Skip to main content

FreeRADIUS-Based User Authentication with Asterfusion SONiC Campus Access Switches

written by Asterfuison

February 21, 2024

Table of Contents

What are RADIUS and FreeRADIUS?

RADIUS (Remote Authentication and Dial-In User Service) is a network protocol for dial-up user access and service request authentication.RADIUS provides centralized authentication, authorization and accounting (AAA) for managing access to network resources. RADIUS allows all user configuration information to be stored using a centralized database and shared by all users.

FreeRADIUS is an open source, modular, high-performance and feature-rich set of RADIUS programs, including servers, clients, development libraries and some additional related RADIUS tools. As the first open source RADIUS program, the source code can be compiled and installed on almost any system. Moreover, the product is designed for large-scale AAA authentication server deployment (10 million users and millions of requests per day).

How to configure a FreeRADIUS server?

Before everything starts, we should have a server with the required services and software installed. One thing to note is that FreeRADIUS does not have WebUI, so we use a third-party tool DaloRADIUS, as the management interface.

Server：KVM，2 vCPU + 2GB vMem + 8GB Disk
OS：CentOS Linux release 7.8.2003
Database：PostgreSQL 15.4
Web：v2.4.6
PHP：v5.4.16
FreeRADIUS：v3.0.13
DaloRADIUS：v1.3

Configurations

Basic configurations on server

Disable SELinux, so as not to cause Web access exceptions.

# setenforce 0
# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' 
/etc/sysconfig/selinux

Disable firewall to make sure external access after installation is finished

# systemctl   stop firewalld && systemctl disable firewalld

Configure YUM, EPEL and PostgreSQL database source

# mv   /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
# wget   -P /etc/yum.repos.d/ https://mirrors.163.com/.help/CentOS7-Base-163.repo
#   yum clean all
#   yum makecache
# yum   install epel-release -y
# yum   install -y   https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm

Download installation package (DaloRADIUS)

# wget   https://codeload.github.com/lirantal/daloradius/tar.gz/refs/tags/1.3 -O /tmp/freeradius

Install & configure database

# yum   install -y mariadb-server mariadb
#   systemctl start mariadb
#   systemctl enable mariadb
#   mysql_secure_installation
 
#   mysql -u root -p
MariaDB   [(none)]> create database radius;
MariaDB   [(none)]> grant all on radius.* to radius@localhost identified by 'radius';
MariaDB   [(none)]> flush privileges;
MariaDB   [(none)]> exit

Install & configure Web & PHP service

#   yum install -y httpd
#   systemctl enable httpd
#   systemctl start httpd
 
#   yum install -y php php-mysql php-pear php-devel php-common php-gd   php-mbstring php-mcrypt php-xml php-pear-DB
#   systemctl restart httpd

Install & configure FreeRADIUS

# yum   install -y freeradius freeradius-utils freeradius-mysql
#   systemctl start radiusd.service
#   systemctl enable radiusd.service
 
# mysql -u root -p   radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
# vim   /etc/raddb/mods-available/sql
#  cat    /etc/raddb/mods-available/sql | grep -v ^#
sql   {
        # The sub-module to use to execute   queries. This should match
        # the database you're attempting to   connect to.
        #
        #      * rlm_sql_mysql
        #      * rlm_sql_mssql
        #      * rlm_sql_oracle
        #      * rlm_sql_postgresql
        #      * rlm_sql_sqlite
        #      * rlm_sql_null (log queries to disk)
        #
        driver = "rlm_sql_mysql"
 
 
        # The dialect of SQL you want to use,   this should usually match
        # the driver you selected above.
        #
        # If you're using rlm_sql_null, then   it should be the type of
        # database the logged queries are   going to be executed against.
        dialect = "mysql"
 
        # Connection info:
        #
        server = "localhost"
        port = 3306
        login = "radius"
        password = "radius"
 
        # Database table configuration for   everything except Oracle
        radius_db = "radius"
# chgrp   -h radiusd /etc/raddb/mods-available/sql
# systemctl   restart radiusd.service

Install & configure DaloRADIUS

# cd   /tmp/freeradius
# tar   xvf daloradius-1.3.tar.gz
# mv   daloradius-1.3/ /var/www/html/daloradius
# chown   -R apache:apache /var/www/html/daloradius
# cd   /var/www/html/daloradius/
# mv   library/daloradius.conf.php.sample library/daloradius.conf.php
# chmod   -R 644 library/daloradius.conf.php
# mysql   -u root -p radius <   /var/www/html/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
# mysql   -u root -p radius <   /var/www/html/daloradius/contrib/db/mysql-daloradius.sql
# vim   library/daloradius.conf.php
# cat library/daloradius.conf.php
……
$configValues['FREERADIUS_VERSION']   = '2';
$configValues['CONFIG_DB_ENGINE']   = 'mysqli';
$configValues['CONFIG_DB_HOST']   = 'localhost';
$configValues['CONFIG_DB_PORT']   = '3306';
$configValues['CONFIG_DB_USER']   = 'radius';
$configValues['CONFIG_DB_PASS']   = 'radius';
$configValues['CONFIG_DB_NAME']   = 'radius';
 
# systemctl restart   httpd

After finishing all the steps above, we can verify the results by visiting: http://freeradius-ip/daloradius/ and the default username/password is administrator/radius.

