The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to configure the Remote Access Dial-In User Service (RADIUS) protocol on the Cisco 1000 Series Connected Grid Routers (hereafter referred to as Cisco CG-OS router).
The RADIUS distributed client/server system allows you to secure networks against unauthorized access. In the Cisco implementation, RADIUS clients run on the Cisco CG-OS router and send authentication and accounting requests to a central RADIUS server that contains all user-authentication and network-service access information.
This section includes the following topics:
RADIUS is implemented in a variety of network environments that require high levels of security while maintaining network access for remote users.
You can use RADIUS in the following network environments that require access security:
When a user attempts to log in to a Cisco CG-OS router and authenticate by using a remote RADIUS server, the following process occurs:
1. Server prompts the user for username and password.
2. Cisco CG-OS router sends entered username and encrypted password over the network to the RADIUS server.
3. The user receives one of the following responses from the RADIUS server:
– ACCEPT—Server authenticates the user.
– REJECT—Server does not authenticate the user and the Cisco CG-OS router prompts the user to reenter the username and password, or access is denied.
– CHALLENGE—Server requests and collects additional information from the user.
– CHANGE PASSWORD—Server requests that the user select a new password.
The ACCEPT or REJECT response is bundled with additional data that is used for EXEC or network authorization. You must first complete RADIUS authentication before using RADIUS authorization. The additional data included with the ACCEPT or REJECT packets consists of the following:
An unresponsive RADIUS server can cause a delay in processing AAA requests. You can configure the Cisco CG-OS router to periodically monitor a RADIUS server to check whether it is responding (or alive) to save time in processing AAA requests. The Cisco CG-OS router marks unresponsive RADIUS servers as dead and does not send AAA requests to any dead RADIUS servers. The Cisco CG-OS router periodically monitors the dead RADIUS servers and marks them as in the alive state when they respond. This monitoring process verifies that a RADIUS server is in a working state before real AAA requests are sent its way.
Whenever a RADIUS server changes to the dead state, the Cisco CG-OS router displays an error message that a failure is taking place. Figure 2-1 shows the RADIUS server states.
Figure 2-1 RADIUS Server States
Note The Cisco CG-OS router performs RADIUS server monitoring by sending a test authentication request to the RADIUS server. (See Configuring Periodic RADIUS Server Monitoring.)
The Internet Engineering Task Force (IETF) draft standard specifies attribute 26 as the method for communicating Vendor-Specific Attributes (VSAs) between the network access server and the RADIUS server. VSAs allow vendors to support their own extended attributes that are not suitable for general use.
The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:
The protocol is a Cisco attribute for a particular type of authorization, the separator is an equal (=) sign for mandatory attributes, and an asterisk (
*)
indicates optional attributes.
When you use RADIUS servers for authentication on a Cisco CG-OS router, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, with authentication results. This authorization information is specified through VSAs.
Cisco CG-OS software supports the following VSA protocol options:
Cisco CG-OS software supports the following attributes:
The following examples show the roles attribute that is supported by FreeRADIUS:
Note When you specify a VSA as shell:roles*"network-operator vdc-admin" or "shell:roles*\"network-operator vdc-admin\"", this VSA is flagged as an optional attribute and other Cisco devices ignore this attribute.
Obtain IPv4 or IPv6 addresses or hostnames for the RADIUS servers.
Obtain keys from the RADIUS servers.
Ensure that the Cisco CG-OS router is is recognized as a RADIUS client on the AAA servers.
You can configure a maximum of 64 RADIUS servers on the Cisco CG-OS router.
When you have a user account configured on the local Cisco CG-OS router that has the same name as a remote user account on an AAA server, Cisco CG-OS software applies the user roles for the local user account to the remote user, instead of the user roles configured on the AAA server.
This section includes the following topics:
To configure RADIUS servers, follow these steps:
Step 2 Configure the RADIUS secret keys for the RADIUS servers. (See Configuring Global RADIUS Keys.)
Step 3 If needed, configure RADIUS server groups with subsets of the RADIUS servers for AAA authentication methods. (See Configuring RADIUS Server Groups and Configuring AAA.)
Step 4 When needed, configure any of the following optional parameters:
Step 5 (Optional) Configure periodic RADIUS server monitoring. (See Configuring Periodic RADIUS Server Monitoring.)
To access a remote RADIUS server, you must define the IP address or hostname of the RADIUS server on the Cisco CG-OS router. You can configure up to 64 RADIUS servers.
Note • By default, when you define a RADIUS server IP address or hostname on the Cisco CG-OS router, the RADIUS server becomes a member of the default RADIUS server group.
Ensure that the server is a member of a server group. Refer to Configuring RADIUS Server Groups.
Ensure that the server is configured to authenticate RADIUS traffic.
Ensure that the Cisco CG-OS router is recognized as a RADIUS client on the AAA servers.
