
6.4 FreeRADIUS with Some NAS Gear

For a variety of reasons, vendors have been known to not adhere to RFC specifications. Often their products are based on an early draft of a proposed specification, sometimes vendors fail to update their products to the revised guidelines, and sometimes vendors simply choose to ignore the specification entirely. In any case, as an administrator you must cope. Unfortunately, the concept of vendor-specific irregularities and peculiarities is not foreign to NAS gear.

This section is designed to at least familiarize you with the vagaries of using some models of terminal server equipment with FreeRADIUS. Wherever possible, I will offer a workaround, another option, or some other recommendation to assist you in compensating for the problem.

6.4.1 Ascend Equipment

Traditionally, the attributes specific to Ascend terminal server gear are sent by FreeRADIUS as vendor-specific attributes, as per the RADIUS RFC. However, the Ascend NAS equipment itself sends its own attributes (those that are specific to the Ascend equipment) as regular, global space attributes, which, of course, causes problems with other attributes as specified in the RFC. If you suffer from a problem related to Ascend's non-standard way of dealing with its specific attributes, you will see invalid Message-Authenticator messages in your log files.

There are two options to fix this problem. The first is to enable support for vendor-specific attributes on the Ascend equipment. There are different steps to follow depending on which model of terminal server you have. If your model is the Max6000 or Max4000 series with the menu-style TAOS interface, follow these instructions:

  1. Go to Ethernet, select Mod Config, and then choose Auth.

  2. Find the Auth-Compat option at the bottom of the menu. Change this from its current setting, OLD, to VSA.

  3. Save the change to make it active.

If you have the Max TNT model or the Apex 8000 series with the command-line-driven TAOS system, execute the following commands from a shell prompt.

    nas> read external-auth
    nas> set rad-auth-client auth-radius-compat = vendor-specific
    nas> set rad-acct-client acct-radius-compat = vendor-specific
    nas> write

The other option is to perform the opposite change: enable the old attributes on the FreeRADIUS machine. This is a bit easier to do, since all that is required is preceding the Ascend attributes with X- wherever they're found. For example, the vendor-specific attribute Ascend-Data-Filter would become, in old-style attribute naming, X-Ascend-Data-Filter. It's worth noting that some Cisco equipment has the capability to emulate Ascend NAS gear with 100% compatibility, so consider whether you have mixed gear when choosing the option to rid yourself of the Ascend integration problems.
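The difference the two options paper over is a wire-format one: an RFC-style vendor-specific attribute is wrapped inside attribute type 26 with the vendor's enterprise number, whereas the old Ascend behaviour puts the same attribute straight into the global attribute space with its own top-level type number (which is what FreeRADIUS's X- names refer to). The following Python, added here as an illustration and not taken from the book or from FreeRADIUS, encodes one attribute both ways and parses both forms back. It assumes Ascend's enterprise number is 529 and that Ascend-Data-Filter uses number 242 in both the global-space and VSA dictionaries (both taken from FreeRADIUS's dictionary.ascend as I remember it); the filter value itself is a constructed placeholder, not a real abinary filter.

```python
import struct

# RADIUS Vendor-Specific attribute type (RFC 2865 section 5.26).
VENDOR_SPECIFIC = 26
# Ascend's IANA enterprise number -- assumption, taken from FreeRADIUS's dictionary.ascend.
ASCEND_VENDOR_ID = 529
# Ascend-Data-Filter attribute number, used both as the old global-space type and as the
# vendor-type inside the VSA -- assumption, also from dictionary.ascend.
ASCEND_DATA_FILTER = 242


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_old_style(value: bytes) -> bytes:
    """Old Ascend behaviour: the attribute is sent in the global attribute space (X-Ascend-*)."""
    return encode_attr(ASCEND_DATA_FILTER, value)


def encode_vsa(value: bytes) -> bytes:
    """RFC 2865 behaviour: Vendor-Id, Vendor-type, Vendor-length, value, wrapped in type 26."""
    inner = struct.pack("!IBB", ASCEND_VENDOR_ID, ASCEND_DATA_FILTER, len(value) + 2) + value
    return encode_attr(VENDOR_SPECIFIC, inner)


def parse_attrs(data: bytes) -> list:
    """Decode a run of attributes.

    Each result is (type, vendor_id, vendor_type, value); vendor_id and vendor_type are
    None for global-space attributes, so a caller can see whether it got a VSA or not.
    """
    out = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack_from("!BB", data, pos)
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        value = data[pos + 2:pos + length]
        if t == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack_from("!IBB", value, 0)
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("malformed vendor-specific attribute")
            out.append((t, vendor, vtype, value[6:4 + vlen]))
        else:
            out.append((t, None, None, value))
        pos += length
    return out


def is_ascend_vsa(parsed_attr: tuple) -> bool:
    """True only for the RFC-style form; the old form shows up as a bare global-space type."""
    t, vendor, _vtype, _value = parsed_attr
    return t == VENDOR_SPECIFIC and vendor == ASCEND_VENDOR_ID


if __name__ == "__main__":
    sample = b"constructed-filter"  # placeholder value, not a real abinary filter
    for name, encoded in (("old style", encode_old_style(sample)), ("VSA", encode_vsa(sample))):
        for a in parse_attrs(encoded):
            print(name, "->", "vsa" if is_ascend_vsa(a) else "global", a[:3])
```

The parser is the interesting half: a server whose dictionary only knows the VSA form will see the old-style attribute as an unknown global type 242, which is why mixing the two conventions (or mixing Ascend gear with Cisco gear emulating it) has to be settled on one side or the other.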

6.4.2 Cisco Equipment

Cisco equipment runs the IOS software and, while it's become a common piece of equipment to find in an ISP, it does have some quirks of its own. Let's take a look at a few.

If you are running IOS Version 12 (either the .0 or .1 releases), then set the following configuration commands:

    aaa new-model
    aaa authentication login default group radius local
    aaa authentication login localauth local
    aaa authentication ppp default if-needed group radius local
    aaa authorization exec default group radius local
    aaa authorization network default group radius local
    aaa accounting delay-start
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa processes 6

If you are running IOS Version 11.1, then set the following configuration commands:

    aaa new-model
    aaa authentication ppp radppp if-needed radius
    aaa authorization network radius none
    aaa accounting network wait-start radius
    aaa accounting network wait radius
    radius-server timeout 3

This instructs the NAS to communicate with a RADIUS server and eliminates a lot of duplicate log entries. If you run IOS Version 11.3, then add the following command to the previous list:

    aaa accounting update newinfo

This allows the IP address assigned to the user to be displayed when you run the radwho program (discussed earlier in the chapter). By default, the Accounting Start packet sent from the NAS doesn't include the new client's IP address. This command tells IOS to send a further accounting packet that updates the accounting record with the client's IP address once it has been assigned.

Perhaps the most critical of these new settings is the aaa accounting delay-start command. This directive tells the NAS equipment not to send the Accounting Start packet until the client has received an IP address. This eliminates some of the lag problems found with IOS Version 11 equipment and the need to send IP address updates (known as "alive" packets) to the RADIUS server during the negotiation process. With the configuration settings above, the FreeRADIUS machine will authenticate all requests for Telnet sessions automatically. To gain access to the terminal server itself when it is running IOS 12, you need to create an entry in the users file similar to this (you may change either the username or the password; they need not match this example):

    !superuser User-Password == "ciscoios"
               Service-Type = NAS-Prompt-User

This will grant you access. You will still need to use your secret in conjunction with the enable command to perform high-level configuration modification.

6.4.3 Nortel Equipment

All Nortel equipment using the Bay software with a revision prior to Version 18.0.2 must upgrade to at least that version. There is a bug in the encoding of the secret passed between the RADIUS server, the NAS gear, and the client: versions prior to the desired revision pass a secret that is encoded purely with MD5, while the RADIUS RFC requires it differently. You will know if you have this problem if you have log file messages relating to invalid Message-Authenticators.
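What the RFC requires is worth seeing concretely, since both the Nortel symptom above and the Ascend one earlier in this section surface as the same "invalid Message-Authenticator" log entries. RFC 2865 does not send the secret at all: it hides the User-Password by XORing it, 16 bytes at a time, with MD5(secret + Request Authenticator) for the first block and MD5(secret + previous ciphertext block) for each following block, and RFC 2869's Message-Authenticator is an HMAC-MD5 over the whole packet keyed with the shared secret. The Python below, added here as an illustration and not taken from the book or from any vendor's or FreeRADIUS's code, implements both sides of that exchange so you can see how a mismatched secret or a non-conforming encoding shows up as a failed check; the shared secret, username, password and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14


def attr(attr_type: int, value: bytes) -> bytes:
    """Type, Length, Value encoding of one attribute (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16, then chain MD5 blocks."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16  # an empty password still occupies one block
    out = b""
    prev = request_authenticator  # b1 = MD5(S + RA); bn = MD5(S + c(n-1))
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a positive multiple of 16 octets")
    out = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, username: bytes, password: bytes,
                         request_authenticator: bytes) -> bytes:
    """Assemble an Access-Request whose Message-Authenticator is HMAC-MD5(secret, packet),
    computed with the attribute's own 16 value octets set to zero (RFC 2869 section 5.14)."""
    body = attr(USER_NAME, username)
    body += attr(USER_PASSWORD, hide_password(password, secret, request_authenticator))
    body += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_authenticator
    packet = header + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator was appended last; fill in its value


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the HMAC with the attribute zeroed and compare."""
    pos = 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False  # no Message-Authenticator present at all


if __name__ == "__main__":
    ra = bytes(range(16))          # constructed Request Authenticator (a real NAS uses random bytes)
    secret = b"testing123"         # constructed shared secret
    pkt = build_access_request(7, secret, b"alice", b"hunter2", ra)
    print("right secret :", verify_message_authenticator(pkt, secret))
    print("wrong secret :", verify_message_authenticator(pkt, b"other-secret"))
```

Two details matter for the symptom described above. The Request Authenticator is part of what both the password hiding and the HMAC are computed over, so a NAS that derives its encoding from the secret alone produces values the server cannot reproduce; and the server's check fails closed, so every such packet is logged as an invalid Message-Authenticator rather than being silently accepted.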

6.4.4 3Com and US Robotics Equipment

You may see the following error entry in your log files if you use HiPerArc 4.1.11 equipment from 3Com/US Robotics:

    Wed Jun 19 14:50:32 2002: Error: Accounting: logout: entry for NAS tc-if5 port 1 has wrong ID

The software has a hard time telling FreeRADIUS about its port numbers. The manufacturer has updated firmware available at http://totalservice.usr.com, which you should install immediately. If you're outside the United States, call the Global Response Center at (800) 879489, and they'll assist you with the upgrade.
