Enabling Radius in PicOS OVS Mode

Perform the following steps to enable Radius in PicOS OVS mode:

  1. Enable user map

    admin@PicOS-OVS$ sudo /pica/bin/usermap_disable.sh false
  2. Enable Radius on the PicOS switch.

    admin@PicOS-OVS$ sudo /pica/bin/radius_disable.sh false
  3. Configure the IP address of the external Radius server on the PicOS switch. In the following example, the IP address of the Radius server is 1.1.5.41 and the shared key is abc.

    admin@XorPlus$ cat /etc/pam_radius_auth.conf
    1.1.5.41:1812 abc 1
  4. Users on the Radius server must be super users. The following example shows the Radius record for user test8. 

    test8 Cleartext-Password := "pica8"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 172.16.3.33,
    Framed-IP-Netmask = 255.255.255.0,
    Framed-Routing = Broadcast-Listen,
    Framed-Filter-Id = "std.ppp",
    Framed-MTU = 1500,
    Framed-Compression = Van-Jacobsen-TCP-IP,
    Class = "super-user"
  5. Log in to the switch via SSH and execute Linux shell commands.

    build@dev-18:$ ssh 10.10.51.145 -l test8
    test8@10.10.51.145's password: 
    test8@PicOS-OVS:~$ version
    Copyright (C) 2009-2014 Pica8, Inc.
    ===================================
    Hardware Model                : P-3290
    Linux System Version/Revision : 1.1/20809
    Linux System Released Date    : 03/21/2015
    L2/L3 Version/Revision        : 1.1/20809
    L2/L3 Released Date           : 03/21/2015
    OVS/OF Version/Revision       : 1.1/20809
    OVS/OF Released Date          : 03/21/2015 
    test8@PicOS-OVS:~$ pwd
    /home/test8
    test8@PicOS-OVS:~$
  6. The Radius user must use the full path to execute OVS commands, as shown below:

    test8@PicOS-OVS$ sudo /ovs/bin/ovs-ofctl show br0
    OFPT_FEATURES_REPLY (OF1.4) (xid=0x2): dpid:5e3ee89a8f503d30
    n_tables:254, n_buffers:256
    capabilities: FLOW_STATS TABLE_STATS PORT_STATS GROUP_STATS
    OFPST_PORT_DESC reply (OF1.4) (xid=0x3):
     1(ge-1/1/1): addr:e8:9a:8f:50:3d:30
         config:     0
         state:      LINK_DOWN
         current:    COPPER AUTO_NEG
         advertised: 10MB-HD 10MB-FD 100MB-HD 100MB-FD 1GB-FD COPPER AUTO_NEG
         supported:  10MB-HD 10MB-FD 100MB-HD 100MB-FD 1GB-FD COPPER AUTO_NEG
         speed: 0 Mbps now, 1000 Mbps max
     LOCAL(br0): addr:e8:9a:8f:50:3d:30
         config:     0
         state:      LINK_UP
         current:    10MB-FD COPPER
         supported:  10MB-FD COPPER
         speed: 10 Mbps now, 10 Mbps max
    OFPT_GET_CONFIG_REPLY (OF1.4) (xid=0x5): frags=normal miss_send_len=0
     
    test8@PicOS-OVS:~$ sudo ovs-vsctl show  
    395575df-5939-45af-8e4c-d99da4c442dc
        Bridge "br0"
            Port "ge-1/1/1"
                tag: 1
                Interface "ge-1/1/1"
                    type: "pica8"
            Port "br0"
                Interface "br0"
                    type: internal
  7. Users can also modify the path by editing the /etc/sudoers file, so that Radius users can execute OVS commands directly. Change the value of Defaults secure_path from "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/ovs/bin:/ovs/sbin" to the desired value.

    test8@PicOS-OVS:~$ sudo cat /etc/sudoers
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # Please consider adding local content in /etc/sudoers.d/ instead of
    # directly modifying this file.
    #
    # See the man page for details on how to write a sudoers file.
    #
    Defaults        env_reset
    Defaults        mail_badpass
    Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/ovs/bin:/ovs/sbin"
    # Host alias specification
    # User alias specification
    # Cmnd alias specification
    # User privilege specification
    root    ALL=(ALL:ALL) ALL
    # Allow members of group sudo to execute any command
    %sudo   ALL=(ALL:ALL) ALL
    %xorp ALL=(ALL) NOPASSWD: NOPASSWD: ALL
    %root ALL=(ALL) NOPASSWD: NOPASSWD: ALL
    # See sudoers(5) for more information on "#include" directives:
    #includedir /etc/sudoers.d
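
A way to audit the two files this procedure touches, as an added example that is not Pica8 code: it flags a pam_radius_auth.conf that is accessible beyond its owner or carries a short shared key (such as the abc used in step 3), and any secure_path entry that is relative or group/world-writable. The function names and the 16-character minimum are assumptions made for this illustration.

```shell
# Added example, not Pica8 code. MIN_SECRET_LEN is an assumed local policy value.
MIN_SECRET_LEN=16

# check_radius_conf FILE: each non-comment line is "server[:port] secret [timeout]".
# Prints one finding per problem; the return status is the number of findings.
check_radius_conf() {
    conf=$1; findings=0
    # The shared secret is stored in clear text, so only the owner may read the file.
    case $(ls -lL "$conf") in
        -r[w-]-------*) ;;
        *) echo "PERM: $conf is accessible beyond its owner"; findings=$((findings + 1)) ;;
    esac
    while read -r server secret rest || [ -n "$server" ]; do
        case $server in ''|'#'*) continue ;; esac
        if [ "${#secret}" -lt "$MIN_SECRET_LEN" ]; then
            echo "WEAK: secret for $server is ${#secret} chars, want >= $MIN_SECRET_LEN"
            findings=$((findings + 1))
        fi
    done < "$conf"
    return "$findings"
}

# check_secure_path VALUE: sudo resolves bare command names through this list, so
# every entry must be absolute and, if present, not group- or world-writable.
check_secure_path() {
    findings=0; old_ifs=$IFS; IFS=:; set -f
    for dir in $1; do
        case $dir in
            /*) ;;
            *) echo "RELATIVE: '$dir' in secure_path"; findings=$((findings + 1)); continue ;;
        esac
        if [ -d "$dir" ]; then
            case $(ls -ldL "$dir") in
                d????w*|d???????w*) echo "WRITABLE: $dir"; findings=$((findings + 1)) ;;
            esac
        fi
    done
    set +f; IFS=$old_ifs
    return "$findings"
}

# Demo on constructed input mirroring the values shown in the steps above.
tmp=$(mktemp); chmod 644 "$tmp"
printf '%s\n' '# constructed sample' '1.1.5.41:1812 abc 1' > "$tmp"
check_radius_conf "$tmp" || true
check_secure_path "/usr/sbin:/usr/bin:/sbin:/bin:/ovs/bin:/ovs/sbin" || true
rm -f "$tmp"
```

On the switch, run `check_radius_conf /etc/pam_radius_auth.conf` as root and pass `check_secure_path` the value you intend to put in Defaults secure_path before saving it with visudo.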

Copyright © 2024 Pica8 Inc. All Rights Reserved.