[LINUX] Cisco login authentication + MAC authentication + dynamic VLAN with Docker's Free RADIUS (CentOS8)

Introduction

This is my first challenge to Docker in order to replace FreeRADIUS, which I operate on my own, with Docker. In addition, although there are some fluctuations in the description of "MAC authentication" in the text, they are all used to mean "MACAddressBypass". (I understand that you don't "authenticate" using the MAC address.)

Fix

Target device and environment

Verification environment

Items that can be authenticated in the initial state

In the initial state, the following 2 users and enable password can be used.

User name password Remarks
foo bar Login as a normal user
hoge fuga Automatically promoted to privilege when logged in
$enab15$ fuga Password for transition with enable command

The MAC address + dynamic VLAN is registered with the following.

MAC address VLAN string
055dc061bf92 default_seg

Syslog remote transfer

Logs are being transferred to the following 2 hosts.

Forwarding destination facility severity syslogtag
10.254.10.104:514/udp local0 notice pseudolog_radius_log
10.254.10.112:514/udp local0 notice pseudolog_radius_log

Work content

Set masquerade in firewall

firewall-cmd --add-masquerade --zone=public --permanent
firewall-cmd --reload

Docker image preparation

Create an image so that it can be reused. Create an appropriate directory to put the Dockerfile and the configuration file.

mkdir -p /opt/docker/radius
cd /opt/docker/radius

Create a Dockerfile

/opt/docker/radius/radius.df


FROM centos:centos8
ENV TZ='Asia/Tokyo'
RUN dnf -y update ; dnf install -y freeradius freeradius-ldap rsyslog ; \
sed -i -e "s/auth = no/auth = yes/" /etc/raddb/radiusd.conf ;  \
mkdir /etc/raddb/mods-config/files/userlist
COPY clients.conf /etc/raddb/clients.conf
COPY authorize /etc/raddb/mods-config/files/authorize
COPY users.login /etc/raddb/mods-config/files/userlist/users.login
COPY mabs /etc/raddb/mods-config/files/userlist/mabs
COPY rsyslog.conf /etc/rsyslog.conf
RUN  ln -sf /usr/share/zoneinfo/Asia/Tokyo /etc/localtime ; systemctl enable radiusd 
CMD [ "/usr/sbin/init" ]

radius secret fix

~~ Since it is via bridge, the container is only accepted from the host (172.17.0.1/32) ~~ Fixed to 172.16.0.0/12 to respond to requests from the same Docker network. Align the following secret = RADIUS_SECRET line with your environment.

/opt/docker/radius/clients.conf


client radius_clients {
    ipaddr  = 172.16.0.0
    netmask = 12
    secret  = RADIUS_SECRET
}

Read user file

Create a definition file that reads the user for login and the MAC address list for MAB

/opt/docker/radius/authorize


$INCLUDE /etc/raddb/mods-config/files/userlist/mabs
$INCLUDE /etc/raddb/mods-config/files/userlist/users.login

Login user registration

MD5-Password can be generated with echo -n PASSWORD | openssl md5. Cisco enable is attempted with the username \ $ enab15 \ $. To automatically enable at login, set ~~ Service-Type and Cisco-AVPair in the line below the password. (Priv-lvl = 1 is a normal user, priv-lvl = 15 is a privileged user) ~~ Add Service-Type = Administrative-User to include it in the reply item. (Fixed because it was inconvenient when logging in to the Cisco WLC. It can also be enabled when logging in to IOS)

/opt/docker/radius/users.login

MAC address bypass registration

Enter the MAC address in the user name and password. (Remove hyphens and colons) If you do not add the NAS-Port-Type attribute, you will be able to log in with the UID / PWD as the MAC address when logging in to the device. Caution.

/opt/docker/radius/mabs


DEFAULT Auth-Type == PAP , NAS-Port-Type == Ethernet
        Tunnel-Type = 13 , Tunnel-Medium-Type = 6 , Tunnel-Private-Group-Id = "default_seg",
        Fall-Through = Yes

055dc061bf92 Cleartext-Password := "055dc061bf92"

Settings for syslog transfer

Transfer syslog to a remote location using the module ╩╗imfilethat detects changes in the local log file. Transfer using UDP / 514 to a server that can be calledsyslog`.

