This article describes how to configure RADIUS-based user authentication for a Versa FlexVNF CPE.


Prerequisites

  1. The Versa headend is deployed and functional.
  2. A RADIUS server is installed (here, FreeRADIUS version 2.1.12 installed and configured on Ubuntu 14.04). Configure a management IP for the server.
  3. The RADIUS server has the IP address 172.16.1.200 and is connected to the Versa SD-WAN Controller in the same subnet as the Versa SD-WAN Controller's northbound IP address.
  4. The RADIUS server is reachable from the FlexVNF via Provider-Control-VR.

 

Configuration

  1. Add Versa-specific configuration to RADIUS



  • Define a static route to the control network

 

 

  • Define the clients in the clients.conf file, opened in the vi editor:
    sudo vi /etc/freeradius/clients.conf
  • Use the same authentication key that is configured on the FlexVNF CPE as the secret key here.


 

  • Now create a new dictionary file to define Versa-specific attributes. Use the following command and edit the file as below:
    sudo vi /usr/share/freeradius/dictionary.versa


 

  • Include this dictionary in the default RADIUS dictionary. Open the default dictionary:
    sudo vi /etc/freeradius/dictionary
    Add the following line to this file:
    $INCLUDE        /usr/share/freeradius/dictionary.versa
    Save the file and exit.


 

  • Now define the user that will be authenticated using RADIUS. Open the users file and edit the file as below:
    sudo vi /etc/freeradius/users



 

  • With this, the required configuration is complete. For the configuration to take effect, restart the RADIUS service.
    Use the following command:
    sudo service freeradius --full-restart

 

  2. Add the RADIUS configuration on the Template
  • Log in to Versa Director and navigate to Workflow > Template > select Template > Management servers. Select the RADIUS server as the AAA server by clicking the radio button. Here we are using overlay reachability from the Flex device to the RADIUS server; the RADIUS server IP is 172.16.1.200, the authentication key is ‘radkey’ and the action is Authentication only. Click the + button.
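The secret in clients.conf has to match the authentication key entered on the template (‘radkey’ in this walkthrough), so the quality of that one string protects every RADIUS exchange between the CPE and the server. As an added example, not part of the original article or of the FreeRADIUS or Versa tooling, the following Python script audits a clients.conf for the stock secret, for secrets shorter than the 16 octets RFC 2865 prefers, and for client entries that accept a whole subnet. The sample file, the client names and the use of 10.1.128.101 as the CPE's source address are assumptions.

```python
import ipaddress
import re

# Constructed sample. Client names and addresses are assumptions; 'radkey' is
# the key used in this article, 'testing123' is FreeRADIUS's stock secret.
SAMPLE_CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client versa-cpe {            # hypothetical name
    ipaddr = 10.1.128.101     # assumed source address seen from the CPE
    secret = radkey
}
client lab-net {              # hypothetical subnet-wide client
    ipaddr = 172.16.1.0
    netmask = 24
    secret = 4f9c1e7a2b8d4c6e9a0b3d5f7c1e2a4b
}
"""

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)
KNOWN_DEFAULTS = {"testing123"}

def audit_clients(conf_text, min_len=16):
    """Return (client, issue) pairs for weak secrets and over-broad clients."""
    findings = []
    for name, body in CLIENT_RE.findall(conf_text):
        kv = dict(KV_RE.findall(re.sub(r"#.*", "", body)))  # ignore comments
        secret = kv.get("secret", "").strip('"')
        if not secret:
            findings.append((name, "no secret"))
        elif secret in KNOWN_DEFAULTS:
            findings.append((name, "default secret"))
        elif len(secret) < min_len:  # RFC 2865 prefers at least 16 octets
            findings.append((name, "secret shorter than %d octets" % min_len))
        try:
            net = ipaddress.ip_network(
                "%s/%s" % (kv["ipaddr"], kv.get("netmask", "32")), strict=False)
        except (KeyError, ValueError):
            continue  # hostname or missing ipaddr: nothing to measure
        if net.num_addresses > 1:
            findings.append((name, "accepts any source in %s" % net))
    return findings

if __name__ == "__main__":
    for client, issue in audit_clients(SAMPLE_CLIENTS_CONF):
        print("%s: %s" % (client, issue))
```

To check a live server, pass the contents of /etc/freeradius/clients.conf to audit_clients() before restarting the service.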


 

Login to the FlexVNF CPE

Once the configuration is finished, we can log in to the FlexVNF CPE.

Username : alex

Password : versa123

 

 

We can verify the related logs in /var/log/versa/confd/audit.log

 

 

Using Config template

In the above procedure, the RADIUS configuration is done in the Workflow template on Versa Director.

The following steps describe how to add the configuration in a Config template.

 

Create paired tvi interfaces

  1. Log in to the Versa Director GUI. Navigate to Configuration -> Interfaces -> Tunnel. Click the ‘+’ button to add a new pair of tunnel interfaces.



 

  2. Create two paired tunnel interfaces, namely tvi-0/2600 and tvi-0/2601, and assign an IP address to each.


 


 

Configure traffic identification in Provider Organisation

  3. Navigate to Configuration -> Others -> Limits. Click on Provider to open it.


 

  4. Select the Traffic identification tab and click the ‘+’ button to add the paired tvi interfaces to the list.


Configure Zones 

  5. Navigate through Configuration -> Networking -> Zones. Click the ‘+’ button to create new zones.



 

  6. Create two zones, HOST-Overlay-Zone and HOST-Overlay-GRT-Zone, and add the tvi interfaces to each as shown.




 

 

CGNAT configuration

  7. Navigate through Configuration -> Services -> CGNAT. Click the ‘+’ button to add a CGNAT pool.


 

  8. Enter the pool name Pool-Overlay-ESP in the name field.


   

  9. Enter the IP address (10.1.128.101 is the IP of the PTVI tunnel interface of this CPE) and select Provider-Control-VR as the routing instance.


 

  10. Select port as source port and check the ‘Allocate IP/Port randomly’ option.



 

  11. Go to Rules and click the ‘+’ button to add rules.

 

 

  12. Name the rule HostRule-Overlay.


 

  13. Select HOST-Overlay-Zone as the source zone for the matching condition.


 

  14. In Actions, select napt-44 as the NAT mode and Pool-Overlay-ESP as the source pool.


 

Configure routing options

  15. Navigate to Configuration -> Networking -> Global Routers. Click the Global Router instance to open it.

 

  16. Click the ‘+’ button to add a static route entry.


 

  17. Set Destination to 172.16.1.200/32 (the RADIUS server IP) and the Next Hop IP address to 169.254.7.208 (the IP address of the paired TVI for management servers via overlay).

 

 

  18. Navigate through Configuration -> Networking -> Virtual Routers and then click Provider-Control-VR to open it.


 

  19. Add the tvi interface tvi-0/2600 to the Interfaces/Networks list.


 

External AAA configuration for device.

  20. Navigate through Configuration -> Others -> System -> Appliance User Management -> External AAA.
  21. Click the edit button.


 

  22. Select the Protocol as RADIUS, the Auth-Order as remote-then-local, and the Action. Enter the IP address 172.16.1.100 of the RADIUS server and the authentication key string. Click the ‘+’ button and then OK.