Configuring RADIUS Authentication

To successfully enable RADIUS authentication for CLI users and/or clients, the following must be configured:

Configuring RADIUS Servers

To successfully enable RADIUS authentication for CLI users and/or clients, a RADIUS administrator must install and configure up to three RADIUS servers on external host machines that user authentication and access information can be stored on. For information on choosing a host machine and installing the server software, refer to your third-party RADIUS server documentation.

When there are a large number of clients in the Solace messaging network, a RADIUS administrator must configure the RADIUS server to handle the peak rate of client authentication. If this is not done, the RADIUS server can drop the authentication requests, the client connection rate can become drastically reduced as it falls back on slow authentication retries, and the event broker can temporarily consume more connection resources. To troubleshoot this scenario, look at the output of a show radius-profile <profile> stats User EXEC command to ensure that there are no timeouts. Timeouts indicate that the RADIUS server is not configured to handle the peak rate of client authentication.

Assigning RADIUS Domains

To assign a RADIUS domain string for CLI users and/or clients, enter the following command:

solace(configure/authentication/user-class)# radius-domain <radius-domain>

Where:

<radius-domain> is the authentication domain string appended to user names in outgoing RADIUS Access-Requests. For example, testuser@<radius-domain string>.

Configuring RADIUS Profiles

A RADIUS profile contains authentication request retransmit and timeout values and RADIUS authentication configurations for each RADIUS server that the RADIUS profile uses. Each RADIUS profile can use up to three RADIUS servers, and up to ten RADIUS profiles can be configured.

  • To create a new RADIUS profile, enter the following command:
    solace(configure/authentication)# create radius-profile <profile-name>
  • To edit the properties of an existing RADIUS profile, enter the following CONFIG commands:
    solace(configure/authentication)# radius-profile <profile-name> 

Where:

<profile-name> is the name of the RADIUS profile.

The no version of this command, no radius-profile <profile-name>, deletes the given RADIUS profile from the event broker (the RADIUS profile named default, however, cannot be deleted). Before deleting a RADIUS profile:

  • it must be disabled through the shutdown RADIUS Profile Authentication CONFIG command
  • no other configured objects can refer to it

For RADIUS profiles, you can perform any of the following configuration tasks:

Configuring Maximum Retransmit Attempts

Authentication requests are sent to the primary RADIUS host at a set interval, and a request can be retried up to ten times. If no response is received from the primary host and the maximum attempt value is reached, then requests are sent to the secondary host (if provisioned). If no response is received from the secondary host and the maximum attempt value is reached, then requests are sent to the tertiary host (if provisioned). If no response is received from the tertiary host and the maximum attempt value is reached, the process repeats. A Solace PubSub+ message broker only cycles through hosts that are provisioned.

If a request is rejected by any server, it is not retried on other servers.

To set the number of times to retry a request to a RADIUS server, enter the following command:

solace(configure/authentication/radius-profile)# retransmit <attempts> 

Where:

<attempts> is an integer from 1 to 10 that indicates the number of times to retry a request.

Enabling RADIUS Profiles

When you shut down a RADIUS profile, all users and/or clients attempting to authenticate using the RADIUS profile will fail until it is enabled again.

  • To enable the current RADIUS profile on the event broker, enter the following command:
    solace(configure/authentication/radius-profile)# no shutdown
  • To disable the current RADIUS profile on the event broker, enter the following command:
    solace(configure/authentication/radius-profile)# shutdown

RADIUS profiles are disabled by default (that is, not enabled) on Solace PubSub+ event brokers.

Registering RADIUS Servers

To register the connection information for each RADIUS server that the RADIUS profile uses (up to three RADIUS servers can be used), enter the following command for each RADIUS host:

solace(configure/authentication/radius-profile)# radius-server <ip-port> index <server index> key <shared-secret-key>

Where:

<ip-port> is the IP address or fully qualified domain name (FQDN) and port of the RADIUS host. If you set this value using the FQDN of the RADIUS host, be aware that the system must perform a DNS lookup for each connection. In deployments with a large number of client connections, authentication time may increase.

<server index> is the priority index of the host to be provisioned. Valid values are 1, 2, or 3, where 1 is the primary, 2 is the secondary, and 3 is the tertiary. The default is the next available index.

<shared-secret-key> is the shared secret (one or more key words) exchanged between the RADIUS host and Solace PubSub+ event brokers. If the secret key contains spaces, it must be placed inside quotation marks (for example, “shared secret with spaces”). This is a required parameter for new entries.

The no version of this command, no radius-server <ip-port>, deprovisions the RADIUS host and deletes the shared secret key.

Setting Retry Timeouts

To set the time to wait before retrying a request to a RADIUS server, enter the following command:

solace(configure/authentication/radius-profile)# timeout <duration> 

Where:

<duration> is an integer from 1 to 10 that specifies the amount of time in seconds to wait to retry a request.
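As an added illustration (not Solace code), the following Python models the host order, retransmit and timeout rules described under Configuring Maximum Retransmit Attempts and Setting Retry Timeouts with a stubbed RADIUS server, so the wait a client sees when the primary host is silent can be computed. The host addresses and the server responses are constructed.

```python
# Outcomes the stubbed RADIUS host can return for one request.
ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"

def authenticate_with_failover(hosts, respond, retransmit, timeout, max_cycles=2):
    """Walk the provisioned hosts in index order (primary, secondary, tertiary)
    as the page describes: up to `retransmit` attempts per host, waiting
    `timeout` seconds after each unanswered attempt, moving to the next host
    only when the attempt limit is reached, and starting over when the last
    host is exhausted. `respond(host)` stands in for the RADIUS server and
    returns ACCEPT, REJECT or TIMEOUT (a constructed stub, not a socket).
    `max_cycles` bounds the "process repeats" loop for this simulation.
    Returns (outcome, host, seconds_waited, attempts_sent)."""
    if not 1 <= retransmit <= 10 or not 1 <= timeout <= 10:
        raise ValueError("retransmit and timeout are each 1..10 on the broker")
    waited = attempts = 0
    for _ in range(max_cycles):
        for host in hosts:                 # only provisioned hosts are cycled
            for _ in range(retransmit):
                attempts += 1
                outcome = respond(host)
                if outcome == REJECT:
                    # A reject is final: it is not retried on the other servers.
                    return REJECT, host, waited, attempts
                if outcome == ACCEPT:
                    return ACCEPT, host, waited, attempts
                waited += timeout          # no answer: wait before the next attempt
    return TIMEOUT, None, waited, attempts

def worst_case_wait(num_hosts, retransmit, timeout):
    """Seconds a client waits per cycle when every provisioned host is silent."""
    return num_hosts * retransmit * timeout

# Constructed scenario: the primary host is down, the secondary answers.
HOSTS = ["192.168.1.4:1812", "192.168.1.5:1812"]

def primary_down(host):
    return TIMEOUT if host == HOSTS[0] else ACCEPT

if __name__ == "__main__":
    print(authenticate_with_failover(HOSTS, primary_down, retransmit=3, timeout=5))
    print(worst_case_wait(len(HOSTS), 3, 5))
```

A 15-second wait on every client login while the primary is down is what the timeouts in show radius-profile stats point at; lowering retransmit and timeout shortens it at the cost of giving a slow server fewer chances to answer.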

Showing RADIUS Profile Information

To query configuration details on a currently provisioned RADIUS profile, enter the following command:

solace> show radius-profile <profile-name> [detail | stats]

Where:

<profile-name> is the name of the specified RADIUS profile.

detail specifies to show detailed information on the RADIUS profile.

stats specifies to show statistics on the RADIUS profile.

To clear statistics associated with a currently provisioned RADIUS profile, enter the following command:

solace> enable
solace# clear radius-profile <profile-name> stats

RADIUS Server Configuration Example

The following sample session shows how to set the primary RADIUS host to 192.168.1.4:1812 with a shared secret of sharedSecret1, and the secondary host to 192.168.1.5:1812 with a shared secret of sharedSecret2:

solace(configure)# authentication
solace(configure/authentication)# radius-profile solace1
solace(configure/authentication/radius-profile)# radius-server 192.168.1.4:1812 index 1 key sharedSecret1
solace(configure/authentication/radius-profile)# radius-server 192.168.1.5:1812 index 2 key sharedSecret2

The following sample session shows how to display the provisioned RADIUS profile solace1.

RADIUS Attributes Used by Event Brokers

Solace PubSub+ event brokers use the following RADIUS attributes in a RADIUS profile to define specific authentication and authorization elements for users and/or clients. The profile is stored on the RADIUS server. RADIUS messages contain these attributes to communicate information between Solace PubSub+ message brokers and the RADIUS server, such as the supported access levels.

The RADIUS vendor identifier for Solace is 17337.

Access-Request Attributes

The following table lists the RADIUS Access-Request attributes sent from the Solace PubSub+ event broker to the RADIUS server to determine whether a specific user and/or client is allowed event broker access.

RADIUS Access-Request Attributes

Attribute      Type Code   Description
User-Name      1           CLI user or client username, followed by “@<domain name>”, where the domain name is provisionable. The username is not modified if the provisioned domain name is NULL.
User-Password  2           CLI user or client password.
NAS-IP         4           Management interface IP address of the Solace PubSub+ event broker.

Access-Accept Attributes

The following three tables list the RADIUS Access-Accept attributes sent from the RADIUS server to the Solace PubSub+ event broker. The RADIUS Access-Accept message is a reply to an Access-Request message. When the Access‑Accept message is received by the event broker, its contents are examined to determine the action to take.

RADIUS Access-Accept Attributes

Attribute        Type Code   VSA Type   Description
Service-Type     6           n/a        If the value is not Login, the message completes parsing as an Access-Accept but is then treated as an Access-Reject and the connection is terminated. Login is the most generic of the Service-Type values: it states that the user or client should be connected to a server. The other RADIUS-defined values for this field do not adequately define the provided service; instead, vendor-specific attributes are used to determine the type of service to grant.
Vendor-Specific  26          1          User-Type: The value may be cli_user or client_user. For CLI user connections, a VSA value of cli_user User-Type is expected. Any other type results in the termination of the CLI and the SSH session.
Vendor-Specific  26          5          CliGlobalAccessLevel: This is only valid when the User-Type is cli_user. The value may be none, read-only, mesh-manager, read-write, or admin.
Vendor-Specific  26          6          CliDefaultMessageVpnAccessLevel: This is only valid when the User-Type is cli_user. The value may be none, read-only, or read-write.
Vendor-Specific  26          7          CliMessageVpnAccessLevelException: This is only valid when the User-Type is cli_user. The format is <access-level>@<vpn-name>, where access-level may be none, read-only, or read-write. This overrides the default access level specified by CliDefaultMessageVpnAccessLevel.

User-Type VSA Values

Name         Value        Description
cli_user     0x00000002   A CLI user; it is restricted to the event broker’s SSH port. A CliGlobalAccessLevel value may be sent to grant the CLI user a particular access level. This value is a string that must be one of the values listed in the CliGlobalAccess VSA Values table below. If a CliGlobalAccessLevel is not sent, then the CLI user is assigned the privileges specified by the default global access level, as configured on the event broker.
client_user  0x00000003   A client; it is restricted to posting SMF requests.

CliGlobalAccess VSA Values

Name          Description
none          The CLI user has no global access.
read-only     The CLI user is only allowed to perform show commands.
mesh-manager  The CLI user is allowed to perform all show commands and some configuration commands, including all aspects related to client connectivity, mesh connectivity, and client security features.
read-write    The CLI user is allowed to perform all commands except for those related to the creation and modification of CLI user accounts.
admin         The CLI user is allowed to perform all CLI commands.
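As an added example (not Solace code), this Python encodes Solace Vendor-Specific attributes in the RFC 2865 attribute layout using the vendor identifier and VSA types from the tables above, and applies the Access-Accept rules for a CLI session to a decoded reply. Assumptions: User-Type is carried as a 4-byte integer (0x00000002 or 0x00000003) and the access levels as strings, and rejecting an access level outside the value tables is this example's choice, since the page does not say what the broker does in that case.

```python
import struct
SOLACE_VENDOR_ID = 17337                                      # vendor identifier from the page
SERVICE_TYPE, VENDOR_SPECIFIC, SERVICE_TYPE_LOGIN = 6, 26, 1  # RFC 2865 type codes; Login = 1
VSA_USER_TYPE, VSA_CLI_GLOBAL, VSA_CLI_DEFAULT_VPN, VSA_CLI_VPN_EXCEPTION = 1, 5, 6, 7
USER_TYPES = {0x00000002: "cli_user", 0x00000003: "client_user"}
GLOBAL_LEVELS = {None, "none", "read-only", "mesh-manager", "read-write", "admin"}  # None = not sent
VPN_LEVELS = {None, "none", "read-only", "read-write"}

def attr(attr_type: int, value: bytes) -> bytes:              # RFC 2865 Type, Length, Value
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def solace_vsa(vendor_type: int, value: bytes) -> bytes:      # Vendor-Specific (26) holding one Solace VSA
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", SOLACE_VENDOR_ID) + sub)

def parse_attrs(data: bytes):
    """Yield (type, value); Solace VSAs are returned as (("vsa", vendor_type), value)."""
    i = 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        v = data[i + 2:i + length]
        if t == VENDOR_SPECIFIC and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == SOLACE_VENDOR_ID:
            yield ("vsa", v[4]), v[6:4 + v[5]]                # vendor type, vendor length, value
        else:
            yield t, v
        i += length

def cli_access_decision(reply_attrs: bytes) -> dict:         # the page's Access-Accept rules for a CLI session
    service = user_type = global_level = default_vpn = None
    exceptions = {}
    for t, v in parse_attrs(reply_attrs):
        if t == SERVICE_TYPE:
            service = struct.unpack("!I", v)[0]
        elif t == ("vsa", VSA_USER_TYPE):
            user_type = USER_TYPES.get(struct.unpack("!I", v)[0])
        elif t == ("vsa", VSA_CLI_GLOBAL):
            global_level = v.decode()
        elif t == ("vsa", VSA_CLI_DEFAULT_VPN):
            default_vpn = v.decode()
        elif t == ("vsa", VSA_CLI_VPN_EXCEPTION):
            level, _, vpn = v.decode().partition("@")         # "<access-level>@<vpn-name>"
            exceptions[vpn] = level                           # overrides CliDefaultMessageVpnAccessLevel
    if service != SERVICE_TYPE_LOGIN or user_type != "cli_user":
        return {"accepted": False}                            # treated as Access-Reject: session closed
    bad = ({global_level} - GLOBAL_LEVELS) | ({default_vpn, *exceptions.values()} - VPN_LEVELS)
    if bad:
        raise ValueError("access level outside the value tables: %r" % bad)  # assumed; page does not say
    return {"accepted": True, "global": global_level, "vpn_default": default_vpn, "vpn_exceptions": exceptions}
```

A global level of None in the result means no CliGlobalAccessLevel was sent, so the broker's configured default global access level applies.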

Access-Reject Attributes

The following table lists the RADIUS Access-Reject attributes sent from the RADIUS server to the Solace PubSub+ event broker when an unauthorized CLI user is identified.

RADIUS Access-Reject Attributes

Attribute      Type Code   Description
Reply-Message  18          Upon receipt of an Access-Reject message, the Solace PubSub+ event broker closes the SSH session.