Enabling Radius in PicOS OVS Mode

Perform the following steps to enable Radius in PicOS OVS mode:

  1. Enable user map

    admin@PicOS-OVS$sudo /pica/bin/usermap_disable.sh false
  2. Enable Radius on the PicOS switch.

    admin@PicOS-OVS$sudo /pica/bin/radius_disable.sh false
  3. Configure the IP address of the external Radius server on the PicOS switch. In the following example, IP address of the Radius server is 1.1.5.41 and the shared key is abc.

    admin@XorPlus$cat /etc/pam_radius_auth.conf 
    1.1.5.41:1812 abc 1
  4. Users on the Radius server must be super users. The following example shows the Radius record for user test8

    test8 Cleartext-Password := "pica8"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 172.16.3.33,
    Framed-IP-Netmask = 255.255.255.0,
    Framed-Routing = Broadcast-Listen,
    Framed-Filter-Id = "std.ppp",
    Framed-MTU = 1500,
    Framed-Compression = Van-Jacobsen-TCP-IP,
    Class = "super-user"
  5. Login to the switch via SSH and execute Linux shell commands.

    build@dev-18:$ ssh 10.10.51.145 -l test8
    test8@10.10.51.145's password: 
    test8@PicOS-OVS:~$ version
    Copyright (C) 2009-2014 Pica8, Inc.
    ===================================
    Hardware Model                : P-3290
    Linux System Version/Revision : 1.1/20809
    Linux System Released Date    : 03/21/2015
    L2/L3 Version/Revision        : 1.1/20809
    L2/L3 Released Date           : 03/21/2015
    OVS/OF Version/Revision       : 1.1/20809
    OVS/OF Released Date          : 03/21/2015 
    test8@PicOS-OVS:~$ pwd
    /home/test8
    test8@PicOS-OVS:~$
  6. The Radius user must use the full path to execute OVS commands, as shown below:

    test8@PicOS-OVS$sudo /ovs/bin/ovs-ofctl show br0
    OFPT_FEATURES_REPLY (OF1.4) (xid=0x2): dpid:5e3ee89a8f503d30
    n_tables:254, n_buffers:256
    capabilities: FLOW_STATS TABLE_STATS PORT_STATS GROUP_STATS
    OFPST_PORT_DESC reply (OF1.4) (xid=0x3):
     1(ge-1/1/1): addr:e8:9a:8f:50:3d:30
         config:     0
         state:      LINK_DOWN
         current:    COPPER AUTO_NEG
         advertised: 10MB-HD 10MB-FD 100MB-HD 100MB-FD 1GB-FD COPPER AUTO_NEG
         supported:  10MB-HD 10MB-FD 100MB-HD 100MB-FD 1GB-FD COPPER AUTO_NEG
         speed: 0 Mbps now, 1000 Mbps max
     LOCAL(br0): addr:e8:9a:8f:50:3d:30
         config:     0
         state:      LINK_UP
         current:    10MB-FD COPPER
         supported:  10MB-FD COPPER
         speed: 10 Mbps now, 10 Mbps max
    OFPT_GET_CONFIG_REPLY (OF1.4) (xid=0x5): frags=normal miss_send_len=0
     
    test8@PicOS-OVS:~$ sudo ovs-vsctl show  
    395575df-5939-45af-8e4c-d99da4c442dc
        Bridge "br0"
            Port "ge-1/1/1"
                tag: 1
                Interface "ge-1/1/1"
                    type: "pica8"
            Port "br0"
                Interface "br0"
                    type: internal
  7. User can also modify the path by editing the /etc/sudoers file, so that Radius users can execute OVS commands directly. Change the value of Defaults secure_path from "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/ovs/bin:/ovs/sbin" to another desired value.

    test8@PicOS-OVS:~$ sudo cat /etc/sudoers
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # Please consider adding local content in /etc/sudoers.d/ instead of
    # directly modifying this file.
    #
    # See the man page for details on how to write a sudoers file.
    #
    Defaults        env_reset
    Defaults        mail_badpass
    Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/ovs/bin:/ovs/sbin"
    # Host alias specification
    # User alias specification
    # Cmnd alias specification
    # User privilege specification
    root    ALL=(ALL:ALL) ALL
    # Allow members of group sudo to execute any command
    %sudo   ALL=(ALL:ALL) ALL
    %xorp ALL=(ALL) NOPASSWD: NOPASSWD: ALL
    %root ALL=(ALL) NOPASSWD: NOPASSWD: ALL
    # See sudoers(5) for more information on "#include" directives:
    #includedir /etc/sudoers.d

Copyright © 2024 Pica8 Inc. All Rights Reserved.