/opt/docker/radius/rsyslog.conf


module(load="imfile")
input(type="imfile"
      file="/var/log/radius/radius.log"
      tag="pseudolog_radius_log"
      facility="local0"
      severity="notice")
:syslogtag, isequal, "pseudolog_radius_log" @syslog:514

Build an image from a Dockerfile to create a container

Once you have created the Dockerfile, build it. --privileges seems to have a bad reputation (?), So create a container using the recommended method.

# docker build --force-rm -t infraserv:radius . -f ./radius.df && \
  docker run --cap-add sys_admin --security-opt seccomp:unconfined \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    -it -d --name radius --hostname radius \
    -p 1812:1812/udp infraserv:radius

Connection test

Test the connection from the Docker host and another host. radtest is included in freeradius-utils. Please install with yum -y install freeradius-utils etc.

# radtest  hoge fuga 10.254.10.251 123 RADIUS_SECRET
Sent Access-Request Id 41 from 0.0.0.0:36748 to 10.254.10.251:1812 length 74
        User-Name = "hoge"
        User-Password = "fuga"
        NAS-IP-Address = 10.254.10.101
        NAS-Port = 123
        Message-Authenticator = 0x00
        Cleartext-Password = "fuga"
Received Access-Accept Id 41 from 10.254.10.251:1812 to 0.0.0.0:0 length 51
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:priv-lvl=15"

It's OK.

Cisco device settings

After enabling and conf t, enter the following settings. Perform login authentication and MAC address bypass settings at the same time.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!Common setting
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!Adoption of aaa
aaa new-model
aaa session-id common

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!Login authentication settings
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!Create radius server group and perform login authentication
aaa group server radius ForLogin
 server-private 10.254.10.251 auth-port 1812 acct-port 1813 timeout 1 retransmit 1 key RADIUS_SECRET

!Settings that use login authentication, enable authentication, and authority attributes
aaa authentication login default group ForLogin local-case
aaa authentication enable default group ForLogin enable
aaa authorization  exec default group ForLogin if-authenticated

!Local account is used when communication with radius server is not possible
enable secret ENABLE_PASSWORD
username LOCAL_UID password LOCAL_PWD

!Settings for using RADIUS at login
line vty 0 4
 login authentication ForLogin


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!MAC address bypass configuration
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!Character string flying in the attribute of dynamic VLAN
vlan 2022
 name default_seg

!radius server group creation and 802.Perform 1X certification
aaa group server radius ForDot1X
 server-private 10.254.10.251 auth-port 1812 acct-port 1813 timeout 1 retransmit 1 key RADIUS_SECRET

!Enable attributes for MAC address bypass, dynamic VLAN
dot1x system-auth-control
aaa authentication dot1x default group ForDot1X
aaa authorization network default group ForDot1X if-authenticated

!Apply MAB to interface
interface Giga0/3
 description ## AuthPort : mac address bypass ##
 switchport mode access
 authentication order mab
 authentication priority mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast

end

Just in case, log in at another terminal while maintaining the logged-in session. If you can log in, check the operation.

radiusd log The log of login OK for each user and login OK with MAC address (= MAB is OK) are recorded.

Sat Feb  8 15:48:24 2020 : Auth: (0) Login OK: [hoge](from client radius_clients port 35)
Sat Feb  8 15:48:53 2020 : Auth: (1) Login OK: [foo](from client radius_clients port 35)
Sat Feb  8 15:48:56 2020 : Auth: (2) Login OK: [$enab15$](from client radius_clients port 35 cli 10.254.10.101)
Sat Feb  8 15:49:04 2020 : Auth: (3) Login OK: [hoge](from client radius_clients port 35)
Sat Feb  8 15:49:49 2020 : Auth: (4) Login OK: [9cb6541e0363](from client radius_clients port 50003 cli 9C-B6-54-1E-03-63)

Cisco Log (MAB) In the set Gi0 / 3, SUCCESS and VLAN2022 of MAB are assigned by the corresponding MAC address. (Although it cannot be read from the log, the attribute string default_seg matches the vlan name string and is assigned 2022)

