As part of the security hardening policies, I needed to secure access to the Riverbed Steelhead with RADIUS authentication. Since I already have a FreeRADIUS (v.2.2.5) in Debian Linux (8.6) running in the environment (currently used to authenticate with our network devices i.e. Cisco, Comware, Junos, Brocade), I only needed to follow the Steelhead Deployment Guide for RADIUS Configuration. However, it seem Riverbed forgot to update their documentation to reflect the latest FreeRADIUS.
I will post here my configuration experience for RADIUS configuration of Steelhead with FreeRADIUS. The first few steps are similar to the Deployment Guide.
First, update the FreeRADIUS clients file (/etc/freeradius/clients)
I will post here my configuration experience for RADIUS configuration of Steelhead with FreeRADIUS. The first few steps are similar to the Deployment Guide.
First, update the FreeRADIUS clients file (/etc/freeradius/clients)
# Steelhead device
client <device_mgmt_ip> {
secret = <radius_key>
nastype = other
shortname = <device_name>
}
Then create a dictionary file (/usr/share/freeradius/dictionary.rbt)
VENDOR RBT 17163
ATTRIBUTE Local-User 1 string RBT
Update the dictionary file (/usr/share/freeradius/dictionary) and insert this line.
$INCLUDE dictionary.rbt
.
Add a Steelhead administrator in the FreeRADIUS users file (/etc/freeradius/users). In my case, I used "steelhead.admin" account.
Add a Steelhead administrator in the FreeRADIUS users file (/etc/freeradius/users). In my case, I used "steelhead.admin" account.
steelhead.admin Auth-Type := Local,
Cleartext-Password := "admin"
Local-User = "admin",
Reply-Message = "Hello, %u"
By default, all accounts in the FreeRADIUS will have access to the Steelhead device, so I have explicitly specified the local user account as "admin" to ensure this account is equivalent to the Steelhead device local admin account.
Restart the FreeRADIUS service
Restart the FreeRADIUS service
systemctl restart freeradius.service
After some testing, I managed to use the same network administrator account which manages the network devices to be able to manage the Steelhead device. Below is the user configuration
network.admin Crypt-Password := "4aVF7suvbRkmg"
Local-User = "admin",
Service-Type = Administrative-User,
Login-Service = 50,
Huawei-Exec-Privilege = "3",
Cisco-AVPair = "shell:priv-lvl=15",
Cisco-AVPair += "shell:roles=\"network-admin\""
Kindly take note that I don't know for what reason but ensure the "Local-User" avpair is configured first before any avpairs.
On the Steelhead Device, you need to configure for RADIUS Authentication. First, configure the RADIUS server (Administration -> Security -> RADIUS -> Add a RADIUS Server)
On the Steelhead Device, you need to configure for RADIUS Authentication. First, configure the RADIUS server (Administration -> Security -> RADIUS -> Add a RADIUS Server)
Next, update the Authentication Methods with RADIUS authentication as primary and Local authentication as fallback (Administration -> Security -> General Settings)
Update the "monitor" account as the AAA default user (Administration -> User Permission). This ensure this account as the default role for all RADIUS authentication.
This should be how the user permission list looks like.
Afterwards, this should enable the Steelhead device to accept RADIUS authentication access.
By explicitly configuring Steelhead admin accounts in FreeRADIUS, only these accounts have admin privilege on the device. You should be able to see the role of the RADIUS account once logged in to the device. The upper right account information should be indicate the role of the account (see below)
By explicitly configuring Steelhead admin accounts in FreeRADIUS, only these accounts have admin privilege on the device. You should be able to see the role of the RADIUS account once logged in to the device. The upper right account information should be indicate the role of the account (see below)