How to configure AAA to assign different privileges for radius users to login on Omada Switch
147 Contents
This article describes in detail how to set the authentication method of users who access the standalone Omada Switch through HTTP/SSH/Telnet/Console to RADIUS, and uses FreeRADIUS as an example to introduce how to set different access privilege levels for these users in the RADIUS Server.
- Omada Switch (L3/L2+ Switch, Smart Switch)
- FreeRADIUS
For Omada Switch managed without an Controller, the username and password for accessing the device through HTTP/SSH/Telnet/Console are stored locally on the device by default, that is, the device itself authenticates the accessed users. To meet the actual configuration requirements of different types of customers and different application scenarios, Omada Switch supports setting the authentication method of users accessing it through HTTP/SSH/Telnet/Console as RADIUS, and it also allows different access privileges to be assigned to these users in RADIUS Server. What’s more, Omada Switch is able to support setting privilege escalation passwords to allow users with non-admin privilege (this privilege refers to Administrative-User in FreeRADIUS) to raise their current permission to admin privileges.
You can configure this function according to your own needs in the actual application scenario. In this article, FreeRADIUS is installed on the CentOS system as the Radius Server, it describes how to create 4 users with 4 different privilege levels in FreeRADIUS to limit only the permission for accessing Omada Switch through SSH.
- CentOS version:centos-release-7-5.1804.el7.centos.×86_64
- FreeRADIUS version:FreeRADIUS Version 3.0.13
Note: Please visit Building FreeRADIUS and follow the official instructions to download and install FreeRADIUS.
Step 1. Create multiple users with different privileges in FreeRADIUS
Open the Centos system with FreeRADIUS installed and go to the CLI, edit and save the users file to add 4 users with different access privilege levels as shown in the following figure.
In the above figure, user001, poweruser001, operator001, admin001 are custom user names; thisisuser, thisispoweruser, thisisoperator and thisisadmin are their passwords of the four users; Login-User, Framed-User, Outbound-User and Administrative-User are the access privileges granted to these four users respectively. Currently, Omada Switch only supports the configuration of these four privileges for users in FreeRADIUS. enable123 is the custom password for privilege escalation, when accessing switch via a non-Administrative-User, you can enter this password to elevate the current user’s privilege to Administrative-User.
- Login-User: Users are able to view function settings without the permission to modify them.
- Framed-User: Users are able to view and modify limited function settings.
- Outbound-User: Users are able to view and modify most function settings.
- Administrative-User: Users are able to view and modify all function settings.
Step 2. Restart FreeRADIUS
After editing and saving the user file, run the following two commands on the CLI to restart FreeRADIUS to ensure that the configuration takes effect:
service radiusd stop
radiusd –X
Note: The specific CLI commands you need to enter in this step vary with the Linux system you are installing. The preceding two commands apply only to the configuration environment in this article.
Step 3. Login on Omada Switch via entering its IP address in browser, go to SECURITY > Access Security > SSH Config to Enable SSH and configure the Port, and then click the Apply button.
Step 4. Go to SECURITY > AAA > RADIUS Config to click Add, then configure RADIUS Server as the figure below. The description of each parameter in this step is listed below:
- Server IP: The host’s IP address where the FreeRADIUS is installed.
- Shared Key: The key string customized in clients.conf file in FreeRADIUS, the RADIUS server and the switch use the key string to encrypt passwords and exchange responses.
- Authentication Port: The UDP destination port on the RADIUS server for authentication requests. The default setting is 1812.
- Accounting Port: The UDP destination port on the RADIUS server for accounting requests. The default setting is 1813. Usually, it is used in the 802.1X feature, no need to configure it in this article.
- Retransmit: The number of times a request is resent to the server if the server does not respond.
- Timeout: The time interval that the switch waits for the server to reply before resending.
