Cisco Crosswork Network Controller 7.2 Administration Guide

PDF

Configure RADIUS servers

Want to summarize with AI?

Log in

Configure RADIUS server settings in Crosswork Network Controller to define authentication priority and connection details for external user authentication.


Crosswork uses RADIUS (Remote Authentication Dial-In User Service) servers to authenticate users. You can integrate Crosswork with applications such as Cisco Identity Services Engine (ISE) for RADIUS-based authentication.

Before you begin

  • Create a Device Access Group to manage access for AAA operations.

  • In the RADIUS server (standalone or Cisco ISE), configure required parameters such as user role, device access group attribute, shared secret format, and shared secret value before adding the server to Crosswork Network Controller.

  • For details on configuring Cisco ISE, refer to the latest Cisco Identity Services Engine Administrator Guide.

Follow these steps to configure RADIUS servers:

Procedure

1.

From the main menu, select Administration > AAA > Servers > RADIUS .

2.

To add a new RADIUS server: Click Add icon, enter required details (see RADIUS field descriptions), and click Add.

3.

To edit an existing RADIUS server: Select the server you want to edit, click Edit icon, update required information, and click Update.

4.

To delete a RADIUS server: Select the server you want to delete, click Delete icon, and confirm deletion.

5.

Click Save to apply the configuration. When prompted with a warning about restarting the server, click Save changes to confirm.

RADIUS authentication servers are added, updated, or removed as configured. Crosswork uses these servers for user and device authentication.

What to do next

Test user authentication with the updated RADIUS server settings to confirm successful configuration.

RADIUS field descriptions

The following table describes the key fields required when configuring a RADIUS server in Crosswork Network Controller:
Table 1. RADIUS field descriptions

Field

Description

Authentication order

Specify a unique priority value to assign precedence in the authentication request. The order can be any number between 10 to 99. Below 10 are system reserved.

By default, 10 is selected.

IP address

Enter the IP address of the RADIUS server (if IP address is selected).

DNS name

Only IPv4 DNS name is supported (if DNS name is selected).

Port

The default RADIUS port number is 1645.

Shared secret format

Shared secret for the active RADIUS server. Select ASCII or Hexadecimal.

Shared secret / Confirm shared secret

Plain-text shared secret for the active RADIUS server. The format of the text entered must match with the format selected (ASCII or Hexadecimal).

For Crosswork to communicate with the external authentication server, the Shared Secret parameter you enter on this screen must match with the shared secret value configured on the RADIUS server.

Service

Enter the value of the service you are attempting to gain access to.

The service field is an attribute that tells the RADIUS server what type of network service the user is trying to access. It allows the RADIUS server to distinguish between different types of access, such as:

  • Login access (e.g., device CLI, SSH, console)

  • Network access (e.g., PPP, SLIP)

For example, the "raccess" value is a service type used in the service field of an authorization request. It stands for Remote Access and is typically used when a user is requesting remote administrative access.

Policy ID

Enter the user role that you created in the RADIUS server. The Policy ID is a unique key used by the RADIUS server to identify and retrieve the user role assigned to an authenticated user. This value must exactly match the user role you configured on the RADIUS server.

In Crosswork Network Controller, this field corresponds to the policy_id.

Note

If you try to login to Crosswork Network Controller as a RADIUS user before creating the required user role, you will get the error message: "Key not authorized: no matching policy". If this occurs, close the browser. Login as a local admin user and create the missing user roles in the RADIUS server, and login back to Crosswork using the RADIUS user credentials.

Device access group attribute

Enter the device access group attribute value based on the key used for the device access group in the RADIUS server attributes. These values can be one or more comma-separated entries.

In a RADIUS context, the Device Access Group attribute is typically a custom or authorization attribute that the RADIUS server sends back to the network device. This attribute specifies which group of network devices or which level of device access policy applies to the authenticated user. The Device Access Group attribute works in sync with the policy id to define user permissions across devices.

Retransmit timeout

Enter the timeout value. Maximum timeout is 30 seconds.

Retries

Specify the number of authentication retries allowed.

Authentication type

Select the authentication type for RADIUS:

  • PAP: Password-based authentication is the protocol where two entities share a password in advance and use the password as the basis of authentication.

  • CHAP: Challenge-Handshake Authentication Protocol requires that both the client and server know the plain text of the secret, although it is never sent over the network. CHAP provides greater security than Password Authentication Protocol (PAP).