Allied Telesis Support Portal

How to add an SSH user to the Radius configuration in Allied Ware Plus

I configured my switch to use a RADIUS server; however, I am unable to connect using SSH.

Introduction

RADIUS (Remote Authentication Dial In User Service) is a networking protocol that provides centralized authentication, authorization, and accounting services for users who connect to and use network services. The point at which the user connects to the network is known as the Network Access Server (NAS), while user authentication and account information is stored in a database on the RADIUS server. The RADIUS protocol is used to communicate between the Network Access Servers and the RADIUS server.

When a user connects to the network, the NAS challenges the user for authentication and passes the credentials on to the RADIUS server to check. Based on the result of the check against the user database, the RADIUS server informs the NAS whether or not to allow the connected user access to the network.


RADIUS authentication commands in AW+

To configure a RADIUS server so that users authenticate against an external database, set the name or IP address of the server together with the shared secret key, using the following commands:

awplus# configure terminal
awplus(config)# radius-server host 10.0.0.20 key mySecret


Local authentication for the privilege level (enable) is on by default; you will see this command in the configuration of your device:

aaa authentication enable default local


Likewise, user login authentication defaults to using only the local database, shown by the following command line:

aaa authentication login default local


To set the RADIUS server as the primary authentication method, use the following command:

awplus(config)# aaa authentication login default group radius


By adding the "group radius" method, the device will use all RADIUS servers configured by the radius-server host command.

To configure the default login authentication method list to first try all available RADIUS servers and then fall back to the local user database, use the following command:

awplus(config)# aaa authentication login default group radius local


Note: Keep in mind that if you don't add the "local" parameter at the end, authentication will not be possible while the RADIUS server is down. When a user attempts to log in, the device sends an authentication request to the first authentication server in the method list (group radius). If the first server in the list is reachable and it contains a username and password matching the authentication request, the user is authenticated and the login succeeds. If the authentication server denies the authentication request because of an incorrect username or password, the user login fails. If the first server in the method list is unreachable, the device sends the request to the next server in the list, and so on. With "local" at the end, the local user database is the last entry in that list, so login remains possible when no RADIUS server answers.

The difference for SSH

If you authenticate via Telnet or the console, and the user is configured in the RADIUS server's database, the device allows the user to log in; over SSH, however, the same user cannot authenticate.

You will see the following log entries:


10:03:01 DEVICE-HOSTNAME sshd[20770]: User USERNAME from 10.0.0.20 not allowed because not listed in AllowUsers
10:03:01 DEVICE-HOSTNAME sshd[20770]: Failed password for invalid user USERNAME from 10.0.0.20 port 58798 ssh2
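
The "not listed in AllowUsers" line is the signature that distinguishes this failure from an ordinary wrong password or a RADIUS rejection: sshd rejects the username at its allow-list check, before the password is ever verified. The following Python script is an added example, not part of this article or of AlliedWare Plus; it classifies sshd log lines of the forms shown above, lists the users blocked by the allow-list, and produces the explicit allow-users command for each. The log excerpt is constructed, and the "Failed password for bob" line assumes the standard OpenSSH wording for a user who is listed but supplied a wrong password.

```python
import re
from collections import Counter

# Constructed sample log excerpt (not captured from a real device). The first two
# lines mirror the entries shown in the article with the placeholders filled in;
# the third uses the standard OpenSSH "Failed password for <user>" form for a
# user that is on the allow-list but gave a wrong password (assumed format).
SAMPLE_LOG = """\
10:03:01 DEVICE-HOSTNAME sshd[20770]: User alice from 10.0.0.20 not allowed because not listed in AllowUsers
10:03:01 DEVICE-HOSTNAME sshd[20770]: Failed password for invalid user alice from 10.0.0.20 port 58798 ssh2
10:05:12 DEVICE-HOSTNAME sshd[20801]: Failed password for bob from 10.0.0.21 port 58810 ssh2
"""

# Patterns are tried most-specific first.
PATTERNS = [
    ("not_in_allowusers",
     re.compile(r"sshd\[\d+\]: User (?P<user>\S+) from (?P<src>\S+) "
                r"not allowed because not listed in AllowUsers")),
    ("invalid_user",
     re.compile(r"sshd\[\d+\]: Failed password for invalid user (?P<user>\S+) "
                r"from (?P<src>\S+) port \d+")),
    ("bad_password",
     re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) "
                r"from (?P<src>\S+) port \d+")),
]


def classify_line(line):
    """Return {'reason', 'user', 'src'} for a recognised sshd failure, else None."""
    for reason, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            return {"reason": reason, "user": m.group("user"), "src": m.group("src")}
    return None


def summarize(log_text):
    """Count recognised failures by reason across the whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit:
            counts[hit["reason"]] += 1
    return dict(counts)


def users_missing_from_allowusers(log_text):
    """Usernames rejected by sshd's allow-list (the AAA method list never ran)."""
    return {
        hit["user"]
        for hit in map(classify_line, log_text.splitlines())
        if hit and hit["reason"] == "not_in_allowusers"
    }


def suggest_allow_users_commands(log_text):
    """AW+ commands that would admit each rejected user (explicit form, no wildcard)."""
    return [f"ssh server allow-users {u}"
            for u in sorted(users_missing_from_allowusers(log_text))]


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for cmd in suggest_allow_users_commands(SAMPLE_LOG):
        print(cmd)
```

A "Failed password for invalid user" line that immediately follows an AllowUsers rejection is a consequence of that rejection, not a second problem; counting the two reasons separately, as above, keeps the allow-list finding from being mistaken for a credential failure.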


The user must also be explicitly allowed on the device's SSH server (the AllowUsers list named in the log above), using the command:

awplus(config)# ssh server allow-users USERNAME


This can be a problem when you have a large number of users: the whole point of the RADIUS server is not having to configure each user on multiple devices.

For this you can use an asterisk (*) as a wildcard; the device will then allow any user that exists in the RADIUS server's database:

awplus(config)# ssh server allow-users *
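
The three settings above interact: the login method list decides whether RADIUS is consulted and whether a local fallback exists, and the SSH allow-list decides whether sshd even lets the username reach that method list. The following Python script is an added example, not part of this article or of AlliedWare Plus; it reads a running-config excerpt, reports the cases the article warns about (no "local" fallback, no allow-users entry while "group radius" is in use, no radius-server host configured) and answers whether a given username would pass the SSH allow-list. The config excerpt is constructed from the commands in this article, and the script assumes allow-users entries match like glob patterns, which is how the "*" wildcard above behaves.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample running-config excerpt (not taken from a real device).
# It combines the commands from the article into one fragment.
SAMPLE_CONFIG = """\
!
radius-server host 10.0.0.20 key mySecret
!
aaa authentication enable default local
aaa authentication login default group radius local
!
ssh server allow-users *
!
"""


def parse_config(text):
    """Pull out the settings the SSH-over-RADIUS login path depends on.

    Default follows the article: with no explicit 'aaa authentication login
    default' line the device uses the local database only.
    """
    servers = re.findall(r"^radius-server host (\S+)", text, re.M)
    m = re.search(r"^aaa authentication login default (.+)$", text, re.M)
    methods = m.group(1).split() if m else ["local"]
    # Only the first token (the username pattern) is kept; the command may be repeated.
    allow = re.findall(r"^ssh server allow-users (\S+)", text, re.M)
    return {"radius_servers": servers, "login_methods": methods, "allow_users": allow}


def audit(text):
    """Return finding codes; an empty list means the config follows the article."""
    cfg = parse_config(text)
    methods = cfg["login_methods"]
    uses_radius = "radius" in methods
    findings = []
    if uses_radius and not cfg["radius_servers"]:
        findings.append("NO_RADIUS_SERVER")          # 'group radius' with nothing to query
    if uses_radius and "local" not in methods:
        findings.append("NO_LOCAL_FALLBACK")         # lockout when no RADIUS server answers
    if uses_radius and not cfg["allow_users"]:
        findings.append("SSH_ALLOW_USERS_MISSING")   # RADIUS users rejected by sshd's allow-list
    return findings


def ssh_user_allowed(cfg, username):
    """True if sshd's allow-list would admit this username before AAA runs.

    Assumption: allow-users entries are matched as glob patterns, so '*' admits
    everyone and a bare username admits only that user.
    """
    return any(fnmatchcase(username, pattern) for pattern in cfg["allow_users"])


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("findings:", audit(SAMPLE_CONFIG) or "none")
    print("alice allowed over SSH:", ssh_user_allowed(cfg, "alice"))
```

Running the audit against a copy of the excerpt with the trailing "local" removed and the allow-users line deleted reports both of the article's failure modes, which is the state a device is usually in when the symptom at the top of this page appears.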

For more information about RADIUS configuration, see the RADIUS Feature Overview and Configuration Guide.