Feb  9 00:49:48: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
Feb  9 00:49:49: %AUTHMGR-5-START: Starting 'mab' for client (9cb6.541e.0363) on Interface Gi0/3 AuditSessionID 000000000000000520203B8C
Feb  9 00:49:49: %MAB-5-SUCCESS: Authentication successful for client (9cb6.541e.0363) on Interface Gi0/3 AuditSessionID 000000000000000520203B8C
Feb  9 00:49:49: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (9cb6.541e.0363) on Interface Gi0/3 AuditSessionID 000000000000000520203B8C
Feb  9 00:49:49: %AUTHMGR-5-VLANASSIGN: VLAN 2022 assigned to Interface Gi0/3 AuditSessionID 000000000000000520203B8C
Feb  9 00:49:50: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (9cb6.541e.0363) on Interface Gi0/3 AuditSessionID 000000000000000520203B8C
Feb  9 00:49:51: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2022, changed state to up
Feb  9 00:49:51: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up

Cisco Logs (AAA)

#sh aaa servers
(~~ Omitted ~~)
RADIUS: id 3, priority 0, host 10.254.10.251, auth-port 1812, acct-port 1813
     State: current UP, duration 1177s, previous duration 0s
     Dead: total time 0s, count 0
     Quarantined: No
     Authen: request 7, timeouts 1, failover 0, retransmission 1
             Response: accept 4, reject 2, challenge 0
             Response: unexpected 1, server error 0, incorrect 0, time 467ms
             Transaction: success 6, failure 0
             Throttled: transaction 0, timeout 0, failure 0
(~~ Omitted ~~)

It's OK.

By the way, I wanted to see the log in the docker container, and when I tried tailf, there was no command, so I watched it. -d inverts the changed part in black and white. -n 1 updates the display every second. is.

# watch -d -n 1 'tail /var/log/radius/radius.log'
Every 1.0s: tail /var/log/radius/radius.log                                                      25dda9131ea4: Sat Feb  8 15:21:53 2020

Sat Feb  8 14:06:01 2020 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
Sat Feb  8 14:06:01 2020 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
Sat Feb  8 14:06:01 2020 : Info: Loaded virtual server default
Sat Feb  8 14:06:01 2020 : Info:  # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:331
Sat Feb  8 14:06:01 2020 : Info: Loaded virtual server inner-tunnel
Sat Feb  8 14:06:01 2020 : Info: Ready to process requests
Sat Feb  8 14:06:11 2020 : Auth: (0) Login OK: [hoge](from client radius_clients port 123)
Sat Feb  8 15:14:31 2020 : Auth: (1) Login OK: [hoge](from client radius_clients port 123)
Sat Feb  8 15:21:38 2020 : Auth: (2) Login OK: [hoge](from client radius_clients port 123)
Sat Feb  8 15:21:40 2020 : Auth: (3) Login OK: [hoge](from client radius_clients port 123)

802.1X EAP-TLS authentication

Wireless LAN EAP-TLS is described in EAP-TLS Authentication Using Cisco WLC and FreeRADIUS.

at the end

Actually, after starting with --privileges, I was addicted to the service not starting with systemctl start radius.

Source

[Login Authentication Using FreeRADIUS and Cisco Devices](http://www.prosper2.org/devwiki/index.php?FreeRADIUS%E3%81%A8Cisco%E6%A9%9F%E5%99%A8%E3% 82% 92% E5% 88% A9% E7% 94% A8% E3% 81% 97% E3% 81% 9F% E3% 83% AD% E3% 82% B0% E3% 82% A4% E3% 83% B3% E8% AA% 8D% E8% A8% BC) http://docs.docker.jp/engine/articles/dockerfile_best-practice.html https://hub.docker.com/r/centos/systemd/ https://unix.stackexchange.com/questions/452249/docker-container-with-centos-7-and-systemd https://stackoverflow.com/questions/33439230/how-to-write-commands-with-multiple-lines-in-dockerfile-while-preserving-the-new

Recommended Posts

Cisco login authentication + MAC authentication + dynamic VLAN with Docker's Free RADIUS (CentOS8)