds] [tries number] | Configures the conditions that determine when a RADIUS server is considered unavailable (DEAD); global configuration mode. time seconds (optional): the time in seconds during which the switch does not need to get a valid response from the RADIUS server; the range is 1 to 120 seconds. tries number (optional): the number of times the switch does not get a valid response from the RADIUS server before the server is considered unavailable. |
| radius-server deadtime minutes | Defines how long, in minutes, a server marked DEAD is held in that state. This improves RADIUS response times when some servers are unavailable, because DEAD servers are skipped immediately. Once the deadtime expires, the switch marks the server UP (ALIVE) and notifies the registered clients about the state change; if the server is still unreachable after being marked UP and the dead criteria are met again, it is marked DEAD again for another deadtime interval. Note: when this timer expires the NAS marks the AAA server UP unconditionally. |
| automate-tester username user [ignore-auth-port] [ignore-acct-port] [idle-time minutes] (under the "radius server" command) | Enables the automated testing feature for the RADIUS server (RADIUS server configuration mode). The switch sends periodic test authentication messages to the server and looks for any RADIUS response; a success message is not necessary, a failed authentication suffices because it shows that the server is alive. username user: the automatic test user ID. ignore-auth-port (optional): disables testing on the UDP port of the RADIUS authentication server. ignore-acct-port (optional): disables testing on the UDP port of the RADIUS accounting server. |

Legacy command: radius-server host {hostname | ip-address} [test username user-name]

The NAS changes a RADIUS server's state from DEAD to UP in the following cases:

  1. The deadtime expires: the NAS unconditionally marks the server UP.
  2. The RADIUS server answers a test packet (automated, every 60 minutes): the NAS marks the server UP.
  3. The RADIUS server answers a new request.
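To see how dead-criteria, deadtime, automate-tester and the three revival conditions above interact, here is an added Python model of the NAS-side server state (not Cisco code, and a simplified approximation of the IOS behaviour rather than its exact algorithm); the server names, thresholds and the timeline in scenario() are constructed.

```python
from dataclasses import dataclass

@dataclass
class RadiusServerState:
    """NAS-side view of one RADIUS server; a simplified model, not IOS code."""
    name: str
    dead_time: int = 30      # radius-server dead-criteria time <seconds>
    dead_tries: int = 3      # radius-server dead-criteria tries <number>
    deadtime_min: int = 5    # radius-server deadtime <minutes>
    alive: bool = True
    failures: int = 0
    first_failure_at: float = None   # set on the first unanswered request
    dead_since: float = None         # set when the server is marked DEAD

    def on_timeout(self, now: float) -> None:
        """No valid response: mark DEAD once both dead-criteria are met."""
        if self.alive:
            if self.first_failure_at is None:
                self.first_failure_at = now
            self.failures += 1
            if (self.failures >= self.dead_tries
                    and now - self.first_failure_at >= self.dead_time):
                self.alive, self.dead_since = False, now

    def on_response(self) -> None:
        """Any reply (Accept or Reject, real or automate-tester probe) means UP."""
        self.alive, self.failures, self.first_failure_at, self.dead_since = True, 0, None, None

    def tick(self, now: float) -> None:
        """Deadtime expiry: the NAS unconditionally marks the server UP."""
        if not self.alive and now - self.dead_since >= self.deadtime_min * 60:
            self.on_response()

def pick_server(servers: list, now: float) -> RadiusServerState:
    """Method-list order, skipping DEAD servers (what deadtime buys you)."""
    for s in servers:
        s.tick(now)
        if s.alive:
            return s
    return servers[0]  # all DEAD: assume the first one is tried anyway

def scenario() -> list:
    # Constructed timeline: RASERV-1 gets no reply 3 times within 10 s, goes
    # DEAD, is skipped for RASERV-2, then comes back once deadtime expires.
    servers = [RadiusServerState(n, dead_time=10, dead_tries=3)
               for n in ("RASERV-1", "RASERV-2")]
    for t in (0, 5, 10):
        pick_server(servers, t).on_timeout(t)
    return [servers[0].alive, pick_server(servers, 11).name,
            pick_server(servers, 310).name]   # [False, 'RASERV-2', 'RASERV-1']
```

Without deadtime every request would first wait out timeout x retransmit on the DEAD server; with it, the second server is selected immediately, and a deadtime that is too short simply re-marks the server DEAD after another round of failed requests.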

Example: handing telnet authentication and authorization to ISE

    aaa authentication login ISE group radius local
    aaa authorization exec ISE group radius local
    # Authentication and authorization both use the ISE method list, which contains the radius group and local authentication
    line vty 0 4
    authorization exec ISE
    login authentication ISE
    transport input telnet
    # telnet login authentication is handed to the ISE method list

Cisco RADIUS official documentation