RADIUS or TACACS Authentication Setup

  1. Edit the client file /etc/raddb/clients.conf by adding the following:
    # CVP
    client 172.31.0.0/16 {
    secret = cvpsecret
    }
  2. To add more, enter the following.
    # Arista Networks
    client 172.17.0.0/16 {
    secret = cvpsecret
    }
    client 172.18.0.0/16 {
    secret = cvpsecret
    }
    client 172.20.0.0/16 {
    secret = cvpsecret
    }
    client 172.22.0.0/16 {
    secret = cvpsecret
    }
The default clients.conf file will have a section for localhost. Either delete the whole section or comment it out. If CVP will be connecting to RADIUS on localhost, you have to add a client entry for 127.0.0.0/16 (same as above).
  1. Edit the users file /etc/raddb/users by adding the following:
    # CVP
    cvpuser Cleartext-Password := "cvpuser"
        Service-Type = NAS-Prompt-User

    Start radiusd: sudo service radiusd start
    Enable radiusd on boot: sudo chkconfig radiusd on
  2. If RADIUS is not working, run the server in debug mode.
    # service radiusd stop
    # /usr/sbin/radiusd -X -f

RADIUS will now run on the terminal with verbose output. This will let you know if RADIUS is receiving auth requests and what failure is being hit for the request. After you are done debugging, Control-C the process and start radiusd as a service.

Note: You may have to disable either iptables or firewalld.service, depending on the OS version. You could also configure it to allow traffic on ports 1812 and 1813 on the RADIUS server.
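
An added example, not part of the original procedure or of FreeRADIUS: a small Python audit for a clients.conf written in the style shown above (each client given as an address or CIDR). It reports unclosed client blocks, secrets reused across clients, short or missing secrets, and wide client ranges. The 16-character and /24 thresholds are assumed policy values, and SAMPLE is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the page's clients.conf style; the last block is
# left unclosed on purpose to exercise the structural check.
SAMPLE = """\
client 172.31.0.0/16 {
secret = cvpsecret
}
client 172.17.0.0/16 {
secret = cvpsecret
}
client 10.1.1.5 {
secret = "q7V!x2Lr9#bTz0Kd4mWs"
"""
CLIENT_RE = re.compile(r'client\s+(\S+)\s*\{')
SECRET_RE = re.compile(r'secret\s*=\s*(?:"([^"]*)"|(\S+))')

def parse_clients(text):
    """Return ({client: secret}, [unclosed-block errors]) for flat client blocks."""
    clients, errors, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()  # comment and blank lines match none of the branches
        if (m := CLIENT_RE.match(line)):
            if current is not None:
                errors.append(f"client {current} has no closing brace")
            current = m.group(1)
            clients[current] = None
        elif line.startswith('}'):
            current = None
        elif current is not None and (s := SECRET_RE.match(line)):
            clients[current] = s.group(1) if s.group(1) is not None else s.group(2)
    if current is not None:
        errors.append(f"client {current} has no closing brace")
    return clients, errors

def audit(text, min_len=16, min_prefix=24):
    """Flag weak, shared or missing secrets and wide ranges (assumed thresholds)."""
    clients, findings = parse_clients(text)
    by_secret = defaultdict(list)
    for name, secret in clients.items():
        by_secret[secret].append(name)
        if secret is None or len(secret) < min_len:
            findings.append(f"{name}: secret missing or shorter than {min_len} characters")
        if ipaddress.ip_network(name, strict=False).prefixlen < min_prefix:
            findings.append(f"{name}: client range wider than /{min_prefix}")
    findings += [f"secret shared by: {', '.join(c)}" for s, c in by_secret.items() if s and len(c) > 1]
    return findings
```

Call `audit(open("/etc/raddb/clients.conf").read())` before starting radiusd; an empty list means none of these checks fired.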