Dell Networking SONiC AAA authentication using RADIUS server
Summary: This article explains how to configure AAA authentication using RADIUS server on a Dell SONiC installed switch.
This article is not tied to any specific product.
Not all product versions are identified in this article.
Instructions
NOTE: This article uses a switch running Dell SONiC 4.1.
Prerequisites of this article
This article assumes the following:
- There is IP connectivity between the switch running Dell Networking SONiC and the RADIUS server.
- The RADIUS server already has the user accounts configured with the required Management-Privilege-Level (MPL) attribute.
Index
AAA radius authentication in Dell SONiC
Operation
User Roles and MPL values
Configuration
Sample Configuration
Verification
AAA radius authentication in Dell SONiC
Authentication, authorization, and accounting (AAA) services secure networks against unauthorized access.
Enterprise SONiC supports these client/server authentication systems:
● RADIUS (remote authentication dial-in user service)
● TACACS+ (terminal access controller access control system)
● LDAP (lightweight directory access protocol)
This article focuses on the configuration of AAA RADIUS authentication on a switch running Dell SONiC.
During RADIUS authentication, the switch acts as a RADIUS client and sends an authentication request to the server. The request carries the user's credentials and the network service access information. The RADIUS server replies with an Access-Accept or an Access-Reject for the user request.
If the server sends an Accept, the reply also carries the MPL value configured for that user.
If the reply carries no MPL value, the user is assigned the operator role. The username admin may be granted admin privilege without an MPL.
Enterprise SONiC requires the Management-Privilege-Level (MPL) attribute with value 15 to grant read/write access to an authorized user.
For more details on user roles, see the following article:
Dell Networking SONiC User Role-Based Access Control
User Roles and MPL values
The table below lists the user roles and the corresponding MPL value to configure on the RADIUS server. This was tested on Dell SONiC 4.1.
| User Role | MPL value |
|---|---|
| admin | 15 |
| operator | No value or 1 |
| netadmin | 14 |
| secadmin | 13 |
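To make the exchange described above and the role table concrete, here is an added Python example (written for this article, not Dell or SONiC code). It builds a constructed RADIUS Access-Accept, verifies its Response Authenticator against the shared key, extracts the Management-Privilege-Level attribute (type 136, RFC 5607) and maps it to a role per the table. The Request Authenticator bytes, the packet contents and the treatment of MPL values not listed in the table are assumptions made for the example.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
MGMT_PRIV_LEVEL = 136  # Management-Privilege-Level (RFC 5607), the MPL the article refers to
MPL_ROLES = {15: "admin", 14: "netadmin", 13: "secadmin", 1: "operator"}  # table above
REQUEST_AUTH = bytes(range(16))  # constructed Request Authenticator; a real client uses random bytes
SECRET = b"123"                  # shared key from the sample configuration below

def mpl_attr(level):
    """Management-Privilege-Level is carried as a 32-bit big-endian integer attribute."""
    return (MGMT_PRIV_LEVEL, struct.pack("!I", level))

def build_response(code, ident, request_auth, secret, attrs):
    """Build a RADIUS reply with the Response Authenticator RFC 2865 requires:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def authenticator_valid(packet, request_auth, secret):
    """True only if the reply was produced for this request with the same shared key."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_response(packet, request_auth, secret):
    """Return (code, {attribute type: [raw values]}); reject length or key mismatches."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match the packet")
    if not authenticator_valid(packet, request_auth, secret):
        raise ValueError("bad Response Authenticator: wrong shared key or forged reply")
    attrs, body, pos = {}, packet[20:], 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.setdefault(body[pos], []).append(body[pos + 2:pos + body[pos + 1]])
        pos += body[pos + 1]
    return code, attrs

def role_for(username, code, attrs):
    """Map the reply to a SONiC role as the article describes."""
    if code != ACCESS_ACCEPT:
        return None                                   # login refused
    values = attrs.get(MGMT_PRIV_LEVEL)
    if not values:                                    # Accept without MPL: operator role
        return "admin" if username == "admin" else "operator"  # admin may keep admin
    level = struct.unpack("!I", values[0])[0]
    return MPL_ROLES.get(level, "operator")           # assumption: unlisted values act as operator
```

A reply built with a different key fails the authenticator check, which is the protection the shared key on the switch and server provides.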
Configuration
Configure the RADIUS server details on the switch.
Configuration Syntax
| Configuration | Explanation |
|---|---|
| admin@DELLSONiC:~$ sonic-cli | Enter Dell sonic-cli |
| DELLSONiC# configure | Enter Config Mode |
| DELLSONiC(config)# radius-server host <hostname \| ip-address \| ipv6-address> auth-port <port-number> auth-type <authentication-type> key <text> priority <value> retransmit <number> source-interface <Eth slot/port[/breakout-port][.subinterface] \| Loopback number \| Management 0 \| PortChannel number[.subinterface] \| Vlan vlan-id> timeout <seconds> vrf <mgmt \| vrf-name> | Configure the RADIUS server IP address or hostname and its attributes |
| DELLSONiC(config)# radius-server auth-type <authentication-type> | (Optional) Configure authentication type. This can also be configured with the radius-server host separately. |
To configure a RADIUS server detail on the switch, enter its hostname (63 characters maximum), IP, or IPv6 address and these optional values:
● auth-port UDP port number on the server (1 to 65535; default 1812)
● Transmission timeout in seconds (1 to 60; default 5)
● Number of times a request for user authentication is resent to a RADIUS server (0 to 10; default 3)
● Secret key text that is shared between a RADIUS server and the switch (up to 65 characters). This key is encrypted by the system.
● Authentication type — chap, pap, or mschapv2; default pap; the authentication algorithm is used to encrypt/decrypt data that is sent and received between the switch and the RADIUS server.
● Priority used to access multiple RADIUS servers to authenticate users (1 to highest priority 64; default 1).
● Enter a VRF name to specify the VRF to use to reach the RADIUS server.
Enable authentication order
A switch uses a list of authentication methods to define the types of authentication and the sequence in which they apply. By default, only the local authentication method is used, authenticating users against the local user database. RADIUS can be configured as the primary or secondary authentication method alongside local authentication.
Configuration Syntax
| Configuration | Explanation |
|---|---|
| DELLSONiC(config)# aaa authentication login default radius local | Configure Order of authentication |
| DELLSONiC(config)# no aaa authentication login default | Removes the configured authentication methods and returns to local-only authentication |
Enable fail-through for RADIUS authentication (Optional)
Use the fail-through option when RADIUS-based authentication is configured with more than one remote server. With fail-through enabled, the switch continues to try each server in the method list if an authentication request fails on one server.
Configuration Syntax
| Configuration | Explanation |
|---|---|
| DELLSONiC(config)# aaa authentication failthrough enable | Enable fail through |
| DELLSONiC(config)# aaa authentication failthrough disable | Disable fail through |
Sample Configuration
Consider two RADIUS servers, 10.0.0.100 and 10.0.0.130, both using the shared key 123. For the purpose of demonstration, the following users are preconfigured on the RADIUS server.
| Username | Password | User Role | MPL (Management-Privilege-Level) |
|---|---|---|---|
| admin | admin@123 | admin | 15 |
| operator1 | operator1@123 | operator | 1 |
```
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# radius-server host 10.0.0.100 key 123
DELLSONiC(config)# radius-server host 10.0.0.130 key 123
DELLSONiC(config)# radius-server auth-type pap
DELLSONiC(config)# aaa authentication login default local group radius
DELLSONiC(config)# aaa authentication failthrough enable
```
To view configured RADIUS servers
To view the configured RADIUS servers, use show radius-server and show running-configuration | grep radius.
```
DELLSONiC# show running-configuration | grep radius
radius-server timeout 5
radius-server auth-type pap
radius-server host 10.0.0.100 auth-port 1812 key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX= encrypted
radius-server host 10.0.0.130 auth-port 1812 key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX= encrypted
```
```
DELLSONiC# show radius-server
---------------------------------------------------------
RADIUS Global Configuration
---------------------------------------------------------
timeout        : 5
auth-type      : pap
key configured : No
--------------------------------------------------------------------------------
HOST        AUTH-TYPE  KEY-CONFIG  AUTH-PORT  PRIORITY  TIMEOUT  RTSMT  VRF  SI
--------------------------------------------------------------------------------
10.0.0.100  -          Yes         1812       -         -        -      -    -
10.0.0.130  -          Yes         1812       -         -        -      -    -
DELLSONiC#
```
Verification
To View AAA Authentication
To view the AAA authentication configuration, use show running-configuration | grep aaa and show aaa.
```
DELLSONiC# show running-configuration | grep aaa
aaa authentication login default local group radius
aaa authentication failthrough enable
```
```
DELLSONiC# show aaa
---------------------------------------------------------
AAA Authentication Information
---------------------------------------------------------
failthrough  : True
login-method : local, radius
```
Log in as admin user with admin role
A user with the admin role logs in to the Linux shell. The admin role has access to configuration mode (write access).
```
DELLSONiC login: admin
Password:
Last login: Wed Sep 13 00:04:08 UTC 2023 on ttyS0
Linux DELLSONiC 5.10.0-8-2-amd64 #1 SMP Debian 5.10.46-5 (2021-09-23) x86_64
You are on
  ____   ___  _   _ _  ____
 / ___| / _ \| \ | (_)/ ___|
 \___ \| | | |  \| | | |
  ___) | |_| | |\  | | |___
 |____/ \___/|_| \_|_|\____|

-- Software for Open Networking in the Cloud --

Unauthorized access and/or use are prohibited.
All access and/or use are subject to monitoring.

Help:    http://azure.github.io/SONiC/

admin@DELLSONiC:~$
admin@DELLSONiC:~$ sonic-cli
DELLSONiC#
DELLSONiC# configure
DELLSONiC(config)#
```
Log in as operator1 with operator role
A user with the operator role enters sonic-cli directly rather than the shell. In addition, an operator cannot enter configuration mode (read-only access).
```
DELLSONiC login: operator1
Password:
Last login: Tue Sep 12 18:29:02 UTC 2023 on ttyS0
Linux DELLSONiC 5.10.0-8-2-amd64 #1 SMP Debian 5.10.46-5 (2021-09-23) x86_64
You are on
  ____   ___  _   _ _  ____
 / ___| / _ \| \ | (_)/ ___|
 \___ \| | | |  \| | | |
  ___) | |_| | |\  | | |___
 |____/ \___/|_| \_|_|\____|

-- Software for Open Networking in the Cloud --

Unauthorized access and/or use are prohibited.
All access and/or use are subject to monitoring.

Help:    http://azure.github.io/SONiC/

DELLSONiC#
DELLSONiC# conf
                ^
% Error: Invalid input detected at "^" marker.
DELLSONiC#
```
Troubleshooting
To debug the RADIUS service, check /var/log/auth.log and the output of the show in-memory-logging and show logging SONiC CLI commands.
For more detailed logging, set the debug field to True in the authentication key of the AAA table in the CONFIG_DB redis database, or contact Technical Support.
Affected Products
PowerSwitch E3200-ON Series, Dell EMC Networking N3200-ON, PowerSwitch S5212F-ON, PowerSwitch S5224F-ON, PowerSwitch S5232F-ON, PowerSwitch S5248F-ON, PowerSwitch S5296F-ON, PowerSwitch Z9100-ON, PowerSwitch Z9264F-ON, PowerSwitch Z9332F-ON, PowerSwitch Z9432F-ON
Article Properties
Article Number: 000217350
Article Type: How To
Last Modified: 22 Sep 2023
Version: 6