This example shows how to define an IPv4 address or hostname for those RADIUS servers that the
Cisco CG-OS router wants to access.
You can configure RADIUS keys for all servers used by the Cisco CG-OS router. A RADIUS key is a shared secret text string between the Cisco CG-OS router and the RADIUS server hosts. To configure a RADIUS key specific to a RADIUS server, see Configuring a Key for a Specific RADIUS Server.
This example shows how to configure a global key for all RADIUS servers with which the Cisco CG-OS router communicates.
You can configure a key on the Cisco CG-OS router for a specific RADIUS server. A RADIUS key is a secret text string shared between the Cisco CG-OS router and a specific RADIUS server.
Configure one or more RADIUS server hosts. (See Configuring RADIUS Servers.)
You can specify one or more remote AAA servers for authentication using server groups. All members of a group must use the RADIUS protocol. The Cisco CG-OS router contacts the servers in the order in which they are configured. You can configure up to 100 server groups on the Cisco CG-OS router.
You can configure these server groups at any time but they only take effect when you apply them to an AAA service. For information on AAA services, see Remote AAA Services.
Creates a RADIUS server group and enters the RADIUS server group configuration submode for that group. The group-name argument is a case-sensitive alphanumeric string with a maximum length of 127 characters. |
||
Configures the RADIUS server as a member of the RADIUS server group. |
||
(Optional) Configures the monitoring dead time. The range is from 1 through 1440. The default is 0 minutes. Note When the dead-time interval for a RADIUS server group is greater than zero (0), that value takes precedence over the global dead-time value. (See Configuring the Dead-Time Interval.) |
||
(Optional) Configures a source interface to access the RADIUS servers in the server group. You can use Ethernet, cellular, and WiMax interfaces, and loopback interfaces. The default is the global source interface. (See Configuring the Global Source Interface for RADIUS Server Groups.) |
||
(Optional) Copies the running configuration to the startup configuration. |
You can configure a global source interface for RADIUS server groups to use when accessing RADIUS servers. To configure a different source interface for a specific RADIUS server group, see Configuring RADIUS Server Groups. By default, Cisco CG-OS software uses any available interface.
You can configure a global retransmission retry count and timeout interval for all RADIUS servers. By default, a Cisco CG-OS router retries transmission to a RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server.
The timeout interval determines how long the Cisco CG-OS router waits for responses from RADIUS servers before declaring a timeout failure.
This example shows how to configure the global RADIUS parameters, transmission retry count and timeout interval.
By default, the Cisco CG-OS router retries a transmission to a RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server. You can also set a timeout interval that the Cisco CG-OS router waits for responses from RADIUS servers before declaring a timeout failure and reporting it to the system log.
Configure at least one RADIUS server. (See Configuring RADIUS Servers.)
This example shows how to configure the RADIUS parameters, transmission retry count and timeout interval, for a specific server.
You can specify that a RADIUS server only be used for accounting purposes or only be used for authentication purposes. By default, RADIUS servers perform both accounting and authentication.
You can also specify the destination UDP port numbers for RADIUS accounting and authentication messages when there is a conflict with the default port.
Configure at least one RADIUS server. (See Configuring RADIUS Servers.)
This example shows how to configure one RADIUS server to perform only accounting and another to perform only authentication.
You can monitor the availability of RADIUS servers. These parameters include the username and password to use for the server and an idle timer.
The idle timer specifies the interval during which a RADIUS server receives no requests before the
Cisco CG-OS router sends out a test packet. You can configure this option to test servers periodically.
Note For security reasons, Cisco recommends that you do not configure a test username that is the same as an existing user name in the RADIUS database.
Note The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, the Cisco CG-OS router does not perform periodic RADIUS server monitoring.
Configure at least one RADIUS server. (See Configuring RADIUS Servers.)
You can configure the dead-time interval for all RADIUS servers. The dead-time interval specifies the time that the Cisco CG-OS router waits after declaring a RADIUS server as dead, before sending out a test packet to determine if the server is now alive. The default value is 0 minutes.
Note When the dead-time interval is 0 minutes, RADIUS servers are not marked as dead even if they are not responding. You can configure the dead-time interval for a RADIUS server group. (See Configuring RADIUS Server Groups.)
Configure at least one RADIUS server. (See Configuring RADIUS Servers.)
You can manually issue a test message to a RADIUS server or to a server group.
Configure at least one RADIUS server and server group. (See Configuring RADIUS Servers and Configuring RADIUS Server Groups.)
To display RADIUS configuration information, enter any or all of the following commands.
For detailed information about the fields in the output from these commands, see the
Command Lookup Tool
on Cisco.com.
Configure at least one RADIUS server. (See Configuring RADIUS Servers.)
You can now configure AAA authentication methods to include the RADIUS server groups. (See Chapter 4, “Configuring AAA”.)