RADIUS Authentication with User-based Privilege Levels on Ubiquiti Edge Switches

After a long struggle (about a day's worth) I finally managed to get our Ubiquiti switches to authenticate against a RADIUS server.

There is not a lot of documentation or how-tos available on the subject, which is why I have taken it upon myself to write this quick guide.

The config below can be copied and pasted into your switch, with the relevant values ($host, $psk) substituted, obviously.

configure
aaa authentication login "networkList" local radius
ip http authentication local radius
ip https authentication local radius
aaa authorization exec "dfltExecAuthList" radius none

radius server host auth "$host" name "Default-RADIUS-Server"
radius server key auth "$host" encrypted $psk
radius server primary "$host"

This sets up the switch to authenticate SSH, Telnet and HTTP(S) (old UI only) against the RADIUS server. Unfortunately I could not get the new UI on 1.7.4 to authenticate; I will report this to Ubiquiti.

Also note that Ubiquiti uses PAP against your RADIUS server, so your password is sent in plain text. I could not find a way to change this to any of the CHAP variants.

On the RADIUS side, the switch sends an Access-Request packet like:

User-Name = ""
User-Password = ""
NAS-Identifier = ""
Message-Authenticator = 

If the username and password match, the RADIUS server replies with an Access-Accept containing:

Cisco-AVPair = "shell:priv-lvl=15"

The important part of this reply is shell:priv-lvl=15. The 15 tells the switch to grant this user level 15 privileges (the highest possible). You can change this to level 1 to drop the user to a non-enabled shell. Such users will not be able to enter enable mode, even with the correct enable password. For a RADIUS user to enter an enable shell you need to tell the switch to look up the enable password on the RADIUS server using this command:

configure
aaa authentication enable "enableList" enable local radius

Local users will still be able to enter the enable shell using the locally defined enable password, in case your RADIUS server is down for some reason.
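To make the exchange above concrete, here is an added example (not code from the original post, nor from Ubiquiti or any RADIUS server project) that builds the switch's PAP Access-Request with a Message-Authenticator, verifies it on the server side, recovers the PAP-hidden password with the shared secret, and answers with an Access-Accept carrying Cisco-AVPair shell:priv-lvl=N, or an Access-Reject. The shared secret, user table and NAS-Identifier are constructed sample values; only the Python standard library is used.

```python
import hashlib, hmac, os, struct

# RADIUS attribute numbers (RFC 2865/2869); Cisco-AVPair is vendor 9, vendor-type 1 inside Vendor-Specific
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC, NAS_IDENTIFIER, MSG_AUTH = 1, 2, 26, 32, 80
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3        # packet codes
def attr(t, value):                         # one Type-Length-Value attribute
    return bytes([t, 2 + len(value)]) + value
def encode(attrs, zero_ma=False):           # attribute list -> bytes, optionally blanking Message-Authenticator
    return b"".join(attr(t, b"\x00" * 16 if zero_ma and t == MSG_AUTH else v) for t, v in attrs)
def parse(pkt):                             # -> (code, identifier, authenticator, [(type, value), ...])
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i + 2 <= min(length, len(pkt)) and pkt[i + 1] >= 2:   # stop on truncated or malformed attributes
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, ident, pkt[4:20], attrs
def pap_transform(data, secret, req_auth, hide):
    """RFC 2865 s5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous cipher block)."""
    data, out, prev = data + b"\x00" * (-len(data) % 16), b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev, out = (block if hide else data[i:i + 16]), out + block
    return out if hide else out.rstrip(b"\x00")   # unhiding is the same loop: the shared secret is all it takes
def message_authenticator(secret, code, ident, authenticator, attrs):
    body = encode(attrs, zero_ma=True)      # HMAC-MD5 over the packet with the MA value zeroed (RFC 2869 s5.14)
    return hmac.new(secret, struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body, "md5").digest()

def switch_access_request(secret, user, password, ident=7):   # what the switch sends (NAS-Identifier constructed)
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, pap_transform(password.encode(), secret, req_auth, True)),
             (NAS_IDENTIFIER, b"edgeswitch-1"), (MSG_AUTH, b"")]
    attrs[-1] = (MSG_AUTH, message_authenticator(secret, ACCESS_REQUEST, ident, req_auth, attrs))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(encode(attrs))) + req_auth + encode(attrs)

def server_reply(secret, pkt, users):       # users: {name: (password, priv_lvl)}; returns the reply packet
    code, ident, req_auth, attrs = parse(pkt)
    got, expected = dict(attrs), message_authenticator(secret, code, ident, req_auth, attrs)
    if code != ACCESS_REQUEST or not hmac.compare_digest(got.get(MSG_AUTH, b""), expected):
        return None                         # wrong shared secret or tampered request: drop it silently
    entry = users.get(got.get(USER_NAME, b"").decode(errors="replace"))
    password = pap_transform(got.get(USER_PASSWORD, b""), secret, req_auth, False)
    ok = bool(entry) and hmac.compare_digest(entry[0].encode(), password)
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, b"shell:priv-lvl=%d" % (entry[1] if ok else 0))
    reply_code, reply_attrs = (ACCESS_ACCEPT, [(VENDOR_SPECIFIC, vsa)]) if ok else (ACCESS_REJECT, [])
    ma = message_authenticator(secret, reply_code, ident, req_auth, reply_attrs + [(MSG_AUTH, b"")])
    body = encode(reply_attrs + [(MSG_AUTH, ma)])
    hdr = struct.pack("!BBH", reply_code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + req_auth + body + secret).digest() + body   # Response Authenticator (RFC 2865 s3)
```

Running pap_transform in reverse with the shared secret is all it takes to read the password back, which is why the PAP caveat above matters: the secret and the network path between switch and server deserve the same care as the passwords themselves.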
