RADIUS Authentication on ERS8600

The RADIUS authentication section of the official configuration guide is not clear enough to follow. The server configuration example in that guide only mentions the BaySecure Access Control (BSAC) RADIUS server. But I have never seen anyone who uses this RADIUS server. So I would like to keep a note on RADIUS authentication on the ERS8600 with Windows Internet Authentication Service (IAS).


Lab Scenario:
 
ERS8600 Software version 5.0.0.1: The IP address of management port is 192.168.10.226/24 and authentication is done via this port. (Authentication can be done via any interface on modules as well)

Windows Server 2003 R2 Enterprise : The IP address is 192.168.10.231/24


 

1. Configure RADIUS authentication on ERS8600: Only one step is needed on the ERS8600; the RADIUS shared secret is set to 123456.

ERS-8606:5# config radius server create 192.168.10.231 secret 123456 source-ip 192.168.10.226
ERS-8606:5# config radius enable true

2. Create a RADIUS client in IAS: Specify the IP address and name of the ERS8600 and choose RADIUS Standard for the Client-Vendor option. Of course, don’t forget to set the same shared secret.


3. Create a new Remote Access Policy:

  • Choose “Set up a custom policy” and name the policy


  • Configure the Policy Conditions: Select a group permitted to access the ERS8600. I chose the default domain user group, but we can create a dedicated group for access control in a real case.


  • Configure the permissions: Choose “Grant Remote Access Permission” to allow a user who matches the conditions we created previously to log in.


  • Edit the profile: Click “Edit Profile” and choose the “Authentication” tab. PAP is the only authentication method we need.


  • Choose the “Advanced” tab and add a return attribute to control a user’s access priority. The format should be:

    Attribute Name: Vendor-Specific

    Attribute Number: 26

    Attribute Format: OctetString

    Vendor Code: 1584

    Access Priority Value:

    None-Access c00600000000
    Read-Only-Access c00600000001
    L1-Read-Write-Access c00600000002
    L2-Read-Write-Access c00600000003
    L3-Read-Write-Access c00600000004
    Read-Write-Access c00600000005
    Read-Write-All-Access  c00600000006
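
The values in the table follow the RFC 2865 vendor-specific layout: a vendor type octet (0xc0), a length octet (06, covering the two header octets plus a 4-byte integer), then the access level. The Python sketch below is an added example, not part of the original post; it assumes IAS sends the octet string unchanged after the vendor code, and all function names are hypothetical.

```python
import struct

VENDOR_ID = 1584   # Vendor Code from the page
VSA_TYPE = 26      # Attribute Number from the page (Vendor-Specific, RFC 2865)
SUB_TYPE = 0xC0    # first octet of every value in the page's table
SUB_LEN = 6        # second octet: 2 header octets + 4-byte integer

# Level names and integers exactly as listed in the page's table.
LEVELS = {
    "None-Access": 0, "Read-Only-Access": 1, "L1-Read-Write-Access": 2,
    "L2-Read-Write-Access": 3, "L3-Read-Write-Access": 4,
    "Read-Write-Access": 5, "Read-Write-All-Access": 6,
}
NAMES = {value: name for name, value in LEVELS.items()}

def ias_octet_string(level: str) -> str:
    """Hex string to enter as the attribute value in IAS."""
    return struct.pack("!BBI", SUB_TYPE, SUB_LEN, LEVELS[level]).hex()

def wire_attribute(level: str) -> bytes:
    """Attribute 26 as laid out in an Access-Accept (assumed RFC 2865 form)."""
    sub = bytes.fromhex(ias_octet_string(level))
    # Outer length = type(1) + length(1) + vendor id(4) + sub-attribute
    return struct.pack("!BBI", VSA_TYPE, 6 + len(sub), VENDOR_ID) + sub

def parse_wire_attribute(attr: bytes) -> str:
    """Decode attribute 26 back to a level name; reject malformed input."""
    if len(attr) != 6 + SUB_LEN:
        raise ValueError("unexpected attribute size")
    a_type, a_len, vendor = struct.unpack("!BBI", attr[:6])
    if a_type != VSA_TYPE or a_len != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    if vendor != VENDOR_ID:
        raise ValueError("vendor code is not 1584")
    s_type, s_len, value = struct.unpack("!BBI", attr[6:])
    if s_type != SUB_TYPE or s_len != SUB_LEN:
        raise ValueError("unexpected vendor type or length")
    if value not in NAMES:
        raise ValueError("access level outside the documented range")
    return NAMES[value]

if __name__ == "__main__":
    for name in LEVELS:
        print(f"{name:24} {ias_octet_string(name)} {wire_attribute(name).hex()}")
```

Running it prints each level with its IAS octet string and the full attribute bytes, which can be compared against a packet capture of the Access-Accept when a login gets the wrong privilege level.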

 

 

 

 

I used a “test” account to log in to the ERS8600 with RWA priority. That was successful, and there was an event log entry on the Windows server.

