
...


...

Install the RADIUS Packages

The RADIUS packages are not included in the base Cumulus Linux image; there is no RADIUS metapackage.

...

  • The PAM configuration is modified automatically using pam-auth-update (8), and the NSS configuration file /etc/nsswitch.conf is modified to add the mapuser and mapuid plugins. If you remove or purge the packages, these files are modified to remove the configuration for these plugins.
  • The radius_shell package is added, which installs the /sbin/radius_shell program (a setcap cap_setuid binary) used as the login shell for RADIUS accounts. The shell adjusts the UID when needed, then runs the bash shell with the same arguments. When installed, the package changes the shell of the RADIUS accounts to /sbin/radius_shell, and to /bin/shell if the package is removed. This package is required to enable privileged RADIUS users; it is not required for regular RADIUS client use.
  • The radius_user account is added to the netshow group and the radius_priv_user account to the netedit and sudo groups. This change enables all RADIUS logins to run NCLU net show commands and all privileged RADIUS users to also run net add, net del, and net commit commands, and to use sudo.

...

Configure the RADIUS Client

To configure the RADIUS client, edit the /etc/pam_radius_auth.conf file:

...


As an optional step, you can set PAM configuration keywords by editing the /usr/share/pam-configs/radius file. After you edit the file, you must run the pam-auth-update --package command. PAM configuration keywords are described in the pam_radius_auth (8) man page.

...

Enable Login without Local Accounts

Because LDAP is not commonly used with switches and adding accounts locally is cumbersome, Cumulus Linux includes a mapping capability with the libnss-mapuser package.

...

  1. Add a local privileged user account. For example, if the radius_priv_user account in the /etc/passwd file is radius_priv_user:x:1002:1001::/home/radius_priv_user:/sbin/radius_shell, run the following command to add a local privileged user account named johnadmin:

     cumulus@switch:~$ sudo useradd -u 1002 -g 1001 -o -s /sbin/radius_shell johnadmin

  2. To enable the local privileged user to run sudo and NCLU commands, run the following commands:

     cumulus@switch:~$ sudo adduser johnadmin netedit
     cumulus@switch:~$ sudo adduser johnadmin sudo
     cumulus@switch:~$ sudo systemctl restart netd

  3. Edit the /etc/passwd file to move the local user line before the radius_priv_user line:

     cumulus@switch:~$ sudo vi /etc/passwd
     ...
     johnadmin:x:1002:1001::/home/johnadmin:/sbin/radius_shell
     radius_priv_user:x:1002:1001::/home/radius_priv_user:/sbin/radius_shell

  4. To set the local password for the local user, run the following command:

     cumulus@switch:~$ sudo passwd johnadmin
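Step 3 and the shared UID are the parts of this procedure that are easy to get wrong by hand, so the following added example (not from the Cumulus documentation) reorders a passwd-style file so the local user's line precedes the radius_priv_user line, and audits that the local user shares radius_priv_user's UID and GID and uses /sbin/radius_shell. It operates on a file path you pass in, so it can be exercised on a copy; the file contents in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the Cumulus docs. Both functions take a passwd-style
# FILE (e.g. a copy of /etc/passwd) and a LOCAL_USER name (e.g. johnadmin).

# Move the LOCAL_USER line so it sits directly in front of the radius_priv_user
# line. First pass captures the user's line, second pass re-emits the file with
# that line inserted before radius_priv_user (or appended if that account is absent).
move_before_priv() {
  file=$1; user=$2
  tmp=$(mktemp) || return 1
  awk -F: -v u="$user" '
    NR == FNR { if ($1 == u) saved = $0; next }          # pass 1: remember the line
    $1 == u { next }                                      # pass 2: drop it from its old place
    $1 == "radius_priv_user" && saved != "" { print saved; saved = "" }
    { print }
    END { if (saved != "") print saved }
  ' "$file" "$file" > "$tmp" && cat "$tmp" > "$file"      # cat keeps the file's mode and inode
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Audit: succeed only when LOCAL_USER appears before radius_priv_user, shares its
# UID and GID, and uses /sbin/radius_shell, so lookups of that UID resolve to the
# local name while the privileged RADIUS mapping keeps working.
check_priv_mapping() {
  awk -F: -v u="$2" '
    $1 == u { uline = NR; uid = $3; gid = $4; shell = $7 }
    $1 == "radius_priv_user" { pline = NR; puid = $3; pgid = $4 }
    END {
      ok = (uline && pline && uline < pline && uid == puid && gid == pgid &&
            shell == "/sbin/radius_shell")
      exit ok ? 0 : 1
    }' "$1"
}
```

Run check_priv_mapping against the live file after editing it; a non-zero status means the local privileged account will not take precedence over radius_priv_user.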

...

Verify RADIUS Client Configuration

To verify that the RADIUS client is configured correctly, log in as a non-privileged user and run a net add interface command.

...

admin@leaf01:~$ net add interface swp1
admin@leaf01:~$ net pending
--- /etc/network/interfaces    2018-04-06 14:49:33.099331830 +0000
+++ /var/run/nclu/iface/interfaces.tmp    2018-04-06 16:01:16.057639999 +0000
@@ -3,10 +3,13 @@

 source /etc/network/interfaces.d/*.intf

 # The loopback network interface
 auto lo
 iface lo inet loopback

 # The primary network interface
 auto eth0
 iface eth0 inet dhcp
+
+auto swp1
+iface swp1
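Review bot: the outcome this session is meant to demonstrate is not stated. The text above asks for the check to be run as a non-privileged user, and the package notes say non-privileged RADIUS logins are only added to the netshow group (net show only), yet the session shows admin@leaf01 successfully staging `+auto swp1` / `+iface swp1` with net add and net pending. Say explicitly which result indicates a correct configuration (the staging succeeding, or a later net commit being refused), and show the end of the output instead of cutting the hunk off at `...`.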
...


...

Remove RADIUS Client Packages

Remove the RADIUS packages with the following command:

...