FreeRADIUS-Based User Authentication with Asterfusion SONiC Campus Access Switches
written by Asterfusion
What are RADIUS and FreeRADIUS?
RADIUS (Remote Authentication Dial-In User Service) is a network protocol for authenticating dial-up and other network access requests. RADIUS provides centralized authentication, authorization and accounting (AAA) for controlling access to network resources, so all user configuration information can be kept in one central database and shared across the network.
FreeRADIUS is an open-source, modular, high-performance and feature-rich suite of RADIUS programs, including a server, clients, development libraries and related RADIUS tools. It was the first open-source RADIUS implementation, and its source code compiles and installs on almost any system. It is also designed for large-scale AAA server deployments (10 million users and millions of requests per day).
How to configure a FreeRADIUS server?
Before starting, we need a server with the required services and software installed. Note that FreeRADIUS has no web UI of its own, so we use the third-party tool DaloRADIUS as the management interface.
- Server: KVM, 2 vCPU + 2 GB vMem + 8 GB disk
- OS: CentOS Linux release 7.8.2003
- Database: PostgreSQL 15.4
- Web (httpd): v2.4.6
- PHP: v5.4.16
- FreeRADIUS: v3.0.13
- DaloRADIUS: v1.3
Configurations
Basic configurations on server
- Disable SELinux so that it does not block web access.
# setenforce 0
# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
- Disable the firewall so that the server is reachable from outside once installation is complete.
# systemctl stop firewalld && systemctl disable firewalld
- Configure the YUM base, EPEL and PostgreSQL repositories
# mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
# wget -P /etc/yum.repos.d/ https://mirrors.163.com/.help/CentOS7-Base-163.repo
# yum clean all
# yum makecache
# yum install epel-release -y
# yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm
- Download the DaloRADIUS installation package (into a directory, so that it can be unpacked from /tmp/freeradius in a later step)
# mkdir -p /tmp/freeradius && wget https://codeload.github.com/lirantal/daloradius/tar.gz/refs/tags/1.3 -O /tmp/freeradius/daloradius-1.3.tar.gz
Install & configure database
# yum install -y mariadb-server mariadb
# systemctl start mariadb
# systemctl enable mariadb
# mysql_secure_installation
# mysql -u root -p
MariaDB [(none)]> create database radius;
MariaDB [(none)]> grant all on radius.* to radius@localhost identified by 'radius';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit
Install & configure Web & PHP service
# yum install -y httpd
# systemctl enable httpd
# systemctl start httpd
# yum install -y php php-mysql php-pear php-devel php-common php-gd php-mbstring php-mcrypt php-xml php-pear-DB
# systemctl restart httpd
Install & configure FreeRADIUS
# yum install -y freeradius freeradius-utils freeradius-mysql
# systemctl start radiusd.service
# systemctl enable radiusd.service
# mysql -u root -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
# vim /etc/raddb/mods-available/sql
# cat /etc/raddb/mods-available/sql | grep -v ^#
sql {
    # The sub-module to use to execute queries. This should match
    # the database you're attempting to connect to.
    #
    # * rlm_sql_mysql
    # * rlm_sql_mssql
    # * rlm_sql_oracle
    # * rlm_sql_postgresql
    # * rlm_sql_sqlite
    # * rlm_sql_null (log queries to disk)
    #
    driver = "rlm_sql_mysql"
    # The dialect of SQL you want to use, this should usually match
    # the driver you selected above.
    #
    # If you're using rlm_sql_null, then it should be the type of
    # database the logged queries are going to be executed against.
    dialect = "mysql"
    # Connection info:
    #
    server = "localhost"
    port = 3306
    login = "radius"
    password = "radius"
    # Database table configuration for everything except Oracle
    radius_db = "radius"
}
# ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/sql   (radiusd only loads modules linked into mods-enabled)
# chgrp -h radiusd /etc/raddb/mods-enabled/sql
# systemctl restart radiusd.service
Install & configure DaloRADIUS
# cd /tmp/freeradius
# tar xvf daloradius-1.3.tar.gz
# mv daloradius-1.3/ /var/www/html/daloradius
# chown -R apache:apache /var/www/html/daloradius
# cd /var/www/html/daloradius/
# mv library/daloradius.conf.php.sample library/daloradius.conf.php
# chmod -R 644 library/daloradius.conf.php
# mysql -u root -p radius < /var/www/html/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
# mysql -u root -p radius < /var/www/html/daloradius/contrib/db/mysql-daloradius.sql
# vim library/daloradius.conf.php
# cat library/daloradius.conf.php
……
$configValues['FREERADIUS_VERSION'] = '2';
$configValues['CONFIG_DB_ENGINE'] = 'mysqli';
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'radius';
$configValues['CONFIG_DB_NAME'] = 'radius';
# systemctl restart httpd
After completing the steps above, we can verify the installation by visiting http://freeradius-ip/daloradius/ (substituting the server's address); the default username/password is administrator/radius.
How to configure SONiC AAA authentication using Freeradius server?
We now have a working FreeRADIUS server, so it is time to set up the network and enable user access authentication. First, let's look at the basic deployment environment. We drew a detailed schematic and summarized the switches involved, the server parameters and the software in the table below.

| Item | Role | OS | Software |
|---|---|---|---|
| Asterfusion CX204Y-48GT-M | Spine switch (Spine 1) | AsterNOS V5.2R006 | / |
| Asterfusion CX204Y-48GT-M | Leaf switch (Leaf 3) | AsterNOS V5.2R006 | / |
| 2-core vCPU, 2G vMemory (Linux bridge) | Access terminal (PC) | CentOS Linux release 7.8.2003 | / |
| 2-core vCPU, 2G vMemory (Ethernet interface passthrough) | AAA authentication server | CentOS Linux release 7.8.2003 | FreeRADIUS v3.0.13, daloRADIUS v1.3, DHCP v4.2.5 |
Asterfusion SONiC Campus Access Switches Overview
Asterfusion CX-M series switches are SONiC-based switches for campus access and enterprise data centers. With the full-featured, enterprise-ready SONiC distribution AsterNOS, a highly scalable and reliable network can be built from just 2-3 commodity single-chip switch SKUs; moreover, after simple peer configuration, the entire large-scale campus network can be treated as one virtual device, and the remaining configuration is synchronized automatically.
We have also provided an unboxing and disassembly video of a PoE switch in the CX-M series. If you are interested, please visit our website (cloudswit.ch) and help portal (help.cloudwit.ch).
Now, back to FreeRADIUS. You will soon find that configuring user authentication in an Asterfusion SONiC-based campus access network is not hard.
Configurations on FreeRADIUS Server
Check the RADIUS server status and make sure it is running normally.
Add the NAS device
Add a user account (user 03)
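The two daloRADIUS steps above, together with the SQL-backed FreeRADIUS setup from the previous section, boil down to rows in the `nas` and `radcheck` tables of the schema loaded earlier. The script below is an added example, not code from the article, from FreeRADIUS or from daloRADIUS: it generates those rows, checks the shared secret, and verifies the account with `radtest` from the freeradius-utils package installed above. The NAS address 172.24.20.17 and secret "asteros" are the values the article later configures on the switch; the username "user03" and its password are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the Asterfusion article, FreeRADIUS or daloRADIUS):
# emit the SQL behind the "Add NAS device" and "Add user account" steps and
# test the result against the local radiusd.
# Assumed values: username "user03" and the password below; NAS 172.24.20.17
# and secret "asteros" are the switch-side values used in the article.

# Double any single quote so a value is safe inside an SQL string literal.
sql_quote() {
  printf '%s' "$1" | sed "s/'/''/g"
}

# SQL that registers a switch as a RADIUS client. radiusd ignores (and logs)
# requests from addresses with no entry, so nasname must be the address the
# switch sends from: the "source" address in its dot1x radius-server command.
nas_sql() {   # $1=NAS IP  $2=short name  $3=shared secret
  printf "INSERT INTO nas (nasname, shortname, type, secret, description) VALUES ('%s', '%s', 'other', '%s', 'SONiC access switch');\n" \
    "$(sql_quote "$1")" "$(sql_quote "$2")" "$(sql_quote "$3")"
}

# SQL that creates a user. Cleartext-Password lets the server answer PAP,
# CHAP and MS-CHAP(v2) requests from the stored value.
user_sql() {  # $1=username  $2=password
  printf "INSERT INTO radcheck (username, attribute, op, value) VALUES ('%s', 'Cleartext-Password', ':=', '%s');\n" \
    "$(sql_quote "$1")" "$(sql_quote "$2")"
}

# Reject the stock FreeRADIUS example secret and anything shorter than 16
# characters; exit status 0 means the secret is acceptable.
secret_ok() {
  [ "$1" != "testing123" ] && [ "${#1}" -ge 16 ]
}

# Send an Access-Request to the local radiusd; radtest exits 0 only on
# Access-Accept. 'testing123' is the secret of the localhost client in the
# default /etc/raddb/clients.conf. The switch's own secret is only valid for
# requests arriving from the switch's address.
verify_user() {  # $1=username  $2=password
  radtest "$1" "$2" 127.0.0.1 0 testing123 >/dev/null 2>&1
}

# Usage: load the rows, restart radiusd so the new NAS entry is read, test.
#   { nas_sql 172.24.20.17 leaf03 asteros; user_sql user03 'ExamplePassw0rd'; } | mysql -u root -p radius
#   systemctl restart radiusd.service
#   verify_user user03 'ExamplePassw0rd' && echo "Access-Accept"
secret_ok asteros || echo "warning: shared secret is weak or is the stock example value" >&2
```

radiusd reads the `nas` table only at startup and only when `read_clients = yes` is set in /etc/raddb/mods-available/sql (it is commented out by default), so uncomment that line and restart radiusd after inserting a client; until then the switch's requests are dropped as coming from an unknown client.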
Configurations on Asterfusion SONiC Campus Switches
leaf03# configure terminal
leaf03(config)# dot1x enable
leaf03(config)# dot1x radius-server 172.24.22.4 asteros source 172.24.20.17
leaf03(config)# dot1x radius-server detect-server enable
leaf03(config)# dot1x radius-server testuser testing password
leaf03# show running-config dot1x
dot1x enable
dot1x radius-server 172.24.22.4 ******* source 172.24.20.17
dot1x radius-server detect-server enable
dot1x radius-server testuser testing ********
leaf03#
leaf03# configure terminal
leaf03(config)# interface ethernet 25
leaf03(config-if-25)# dot1x enable
leaf03(config-if-25)# show this interface ethernet 25
dot1x enable
startup-delay 300
monitor-link 1 downlink
speed 10000
switchport access vlan 8
leaf03(config-if-25)#
Results
Finally, we have the following results, which show that user authentication through the Asterfusion SONiC switches is working.
Let's go through it step by step. After successful authentication, VM1 can access the network and reach the gateway. The authentication information can be seen on the access switch.
When dot1x authentication is not enabled on the access terminal, we bring up the NIC with DHCP; although an IP address is obtained, there is no network connectivity and the terminal cannot reach the gateway.
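The results above are read from the switch; the other place to observe them is the server, where radiusd writes one "Login OK" or "Login incorrect" line per request to /var/log/radius/radius.log once `auth = yes` is set in the `log` section of radiusd.conf. The script below is an added example, not part of the article, that summarizes those lines per switch and per user so repeated failures on an access port stand out. The log lines embedded in it are constructed for the example and follow the FreeRADIUS 3.0 auth log format as assumed here.

```shell
#!/bin/sh
# Added example (not from the Asterfusion article): summarise 802.1X
# authentication outcomes from FreeRADIUS' radius.log.
# Assumes "auth = yes" in the log section of radiusd.conf; the sample lines
# below are constructed for this example in FreeRADIUS 3.0 format.

SAMPLE_LOG='Wed Oct 11 09:00:01 2023 : Auth: (1) Login OK: [user03] (from client leaf03 port 25 cli 52-54-00-00-00-01)
Wed Oct 11 09:00:07 2023 : Auth: (2) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [user03] (from client leaf03 port 25 cli 52-54-00-00-00-01)
Wed Oct 11 09:00:09 2023 : Auth: (3) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [user03] (from client leaf03 port 25 cli 52-54-00-00-00-01)
Wed Oct 11 09:00:12 2023 : Auth: (4) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [user03] (from client leaf03 port 25 cli 52-54-00-00-00-01)
Wed Oct 11 09:01:30 2023 : Auth: (5) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [guest] (from client leaf03 port 26 cli 52-54-00-00-00-02)
Wed Oct 11 09:02:00 2023 : Auth: (6) Login OK: [user03] (from client leaf03 port 25 cli 52-54-00-00-00-01)'

# Read log lines on stdin and print "client user count" for every
# (client, user) pair with at least $1 (default 3) "Login incorrect" lines.
failed_logins() {
  threshold=${1:-3}
  awk -v t="$threshold" '
    /Login incorrect/ {
      # the user name is the text in the [...] just before "(from client";
      # drop any "/password" or "/<via Auth-Type ...>" suffix
      u = $0; sub(/.*: \[/, "", u); sub(/\].*/, "", u); sub(/\/.*/, "", u)
      # the client (NAS) short name follows "from client"
      c = $0; sub(/.*from client /, "", c); sub(/ .*/, "", c)
      n[c " " u]++
    }
    END { for (k in n) if (n[k] >= t) print k, n[k] }
  ' | sort
}

# Read log lines on stdin and print "client port N count" per switch port
# that produced Access-Accepts.
accepts_by_port() {
  awk '
    /Login OK/ {
      c = $0; sub(/.*from client /, "", c); sub(/ cli .*/, "", c)
      n[c]++
    }
    END { for (k in n) print k, n[k] }
  ' | sort
}

# Run on the sample; on a live server use: failed_logins 3 < /var/log/radius/radius.log
printf '%s\n' "$SAMPLE_LOG" | failed_logins 3
printf '%s\n' "$SAMPLE_LOG" | accepts_by_port
```

With the sample input, `failed_logins 3` reports only `leaf03 user03 3` (the single guest failure on port 26 stays below the threshold) and `accepts_by_port` reports `leaf03 port 25 2`; the `cli` field, the supplicant's MAC address, is what to join against the switch's own dot1x session output when a port shows many failures.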
Summary
Due to the length of the article, we demonstrated only the authentication part of SONiC AAA. Authorization and accounting are fully supported on Asterfusion CX-M series switches, perhaps with a little front-end tuning as needed.
If you would like to try this access switch with enterprise SONiC (AsterNOS) in your campus network, or learn more about the test results and deployment examples related to this switch, please contact us. In addition, we also support a virtual machine version of AsterNOS, which is available to experience the operating system without switch hardware.