Configuring RADIUS Authentication
To successfully enable RADIUS authentication for CLI users and/or clients, the following must be configured:
- on external host machines, up to three RADIUS servers (refer to Configuring RADIUS Servers)
- on the Solace PubSub+ event broker:
  - RADIUS domains (refer to Assigning RADIUS Domains)
  - RADIUS profiles (refer to Configuring RADIUS Profiles)
Configuring RADIUS Servers
To successfully enable RADIUS authentication for CLI users and/or clients, a RADIUS administrator must install and configure up to three RADIUS servers on external host machines; these servers hold the user authentication and access information. For information on choosing a host machine and installing the server software, refer to your third-party RADIUS server documentation.
When there are a large number of clients in the Solace messaging network, a RADIUS administrator must configure the RADIUS server to handle the peak rate of client authentication. If this is not done, the RADIUS server can drop authentication requests, the client connection rate can become drastically reduced as clients fall back on slow authentication retries, and the event broker can temporarily consume more connection resources. To troubleshoot this scenario, look at the output of the show radius-profile <profile> stats User EXEC command and confirm that there are no timeouts. Timeouts indicate that the RADIUS server is not configured to handle the peak rate of client authentication.
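As an added illustration of that check (example code written for this page, not part of Solace's documentation or product), the following Python parses the per-host table printed by show radius-profile <profile> stats (the layout shown in the example later on this page) and flags any host whose Timeouts, Server Unavail or Errors counters are nonzero. The sample output is constructed, and the 1% warning threshold is an assumed operating limit rather than a Solace value; the page's own rule is simply "no timeouts".

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, in the layout the broker prints for `show radius-profile <profile> stats`
SAMPLE_STATS = """\
Radius Profile Name: solace1

Host                  | Requests  | Requests  | Timeouts  | Server   | Errors
                      | Accepted  | Rejected  |           | Unavail  |
----------------------+-----------+-----------+-----------+----------+----------
192.168.1.4:1812      | 1200      | 15        | 340       | 2        | 0
192.168.1.5:1812      | 330       | 4         | 0         | 0        | 0
N/A                   | 0         | 0         | 0         | 0        | 0
"""

# host | accepted | rejected | timeouts | unavail | errors  (header and separator lines do not match)
ROW_RE = re.compile(r"^(\S+)\s*\|" + r"\s*(\d+)\s*\|" * 4 + r"\s*(\d+)\s*$")


@dataclass
class HostStats:
    host: str
    accepted: int
    rejected: int
    timeouts: int
    unavailable: int
    errors: int

    @property
    def timeout_ratio(self) -> float:
        """Share of requests that got no answer in time; anything above zero is what the page warns about."""
        total = self.accepted + self.rejected + self.timeouts
        return self.timeouts / total if total else 0.0


def parse_stats(text: str) -> List[HostStats]:
    hosts = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                      # profile name, column headers, separator
        host, *counters = m.groups()
        if host == "N/A":
            continue                      # server index with nothing provisioned
        hosts.append(HostStats(host, *map(int, counters)))
    return hosts


def capacity_findings(hosts: List[HostStats], warn_ratio: float = 0.01) -> List[str]:
    """warn_ratio is an assumed threshold for this example, not a Solace setting."""
    findings = []
    for h in hosts:
        if h.timeouts and h.timeout_ratio >= warn_ratio:
            findings.append(f"{h.host}: {h.timeouts} timeouts ({h.timeout_ratio:.1%} of requests); "
                            "size the RADIUS server for the peak client authentication rate")
        if h.unavailable:
            findings.append(f"{h.host}: Server Unavail counter is {h.unavailable}; "
                            "the broker counted this host as unavailable")
        if h.errors:
            findings.append(f"{h.host}: {h.errors} errors; check the server-side log for the cause")
    return findings


if __name__ == "__main__":
    for finding in capacity_findings(parse_stats(SAMPLE_STATS)):
        print(finding)
```

Run it against a pasted copy of the real command output; a clean profile produces no findings, and a host that is dropping requests at peak shows up with its timeout share so the capacity problem can be separated from a plain unreachable host.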
Assigning RADIUS Domains
To assign a RADIUS domain string for CLI users and/or clients, enter the following command:
solace(configure/authentication/user-class)# radius-domain <radius-domain>
Where:
<radius-domain>
is the authentication domain string appended to user names in outgoing RADIUS Access-Requests. For example, testuser@<radius-domain string>.
Configuring RADIUS Profiles
A RADIUS profile contains the authentication request retransmit and timeout values, together with the RADIUS authentication configuration for each RADIUS server that the profile uses. Each RADIUS profile can use up to three RADIUS servers, and up to ten RADIUS profiles can be configured.
- To create a new RADIUS profile, enter the following command:
solace(configure/authentication)# create radius-profile <profile-name>
- To edit the properties of an existing RADIUS profile, enter the following CONFIG commands:
solace(configure/authentication)# radius-profile <profile-name>
Where:
<profile-name>
is the name of the RADIUS profile.
The no version of this command, no radius-profile <profile-name>, deletes the given RADIUS profile from the event broker (the RADIUS profile named default, however, cannot be deleted). Before deleting a RADIUS profile:
- it must be disabled through the shutdown RADIUS Profile Authentication CONFIG command
- no other configured objects can refer to it
For RADIUS profiles, you can perform any of the following configuration tasks:
- Configuring Maximum Retransmit Attempts
- Enabling RADIUS Profiles
- Registering RADIUS Servers
- Setting Retry Timeouts
Configuring Maximum Retransmit Attempts
Authentication requests are sent to the primary RADIUS host according to the set interval, and a request can be retried up to ten times. If no response is received from the primary host and the maximum attempt value is reached, then requests are sent to the secondary host (if provisioned). If no response is received from the secondary host and the maximum attempt value is reached, then requests are sent to the tertiary host (if provisioned). If no response is received from the tertiary host and the maximum attempt value is reached, the process repeats. A Solace PubSub+ event broker only cycles through hosts that are provisioned.
If a request is rejected by any server, it is not retried on other servers.
To set the number of times to retry a request to a RADIUS server, enter the following command:
solace(configure/authentication/radius-profile)# retransmit <attempts>
Where:
<attempts>
is an integer from 1 to 10 that indicates the number of times to retry a request.
Enabling RADIUS Profiles
When you shut down a RADIUS profile, all users and/or clients attempting to authenticate using that RADIUS profile will fail until it is enabled again.
- To enable the current RADIUS profile on the event broker, enter the following command:
solace(configure/authentication/radius-profile)# no shutdown
- To disable the current RADIUS profile on the event broker, enter the following command:
solace(configure/authentication/radius-profile)# shutdown
RADIUS profiles are disabled by default (that is, not enabled) on Solace PubSub+ event brokers.
Registering RADIUS Servers
To register the connection information for each RADIUS server that the RADIUS profile uses (up to three RADIUS servers can be used), enter the following command for each RADIUS host:
solace(configure/authentication/radius-profile)# radius-server <ip-port> index <server index> key <shared-secret-key>
Where:
<ip-port>
is the IP address or fully qualified domain name (FQDN) and port of the RADIUS host. If you set this value using the FQDN of the RADIUS host, be aware that the system must perform a DNS lookup for each connection. In deployments with a large number of client connections, authentication time may increase.
<server index>
is the priority index of the host to be provisioned. Valid values are 1, 2, or 3, where 1 is the primary, 2 is the secondary, and 3 is the tertiary. The default is the next available index.
<shared-secret-key>
is the shared secret key exchanged between the RADIUS host and Solace PubSub+ event brokers. If the secret key contains spaces, it must be placed inside quotation marks (for example, “shared secret with spaces”). This is a required parameter for new entries. The same secret must be configured on the RADIUS server for this client; it is the key with which the broker hides the User-Password attribute and the server signs its replies, so use a long, unique secret per host rather than one shared across the fleet.
The no version of this command, no radius-server <ip-port>, deprovisions the RADIUS host and deletes the shared secret key.
Setting Retry Timeouts
To set the time to wait before retrying a request to a RADIUS server, enter the following command:
solace(configure/authentication/radius-profile)# timeout <duration>
Where:
<duration>
is an integer from 1 to 10 that specifies the number of seconds to wait for a response before retrying a request.
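To make the retransmit and timeout behaviour from the previous two sections concrete, here is an added Python model of the host walk the broker performs (example code written for this page, not Solace's implementation): each provisioned host is tried up to <attempts> times, each attempt waits <duration> seconds, an Accept or Reject reply ends the process immediately, and only a silent host causes the move to the next index. The page says the cycle repeats when the tertiary host is also silent; the model bounds that with an assumed max_cycles parameter so the function terminates. Server behaviour is scripted, not real RADIUS traffic.

```python
from typing import Callable, List, Optional, Tuple

Reply = Optional[str]            # "accept", "reject", or None when the host does not answer
Server = Tuple[str, Callable[[], Reply]]


def scripted(*replies: Reply) -> Callable[[], Reply]:
    """Constructed server behaviour: returns the scripted replies in order, then repeats the last one."""
    it = iter(replies)
    return lambda: next(it, replies[-1])


def authenticate(servers: List[Server], retransmit: int, timeout: int, max_cycles: int = 1):
    """Walk the provisioned hosts in index order (primary, secondary, tertiary).

    Returns (outcome, seconds_waited, trace). outcome is "accept", "reject" or
    "unavailable"; trace lists (host, attempt, reply) in the order tried.
    max_cycles is an assumed bound on the page's "the process repeats".
    """
    if not (1 <= retransmit <= 10 and 1 <= timeout <= 10):
        raise ValueError("retransmit and timeout each take an integer from 1 to 10")
    trace, waited = [], 0
    for _ in range(max_cycles):
        for host, send in servers:
            for attempt in range(1, retransmit + 1):
                reply = send()
                trace.append((host, attempt, reply or "timeout"))
                if reply in ("accept", "reject"):
                    return reply, waited, trace   # a Reject is final: it is never retried on another host
                waited += timeout                  # no reply within <duration> seconds: retransmit
    return "unavailable", waited, trace


def worst_case_wait(servers: list, retransmit: int, timeout: int, max_cycles: int = 1) -> int:
    """Seconds a client can hang before the broker gives up when every provisioned host is silent."""
    return len(servers) * retransmit * timeout * max_cycles


if __name__ == "__main__":
    primary, secondary = "192.168.1.4:1812", "192.168.1.5:1812"
    # primary dead, secondary healthy: 3 timeouts (15 s), then Accept from the secondary
    print(authenticate([(primary, scripted(None)), (secondary, scripted("accept"))], retransmit=3, timeout=5))
    # primary answers Reject: no failover, the client is refused at once
    print(authenticate([(primary, scripted("reject")), (secondary, scripted("accept"))], retransmit=3, timeout=5))
    # both dead at the default retransmit 3 / timeout 5 seen in the show output below: 30 s of hang
    print(worst_case_wait([(primary, None), (secondary, None)], 3, 5))
```

The worst_case_wait figure is the number to keep in mind when choosing the two values: with three hosts provisioned at the maximum retransmit 10 and timeout 10, a client whose RADIUS servers are all unreachable waits 300 seconds per cycle, which is the "connection resources" effect described under Configuring RADIUS Servers.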
Showing RADIUS Profile Information
To query configuration details on a currently provisioned RADIUS profile, enter the following command:
solace> show radius-profile <profile-name> [detail | stats]
Where:
<profile-name>
is the name of the specified RADIUS profile.
detail
specifies to show detailed information on the RADIUS profile.
stats
specifies to show statistics on the RADIUS profile.
To clear statistics associated with a currently provisioned RADIUS profile, enter the following command:
solace> enable
solace# clear radius-profile <profile-name> stats
RADIUS Server Configuration Example
The following sample session shows how to set the primary RADIUS host to 192.168.1.4:1812 with a shared secret of sharedSecret1, and the secondary host to 192.168.1.5:1812 with a shared secret of sharedSecret2. The commands omit the port, so the broker uses the standard RADIUS authentication port 1812, as the show output that follows confirms:
solace(configure)# authentication
solace(configure/authentication)# radius-profile solace1
solace(configure/authentication/radius-profile)# radius-server 192.168.1.4 index 1 key sharedSecret1
solace(configure/authentication/radius-profile)# radius-server 192.168.1.5 index 2 key sharedSecret2
The following sample session shows how to display the provisioned RADIUS profile solace1.

solace> show radius-profile solace1

Radius Profile Name: solace1
Shutdown:            Yes
Retransmit:          3 attempts/server
Timeout:             5 secs/attempt

Index | Radius Servers
------+----------------------------
    1 | 192.168.1.4:1812
    2 | 192.168.1.5:1812
    3 | N/A

solace> show radius-profile solace1 stats

Radius Profile Name: solace1

Host                  | Requests  | Requests  | Timeouts  | Server   | Errors
                      | Accepted  | Rejected  |           | Unavail  |
----------------------+-----------+-----------+-----------+----------+----------
192.168.1.4:1812      | 0         | 0         | 0         | 0        | 0
192.168.1.5:1812      | 0         | 0         | 0         | 0        | 0
N/A                   | 0         | 0         | 0         | 0        | 0

solace> show radius-profile solace1 detail

Radius Profile Name: solace1
Shutdown:            Yes
Retransmit:          3 attempts/server
Timeout:             5 secs/attempt

Radius Server:
  Host: 192.168.1.4:1812
  Index 1
  -------- Last reply message --------
  ------------------------------------

Radius Server:
  Host: 192.168.1.5:1812
  Index 2
  -------- Last reply message --------
  ------------------------------------

Radius Server:
  Host: N/A
  Index 3
  -------- Last reply message --------
  ------------------------------------
RADIUS Attributes Used by Event Brokers
Solace PubSub+ event brokers use the following RADIUS attributes in a RADIUS profile to define specific authentication and authorization elements for users and/or clients. The profile is stored on the RADIUS server. RADIUS messages carry these attributes to communicate information between Solace PubSub+ event brokers and the RADIUS server, such as the supported access levels.
The RADIUS vendor identifier for Solace is 17337.
Access-Request Attributes
The following table lists the RADIUS Access-Request attributes sent from the Solace PubSub+ event broker to the RADIUS server to determine whether a specific user and/or client is allowed event broker access.
Attribute | Type Code | Description
---|---|---
User-Name | 1 | CLI user or client username, followed by “@<domain name>”, where the domain name is provisionable. The username is not modified if the provisioned domain name is NULL.
User-Password | 2 | CLI user or client password (hidden with the shared secret as RADIUS requires, not sent in clear text).
NAS-IP-Address | 4 | Management interface IP address of the Solace PubSub+ event broker.
Access-Accept Attributes
The following three tables list the RADIUS Access-Accept attributes sent from the RADIUS server to the Solace PubSub+ event broker. The RADIUS Access-Accept message is a reply to an Access-Request message. When the Access‑Accept message is received by the event broker, its contents are examined to determine the action to take.
Attribute | Type Code | Vendor Specific Attribute (VSA) Type | Description
---|---|---|---
Service-Type | 6 | n/a | If value is not
Vendor-Specific | 26 | 1 | For CLI user connections, a VSA value of
 | | 5 |
 | | 6 |
 | | 7 |
Name | Value | Description
---|---|---
cli_user | 0x00000002 | A CLI user; it is restricted to the event broker’s SSH port. A
client_user | 0x00000003 | A client; it is restricted to posting SMF requests.
Name | Description
---|---
none | The CLI user has no global access.
read-only | The CLI user is only allowed to perform show commands.
read-write | The CLI user is allowed to perform all commands except for those related to the creation and modification of CLI user accounts.
admin | The CLI user is allowed to perform all CLI commands.
Access-Reject Attributes
The following table lists the RADIUS Access-Reject attributes sent from the RADIUS server to the Solace PubSub+ event broker when an unauthorized CLI user is identified.
Attribute | Type Code | Description
---|---|---
Reply-Message | 18 | Upon receipt of an Access-Reject message, the Solace PubSub+ event broker closes the SSH session.
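The Access-Request, Access-Accept and Access-Reject tables above describe the exchange only at the attribute level. The following added Python (example code written for this page, not Solace's or any RADIUS server's implementation) builds an Access-Request carrying exactly the three attributes the broker sends (User-Name with the @domain suffix, User-Password hidden per RFC 2865 with the shared secret, NAS-IP-Address), then constructs and parses an Access-Accept and an Access-Reject as a server holding the same secret would produce them. Before any attribute is trusted, the parser verifies the RFC 2865 Response Authenticator, which is the check that ties a reply to the secret configured with radius-server ... key; a reply built with a different secret is thrown away. The pairing of Solace VSA type 1 with the cli_user/client_user values is an assumption drawn from the fragmented table above, and the user, password, secret and NAS address are constructed sample values.

```python
import hashlib
import hmac
import os
import socket
import struct

# RFC 2865 packet codes and the attribute types listed on this page
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, VENDOR_SPECIFIC = 1, 2, 4, 18, 26
SOLACE_VENDOR_ID = 17337
# Assumption (see lead-in): Solace VSA type 1 carries the user type from the page's table.
USER_TYPE_VSA = 1
USER_TYPES = {0x00000002: "cli_user", 0x00000003: "client_user"}


def encode_attr(atype: int, value: bytes) -> bytes:
    """Type (1) | Length (1, includes the 2-byte header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    """Vendor-Specific (26): Vendor-Id (4) | vendor type (1) | vendor length (1) | value."""
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vtype, len(value) + 2) + value)


def _password_stream(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    # RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext block);
    # the first block is keyed with the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if hiding else data[i:i + 16]
    return out


def hide_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    p = password.encode()
    return _password_stream(p + b"\x00" * (-len(p) % 16), secret, authenticator, hiding=True)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    return _password_stream(hidden, secret, authenticator, hiding=False).rstrip(b"\x00").decode()


def build_access_request(ident, username, password, domain, nas_ip, secret, authenticator=None):
    """Broker side: User-Name (with @domain when a radius-domain is set), User-Password, NAS-IP-Address."""
    authenticator = authenticator or os.urandom(16)
    name = f"{username}@{domain}" if domain else username      # unchanged when the domain is NULL
    attrs = (encode_attr(USER_NAME, name.encode())
             + encode_attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + encode_attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_reply(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def parse_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def parse_reply(reply: bytes, request: bytes, secret: bytes) -> dict:
    """Verify the reply against the request and shared secret, then extract what the broker acts on."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        raise ValueError("reply does not match request")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: reply was not produced with the shared secret")
    result = {"code": {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, code),
              "reply_message": None, "vsa": {}, "user_type": None}
    for atype, value in parse_attrs(reply[20:]):
        if atype == REPLY_MESSAGE:
            result["reply_message"] = value.decode(errors="replace")
        elif atype == VENDOR_SPECIFIC and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == SOLACE_VENDOR_ID:
            j = 4
            while j + 2 <= len(value):                  # several sub-attributes may share one VSA
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("malformed VSA")
                result["vsa"][vtype] = value[j + 2:j + vlen]
                j += vlen
    raw = result["vsa"].get(USER_TYPE_VSA)
    if raw is not None and len(raw) == 4:
        result["user_type"] = USER_TYPES.get(struct.unpack("!I", raw)[0], "unknown")
    return result
```

Two things worth noticing when running it: the User-Password attribute on the wire is never the clear-text password, but its protection is only as strong as the shared secret, which is why the key value matters; and a reply that fails the Response Authenticator check is discarded before its Service-Type or VSA contents are looked at, so an attacker who can spoof UDP from the server's address but does not hold the secret cannot hand out a cli_user or admin result.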