User Authentication and Authorization with RADIUS on SR Linux#
SR Linux supports a number of user authentication methods, including local authentication, TACACS+, and RADIUS. In this post, we will look at how to configure RADIUS authentication and authorization on SR Linux. As you may have already guessed, we will have a lab environment to play with sporting the FreeRADIUS server and a single-node SR Linux lab. Let's get started!
Authentication, authorization, and accounting (AAA) is a framework for controlling access to network resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. Authentication is the process of identifying users. Authorization is the process of granting access to network resources based on the identity of the user. Accounting is the process of tracking the use of network resources by users.
In this post, we will focus on user authentication and authorization performed by the FreeRADIUS server implementing the RADIUS-based authentication and authorization for the remote users.
User types in SR Linux
The SR Linux supports three user types: Linux users, local users, and remote users. Each user type is authenticated differently.
Remote users are users that are not configured either in /etc/passwd or within the SR Linux configuration. Remote users are configured on a remote server, which is queried when the user attempts to log in to the SR Linux device. In the context of this post, remote users are configured on the FreeRADIUS server.
By leveraging the RADIUS protocol, SR Linux can authenticate remote users against a RADIUS server. Using the centralized service for bears a number of benefits, including:
Centralized user authentication, authorization and management
Support for multiple authentication methods and protocols
As mentioned above, centrally managing user authentication and authorization has a number of benefits. For the sake of this post and the accompanying lab, we will use the FreeRADIUS server as the central authentication and authorization service. The FreeRADIUS server is a popular open-source RADIUS server that has an official container image available on Docker Hub and can be easily deployed in a containerized environment.
To keep things simple, we will configure the FreeRADIUS server with the following users:
alice - a user with the alice123 password that should have admin privileges on the SR Linux device
bob - a user with the bob123 password that should have read-only privileges on the SR Linux device
Authenticating users is the bread and butter of the RADIUS protocol, but how does the authorization work? It is all rooted in the SR Linux Role-Based Access Control (RBAC) model.
Authorization via role based access control is performed for all SR Linux user types including the default local user admin1. Users can be configured with a set of one or more roles that define the privileges for which they are authorized in the system.
A role consists of one or more rules, which specify a schema path the role can have privileges for, and a corresponding action, which can be read, write, or deny. After authentication, a user is authorized to perform the specified action defined in the path for the role the user is assigned.
In addition to the path-based access control, roles support service and plugin authorization. Service authorization allows you to limit the actions a user is authorized to perform to specific access types such as CLI and gNMI. CLI plug-in authorization gives you control over how operator-provided plug-ins are loaded.
By default, no roles are explicitly configured on the SR Linux device.
Here is how a system-view role can be defined in the SR Linux configuration that allows only read access to the /system subtree of the SR Linux YANG model:
--{ + candidate shared default }--[ ]--A:srl# set / system configuration role system-view rule "/system" action read
If SR Linux uses Roles to authorize users, you might be wondering how can the RADIUS server be configured to provide the associated roles for the users. And the answer is: Vendor-Specific Attribute, or VSA.
When a RADIUS administrator creates a list of users on the RADIUS server, they can also assign custom attributes to them. These attributes are sent back to the RADIUS client (SR Linux) in the Reply-Message attribute of the Access-Accept message. The SR Linux RADIUS client parses the Reply-Message attribute and extracts the custom attributes, which are then used to configure the roles for the user. And this is how the RADIUS server can be used to authorize users on SR Linux.
Consider the following authorize file for the FreeRADIUS server:
The Timetra-Profile attribute is a custom attribute that is used to convey the roles for the user. The authorize file above configures the alice user with the admin role and the bob user with the viewer role. The admin and viewer roles should be configured on the SR Linux device for the authorization to work.
Here is a flow diagram that illustrates the authentication and authorization process:
Don't fret if it is not crystal clear yet, we will go through the whole client and server configuration in the lab section below.
Deploy this lab with Containerlab >= 0.49.0 using the following command:
sudoclabdep-c-tsrl-labs/freeradius-lab
We assign the radius node with a static v4 address of 127.20.20.111 to make it deterministic and easy to rememeber when we get to configuring the SR Linux device. Additionally we add -X flag to the freeradius process to enable debugging output.
the clients.conf file that defines the SR Linux device as a RADIUS client. By default containerlab uses 172.20.20.0/24 network for the lab nodes so our clients.conf file will use this subnet address and a shared secret to encrypt the RADIUS messages:
the authorize file that defines the users and their roles. The authorize file lists two our users, alice and bob, and assigns them the admin and viewer roles respectively:
Both files are mounted into the FreeRADIUS container using bind mounts. When the lab is deployed, the FreeRADIUS server will already be configured with the users and the SR Linux device as a RADIUS client, so we can move on to configuring the SR Linux device.
