Readers will learn how to implement RADIUS login authentication and send user authentication requests to a RADIUS server.
Notes & Requirements:
This article is applicable to EdgeOS 1.9.7+ firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking is required. Please see the Related Articles below for more information.
Equipment used in this article:
- Windows Server 2016 Network Policy Server (NPS)
Table of Contents
- Network Diagram
- Steps - RADIUS Client
- Steps - RADIUS Server
- Steps - Testing & Verification
- Related Articles
The network topology is shown below. In RADIUS terminology, the server at 192.168.1.10 is the ‘RADIUS Server’ and the EdgeRouter (ER) is the ‘RADIUS Client’ (the NAS that forwards the login attempt).
The following interfaces are in use on the ER:
- eth0 (WAN)
- eth1 (LAN) - 192.168.1.1/24
Steps - RADIUS Client
In this example the EdgeRouter has been pre-configured using the Basic Setup Wizard. For the purposes of this article we assume that the masquerade rules are in place so that hosts on the LAN can communicate with hosts on the Internet.
The UDP ports relevant to RADIUS are:
- UDP 1812 (new port) / UDP 1645 (old port) - RADIUS Authentication
- UDP 1813 (new port) / UDP 1646 (old port) - RADIUS Accounting
|ATTENTION: Make sure you have an existing SSH/HTTPS session or an alternative management method (console if applicable) when making changes to login methods, as you can lock yourself out of the device.|
|CLI STEPS: Access the command line interface (CLI). You can do this by using the CLI button in the GUI or by using a program such as PuTTY.|
1. Enter configuration mode.
2. Create local admin users to use for RADIUS authentication (replace <password> with your desired passphrase).
set system login user user1 level admin
set system login user user1 authentication plaintext-password <password>
set system login user user2 level admin
set system login user user2 authentication plaintext-password <password>
Note: The EdgeMAX platform currently requires that every remote RADIUS user also exists as a local administrator account on the device. The local username on the ER has to match the username defined on the RADIUS server.
The passwords do not have to match. You can create the local user with a random password and discard it; afterwards you log in to the router with the username defined on the RADIUS server and the password set there. Because the local account stays on the device and local authentication remains available as a fallback, give it a long, randomly generated password rather than a short placeholder.
3. (Optional) Create a new local admin user to use as a fallback authentication method and delete the built-in user (replace <password> with your desired passphrase).
set system login user backupadmin level admin
set system login user backupadmin authentication plaintext-password <password>
After creating the new admin user, log in with the new account and delete the built-in user:
delete system login user ubnt
4. Define the address and settings of the RADIUS authentication server (replace <secret> with your desired passphrase). Port 1812 and a timeout of 5 seconds are the defaults and only need to be set explicitly if you use different values. Commit and save, then confirm from a second session that you can still log in before closing the session you are working in.
set system login radius-server 192.168.1.10 port 1812
set system login radius-server 192.168.1.10 secret <secret>
set system login radius-server 192.168.1.10 timeout 5
Steps - RADIUS Server
The section below (briefly) focuses on configuring the Network Policy and Access Services (NPS) role on a Windows 2016 server. There are multiple guides available online that go into more detail than this article.
1. Add the NPS role.
Server Manager > Add Roles and Features > Network Policy and Access Services
2. Add the EdgeRouter to the RADIUS clients (replace <secret> with your desired passphrase).
Network Policy Server Console (NPS) > RADIUS Clients and Servers > RADIUS Clients > New
Friendly Name: ER-X (does not have to match device hostname)
Address (IP or DNS): 192.168.1.1 (the source address of the router)
Shared Secrets Template: None
Shared Secret: Manual
Shared Secret / Confirm: <secret>
| Note: You can also create a ‘RADIUS Shared Secret Template’ and use the same passphrase for all RADIUS Clients.
3. Create a Network Policy for the RADIUS clients.
NPS > Policies > Network Policies > New
Policy Name: ER Radius Clients
Type of Network Access Server: Unspecified
Specify Conditions > Add
Client Friendly Name: ER-?
User Groups: UBNT\Network Engineers
| Note: You can use Active Directory (AD) or local users (Windows Group) for authentication. In this example the users allowed to authenticate to the ER are ‘Network Engineers’ in the UBNT domain. NPS evaluates the ‘Client Friendly Name’ condition as a regular expression, so ‘ER-?’ matches any friendly name containing ‘ER’ with an optional ‘-’ after it (‘ER-X’, but also a name such as ‘ROUTER-1’). To match only names that start with ‘ER-’, anchor the pattern: ‘^ER-’.
Next > Specify Access Permission
Next > Configure Authentication Methods
Uncheck all methods and check ‘Unencrypted Authentication (PAP, SPAP)’. EdgeOS sends the login password using PAP, so the User-Password attribute in the Access-Request is protected only by the RADIUS shared secret (it is XORed with an MD5 digest of the secret and the request authenticator). Use a long, random shared secret and keep the path between the router and the NPS server on a trusted management network.
Next > Configure Constraints > Next > Configure Settings > RADIUS Attributes: Standard
Select Framed-Protocol > Remove
Select Service-Type > Edit > Others > Login
Steps - Testing & Verification
After completing the configuration, verify that RADIUS is working. The packet capture below is taken on the EdgeRouter (eth1 is its LAN interface); the event log check is made on the RADIUS server:
1. The outgoing requests and incoming replies on the configured UDP port (1812), captured on the ER:
sudo tcpdump -i eth1 -n udp port 1812
IP 192.168.1.1.1391 > 192.168.1.10.1812: RADIUS, Access-Request (1), id: 0x17 length: 76
IP 192.168.1.10.1812 > 192.168.1.1.1391: RADIUS, Access-Accept (2), id: 0x17 length: 72
IP 192.168.1.1.2996 > 192.168.1.10.1812: RADIUS, Access-Request (1), id: 0x0f length: 90
IP 192.168.1.10.1812 > 192.168.1.1.2996: RADIUS, Access-Reject (3), id: 0x0f length: 20
2. The event logs on the RADIUS server:
Event Viewer > Custom Views > ServerRoles > Network Policy and Access Services
| Note: In the capture above, the first request (id 0x17) was made while user1 was also configured locally on the ER and was answered with an Access-Accept. After the local user account was deleted on the ER, the second request (id 0x0f) was rejected; the NPS event log for that attempt shows a security ID of ‘NULL SID’.
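To make the captured exchange concrete, the following is an added example (not code from the original article, EdgeOS or NPS) that implements both sides of the RFC 2865 Access-Request / Access-Accept exchange with PAP, as used between the ER and the NPS server above: the client hides the password under the shared secret, a constructed stand-in for NPS checks it against a small user table, and the client verifies the Response Authenticator before trusting the reply. The identifier 0x17 and the NAS-IP-Address 192.168.1.1 match the first captured request; the secret, the user table and the passwords are constructed values, and `send_access_request` is an assumed helper for trying a real request against a server such as the NPS host at 192.168.1.10.

```python
"""RFC 2865 Access-Request / Access-Accept exchange with PAP, both sides in one file."""
import hashlib
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_LOGIN = 1  # the Service-Type value the NPS policy above returns

def _attr(atype, value):
    """Type-Length-Value; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, authenticator):
    """PAP hiding (RFC 2865 5.2): XOR each 16-byte block with MD5(secret + previous
    block), seeded with the Request Authenticator. Keyed obfuscation, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the key chain runs over the hidden blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def parse_packet(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]) or raise."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length or packet[i + 1] < 2 or i + packet[i + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[i], packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return code, ident, packet[4:20], attrs

def build_access_request(ident, secret, username, password, nas_ip):
    """Client side (what the ER does). Returns (packet, request_authenticator)."""
    req_auth = secrets.token_bytes(16)  # must be unpredictable for every request
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def server_handle(packet, secret, users):
    """Constructed stand-in for NPS; users maps username -> password."""
    code, ident, req_auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    username = fields.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(fields.get(USER_PASSWORD, b""), secret, req_auth)
    ok = username in users and secrets.compare_digest(users[username].encode(), password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)) if ok else b""
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + reply_attrs + secret).digest() + reply_attrs

def client_check_response(response, ident, req_auth, secret):
    """Drop replies whose Response Authenticator does not verify against our request."""
    code, resp_ident, resp_auth, _ = parse_packet(response)
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    if resp_ident != ident or not secrets.compare_digest(resp_auth, expected):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code

def authenticate(client_secret, server_secret, users, username, password, ident=0x17):
    """Offline round trip ER -> NPS stand-in -> ER; returns the reply code."""
    req, req_auth = build_access_request(ident, client_secret, username, password, "192.168.1.1")
    reply = server_handle(req, server_secret, users)
    return client_check_response(reply, ident, req_auth, client_secret)

def send_access_request(server_ip, secret, username, password, nas_ip, timeout=5.0, ident=0x17):
    """Send one real request over UDP 1812 to e.g. the NPS host and verify its reply."""
    req, req_auth = build_access_request(ident, secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (server_ip, 1812))
        reply, _ = sock.recvfrom(4096)
    return client_check_response(reply, ident, req_auth, secret)
```

Two things the capture alone does not show: a mismatched shared secret does not produce an error message from the server, it produces an Access-Reject (the server decodes the hidden password to garbage) whose Response Authenticator then fails to verify on the client, so the client should treat such a reply as untrusted rather than as a plain rejection; and because the hiding is only an MD5 keyed by the secret, anyone who captures an Access-Request on the LAN can try candidate secrets offline, which is why the shared secret must be long and random.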