Configuring and using freeRtr as an AAA appliance. There are many commercial AAA appliances, but they eat huge amounts of CPU, RAM and storage when run in GNS3, and there is a lack of easy-to-use AAA appliances; those offered in the GNS3 store are not handy. Here is an approach to configuring an AAA appliance without going too far into the details of applications, operating systems and software dependencies. Actually, this tiny AAA appliance is available in the GNS3 store; the only things lacking are an easy setup and documentation. No hard feelings about the lacking documentation, if everything else is working perfectly behind the lines.
It makes no difference whether AAA is run using a big commercial appliance or using freeRtr. The protocols and the debugging process are the same; only the configuration differs. Using the approach explained here, the AAA appliance will be ready in 5 minutes, literally. No needless waiting for a GUI to open, no web interfaces, no certificate warnings, no smart browsers preventing you from connecting to the control plane. Everything is done using the command line interface (CLI).
Here freeRtr is used in particular as a RADIUS daemon. The setup covers authentication and authorisation. There are a few ways to configure authorisation; this is the second easy way, assigning a NAS default preset, the priv-lvl. Assigning priv-lvl works with the following NAS or network operating systems:
- IOS (Cisco) Vendor ID = 9
- RGOS (Ruijie networks) Vendor ID = 4881
- EXOS (Extreme networks) Vendor ID = 6307
But because this approach relies on RADIUS Vendor Specific Attributes (VSAs), as explained here it will work only for Cisco IOS. Swapping the Vendor ID and the Vendor type prefix should get you going to migrate this to other vendors. Honestly, I have not tried it out yet.
Terms
These are the technical terms used here. The AAA RADIUS server will be referred to as the AAA daemon:
- AAA daemon - AAA appliance
- NAC - Network Access Client
- NAS - Network Access Server
AAA is either RADIUS or TACACS+. Here AAA stands for RADIUS.
Configuration
This section covers the configuration of the AAA appliance, specifically how to configure authentication and authorisation, and how both parts of the freeRtr configuration work together.
A basic setup: one broadcast domain, with the following IP addressing:
Node | Function | Term | IP address |
---|---|---|---|
node-10 | Telnet client | NAC | 10.100.100.10 |
AAA-49 | RADIUS daemon | daemon | 10.100.100.49/24 |
R101 | IOS router | NAS | 10.100.100.101/24 |
freeRtr
User authentication configuration part:
Authentication
aaa userlist USER-1
username cisco
username cisco anypass
username dos
username dos anypass
username linux
username linux anypass
exit
Using anypass, which accepts any password for the user, is just for the sake of simplicity in this netlab. It is possible to assign a privilege level in this part of the configuration, but that would work only with freeRtr itself as the NAS, not with any other NAS.
RADIUS
This is the RADIUS config, with emphasis on the first 2 integers that are configured; they are the major part to understand within this configuration. This is how it looks on the CLI while actually configuring:
R1-AAA(cfg-server)#vendor
R1-AAA(cfg-server)#vendor ?
<num> - vendor id
R1-AAA(cfg-server)#vendor 9 ?
<num> - vendor type
R1-AAA(cfg-server)#vendor 9 1 ?
<num> - data byte
In the context above, the particular prefix vendor 9 1 is what matters: 9 is the vendor ID of Cisco Systems. Here is one of the sources, cited below:
[...] The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." [...]
Authorisation
The prefix 9 1 is named cisco-avpair. This is the RADIUS configuration part, with a cross-reference to the USER-1 list for authentication:
AAA-49#show running-config server radius RADIUS-1
!
server radius RADIUS-1
security authentication USER-1
authentication USER-1
secret $v10$MTIzLW15X3JhZGl1c19rZXk=
vendor 9 1 70 72 69 76 2d 6c 76 6c 3d 31 34 0a
vrf v1
exit
Well, you may wonder what this binary code is and what it does. It is the priv-lvl=14 setting. priv-lvl=14 was chosen deliberately, so that a configured priv-lvl can be distinguished from the default. The full RADIUS VSA looks like this:
vendor 9 1 70 72 69 76 2d 6c 76 6c 3d 31 34 0a
So how do you get this particular RADIUS configuration line in binary? Setting priv-lvl 15 would be done using the following line:
70 72 69 76 2d 6c 76 6c 3d 31 35 0a
To create the binary line, use a standard GNU tool. Here is an example using od, whose output is fine for copy-pasting into a ready configuration:
Or here is an example using the xxd tool:
Of the two tools shown, od is part of GNU coreutils and xxd is installed with vim-core.
Full configuration
Fully working configuration for freeRtr acting as a RADIUS daemon:
configure
!
hostname AAA-49
!
aaa userlist USER-1
username cisco
username cisco anypass
username linux
username linux anypass
username dos
username dos anypass
exit
!
vrf definition v1
rd 1:1
exit
!
interface ethernet1
vrf forwarding v1
ipv4 address 10.100.100.49 255.255.255.0
no shutdown
no log-link-change
exit
!
proxy-profile p1
vrf v1
exit
!
server radius RADIUS-1
authentication USER-1
secret 123-my_radius_key
vendor 9 1 70 72 69 76 2d 6c 76 6c 3d 31 34 0a
vrf v1
exit
!
client proxy p1
!
end
That is the whole, working configuration. It is mind blowing compared to other AAA appliances: 38 lines and it is finished, with a fully working AAA RADIUS server. That is all that is needed to get this side into full operating mode.
NAS
This is tested using a Cisco IOS NAS. The following router configuration has been used here:
conf t
!
hostname R101
!
interface e0/0
ip address 10.100.100.101 255.255.255.0
no shutdown
exit
!
aaa new-model
!
aaa group server radius AAA
server name AAA-49
!
aaa authentication login VTY group AAA local
aaa authorization exec VTY group AAA
!
radius server AAA-49
address ipv4 10.100.100.49 auth-port 1812 acct-port 1813
key 123-my_radius_key
exit
!
line vty 0 4
transport input telnet
authorization exec VTY
login authentication VTY
exit
!
end
No local users are configured on the IOS router. Credentials and privilege are handled by the RADIUS server. Now, all systems go.
Verify
Here is the debug output run on the participating systems.
NAS
This is the RADIUS debug run during the authentication/authorization phase on the IOS router R101:
*Aug 17 12:36:49.369: AAA/BIND(00000023): Bind i/f
*Aug 17 12:36:49.369: RADIUS/ENCODE(00000023): ask "Username: "
*Aug 17 12:36:49.369: RADIUS/ENCODE(00000023): send packet; GET_USER
*Aug 17 12:36:50.738: RADIUS/ENCODE(00000023): ask "Password: "
*Aug 17 12:36:50.738: RADIUS/ENCODE(00000023): send packet; GET_PASSWORD
*Aug 17 12:36:51.144: RADIUS/ENCODE(00000023):Orig. component type = Exec
*Aug 17 12:36:51.144: RADIUS/ENCODE: Skip encoding 0 length AAA Cisco vsa password
*Aug 17 12:36:51.144: RADIUS/ENCODE(00000023): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Aug 17 12:36:51.144: RADIUS(00000023): Config NAS IP: 0.0.0.0
*Aug 17 12:36:51.144: RADIUS(00000023): Config NAS IPv6: ::
*Aug 17 12:36:51.144: RADIUS/ENCODE(00000023): acct_session_id: 25
*Aug 17 12:36:51.144: RADIUS(00000023): sending
*Aug 17 12:36:51.144: RADIUS/ENCODE: Best Local IP-Address 10.100.100.101 for Radius-Server 10.100.100.49
*Aug 17 12:36:51.144: RADIUS(00000023): Send Access-Request to 10.100.100.49:1812 id 1645/23, len 69
*Aug 17 12:36:51.144: RADIUS: authenticator 65 6B D8 F8 05 BA BC FE - B3 00 6F
*Aug 17 12:36:51.151: RADIUS: User-Name [1] 7 "cisco"
*Aug 17 12:36:51.151: RADIUS: User-Password [2] 18 *
*Aug 17 12:36:51.151: RADIUS: NAS-Port [5] 6 2
*Aug 17 12:36:51.151: RADIUS: NAS-Port-Id [87] 6 "tty2"
*Aug 17 12:36:51.151: RADIUS: NAS-Port-Type [61] 6 Virtual
*Aug 17 12:36:51.151: RADIUS: NAS-IP-Address [4] 6 10.100.100.101
*Aug 17 12:36:51.151: RADIUS(00000023): Sending a IPv4 Radius Packet
*Aug 17 12:36:51.151: RADIUS(00000023): Started 5 sec timeout
*Aug 17 12:36:51.159: RADIUS: Received from id 1645/23 10.100.100.49:1812, Acces
*Aug 17 12:36:51.159: RADIUS: authenticator 18 EE C0 55 C3 C3 E2 3E - 10 DD B3
*Aug 17 12:36:51.159: RADIUS: Reply-Message [18] 12
*Aug 17 12:36:51.159: RADIUS: 73 75 63 63 65 73 73 66 75 6C [ successful ]
*Aug 17 12:36:51.159: RADIUS: Ascend-Client-Second[136] 6
*Aug 17 12:36:51.159: RADIUS: 00 00 00 0E
*Aug 17 12:36:51.159: RADIUS: Vendor, Cisco [26] 19
*Aug 17 12:36:51.159: RADIUS: Cisco AVpair [1] 13 "priv-lvl=14"
*Aug 17 12:36:51.159: RADIUS(00000023): Received from id 1645/23
*Aug 17 12:36:51.159: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
*Aug 17 12:36:51.159: RADIUS: Ascend-Client-Second[136] 6
*Aug 17 12:36:51.159: RADIUS: 00 00 00 0E
*Aug 17 12:36:51.159: AAA/AUTHOR/EXEC(00000023): processing AV priv-lvl=14
*Aug 17 12:36:51.159: AAA/AUTHOR/EXEC(00000023): Authorization successful
The authorisation is working and priv-lvl=14 is set. The AAA appliance sends a successful Reply-Message, which the debug shows both as text and as the HEX bytes actually sent to the NAS. Also the Vendor-Specific attribute, number 26, appears in the debug output; it is the prerequisite for all other VSAs to work correctly.
Verification run from node-10. This is the telnet session:
Trying 10.100.100.101...
Connected to 10.100.100.101.
Escape character is '^]'.
User Access Verification
Username: cisco
Password:
successful
R101#show privilege
Current privilege level is 14
The privilege level is correctly set to 14. So this works. Cool.
RADIUS
On the AAA daemon side the debug output looks like this:
debug servRadiusConn.doer:servRadius.java:229 rx access request id=25 auth= 11 9a 36 f7 a3 43 f7 39 df 02 3f d7 2b 3d 2c a8 user=cisco chap=-1 nasip=10.100.100.101 nasprt=2 service=-1 frnprt=-1 frmadr=null frnnsk=null frmrtr=-1 filter=null mtu=-1 comp=-1 logip=null logserv=-1 logtcp=-1 reply=null cllbck=null callid=null route=null ipx=-1 state=null class=null sestim=-1 idltim=-1 term=-1 called=null calling=null nasid=null latserv=null latmod=null latgrp=null link=-1 net=-1 zone=null portyp=5 prtlim=-1 latprt=null tunTyp=-1 tunMed=-1 tunCln=null tunSrv=null tunAct=null tunPwd=null arpPwd=null arpFtr=null arpZon=-1 arpSec=-1 arpDat=nullpwdTry=-1 prmpt=-1 conInf=null cfgTkn=null eapMsg=null msgAut=null tunPrv=null tunAsg=null tunPrf=-1 arpChl=null actInt=-1 tunLst=-1 nasPoi=tty2 frmPol4=null cui=null frmCln=null frmSrv=null nasFlt=null OrgLin=null frmIfi=null frmPrf=null lgnHst6=null frmRou6=null frmPol6=null errCau=-1 eapKey=null dgsRsp=null dgsRlm=null dgsNon=null dgsAut=null dgsNno=null dgsMet=null dgsUri=nulldgsQop=null dgsAlg=null dgsEnt=null dgsCno=null dgsNoc=null dgsUsr=null dgsOpq=null dgsPrm=null dgsAka=null dgsDom=null dgsStl=null dgsHa1=null sipAor=null delPfx=null mipFtr=-1 mipHom=null oprNam=null locInf=null locDat=null locBas=null locExt=null locCap=-1 locReq=-1 frmMgt=-1 mgtPrt=-1 mgtPol=null mgtPrv=-1 pkmSsc=null pkmCac=null pkmCfg=null pkmCrp=null pkmSai=null pkmSad=null pkmKey=null dslTun=null mobNod=null srvSel=null pmiHom6=null pmiVis6=null pmiHom4=null pmiVis4=null pmiHomH=null pmiVisH=null pmiHomI=null pmiVisI=null pmiHomO=null pmiVisO=null pmiHomD4=null pmiVisD4=null pmiHomD6=null pmiVisD6=null pmiHomG=null pmiVisG=null eapLay=-1 gssNam=null gssHst=null gssSpc=null gssRlm=null frmAdr6=null dnsSrv6=null rouInf6=null delPol6=null staPol6=null 6rdCfg=null alwSta=null eapPer=null eapSrv=null mobDom=-1 preTim=-1 netName=null eapAno=null wlaHes=null wlaVen=-1 wlaLng=null wlaNam=null wlaRea=-1 wlaPai=-1 wlaGrp=-1 wlaAkm=-1 wlaMgt=-1 wlaBnd=-1
debug servRadiusConn.doer:servRadius.java:277 tx access accept id=25 auth= 11 9a 36 f7 a3 43 f7 39 df 02 3f d7 2b 3d 2c a8 user=null chap=-1 nasip=null nasprt=-1 service=-1 frnprt=-1 frmadr=null frnnsk=null frmrtr=-1 filter=null mtu=-1 comp=-1 logip=null logserv=-1 logtcp=-1 reply=successful cllbck=null callid=null route=null ipx=-1 state=null class=null sestim=-1 idltim=-1 term=-1 called=null calling=null nasid=null latserv=null latmod=null latgrp=null link=-1 net=-1 zone=null portyp=-1 prtlim=-1 latprt=null tunTyp=-1 tunMed=-1 tunCln=null tunSrv=null tunAct=null tunPwd=null arpPwd=null arpFtr=null arpZon=-1 arpSec=-1 arpDat=nullpwdTry=-1 prmpt=-1 conInf=null cfgTkn=null eapMsg=null msgAut=null tunPrv=null tunAsg=null tunPrf=-1 arpChl=null actInt=-1 tunLst=-1 nasPoi=null frmPol4=null cui=null frmCln=null frmSrv=null nasFlt=null OrgLin=null frmIfi=null frmPrf=null lgnHst6=null frmRou6=null frmPol6=null errCau=-1 eapKey=null dgsRsp=null dgsRlm=null dgsNon=null dgsAut=null dgsNno=null dgsMet=null dgsUri=nulldgsQop=null dgsAlg=null dgsEnt=null dgsCno=null dgsNoc=null dgsUsr=null dgsOpq=null dgsPrm=null dgsAka=null dgsDom=null dgsStl=null dgsHa1=null sipAor=null delPfx=null mipFtr=-1 mipHom=null oprNam=null locInf=null locDat=null locBas=null locExt=null locCap=-1 locReq=-1 frmMgt=-1 mgtPrt=-1 mgtPol=null mgtPrv=14 pkmSsc=null pkmCac=null pkmCfg=null pkmCrp=null pkmSai=null pkmSad=null pkmKey=null dslTun=null mobNod=null srvSel=null pmiHom6=null pmiVis6=null pmiHom4=null pmiVis4=null pmiHomH=null pmiVisH=null pmiHomI=null pmiVisI=null pmiHomO=null pmiVisO=null pmiHomD4=null pmiVisD4=null pmiHomD6=null pmiVisD6=null pmiHomG=null pmiVisG=null eapLay=-1 gssNam=null gssHst=null gssSpc=null gssRlm=null frmAdr6=null dnsSrv6=null rouInf6=null delPol6=null staPol6=null 6rdCfg=null alwSta=null eapPer=null eapSrv=null mobDom=-1 preTim=-1 netName=null eapAno=null wlaHes=null wlaVen=-1 wlaLng=null wlaNam=null wlaRea=-1 wlaPai=-1 wlaGrp=-1 wlaAkm=-1 wlaMgt=-1 wlaBnd=-1
This debug output is not as readable as the Cisco IOS debug output, but read carefully it is full of useful information and of possible RADIUS settings that could be applied using a RADIUS server setup on freeRtr.
The only interesting line in the output above is this one:
mgtPrv=14
It would be nice if mgtPrv=14 could be set up without using binary only.
Summary
It is amazing how little configuration is needed to set up AAA for GNS3, compared to the amount of time and energy spent on commercial appliances. Additionally, using this example and adjusting it for your own network, you could implement working AAA in a short time, saving a lot of resources.
While configuring RADIUS using freeRtr I have been trying to apply all of these together:
- idletime=60 (in seconds)
- priv-lvl=14
- timeout=60 (in minutes)
But just chaining all of these in one particular line, like this:
vendor 9 1 69 64 6c 65 74 69 6d 65 3d 33 30 70 72 69 76 2d 6c 76 6c 3d 31 35 74 69 6d 65 6f 75 74 3d 36 30
does not work. The router picks the first of the 3 configured AVs, then establishes the session. If you find out how to configure this, write me an email. I really would like to know how to get that working.
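The hex conversion described with od and xxd above, and the chained line just shown, as an added example that is not code from the article or from freeRtr: it renders an AV pair into the vendor 9 1 line format, decodes such a line back to text, and builds and parses the RFC 2865 Vendor-Specific attribute the NAS actually receives. The length fields in the IOS debug above ([26] 19 and [1] 13) correspond to an 11-byte priv-lvl=14 value, i.e. without the trailing 0a byte, and decoding the chained line shows that the NAS receives the three AV pairs as one string with no separator.

```python
import struct

CISCO_VENDOR_ID = 9   # vendor ID of Cisco Systems ("vendor 9" in freeRtr)
CISCO_AVPAIR = 1      # vendor-type 1, named cisco-avpair
VENDOR_SPECIFIC = 26  # RFC 2865 attribute type "Vendor-Specific"


def to_vendor_line(avpair, vendor_id=CISCO_VENDOR_ID, vendor_type=CISCO_AVPAIR):
    """Render an AV pair as a freeRtr 'vendor <id> <type> <hex bytes>' line.
    A trailing newline byte (0a) is appended, matching the article's line."""
    data = (avpair + "\n").encode("ascii")
    return f"vendor {vendor_id} {vendor_type} " + " ".join(f"{b:02x}" for b in data)


def from_vendor_line(line):
    """Decode a freeRtr vendor line back to (vendor id, vendor type, text)."""
    words = line.split()
    if len(words) < 4 or words[0] != "vendor":
        raise ValueError("not a 'vendor <id> <type> <bytes...>' line")
    vendor_id, vendor_type = int(words[1]), int(words[2])
    text = bytes(int(h, 16) for h in words[3:]).decode("ascii")
    return vendor_id, vendor_type, text.rstrip("\n")


def build_vsa(avpair, vendor_id=CISCO_VENDOR_ID, vendor_type=CISCO_AVPAIR):
    """On-wire RFC 2865 Vendor-Specific attribute: Type 26, Length,
    Vendor-Id (4 bytes), then Vendor-Type, Vendor-Length and the value.
    Both length fields include their own 2-byte header, as in the IOS debug."""
    value = avpair.encode("ascii")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 2 + 4 + len(inner), vendor_id) + inner


def parse_vsa(attr):
    """Inverse of build_vsa; rejects an attribute whose length fields disagree."""
    atype, alen, vendor_id = struct.unpack("!BBI", attr[:6])
    if atype != VENDOR_SPECIFIC or alen != len(attr):
        raise ValueError("malformed Vendor-Specific attribute")
    vendor_type, vlen = struct.unpack("!BB", attr[6:8])
    if vlen != len(attr) - 6:
        raise ValueError("vendor-length mismatch")
    return vendor_id, vendor_type, attr[8:].decode("ascii")


if __name__ == "__main__":
    print(to_vendor_line("priv-lvl=15"))          # the line used for priv-lvl 15
    print(parse_vsa(build_vsa("priv-lvl=14")))    # what the NAS decodes
```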
This configuration is very flexible, and using an automation tool of your choice you could set up a swarm of AAA servers for a network in no time. No needless clicking in web interfaces, no GUIs, just CLI.