Cisco Community
English
Register
Announcing the Project Gallery! Click here to read community member deployment stories and share your projects!
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
486
Views
10
Helpful
2
Replies
Highlighted
Koji Yokoe
Cisco Employee
Cisco Employee
‎03-08-2019 03:40 AM
‎03-08-2019 03:40 AM

NSO RADIUS Authentication Sample Executable Script

Hi.

My customer is trying to authenticate NSO user using Radius server.

I referred NSO Administration Guide, Chapter 9. The AAA infrastructure, External authentication.

It seems like ncs.conf should be set this way.

<external-authentication>
<enabled>true</enabled>
<executable>my-test-auth.sh</executable>
</external-authentication>

And executable script (my-test-auth.sh in this case) is required.

 

Does someone have sample executable script for Radius?

I found this one, but it has only LDAP sample script.

https://community.cisco.com/t5/nso-developer-hub-documents/nso-developer-days-external-authentication-presentation/ta-p/3652885

0 Helpful
Reply
2 REPLIES 2
Highlighted
hniska
Cisco Employee
Cisco Employee
‎03-11-2019 05:48 AM
‎03-11-2019 05:48 AM

Re: NSO RADIUS Authentication Sample Executable Script

Here is a really old script that might work. Hasnt been tested in years though. 

#!/usr/bin/python

import sys
import subprocess

def check_credentials(username, password):
   radhost = '192.168.1.99:1812'
   radsecret = 'veryverysecret'

   log.write("Using RADIUS/radclient to authenticate\n")

   # build and send radclient command
   radcommand = 'echo \"User-Name=%s,User-Password=%s\" | radclient %s auth %s' % (username,password,radhost,radsecret)
   cmdstr = "Radcommand: %s\n" % radcommand
   log.write(cmdstr)

   radresponse = subprocess.Popen(radcommand, stdout=subprocess.PIPE, shell=True)
   (reply, err) = radresponse.communicate()

   # reply = 'Received response ID 212, code 2, length = 51\n Callback-ID = "admin wheel  1010  500 501 502"'
   replystr = "Rad Reply: %s\n" % reply
   log.write(replystr)

   if reply.find("code 3,") > 0 :
      log.write("Response is access-reject\n")
      return "reject RADIUS server rejects login"

   if reply.find("code 2,") < 0 :
      log.write("Response is not access-accept (no code 2)\n")
      return "reject RADIUS server doesn't accept login"

   if reply.find("Callback-Id") > 0 :
       authinfo = reply.split('"')
       authstr = "Found user auth info: %s\n" % authinfo[1]
       log.write(authstr)
       accept = "accept %s /home/%s" % (authinfo[1],username)
       acceptstr = "Returning: %s\n" % accept
       log.write(acceptstr)
       return accept

   log.write("Returning: reject RADIUS server provides no authorization information")
   return "reject RADIUS server provides no authorization information"


def get_credentials():
  # read username and password from stdin
  # comes in [username;password;]\n format
  # just reading form stdin does not work for some reason.
  # might be that NCS does not send line break?
  # c = sys.stdin.read()

  c = ""
  while len(c) == 0 or c[-1] <> ']' :
     c += sys.stdin.read(1)
  cstr = c + "\n"
  log.write(cstr)

  #Remove [ and ], split on ; and assign to username and password
  username = c.replace("\\n","").strip('"[]').split(";")[0]
  password = c.replace("\\n","").strip('"[]').split(";")[1]
  return (username, password)

#
# Main
# NCS External Authentication script interface to RADIUS
# Tested with NCS 3.3.2 and FreeRadius radclient and radiusd
# Could upgrade to use python radius client package.
#

# Open a log file to debug this
log = open('radauth.log', 'a', 0)
log.write("\n**************************\n")
log.write("External Auth - Radius....\n")

# Get the input credentials from NCS
usernamePassword = get_credentials()
creds="CheckCreds.. username: %s password; %s \n" % (usernamePassword[0], usernamePassword[1])
log.write(creds)

# Authenitcate the credentials with Radius server
ncsreply = check_credentials(usernamePassword[0],usernamePassword[1])
print ncsreply
log.close()
Reply
Highlighted
Koji Yokoe
Cisco Employee
Cisco Employee
‎03-12-2019 06:25 PM
‎03-12-2019 06:25 PM

Re: NSO RADIUS Authentication Sample Executable Script

Hi hniska.

It is so helpful.

I really appreciate your help.

 

Koji Yokoe

0 Helpful
Reply
Latest Contents
CISCO CSP 2100 APIs and Postman
Created by jegarnie on 08-05-2020 02:01 AM
0
5
0
5
Hi,   In order to ease the use of the CSP 2100 APIs, I've created a new repo which is containing the Postman collection. Have a look at it: https://github.com/jgarnier/csp_2100_postman, there is details on importing the collection, creating the ... view more
Deploying NSO in Brownfield Networks
Created by KJ Rossavik on 08-03-2020 07:49 AM
0
5
0
5
It is very rare to be building a brand-new network from scratch. A much more common scenario is to introduce automation into a pre-existing network, which is already delivering services to customers. With NSO having been deployed in more than 200 customer... view more
Sample CSE moderation video
Created by HimanshuVarma06 on 07-13-2020 12:02 AM
0
0
0
0
This video is currently being processed. Please try again in a few minutes.(view in My Videos)
The first-ever virtual NSO Developer Days is over!
Created by Nicklas Wagerth on 06-26-2020 05:00 AM
6
5
6
5
Developer Days 2020 is over. With 1,998 registered attendees it was a huge success! We now have more than 20 hours of on-demand content from our fantastic speakers on YouTube. Soon, you will be able to find this material along with previous Developer Days... view more
Reconciliation IV: Rise of the Robots - The Trailer
Created by sbarvick on 06-18-2020 06:43 AM
0
0
0
0
In the NSO universe there a number of heroes and just a few villains.  The clear uber-hero is FastMap, the one algorithm to diff them all.     Other demi-heroes include Yang, Nanoservices, and Netsim.  Most villains are vanquished quic... view more