RADIUS authentication via Windows NPS

Hello @service-wan @AMB,

I received feedback from the developers regarding WebUI/SSH authentication with RADIUS. They confirmed that RADIUS authentication is possible without local users.

Steps to Set Up RADIUS Authentication:

  1. Set up a FreeRADIUS server and define users with the Management-Privilege-Level attribute. Example:

       demo     Cleartext-Password := "demo123"
                Management-Privilege-Level := 1

       demo1    Cleartext-Password := "demo123"
                Management-Privilege-Level := 2

       demo3    Cleartext-Password := "demo123"
                Management-Privilege-Level := 3

  2. Configure WebUI and SSH PAM instances to use the FreeRADIUS server.
  3. Enable the Enable for all users option on both PAM instances.
  4. Verify that users who do not exist locally can log in and have the correct user group assigned.

Configuration example for WebUI:

The Management-Privilege-Level values can be set for each group inside the /etc/config/rpcd configuration file if needed. If you want to disable a group, simply remove the option.

By default group values are:

  • 1 - user
  • 2 - admin
  • 3 - root
  1. For failover to local users configure two WebUI PAM instances.

  2. WebUI Radius PAM configuration:

  3. WebUI Local PAM configuration:

Configuration example for SSH:

  • The RADIUS server must send Management-Privilege-Level = 3 for login to succeed.
  • If the user does not exist locally and no Management-Privilege-Level is provided, login will be denied.
  • Failover works similarly to WebUI. If the RADIUS server is unavailable, local users can be used as a fallback.
  1. Create two SSH instances, one for RADIUS authentication and one for local fallback.

  2. SSH Radius settings:

  3. SSH Local settings for fallback:

Windows NPS Configuration:

It is also possible to configure authentication using Windows NPS.

The required attribute is defined in RFC 5607, Section 6.4: RFC 5607 - Remote Authentication Dial-In User Service (RADIUS) Authorization for Network Access Server (NAS) Management

   A summary of the Management-Privilege-Level (136) Attribute format is
   shown below.  The fields are transmitted from left to right.


        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |     Type      |    Length     |             Value
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                  Value (cont)         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

       Type

          136 for Management-Privilege-Level.

       Length

          6

       Value

          The Value field is a four-octet Integer, denoting a management
          privilege level.

You can find detailed instructions on configuring this attribute for Microsoft NPS RADIUS Server here: NPS support for Radius Attribute 136 Management-Privilege-Level - Microsoft Q&A

The RADIUS server must send an Access-Accept response regardless of the Management-Privilege-Level attribute. However, if the attribute is missing in the Access-Accept response, the router will reject the login, even if Access-Accept is received. This is explicitly stated in RFC 5607, Section 6.4.

Best regards,
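As an added example (not code from this post or from the router firmware), a small Python checker that applies the rule described above to a RADIUS Access-Accept: walk the Type/Length/Value attributes after the 20-byte header, require attribute 136 with a four-octet value, map it onto the default groups (1 user, 2 admin, 3 root), and deny when the attribute is absent or, for the SSH case, not equal to 3. The packets it checks are constructed inline with a dummy authenticator.

```python
import struct
from typing import List, Optional, Tuple

MGMT_PRIV_LEVEL = 136      # attribute Type from RFC 5607, Section 6.4
ACCESS_ACCEPT = 2          # RADIUS packet code for Access-Accept (RFC 2865)
GROUPS = {1: "user", 2: "admin", 3: "root"}   # default group values from the post


def parse_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk the Type/Length/Value attributes that follow the 20-byte RADIUS header."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def decide_login(packet: bytes, required_level: Optional[int] = None) -> Tuple[bool, Optional[str]]:
    """Return (allowed, group). Mirrors the post: Access-Accept alone is not enough,
    attribute 136 must be present; required_level=3 models the SSH rule."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return False, None
    levels = [v for t, v in parse_attributes(packet[20:]) if t == MGMT_PRIV_LEVEL]
    if not levels:
        return False, None                     # accepted by RADIUS, but no 136: deny
    if len(levels[0]) != 4:                    # Length 6 means a four-octet Integer
        raise ValueError("Management-Privilege-Level must be 4 octets")
    level = struct.unpack("!I", levels[0])[0]  # network byte order, as in the RFC diagram
    group = GROUPS.get(level)
    if group is None or (required_level is not None and level != required_level):
        return False, group
    return True, group


def build_accept(level: Optional[int]) -> bytes:
    """Constructed sample Access-Accept (dummy authenticator) for offline testing."""
    attrs = bytes([18, 4]) + b"ok"             # Reply-Message (18), so 136 must be found among others
    if level is not None:
        attrs += struct.pack("!BBI", MGMT_PRIV_LEVEL, 6, level)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    for lvl in (1, 2, 3, None):
        print(lvl, decide_login(build_accept(lvl)), "ssh:", decide_login(build_accept(lvl), 3))
```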