RADIUS
Overview
Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect to and use a network service.
Vega has a built-in RADIUS client, with which you can connect it to your existing RADIUS service.
Vega can optionally be configured to use a RADIUS server to authenticate users when they log in. On login, the Vega sends the username and password to the configured RADIUS server for verification instead of checking them against a password held locally.
The user's permissions are still held locally on the Vega. There is a 2 second timeout for the RADIUS login: if the Vega does not receive a response from the RADIUS server within 2 seconds, the login fails.
NOTE: Vega does not provide RADIUS server functionality.
Below are the call flows for RADIUS Authentication and Authorization and for RADIUS Accounting:
RADIUS Authentication and Authorization Flow:
RADIUS Accounting Flow:
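The two flows above, worked through at packet level as an added example. This is not Vega's code or part of the original page; it implements the RFC 2865 Access-Request/Access-Accept exchange (User-Password hiding and Response Authenticator check) and the RFC 2866 Accounting-Request/Accounting-Response exchange, with both the client (Vega) side and the server side as plain functions so the exchange runs offline. The shared secret testing123, the user alice and the session id are constructed values, not anything from the Vega configuration.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865 / RFC 2866) and the attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 2, 40, 44
ACCT_STATUS_START = b"\x00\x00\x00\x01"

def encode_attrs(attrs):
    """Serialise [(type, value), ...] as type/length/value; length covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or zero-length attributes."""
    attrs = []
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def build_packet(code, ident, authenticator_bytes, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator_bytes + body

def parse_packet(raw):
    """Return (code, identifier, authenticator, attrs) for a raw RADIUS payload, e.g. one taken from a capture."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("length field does not match the payload")
    return code, ident, raw[4:20], decode_attrs(raw[20:])

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous cipher block)."""
    pad = -len(password) % 16 if password else 16
    padded, out, prev = password + b"\x00" * pad, b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the NUL padding is stripped, so a password must not end in NUL."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the Response Authenticator of
    RFC 2865 and, with a zeroed RequestAuth, the Accounting Request Authenticator of RFC 2866."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

# --- Authentication and Authorization flow: client (Vega side) and server ---
def access_request(ident, username, password, secret):
    request_auth = os.urandom(16)  # must be unpredictable: it keys the password hiding
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle_access(raw, secret, users):
    """Server side: recover the password, decide, and sign the reply with the Response Authenticator."""
    _, ident, request_auth, attrs = parse_packet(raw)
    a = dict(attrs)
    ok = users.get(a.get(USER_NAME)) == reveal_password(a.get(USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(code, ident, authenticator(code, ident, [], request_auth, secret), [])

def client_check_reply(raw, expected_ident, request_auth, secret):
    """Client side: trust only a reply whose Identifier and Response Authenticator match our request."""
    code, ident, resp_auth, attrs = parse_packet(raw)
    expected = authenticator(code, ident, attrs, request_auth, secret)
    if ident != expected_ident or not hmac.compare_digest(resp_auth, expected):
        raise ValueError("reply does not authenticate: wrong shared secret or forged reply")
    return code == ACCESS_ACCEPT

# --- Accounting flow ---
def accounting_request(ident, attrs, secret):
    return build_packet(ACCOUNTING_REQUEST, ident,
                        authenticator(ACCOUNTING_REQUEST, ident, attrs, b"\x00" * 16, secret), attrs)

def server_handle_accounting(raw, secret):
    """Return an Accounting-Response, or None when the Request Authenticator fails (RFC 2866: silently discard)."""
    code, ident, request_auth, attrs = parse_packet(raw)
    if not hmac.compare_digest(request_auth, authenticator(code, ident, attrs, b"\x00" * 16, secret)):
        return None
    return build_packet(ACCOUNTING_RESPONSE, ident,
                        authenticator(ACCOUNTING_RESPONSE, ident, [], request_auth, secret), [])

if __name__ == "__main__":
    # Constructed values: the shared secret, user database and session id are hypothetical.
    secret, users = b"testing123", {b"alice": b"s3cret"}
    req, ra = access_request(1, b"alice", b"s3cret", secret)
    print("login accepted:", client_check_reply(server_handle_access(req, secret, users), 1, ra, secret))
    acct = accounting_request(2, [(USER_NAME, b"alice"), (ACCT_STATUS_TYPE, ACCT_STATUS_START),
                                  (ACCT_SESSION_ID, b"00000001")], secret)
    print("accounting acknowledged:", server_handle_accounting(acct, secret) is not None)
```

Two points the flow diagrams do not make explicit: the shared secret is the only thing protecting the user password in transit and the only thing that authenticates the server's reply, so a reply produced with a different secret (or forged) fails `client_check_reply`, and an Accounting-Request whose authenticator does not verify is dropped by the server without any response, which on the Vega side looks exactly like an unreachable server until the retries are exhausted.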
Configuration
RADIUS configuration is found under the “RADIUS Accounting” option in the “Logging” tab of the Expert Config section (Expert Config -> Logging, then edit “RADIUS Accounting”), as shown below:
As shown in the figure above, the Vega RADIUS Accounting configuration is divided into two parts:
RADIUS Client Configuration
RADIUS Server Configuration
RADIUS Client Configuration
The RADIUS client configuration mainly covers:
The LAN profile (and therefore the IP address) on which the RADIUS client is to run
Hostname
Timer values such as the retry time
Maximum number of retries
Overload Session ID, i.e. the format of the session identifier (Vega-specific format, Cisco VSA format, or another)
RADIUS Server Configuration
As the name suggests, this covers the RADIUS server itself:
IP address or domain name of the RADIUS server
Authentication port
Accounting port
Secret, i.e. the shared secret configured on the RADIUS server. It is the only thing protecting the user password in transit and authenticating the server's replies, so use a long random value and configure the identical value on the server
Enable, to enable that RADIUS server on the Vega
To use RADIUS authentication for user login, RADIUS login must be enabled. If RADIUS login is not set and the user logs in via a console (serial) session, RADIUS authentication is not used:
the user's password is checked against the one configured locally on the Vega. If RADIUS login is set, RADIUS authentication is used for all logins, including serial access. Because this also covers the serial console, and a login fails when the server does not answer within the 2 second timeout, confirm that the RADIUS server is reachable from the chosen LAN profile and that the shared secret matches before enabling it.
RADIUS login configuration is found under the “User Administration” option in the “System” tab of the Expert Config section (Expert Config -> System, then edit “User Administration”), as shown below:
Troubleshooting
You can troubleshoot the RADIUS message flow by filtering a Wireshark packet capture with the display filter "radius". Apart from the User-Password attribute, RADIUS messages are sent in the clear over UDP, so the usernames, attributes, identifiers and authenticators of each request and reply are all visible in the trace.
Vega only has RADIUS client functionality; for the server side, either use an existing RADIUS server, if one is present, or download and install the open source FreeRADIUS from www.freeradius.org.
For how to configure FreeRADIUS with Vega, please refer to VEGA with FreeRadius. Below is a screen capture of a RADIUS Accounting pcap trace: