Building on the previous blog entry, Using freeRtr as a GNS3 AAA appliance, and its freeRtr configuration, this netlab explains how to configure VyOS for AAA using the RADIUS protocol. VyOS is a freely available firewall appliance. VyOS uses the RADIUS VSAs of Cisco IOS. The VyOS login documentation has a remark pointing out exactly this; here is a citation in case the remark is removed or rewritten:

If you want to have admin users to authenticate via RADIUS it is essential to send the Cisco-AV-Pair shell:priv-lvl=15 attribute. Without the attribute you will only get regular, non privileged, system users.

With this piece of information the authentication and authorization configuration is easy to handle: either the authenticating user receives the privilege level at authentication and is authorized to configure, or not.

VyOS recently also implemented the AAA TACACS+ protocol; this document focuses only on AAA using RADIUS. One minor note before moving on to the netlab: you can use only one AAA protocol at a time on a NAS, either RADIUS or TACACS+. It is not possible to use both at the same time. There might be a few exceptions among network operating systems, but until now I have not spotted or discovered any.

Terms

Using the term server in this context is problematic and leads to misunderstanding. These are the technical terms used here. The AAA RADIUS server will be referred to as the AAA daemon:

  • AAA daemon - AAA appliance
  • NAC - Network Access Client
  • NAS - Network Access Server

Configuration

The most basic setup: one broadcast domain, with the following IP addressing:

Node      Function        Term     IP address
node-10   Telnet client   NAC      10.100.100.10
AAA-49    RADIUS daemon   daemon   10.100.100.49/24
R106      VyOS firewall   NAS      10.100.100.106/24

VyOS (NAS)

This netlab uses the rolling or the current train of VyOS:

dos@R106:~$ show ver
Version:          VyOS 1.4-rolling-202305180317
Release train:    current
...

At the time of writing the official documentation displays a warning:

This is the dev version. The latest stable version is Equuleus 1.3.x. The 1.4. version is called sagitta.

This was tested using the VyOS NAS with the following NAS configuration:

config
set system hostname R106
set interfaces ethernet eth0 address 10.100.100.106/24
set system login radius server 10.100.100.49 key 123-my_radius_key
set service ssh
commit
save

VyOS no longer offers service telnet in current versions; service ssh is used instead.

freeRtr

RADIUS

VyOS has its own VendorID, which can be looked up in the IANA private enterprise numbers list:

...
44641
    VyOS
        Daniil Baturin
            maintainers&vyos.net
...

The VendorID of VyOS is 44641, but the AAA configuration in this netlab uses the VendorID of Cisco, which is 9, specifically the prefix vendor 9 1.

vendor 9 1

9 is the vendor ID of Cisco Systems. Here is one of the sources, cited below:

[...] The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." [...]

It might be possible that swapping the VendorID from Cisco to VyOS, i.e. 9 to 44641, would work out. I did not try this, to stay as close as possible to the official VyOS documentation.

Authorisation

The prefix 9 1 used here is named cisco-avpair. This is the RADIUS configuration part, with a cross-reference to the USER-1 list for authentication in freeRtr:

configure
!
server radius RADIUS-1
 security authentication USER-1
 authentication USER-1
 secret 123-my_radius_key
 vendor 9 1 73 68 65 6c 6c 3a 70 72 69 76 2d 6c 76 6c 3d 31 35 0a
 vrf v1
exit

This binary-encoded shell:priv-lvl=15 setting is slightly longer than the one used in the previous netlab. This needs a short explanation. While Cisco IOS accepts both priv-lvl=15 and shell:priv-lvl=15, VyOS accepts only shell:priv-lvl=15, with the shell: prefix. I do not have a technical explanation for this behaviour on IOS; both work.

The full RADIUS VSA for VyOS for authorizing users:

vendor 9 1 73 68 65 6c 6c 3a 70 72 69 76 2d 6c 76 6c 3d 31 35 0a

To generate the hex bytes, use the tool od, which is part of GNU coreutils:

user % echo shell:priv-lvl=15 | od -t x1 -An
 73 68 65 6c 6c 3a 70 72 69 76 2d 6c 76 6c 3d 31 35 0a
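As an added example (my own code, not part of this page or of freeRtr), the following Python builds the freeRtr vendor line and the on-the-wire RFC 2865 Vendor-Specific (attribute 26) bytes for the cisco-avpair value, decodes such an attribute back, and applies the priv-lvl check described above, with the VyOS rule (shell: prefix required) and the IOS rule (bare priv-lvl also accepted) selectable. Function names and the strict_shell_prefix switch are my own assumptions; the trailing 0a is the newline echo appends, which the IOS debug later shows as the AVpair quote spanning two lines.

```python
import struct

CISCO_VENDOR_ID = 9     # IANA private enterprise number of Cisco Systems
CISCO_AVPAIR = 1        # vendor-type 1, named "cisco-avpair"
VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific attribute type


def freertr_vendor_line(vendor_id, vendor_type, value):
    """Render the freeRtr 'vendor <id> <type> <hex bytes>' line for a VSA value."""
    return "vendor %d %d %s" % (vendor_id, vendor_type,
                                " ".join("%02x" % b for b in value))


def encode_vsa(vendor_id, vendor_type, value):
    """Build attribute 26: type, length, 4-byte vendor id, then one sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(attr):
    """Parse attribute 26 into (vendor_id, vendor_type, value); reject malformed input."""
    if len(attr) < 8:
        raise ValueError("Vendor-Specific attribute too short")
    atype, alen = struct.unpack("!BB", attr[:2])
    if atype != VENDOR_SPECIFIC or alen != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id, vtype, vlen = struct.unpack("!IBB", attr[2:8])
    if vlen != alen - 6:            # sub-attribute must fill the rest exactly
        raise ValueError("vendor sub-attribute length mismatch")
    return vendor_id, vtype, attr[8:alen]


def priv_level(value, strict_shell_prefix=True):
    """Return the priv-lvl carried in a cisco-avpair value, or None if absent.

    strict_shell_prefix=True models VyOS, which needs 'shell:priv-lvl=N';
    False models IOS, which also accepts a bare 'priv-lvl=N' (assumed from the text).
    """
    text = value.decode("ascii").rstrip("\n")   # drop the newline echo appended
    if text.startswith("shell:"):
        text = text[len("shell:"):]
    elif strict_shell_prefix:
        return None
    key, _, num = text.partition("=")
    if key != "priv-lvl" or not num.isdigit():
        return None
    return int(num)


if __name__ == "__main__":
    avpair = b"shell:priv-lvl=15\n"       # constructed: same bytes as the od output above
    print(freertr_vendor_line(CISCO_VENDOR_ID, CISCO_AVPAIR, avpair))
    print(encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, avpair).hex(" "))
```

The encoded attribute is 26 bytes with a sub-attribute length of 20, matching the "Vendor, Cisco [26] 26" and "Cisco AVpair [1] 20" fields in the IOS debug further down.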

Full configuration

Using anypass here for simplicity. This is the fully working configuration for freeRtr AAA acting as a RADIUS daemon for VyOS:

configure
!
hostname AAA-49
!
aaa userlist USER-1
 username cisco
 username cisco anypass
 username linux
 username linux anypass
 username dos
 username dos anypass
 exit
!
vrf definition v1
 rd 1:1
 exit
!
interface ethernet1
 vrf forwarding v1
 ipv4 address 10.100.100.49 255.255.255.0
 no shutdown
 no log-link-change
 exit
!
proxy-profile p1
 vrf v1
 exit
!
server radius RADIUS-1
 authentication USER-1
 secret 123-my_radius_key
 vendor 9 1 73 68 65 6c 6c 3a 70 72 69 76 2d 6c 76 6c 3d 31 35 0a
 vrf v1
 exit
!
client proxy p1
!
end

That is the whole, working configuration; nothing more is needed on that side. No local users are configured on the VyOS NAS. If the AAA daemon is not available, VyOS falls back to the locally configured user credentials, which is the vyos user in the default setting. Now everything is set up.

Verify

Set of verification commands to show the privilege level:

show login

show login level

VyOS

This is the SSH login procedure, with the user linux tested from node-10:

user % ssh linux@10.100.100.106
linux@10.100.100.106's password:
Welcome to VyOS!

Check out project news at https://blog.vyos.io
and feel free to report bugs at https://vyos.dev

You can change this banner using 'set system login banner post-login' command.

VyOS is a free software distribution that includes multiple components,
you can check individual component licenses under /usr/share/doc/*/copyright

Last login: Tue Aug 31 07:02:50 2023 from 10.100.100.10
linux@R106:~$
linux@R106:~$ show login
login   : linux        pts/0        2023-08-31 07:39 (10.100.100.10)
level   : admin
user    : linux
groups  : vyattaop adm disk sudo dip users vyattacfg frrvty frr
linux@R106:~$ configure
[edit]
linux@R106#

The show login output verifies the privilege level: the login user linux has the admin level. Works.

IOS

📘 Note
This step is not part of the netlab; it shows that the current freeRtr settings work for IOS too.

To show the RADIUS debug in the IOS console output, use the command below:

debug radius

This is the RADIUS debug during the authentication/authorization phase on the IOS router R101, using the user cisco:

*Aug 31 06:52:03.432: RADIUS/ENCODE(0000000D): ask "Username: "
*Aug 31 06:52:03.432: RADIUS/ENCODE(0000000D): send packet; GET_USER
R101#
*Aug 31 06:52:06.100: RADIUS/ENCODE(0000000D): ask "Password: "
*Aug 31 06:52:06.100: RADIUS/ENCODE(0000000D): send packet; GET_PASSWORD
R101#
*Aug 31 06:52:07.145: RADIUS/ENCODE(0000000D):Orig. component type = Exec
*Aug 31 06:52:07.145: RADIUS/ENCODE: Skip encoding 0 length AAA Cisco vsa password
*Aug 31 06:52:07.145: RADIUS/ENCODE(0000000D): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Aug 31 06:52:07.145: RADIUS(0000000D): Config NAS IP: 0.0.0.0
*Aug 31 06:52:07.145: RADIUS(0000000D): Config NAS IPv6: ::
*Aug 31 06:52:07.145: RADIUS/ENCODE(0000000D): acct_session_id: 3
*Aug 31 06:52:07.145: RADIUS(0000000D): sending
*Aug 31 06:52:07.146: RADIUS/ENCODE: Best Local IP-Address 10.100.100.101 for Radius-Server 10.100.100.49
*Aug 31 06:52:07.146: RADIUS(0000000D): Send Access-Request to 10.100.100.49:1812 id 1645/2, len 69
*Aug 31 06:52:07.146: RADIUS:  authenticator 5A 35 5A 60 A6 D7 40 F3 - 99 22 50 68 8A 2A F3 63
*Aug 31 06:52:07.146: RADIUS:  User-Name           [1]   7   "cisco"
*Aug 31 06:52:07.146: RADIUS:  User-Password       [2]   18  *
*Aug 31 06:52:07.146: RADIUS:  NAS-Port            [5]   6   2
*Aug 31 06:52:07.146: RADIUS:  NAS-Port-Id         [87]  6   "tty2"
*Aug 31 06:52:07.146: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Aug 31 06:52:07.146: RADIUS:  NAS-IP-Address      [4]   6   10.100.100.101
*Aug 31 06:52:07.146: RADIUS(0000000D): Sending a IPv4 Radius Packet
*Aug 31 06:52:07.147: RADIUS(0000000D): Started 5 sec timeout
*Aug 31 06:52:07.155: RADIUS: Received from id 1645/2 10.100.100.49:1812, Access-Accept, len 64
*Aug 31 06:52:07.155: RADIUS:  authenticator 67 D9 0B 6A 62 1A C4 DC - 81 51 6E 82 A5 32 8A 9C
*Aug 31 06:52:07.155: RADIUS:  Reply-Message       [18]  12
*Aug 31 06:52:07.155: RADIUS:   73 75 63 63 65 73 73 66 75 6C        [ successful]
*Aug 31 06:52:07.155: RADIUS:  Ascend-Client-Second[136] 6
*Aug 31 06:52:07.155: RADIUS:   00 00 00 0F
*Aug 31 06:52:07.155: RADIUS:  Vendor, Cisco       [26]  26
R101#
*Aug 31 06:52:07.155: RADIUS:   Cisco AVpair       [1]   20  "shell:priv-lvl=15
"
*Aug 31 06:52:07.155: RADIUS(0000000D): Received from id 1645/2
*Aug 31 06:52:07.155: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
*Aug 31 06:52:07.155: RADIUS:  Ascend-Client-Second[136] 6
*Aug 31 06:52:07.155: RADIUS:   00 00 00 0F

The authorisation is working: shell:priv-lvl=15 is set. So this works too.

user % telnet 10.100.100.101
Trying 10.100.100.101...
Connected to 10.100.100.101.
Escape character is '^]'.

User Access Verification

Username: cisco
Password:
successful
R101#

Summary

The Cisco RADIUS VSAs work for VyOS. Proved. This is the easiest setup to get Authentication and Authorization working, for both the VyOS and the IOS NAS. Everything is set up using the command line interface.

References