Method: RADIUS authentication and authorization


RADIUS (Remote Authentication Dial-In User Service) provides central authentication for users.

It is a client-server protocol that runs at the application layer and can use either TCP or UDP as its transport. By default, every user who authenticates successfully has access to all devices without restriction.

Configuration

Step 1 - On the Nodegrid side:

  1. Log in to Nodegrid as admin and go to Security.

  2. Select Authentication and click Add.

  3. Select Radius as the method and enter the IP address of the remote server.
     

  4. Select the Fallback if denied access option. With this option enabled, you can still log in to the Nodegrid with local accounts if authentication against the RADIUS users fails.

  5. Enter the IP address of the Radius accounting server.

    NOTE:

    The accounting server is optional; if no accounting server is available, leave this setting blank.

  6. Enter the secret key and confirm it.

  7. Select the authentication method as one of the following:

    1. PAP (default): PAP (Password Authentication Protocol) is a method that sends the password hashed using MD5.

    2. MSCHAPV2: MSCHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) is a password-based authentication protocol. Users provide their username and password, and MSCHAPv2 uses these credentials to verify their identity. The authentication server sends a random challenge to the client, which responds with a hashed value generated using the challenge and the user’s password. The server verifies this response to authenticate the user.

    3. EAP MSCHAPV2: EAP-MSCHAPv2 (Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2) integrates MSCHAPv2 into the EAP framework for secure authentication. When a user or device attempts to authenticate on a network using EAP-MSCHAPv2, the authentication process follows the MSCHAPv2 protocol. Users provide their username and password, which the authentication server verifies. EAP-MSCHAPv2 enhances security by encapsulating MSCHAPv2 within the EAP framework. This enables secure transport of authentication data and supports mutual authentication, where both the client and the server verify each other’s identities.

  8. Select the Require Message Authenticator checkbox. When this option is enabled, the RADIUS authentication server is required to include a Message-Authenticator attribute in all authentication packets.

    CLI method to configure the authentication method:

    [admin@nodegrid /]# cd settings/authentication/servers/
    [admin@nodegrid servers]# add
    [admin@nodegrid {servers}]# set method=radius
    [admin@nodegrid {servers}]# set radius_authentication_method=
    eapmschapv2  mschapv2     pap
    [admin@nodegrid {servers}]# set radius_authentication_method=eapmschapv2
    [admin@nodegrid {servers}]# set radius_require_message_authenticator=yes

  9. Click Save.

  10. Go back to Security and select Services.

  11. In the Manage Devices section, select the Device access enforced via user group authentication option.

  12. Click Save.
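As an added illustration of what Steps 7 and 8 configure (this is not Nodegrid or FreeRADIUS code), the following Python script builds a RADIUS Access-Request with a PAP User-Password and a Message-Authenticator attribute, then verifies that attribute the way a peer that requires it does. It uses only the standard library; the shared secret, credentials, packet identifier and Request Authenticator are constructed test values. It covers the request-side computation only; the reply-side variant, which substitutes the Request Authenticator into the header before hashing, is not shown.

```python
"""PAP password hiding and the Message-Authenticator attribute in a RADIUS
Access-Request. Added example, not Nodegrid or FreeRADIUS code; the secret,
credentials and Request Authenticator below are constructed test values."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes and XOR
    each block with MD5(secret + previous block); the first block uses the
    Request Authenticator. This is obfuscation keyed by the shared secret,
    not a one-way hash: anyone holding the secret can reverse it."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return bytes(hidden)


def pap_reveal(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of pap_hide, as the RADIUS server performs it (NUL padding stripped)."""
    clear, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes) -> bytes:
    """Access-Request with User-Name, a PAP User-Password and a valid Message-Authenticator."""
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_USER_PASSWORD, pap_hide(password, secret, request_auth))
    # RFC 2869 section 5.14: HMAC-MD5 over the whole packet with the 16 value
    # bytes of Message-Authenticator set to zero, keyed with the shared secret.
    zeroed = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(zeroed)) + request_auth
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Check an Access-Request the way a peer that requires Message-Authenticator
    does: the attribute must be present and must match the recomputed HMAC.
    A packet that lacks the attribute fails, which is the point of the option."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    pos, found = 20, None
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            found = pos
        pos += l
    if found is None:
        return False
    zeroed = packet[:found + 2] + b"\x00" * 16 + packet[found + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[found + 2:found + 18])


if __name__ == "__main__":
    secret = b"your_secret_password"   # must equal the secret in clients.conf
    req_auth = bytes(range(16))        # constructed; real clients use 16 random bytes
    pkt = build_access_request(7, b"user_radius", b"password_user_radius", secret, req_auth)
    print("Message-Authenticator valid:", verify_message_authenticator(pkt, secret))
    print("Same packet, wrong secret:  ", verify_message_authenticator(pkt, b"wrong"))
```

The pap_reveal function is included to make the security property visible: PAP hiding only protects the password from parties that do not hold the shared secret, so the secret entered in Step 6 is effectively the key for every password that crosses the wire, and Message-Authenticator is what binds the rest of the packet to that secret.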

Log in as a regular user: that user now has no access to any devices. To grant a user access:

  1. Log in as admin and go to Security.

  2. Select Authorization and select the group needed and click Add.

  3. Enter the user to add. To add several users, separate the usernames with commas.

  4. Click Save.

Log in again as that user: the user now has access to the devices allowed by the group.

To match the RADIUS group, go to Security :: Authorization and select an existing group or create a new one. In Profile, assign the permissions of that group. In Remote Groups, enter the group name exactly as declared on the RADIUS server.

Step 2 - On the RADIUS server side

In this example, the open-source FreeRADIUS server is used. It is assumed that FreeRADIUS is already installed.

  1. Open the file /etc/freeradius/3.0/clients.conf.

  2. Declare the Nodegrid, following the format:

    client your_nodegrid_device {
        ipaddr = 10.10.10.6
        secret = your_secret_password
        require_message_authenticator = no
        nastype = other
    }

    NOTE: The secret must match the secret entered on the Nodegrid side during Step 1.

  3. Create a new file /usr/share/freeradius/dictionary.zpe with the following content:

    VENDOR ZPE 42518

    BEGIN-VENDOR ZPE
          ATTRIBUTE ZPE-User-Groups 1 string
    END-VENDOR ZPE

  4. Edit the existing file /usr/share/freeradius/dictionary and add the following line to include the newly created dictionary.zpe:

    $INCLUDE dictionary.zpe

  5. Then, in /etc/freeradius/users, assign user groups.

  6. Define the "Framed-Filter-ID" attribute (as before) or define the new attribute "ZPE-User-Groups", for example:

    user_radius Cleartext-Password := "password_user_radius"
            ZPE-User-Groups = "radius_network_admin"

  7. Restart the RADIUS server: systemctl restart freeradius

NOTE: If both attributes are defined, "ZPE-User-Groups" takes precedence.
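To show how a NAS consumes the reply attributes configured in Steps 3 to 6, here is an added Python example (not Nodegrid or FreeRADIUS code) that builds an Access-Accept locally carrying the ZPE vendor-specific attribute (vendor 42518, attribute 1) and a standard Filter-Id, verifies the Response Authenticator with the shared secret, and applies the precedence rule from the note above. It assumes that the page's "Framed-Filter-ID" refers to the standard Filter-Id attribute (type 11 in RFC 2865); the packet identifier, Request Authenticator and group names are constructed values.

```python
"""Decode Access-Accept reply attributes as a NAS would: verify the Response
Authenticator, then resolve ZPE-User-Groups (vendor 42518, attribute 1) and
Filter-Id (attribute 11) with the rule "ZPE-User-Groups takes precedence".
Added example, not Nodegrid or FreeRADIUS code; the reply is built locally
from constructed values, so no server is needed."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11        # assumption: the page's "Framed-Filter-ID" is RFC 2865 Filter-Id
ATTR_VENDOR_SPECIFIC = 26
VENDOR_ZPE = 42518         # VENDOR ZPE 42518 in dictionary.zpe
ZPE_USER_GROUPS = 1        # ATTRIBUTE ZPE-User-Groups 1 string


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """RFC 2865 section 5.26 Vendor-Specific: Vendor-Id (4 bytes), then one sub-attribute."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """What the server sends. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check that the reply comes from a holder of the shared secret and
    answers this request: the client's own Request Authenticator is mixed in."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> list:
    """Return a list of (type, value); VSAs are expanded to (26, (vendor, vtype, value))."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    out, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + l]
        if t == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short Vendor-Specific attribute")
            vendor = struct.unpack("!I", value[:4])[0]
            sub, spos = value[4:], 0
            while spos + 2 <= len(sub):   # a VSA may carry several sub-attributes
                vtype, vlen = sub[spos], sub[spos + 1]
                if vlen < 2 or spos + vlen > len(sub):
                    raise ValueError("bad VSA sub-attribute length")
                out.append((t, (vendor, vtype, sub[spos + 2:spos + vlen])))
                spos += vlen
        else:
            out.append((t, value))
        pos += l
    return out


def group_names(packet: bytes) -> list:
    """Groups the NAS should apply: every ZPE-User-Groups value if any is present,
    otherwise every Filter-Id value (the precedence rule from the note above)."""
    zpe, filter_id = [], []
    for t, value in parse_attributes(packet):
        if t == ATTR_VENDOR_SPECIFIC and value[0] == VENDOR_ZPE and value[1] == ZPE_USER_GROUPS:
            zpe.append(value[2].decode("utf-8"))
        elif t == ATTR_FILTER_ID:
            filter_id.append(value.decode("utf-8"))
    return zpe or filter_id


if __name__ == "__main__":
    secret = b"your_secret_password"
    req_auth = bytes(range(16))   # constructed; a real NAS keeps the one it sent
    reply = build_access_accept(7, req_auth, secret,
                                vsa(VENDOR_ZPE, ZPE_USER_GROUPS, b"radius_network_admin")
                                + attr(ATTR_FILTER_ID, b"legacy_group"))
    print("authentic reply:", verify_response_authenticator(reply, req_auth, secret))
    print("groups applied: ", group_names(reply))   # ['radius_network_admin']
```

Checking the Response Authenticator before reading any attribute is the order that matters: group membership taken from an unverified Access-Accept would let anyone who can answer on UDP port 1812 hand out authorization, and the check only holds if the secret in clients.conf and the one entered on the Nodegrid side are identical, which is also why a secret mismatch shows up as every login being rejected.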

Troubleshooting

  1. Run a local test on the RADIUS server with the command:

    radtest user_radius password_user_radius localhost 0 your_secret_password

  2. Log in to the Nodegrid as the RADIUS user that belongs to the RADIUS group.

The permissions of that user should match those of the associated local group.