Hello.
We want to authenticate user access to RUTX(50) via Windows Radius (NPS)
The solution according to the documentation requires the user to be created on the Teltonika router. However, we want to authenticate all users via NPS > LDAP. This works without any problems for Cisco and HPE clients. What can we do?
Hi,
got the same request, the ability to authenticate user on TSW202 or RUT-2X via Windows Server against a LDAP group, it’s quite pointless to create a local user and then authenticate against a remote server…
Hello @service-wan @AMB ,
Thank you for your suggestion. I have forwarded it to our RnD team, and I will keep you updated as soon as I receive any feedback regarding this matter.
Best regards,
Hello.
What's the status of troubleshooting?
Hello,
I don’t have any updates from the developers at the moment, but they are aware that this feature is important to our clients. I believe it will be implemented in the future.
Thank you for your understanding.
Best regards,
Hello @service-wan @AMB,
I received feedback from the developers regarding WebUI/SSH authentication with RADIUS. They confirmed that RADIUS authentication is possible without local users.
Steps to Set Up RADIUS Authentication:
- Set up a FreeRADIUS server and define users with the Management-Privilege-Level attribute. Example:

```
demo	Cleartext-Password := "demo123"
	Management-Privilege-Level := 1
demo1	Cleartext-Password := "demo123"
	Management-Privilege-Level := 2
demo3	Cleartext-Password := "demo123"
	Management-Privilege-Level := 3
```

- Configure WebUI and SSH PAM instances to use the FreeRADIUS server.
- Enable the "Enable for all users" option on both PAM instances.
- Verify that users who do not exist locally can log in and have the correct user group assigned.
Configuration example for WebUI:
The Management-Privilege-Level values can be set for each group inside the /etc/config/rpcd configuration file if needed. If you want to disable a group, simply remove the option.
By default, group values are:
- 1 - user
- 2 - admin
- 3 - root
- For failover to local users, configure two WebUI PAM instances.
- WebUI Radius PAM configuration:
- WebUI Local PAM configuration:
Configuration example for SSH:
- The RADIUS server must send Management-Privilege-Level = 3 for login to succeed.
- If the user does not exist locally and no Management-Privilege-Level is provided, login will be denied.
- Failover works similarly to WebUI. If the RADIUS server is unavailable, local users can be used as a fallback.
- Create two SSH instances—one for RADIUS authentication and one for local fallback:
- SSH Radius settings:
- SSH Local settings for fallback:
Windows NPS Configuration:
It is also possible to configure authentication using Windows NPS.
The required attribute is defined in RFC 5607, Section 6.4: RFC 5607 - Remote Authentication Dial-In User Service (RADIUS) Authorization for Network Access Server (NAS) Management

A summary of the Management-Privilege-Level (136) Attribute format is shown below. The fields are transmitted from left to right.

```
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```

- Type: 136 for Management-Privilege-Level.
- Length: 6
- Value: The Value field is a four-octet Integer, denoting a management privilege level.

You can find detailed instructions on configuring this attribute for Microsoft NPS RADIUS Server here: NPS support for Radius Attribute 136 Management-Privilege-Level - Microsoft Q&A

The RADIUS server must send an Access-Accept response regardless of the Management-Privilege-Level attribute. However, if the attribute is missing in the Access-Accept response, the router will reject the login, even if Access-Accept is received. This is explicitly stated in RFC 5607, Section 6.4.
Best regards,
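To make the attribute format and the router's decision rules from the post above concrete, here is an added example (not Teltonika's code) that encodes and parses the RFC 5607 Management-Privilege-Level TLV and models the login outcome for WebUI and SSH; the attribute blobs, the User-Name/Reply-Message values and the `decide_login` helper are constructed here for illustration.

```python
import struct
from typing import List, Optional, Tuple

MGMT_PRIV_LEVEL = 136  # attribute Type from RFC 5607, Section 6.4
USER_NAME, REPLY_MESSAGE = 1, 18  # standard RADIUS attribute types used only as filler

# Default level-to-group mapping quoted in the post (/etc/config/rpcd)
PRIV_LEVEL_GROUPS = {1: "user", 2: "admin", 3: "root"}


def encode_mgmt_priv_level(level: int) -> bytes:
    """Type=136, Length=6, Value=four-octet big-endian integer."""
    if not 0 <= level <= 0xFFFFFFFF:
        raise ValueError("level must fit in four octets")
    return struct.pack("!BBI", MGMT_PRIV_LEVEL, 6, level)


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list (Type, Length, Value) and reject malformed lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def decide_login(accept: bool, attrs: bytes, service: str) -> Tuple[bool, Optional[str]]:
    """Model the behaviour described in the post (hypothetical helper):
    Access-Reject -> deny; Access-Accept without a valid level -> deny;
    WebUI maps the level to a group; SSH only accepts level 3."""
    if not accept:
        return False, None
    values = [v for t, v in parse_attributes(attrs) if t == MGMT_PRIV_LEVEL]
    if not values or len(values[0]) != 4:
        return False, None  # Access-Accept alone is not enough
    level = struct.unpack("!I", values[0])[0]
    if service == "ssh":
        return (level == 3, "root" if level == 3 else None)
    group = PRIV_LEVEL_GROUPS.get(level)
    return (group is not None, group)


# Constructed sample Access-Accept attribute lists (not captured traffic)
ACCEPT_ADMIN = (struct.pack("!BB", USER_NAME, 7) + b"demo1"
                + encode_mgmt_priv_level(2))
ACCEPT_NO_LEVEL = struct.pack("!BB", REPLY_MESSAGE, 4) + b"ok"
```

Run it against the FreeRADIUS users above: `demo1` (level 2) is admitted to the WebUI as `admin` but refused on SSH, and an Access-Accept that carries no attribute 136 is refused everywhere.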