
Switch Login Via SSH w/FreeRadius

Information
Below is an example of setting up SSH authentication via FreeRADIUS with an HPN switch
(Comware 5 & 7 and ProVision).

Installation of FreeRADIUS under Ubuntu


sudo apt-get install freeradius

How to find the installation directory of FreeRADIUS and the ports it listens on
(the -p option of netstat is what shows the PID/program column):

simware@simware:~$ sudo find / -name clients.conf 2> /dev/null
/etc/freeradius/clients.conf

simware@simware:~$ sudo netstat -lunp | grep freeradius
udp 0 0 127.0.0.1:18120 0.0.0.0:* 6177/freeradius
udp 0 0 0.0.0.0:1812 0.0.0.0:* 6177/freeradius
udp 0 0 0.0.0.0:1813 0.0.0.0:* 6177/freeradius
udp 0 0 0.0.0.0:1814 0.0.0.0:* 6177/freeradius
simware@simware:~$

Edit the clients.conf file

Add a client entry with the IP address of the switch and the RADIUS shared secret
(the same secret is configured on the switch as the key of the RADIUS scheme):

/etc/freeradius/clients.conf

client localhost {
    ipaddr = 127.0.0.1
    secret = testing123          # used by the radtest checks below
    require_message_authenticator = no
}
# the switch (NAS); the secret must match the key configured on the switch
client switch {
    ipaddr = 1.1.1.2
    secret = orange
    shortname = switch
}
Edit the users file and add the users with their access attributes. The first line of
an entry holds the check items (user name and password); the indented lines that follow
are the reply attributes, separated by commas, with no comma after the last one.

/etc/freeradius/users

comware7 Cleartext-Password := "password"
    Service-Type = NAS-Prompt-User,
    Login-Service = Telnet,
    Cisco-AVPair = "shell:roles=\"network-admin\"",
    # Cisco-AVPair = "shell:roles=\"network-operator\"",
    Cisco-AVPair += "shell:priv-lvl=15"

comware5 Cleartext-Password := "password"
    Service-Type = NAS-Prompt-User,
    Login-Service = Telnet,
    # 3Com-User-Access-Level = 3Com-Administrator,
    3Com-User-Access-Level = 3,
    Auth-Type = System

# ProVision users, written in users-file syntax: the user name is the first field,
# the password is the Cleartext-Password check item, and NAS-Port-Type is a check
# item as well (hence ==), so only requests arriving on a virtual port match.
provision-admin Cleartext-Password := "password", NAS-Port-Type == Virtual
    Service-Type = Administrative-User

provision-operator Cleartext-Password := "password", NAS-Port-Type == Virtual
    Service-Type = NAS-Prompt-User

Verify that the attributes used for the users are defined in the RADIUS dictionary:
sudo vi /usr/share/freeradius/dictionary.3com

ATTRIBUTE   3Com-User-Access-Level   1   integer

# Read-only access to basic network tools (ping, etc)
VALUE   3Com-User-Access-Level   3Com-Visitor         0
# Read-only access to manageable (not security) parameters
VALUE   3Com-User-Access-Level   3Com-Monitor         1
# Read-write access to manageable (not security) parameters
VALUE   3Com-User-Access-Level   3Com-Manager         2
# Read-write access to all manageable parameters
VALUE   3Com-User-Access-Level   3Com-Administrator   3

Verify that the vendor RADIUS attribute file is included from the main dictionary file:
sudo grep dictionary.3com /usr/share/freeradius/dictionary
$INCLUDE dictionary.3com
For SSH authentication edit the following files:
sudo vi /usr/share/freeradius/dictionary.rfc2865
# Login Services
# add the following line:
VALUE   Login-Service   SSH   50

Then, in the users file (/usr/local/etc/raddb/users; on the Ubuntu package installation
above it is /etc/freeradius/users), replace the Login-Service reply item of the user with
the new value:
# can't have both telnet and ssh
Login-Service = SSH
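The users file and the dictionary have to agree: a reply item that names a value the dictionary does not define (for example a misspelt 3Com-User-Access-Level or a Login-Service value that was never added) fails at server start or in debug output. The following added example (not code from the page) parses VALUE lines from dictionary text and checks the reply items of users-file entries against them; the dictionary and users text are constructed inline from the fragments shown above.

```python
"""Check that the named values a FreeRADIUS users file hands out in reply items
are defined in the dictionary. Added example, not code from the page; the
dictionary and users text is constructed inline from the fragments shown above."""
import re

# Constructed: dictionary.3com plus the Login-Service SSH value the page adds.
DICTIONARY = """\
ATTRIBUTE 3Com-User-Access-Level 1 integer
VALUE 3Com-User-Access-Level 3Com-Visitor 0
VALUE 3Com-User-Access-Level 3Com-Monitor 1
VALUE 3Com-User-Access-Level 3Com-Manager 2
VALUE 3Com-User-Access-Level 3Com-Administrator 3
VALUE Login-Service Telnet 0
VALUE Login-Service SSH 50
"""

# Constructed users entries; "operator" uses a value that does not exist.
USERS = """\
comware5 Cleartext-Password := "password"
\tService-Type = NAS-Prompt-User,
\tLogin-Service = SSH,
\t3Com-User-Access-Level = 3
operator Cleartext-Password := "password"
\t3Com-User-Access-Level = 3Com-Guest
"""

def parse_values(dictionary):
    """Map attribute -> {value name (lower-cased): number} from VALUE lines."""
    values = {}
    for attr, name, num in re.findall(r"^VALUE\s+(\S+)\s+(\S+)\s+(\d+)\s*$", dictionary, re.M):
        values.setdefault(attr, {})[name.lower()] = int(num)
    return values

def check_users(users, values):
    """Return (user, attribute, value) for each reply item naming a value the dictionary
    lacks. Numbers pass as-is; attributes without VALUE lines (Service-Type) are skipped."""
    problems, user = [], None
    for raw in users.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():       # unindented line: check items, user name first
            user = raw.split()[0]
            continue
        m = re.match(r'\s*(\S+)\s*\+?=\s*"?([^",]+)"?', raw)
        if not m or m.group(1) not in values:
            continue
        attr, val = m.groups()
        if not val.isdigit() and val.lower() not in values[attr]:
            problems.append((user, attr, val))
    return problems
```

Run check_users(USERS, parse_values(DICTIONARY)) against the real /usr/share/freeradius/dictionary.* and /etc/freeradius/users contents to get the list of undefined values before restarting the server.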

Stop the FreeRADIUS service and start the process in the foreground with debugging enabled
(the debug session is ended with CTRL + C):

sudo /etc/init.d/freeradius stop
sudo freeradius -f -X

Start the FreeRADIUS service again from another terminal session (after ending the debug
session, since both processes would bind the same UDP ports):

sudo /etc/init.d/freeradius start

Much more debug detail can be obtained with the following command:
sudo freeradius -XXX

Open another terminal session to the RADIUS server; the first one is used to watch the
debug output. Test that FreeRADIUS works correctly with "radtest", without involving the switch:

sudo radtest comware5 password localhost 0 testing123

sudo radtest comware7 password localhost 0 testing123

The output of these commands:

simware@simware:/tmp$ sudo radtest comware5 password localhost 0 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 1812
        User-Name = "comware5"
        User-Password = "password"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=74, length=44
        Service-Type = NAS-Prompt-User
        Login-Service = Telnet
        3Com-User-Access-Level = 3Com-Administrator
simware@simware:/tmp$
simware@simware:/tmp$ sudo radtest comware7 password localhost 0 testing123
Sending Access-Request of id 19 to 127.0.0.1 port 1812
        User-Name = "comware7"
        User-Password = "password"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=19, length=61
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:roles=\"network-admin\""
simware@simware:/tmp$
Configuration example for the Comware 5 devices:

#
 sysname comware5
#
local-user admin
 password simple admin
 authorization-attribute level 3
 service-type ssh telnet terminal
#
radius scheme freeradius
 server-type extended
 primary authentication 1.1.1.1
 primary accounting 1.1.1.1
 key authentication orange
 key accounting orange
 user-name-format without-domain
#
domain freeradius
 authentication default radius-scheme freeradius local
 authorization default radius-scheme freeradius local
 accounting default radius-scheme freeradius local
 authentication login radius-scheme freeradius
 authorization login radius-scheme freeradius
 accounting login radius-scheme freeradius local
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
 accounting optional
#
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
#
 domain default enable freeradius
Configuration example for the Comware 7 devices:

#
 sysname comware7
#
local-user admin
 password simple admin
 authorization-attribute level 3
 service-type ssh telnet terminal
#
line vty 0 63
 authentication-mode scheme
 user-role network-operator
 undo user-role network-admin
#
radius scheme freeradius
 primary authentication 1.1.1.1 key simple orange
 primary accounting 1.1.1.1 key simple orange
 accounting-on enable
 user-name-format without-domain
#
domain freeradius
 authentication login radius-scheme freeradius
 authorization login radius-scheme freeradius
 accounting login radius-scheme freeradius
#
 domain default enable freeradius
Configuration example for the ProVision devices:

hostname provision-sw
!
! "none" as the secondary method means no authentication at all when the
! RADIUS server does not answer; "local" falls back to the switch's own
! operator/manager accounts instead.
aaa authentication telnet login radius none
aaa authentication telnet enable radius none
aaa authentication ssh login radius none
aaa authentication ssh enable radius none
!
! With all newer (>2600) ProCurve switches, the switch can be
! instructed to respect the Service-Type sent
! back from the RADIUS server.
aaa authentication login privilege-mode

Paths of other RADIUS dictionary files

/usr/share/freeradius/dictionary
/usr/share/freeradius/dictionary.3com
/usr/share/freeradius/dictionary.colubris
/usr/share/freeradius/dictionary.h3c
/usr/share/freeradius/dictionary.hp
/usr/share/freeradius/dictionary.huawei
1.1 Syslog and the FreeRADIUS server
To enable and send events to a syslog server, the following files must be modified:

The "radiusd.conf" file must be modified if you want the results of failed or successful
authentications. By default nothing is logged ("auth = no, auth_badpass = no,
auth_goodpass = no"; these must be changed to "yes").
The parameters "auth_badpass" and "auth_goodpass" also display the password that was
entered by the user.

sudo vi /etc/freeradius/radiusd.conf

< . . . >
log {
    destination = files          # "syslog" sends the messages to the local syslog daemon instead
    file = ${logdir}/radius.log
    syslog_facility = daemon     # facility used when destination = syslog
    stripped_names = no
    auth = yes                   # log "Login OK" / "Login incorrect" results
    auth_badpass = no            # "yes" writes the rejected password to the log
    auth_goodpass = no           # "yes" writes the accepted password to the log
}
< . . . >

Output of the logging in case of a good and a bad authentication:

sudo more /var/log/freeradius/radius.log | grep Auth

Example output:
simware@simware:~$ sudo more /var/log/freeradius/radius.log | grep Auth
Fri Dec 5 02:35:06 2014 : Auth: Login OK: [comware5] (from client localhost port 0)
Fri Dec 5 02:35:27 2014 : Auth: Login OK: [comware7] (from client localhost port 0)
Fri Dec 5 02:39:39 2014 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [comware7] (from client localhost port 0)
simware@simware:~$
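The Auth lines above are the record of every switch login that went through the server, so they are the natural input for spotting repeated failed logins against a switch. The following added example (not code from the page) parses that line format and reports NAS clients with many failures and successes that followed them; the log lines in it are constructed to mirror the format shown, not captured from a server.

```python
"""Parse the Auth lines FreeRADIUS writes to radius.log (format shown above) and flag
repeated failed logins per NAS client. Added example; sample log lines are constructed."""
import re
from collections import Counter

AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: \[(?P<user>[^\]]*)\]"
    r" \(from client (?P<client>\S+) port (?P<port>\d+)\)$"
)

# Constructed sample: the "switch" client fails three times, then a login succeeds.
SAMPLE_LOG = """\
Fri Dec  5 02:35:06 2014 : Auth: Login OK: [comware5] (from client localhost port 0)
Fri Dec  5 02:39:39 2014 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [comware7] (from client localhost port 0)
Fri Dec  5 02:40:01 2014 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [comware7/guess1] (from client switch port 0)
Fri Dec  5 02:40:05 2014 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [comware7/guess2] (from client switch port 0)
Fri Dec  5 02:40:09 2014 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [admin/guess3] (from client switch port 0)
Fri Dec  5 02:41:00 2014 : Auth: Login OK: [comware7] (from client switch port 0)
"""

def parse_auth_line(line):
    """Return a dict for one Auth line, or None. With auth_badpass = yes the server logs
    "[user/password]"; the password part is dropped so reports never carry it."""
    m = AUTH_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = rec["user"].split("/", 1)[0]
    rec["ok"] = rec.pop("result") == "OK"
    return rec

def failed_logins_by_client(lines, threshold=3):
    """Count failed logins per NAS client; return those at or above threshold."""
    fails = Counter()
    for rec in filter(None, map(parse_auth_line, lines)):
        if not rec["ok"]:
            fails[rec["client"]] += 1
    return {client: n for client, n in fails.items() if n >= threshold}

def accepted_after_failures(lines):
    """(client, user) pairs where a success followed earlier failures from the same client."""
    failed, hits = set(), []
    for rec in filter(None, map(parse_auth_line, lines)):
        if not rec["ok"]:
            failed.add(rec["client"])
        elif rec["client"] in failed:
            hits.append((rec["client"], rec["user"]))
            failed.discard(rec["client"])
    return hits
```

Feed it the real file with failed_logins_by_client(open("/var/log/freeradius/radius.log")) to get the same report for the server above.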
