Configuration of RADIUS Server Attributes, Users, and Group Definitions
The RADIUS server or servers require the following additional configurations to inter-operate with NetMRI:
Set up an entry on the RADIUS server to allow NetMRI to access the RADIUS server.
Edits to the Dictionary file.
A new RADIUS attribute to identify the group names.
When you configure your RADIUS server files to support the Infoblox attributes, you can use modifiable RADIUS service parameters to support Infoblox features. On a basic level, the Infoblox Vendor ID (7779) and Vendor Attribute ID (10) values reflected in the following example should not be changed. Other RADIUS service parameters and attributes are described in this section. All examples use FreeRADIUS syntax, but many other RADIUS server types follow similar principles.
You must configure the RADIUS server to allow the NetMRI connection. To do so, the administrator adds the appliance IP address to the configuration and defines a shared secret. In the case of FreeRADIUS, you add an entry in the /etc/raddb/clients.conf file. The following example shows IPv4 and IPv6 entries:
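# Allow NetMRI
# The secret shown is a placeholder; substitute your own shared secret and
# quote it if it contains '#', which otherwise starts a comment.
# A prefix such as /24 or /96 admits every address in that range.
client 172.16.1.23/24 {
    secret = #$*&@#$!
    shortname = netmri
}
client 2001::db8:56ff:feb8:875c/96 {
    secret = #$*&@#$!
    shortname = ipv6_netmri
}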
The FreeRADIUS server uses a primary dictionary file in its main /etc/raddb directory. A reference to an external dictionary file, such as dictionary.infoblox, should be added as follows:
$INCLUDE dictionary.infoblox
You can declare the custom attribute using any name, but references must be consistent in the rest of the server configuration files that you create.
To support the custom dictionary, create a new text file named dictionary.infoblox in the /etc/raddb directory, containing the following Vendor ID value and attribute ID number:
# Add a new vendor and specific attribute to store the group value, and add into the answering Access-Accept packet
VENDOR infoblox 7779
ATTRIBUTE NA-group-info 10 string infoblox
This declaration in the new dictionary file supports the default values that are reflected in the Add Authentication Service dialog in NetMRI when you configure a new RADIUS service. As previously noted, you can use whichever values you want, but those values must be correctly applied throughout the configuration.
Finally, when the NetMRI appliance queries a valid user/password, the RADIUS administrator must ensure that the response contains the 'NA-group-info' attribute with the names of the groups of which the user is a member.
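One way to confirm that a reply carries the group attribute is to decode the Access-Accept and look for the Vendor-Specific attribute with Vendor ID 7779 and Vendor Attribute ID 10. The following Python sketch is an added example, not Infoblox or FreeRADIUS code; it follows the RFC 2865 packet layout, and the shared secret, Request Authenticator and group name in it are constructed sample values.

```python
import hashlib
import hmac
import struct

INFOBLOX_VENDOR_ID = 7779  # VENDOR infoblox, from dictionary.infoblox
GROUP_ATTR_ID = 10         # ATTRIBUTE NA-group-info
VENDOR_SPECIFIC = 26       # RFC 2865 Vendor-Specific attribute type
ACCESS_ACCEPT = 2          # RFC 2865 packet code

def build_accept(ident, request_auth, secret, groups):
    """Build a constructed Access-Accept with one NA-group-info VSA per string."""
    attrs = b""
    for g in groups:
        data = g.encode()
        sub = bytes([GROUP_ATTR_ID, len(data) + 2]) + data
        vsa = struct.pack("!I", INFOBLOX_VENDOR_ID) + sub
        attrs += bytes([VENDOR_SPECIFIC, len(vsa) + 2]) + vsa
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def group_info(packet, request_auth, secret):
    """Return every NA-group-info value; raise ValueError on a bad reply."""
    if (len(packet) < 20 or packet[0] != ACCESS_ACCEPT
            or struct.unpack("!H", packet[2:4])[0] != len(packet)):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch (check shared secret)")
    values, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        body = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(body) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", body[:6])
            if (vendor, vtype) == (INFOBLOX_VENDOR_ID, GROUP_ATTR_ID) and 2 <= vlen <= len(body) - 4:
                values.append(body[6:4 + vlen].decode())
        i += alen
    return values

# Constructed sample values, not taken from the page.
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))
SAMPLE = build_accept(7, REQ_AUTH, SECRET, ["NetOps"])
```

An empty list from group_info means the server accepted the user but did not return the group attribute, which is the misconfiguration the final step above guards against.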