- NAS Identifier: The name of the NAS (Network Access Server) to be contained in RADIUS packets for identification. It can range from 1 to 31 characters. The default value is the MAC address of the switch. Generally, the NAS refers to the switch itself, no need to configure it in this article.
Step 5. Go to SECURITY > AAA > Server Group to click Add, then configure Server Group as the figure below. The description of each parameter in this step is listed below:
- Server Group: Specify a name for the server group.
- Server Type: Select the server type for the group.
- Server IP: Select the IP address of the server created in last step. If multiple servers are added to the server group, the server that is first added to the group has the highest priority and authenticates the users trying to access the switch, the others act as backup servers in case the first one breaks down.
Note: In this configuration, please be sure to select the Server Type as RADIUS.
Step 6. Go to SECURITY > AAA > Method Config to click Add in the Authentication Login Method Config list and Authentication Enable Method Config list, then configure them, the description of each parameter in this configuration step is listed below:
- Method list Name: The custom name for the method.
- Pri1-Pri4: The authentication methods in order. The method with Pri1 authenticates a user first, the method with Pri2 is tried if the previous method does not respond, and so on. In my configuration, I will select the server group created by myself in Pri1.
- Local: The local database in the switch for authentication.
- None: No authentication is used.
- Radius: The remote RADIUS server/server groups for authentication.
- Tacacs: The remote TACACS+
- Other user-defined server groups: The user-defined server groups created in the previous step for authentication
Note: Local/None/Radius/Tacacs are four built-in authentication modes.
A method list describes the authentication methods and their sequence to authenticate the users. The switch supports Login Method List for users of all types to gain access to the switch, and Enable Method List for none-admin users to get administrative privileges. You can edit the default methods or add a new method on this page.
Step 7. Go to SECURITY > AAA > Global Config to select the access way according to your needs, and select the Login Method and Enable Method set in the previous step, then click Apply and Save button in the upper right corner. At this point, the configuration is complete.
Step 1. Open an SSH connection tool such as Putty on a PC in the same LAN as the Switch, enter the Switch’s IP and SSH port in Host Name (or IP address) and Port respectively, select Connection type as SSH, then click Open button.
Step 2. Enter the username and its password in the pop-up terminal. Here, we use a user (its username and password are user001 and thisisuser, respectively) with Login-User privilege as an example to verify that the configuration can take effect normally. Now we can successfully enter User EXEC Mode.
Step 3. Enter enable to enter Privileged EXEC Mode.
Step 4. Enter configure to enter Global Configuration Mode, and it’s coming with a prompt of “Error: Bad Command” which indicates that the current user's permissions are indeed Login-User.
Step 5. Enter enable-admin and the password (it’s enable123 in this configuration) for elevated privilege to get the Administrative-User privilege.
Note: To improve security, the password entered here will not be displayed in the terminal.
Step 6. Enter configure again, and it’s turned out that we successfully enter the Global Configuration Mode. By enter?, it can be found that we can configure all functions and modules at this time.
So far, we have successfully verified that the previous configurations on the Switch and FreeRADIUS are correct and effective. In the same way, you can also use SSH to access the Switch with several other users with different privilege levels to verify their effectiveness.
At this point, we have completed the entire configuration and verification of this function. We can access our Switch through various access methods (HTTP/Telnet/SSH/Console) via users with different privilege levels.
Get to know more details of each function and configuration please go to Download Center to download the manual of your product.
How many ways are there to access an Omada switch? Do they all apply the configuration process in this article?
Re: There are up to 4 access methods, which are HTTP/Telnet/SSH/Console, but since some models do not have a console port, they can only be accessed through HTTP/Telnet/SSH. As long as the access method is supported by the Switch, it’s applicable to the configuration process in this article.
Is this faq useful?
Your feedback helps improve this site.
1.0_Omada_Enterprise_L3_Switch-1000px_normal_20231110114352k.png)
1.0_Omada_Enterprise_L3_Switch-Front_normal_20231109113449q.png)
TP-Link Community
Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.