How to configure SONiC AAA authentication using Freeradius server?

Now we already have a functioning FreeRADIUS server, and it’s time to set up networking and enable user access authentication. Firstly, let’s take a look at the basic deployment environment. We drew a detailed schematic and organized all the switches involved, server parameters and software information into a table.

Item	Role	OS	Software
Asterfusion CX204Y-48GT-M	Spine switch (Spine 1)	AsterNOS V5.2R006	/
Asterfusion CX204Y-48GT-M	Leaf switch(Leaf 3)	AsterNOS V5.2R006	/
2-Core vCPU，2G vMemory (Linux bridge )	Access Terminal (PC)	CentOS Linux release 7.8.2003	/
2-Core vCPU，2G vMemory (Ethernet interface passthrough)	AAA Authentication Server	CentOS Linux release 7.8.2003	FreeRADIUS v3.0.13 daloRADIUS v1.3 DHCP v4.2.5

Asterfusion SONiC Campus Access Switches Overview

Asterfusion CX-M series are SONiC-based Switches for campus accesses and enterprise data centers. With Full featured and enterprise ready SONiC (AsterNOS), it’s easy for us to build a high scalability and reliability network with just 2-3 commodity single chip switch SKUs, and what’s more, after simple peer configuration, the entire large-scale campus network can be considered as a virtual device, other configuration will synchronized automatically.

Here we have provided an unboxing & disassembly video, a PoE switch in CX-M series. If you are interested, please feel free to visit our website(cloudswit.ch) and help portal (help.cloudwit.ch)

Okay, let’s get back to FreeRADIUS. You will soon find it is not hard to configure user authentication in Asterfusion’s SONiC-based campus access networking.

Configurations on FreeRADIUS Server

Check RADIUS server status and make sure that it is running normally.

Add NAS device

Add user account(user 03)

Configurations on Asterfusion SONiC Campus Switches

leaf03#   configure terminal                                                                                                                                                          
leaf03(config)#   dot1x enable
leaf03(config)#   dot1x radius-server 172.24.22.4 asteros source 172.24.20.17
leaf03(config)#   dot1x radius-server detect-server enable
leaf03(config)#   dot1x radius-server testuser testing password
leaf03# show running-config dot1x
dot1x enable
dot1x radius-server 172.24.22.4 ******* source 172.24.20.17
dot1x radius-server detect-server enable
dot1x radius-server testuser testing ********
leaf03#
leaf03#   configure terminal
leaf03(config)#   interface ethernet 25
leaf03(config-if-25)#   dot1x enable
leaf03(config-if-25)# show this interface ethernet 25
  dot1x enable
  startup-delay 300
  monitor-link 1 downlink
  speed 10000
  switchport access vlan 8
leaf03(config-if-25)#

Results

Finally, we have the following information, and it appears that our user authentication system using Asterfusion SONiC switches is now working well.

Let’s go through it step by step. After successful authentication, VM1 can access the network and connect to the gateway. We can see the authentication information from the access switch.

dot1x authentication interface of terminal VM1

dot1x configuration for VM1

Network status

When dot1x authentication is not enabled on the access terminal, we enable the NIC by DHCP, and although the IP address can be obtained, there is no network connection, and the terminal cannot connect to the gateway.

Summary

Due to the length of the article, we only demonstrated user authentication of SONIC AAA authentication. Authorization and accounting can be fully supported for Asterfusion CX-M series switches, perhaps with a little front-end tuning as needed.

If you would like to try this access switch with enterprise SONiC (AsterNOS) in your campus network, or learn more about the test results and deployment examples related to this switch, please contact us. In addition, we also support a virtual machine version of AsterNOS, which is available to experience the operating system without switch hardware.

Product Category List

Latest Posts

EasyRoCE-blogcoverimage

Asterfusion Easy RoCE: Enabling Lossless Ethernet with a Single Command Line

Asterfusion 32-port 400G Switch CX732Q-N

Asterfusion SONiC based 32 x 400G QSFP-DD Data Center Switch Overview

Asterfusion CX206Y-48GT-M 48-Port PoE+/++ Switch

Asterfusion SONiC NOS based 48x1G RJ45 PoE+ layer 3 Enterprise Switch Overview

AsterNOS: Enterprise-ready SONiC NOS for Cloud, AI and Campus

September 14, 2021