Following the SR Linux User Guide, we create an AAA group called "RADIUS-DEMO" that lists our RADIUS server IP:
set / system aaa server-group RADIUS-DEMO type radiusset / system aaa server-group RADIUS-DEMO server 172.20.20.111 network-instance mgmtset / system aaa server-group RADIUS-DEMO server 172.20.20.111 radius secret-key clab-demo
Note, that we use the statically assigned IP address of the RADIUS server and the shared secret that we defined in the clients.conf file.
Next, we create the admin and viewer roles that we defined in the authorize file on the FreeRADIUS server:
set / system aaa authorization role "admin" services [ cli gnmi gnoi json-rpc ftp ]set / system configuration role "admin" rule / action writeset / system aaa authorization role "viewer" services [ cli gnmi gnoi json-rpc ftp ]set / system configuration role "viewer" rule / action read
Pay attention to the way we configure the roles. First we configure the services that the role is authorized for, and then we configure the rules that defines the path and the allowed action for the role. The admin role is authorized for all services and has write access to the entire YANG tree. The viewer role is authorized for all services and has read access to the entire YANG tree.
We apply the configuration and exit the configuration mode:
--{ * candidate shared default }--[ ]--A:srl# commit nowAll changes have been committed. Leaving candidate mode.
Now that we have the SR Linux device and the FreeRADIUS server configured, we can test the authentication and authorization process. The simplest way to do that is to perform SSH log in to the SR Linux device as the alice user and verify that the user has the admin role and can write to the entire YANG tree.
sshalice@clab-radius-srl
Using the alice123 password that we provided in the authorize file, we should successfully log in to the SR Linux device. To ensure that RADIUS server was used for authentication, we can run sudo docker logs -f clab-radius-radius in a separate tab to see how RADIUS processed the authentication request.
Let's verify that SR Linux sees alice user as a remote user:
--{ + running }--[ ]--A:srl# show system aaa authentication session * +----+-----------+--------------+-----------------------+----------+-----+-------------------+--------------------------+-------+ | ID | User name | Service name | Authentication method | Priv-lvl | TTY | Remote host | Login time | Role | +====+===========+==============+=======================+==========+=====+===================+==========================+=======+ |47| alice* | sshd | RADIUS-DEMO | | ssh | 2001:172:20:20::1 | 2024-01-05T00:27:43.299Z | admin | +----+-----------+--------------+-----------------------+----------+-----+-------------------+--------------------------+-------+
As the table shows, our alice user is indeed authenticated via RADIUS for the sshd service and has the admin role. Let's verify that the user can write to the entire YANG tree:
--{ + running }--[ ]--A:srl# enter candidate--{ + candidate shared default }--[ ]--A:srl# set / system information contact alice@clab--{ +* candidate shared default }--[ ]--A:srl# commit nowAll changes have been committed. Leaving candidate mode.
Beatiful! Now let's log out and log in as the bob user and verify that the user has the viewer role and can only read the YANG tree.
sshbob@clab-radius-srl
Using the bob123 password that we provided in the authorize file, we should successfully log in to the SR Linux device. Checking the authenticated user session we can ensure that the viewer role was assigned to the user:
--{ + running }--[ ]--A:srl# show system aaa authentication session * +----+-----------+--------------+-----------------------+----------+-----+-------------------+--------------------------+--------+ | ID | User name | Service name | Authentication method | Priv-lvl | TTY | Remote host | Login time | Role | +====+===========+==============+=======================+==========+=====+===================+==========================+========+ |48| bob* | sshd | RADIUS-DEMO | | ssh | 2001:172:20:20::1 | 2024-01-05T00:34:34.942Z | viewer | +----+-----------+--------------+-----------------------+----------+-----+-------------------+--------------------------+--------+
Can bob write to the YANG tree? Let's try:
--{ + running }--[ ]--A:srl# enter candidate--{ + candidate shared default }--[ ]--A:srl# set / system information contact bob@clabError: No authorization to execute command: 'delete / system information contact alice@clab'
Oh ho! Looks like bob is not authorized to write to the YANG tree (as intended). Let's try to read the YANG tree:
--{ + candidate shared default }--[ ]--A:srl# info from state /system information contact system { information { contact alice@clab } }
Bob reads the YANG tree just fine, as we intended!
If you are curious to see how the RADIUS messages look like, there is no better way to do that than to capture the RADIUS traffic. Containerlab makes it easy to capture the traffic on the lab nodes. And here is a pcapng I captured while logging in as the alice user.
Here is how the Access-Accept message looks like with the vendor-specific attribute that contains the roles for the user: