NSO RADIUS Authentication Sample Execut...

Koji Yokoe · ‎03-08-2019

Hi.

My customer is trying to authenticate NSO user using Radius server.

I referred NSO Administration Guide, Chapter 9. The AAA infrastructure, External authentication.

It seems like ncs.conf should be set this way.

<external-authentication>
<enabled>true</enabled>
<executable>my-test-auth.sh</executable>
</external-authentication>

And executable script (my-test-auth.sh in this case) is required.

Does someone have sample executable script for Radius?

I found this one, but it has only LDAP sample script.

https://community.cisco.com/t5/nso-developer-hub-documents/nso-developer-days-external-authentication-presentation/ta-p/3652885

hniska · ‎03-11-2019

Here is a really old script that might work. Hasnt been tested in years though.

#!/usr/bin/python

import sys
import subprocess

def check_credentials(username, password):
   radhost = '192.168.1.99:1812'
   radsecret = 'veryverysecret'

   log.write("Using RADIUS/radclient to authenticate\n")

   # build and send radclient command
   radcommand = 'echo \"User-Name=%s,User-Password=%s\" | radclient %s auth %s' % (username,password,radhost,radsecret)
   cmdstr = "Radcommand: %s\n" % radcommand
   log.write(cmdstr)

   radresponse = subprocess.Popen(radcommand, stdout=subprocess.PIPE, shell=True)
   (reply, err) = radresponse.communicate()

   # reply = 'Received response ID 212, code 2, length = 51\n Callback-ID = "admin wheel  1010  500 501 502"'
   replystr = "Rad Reply: %s\n" % reply
   log.write(replystr)

   if reply.find("code 3,") > 0 :
      log.write("Response is access-reject\n")
      return "reject RADIUS server rejects login"

   if reply.find("code 2,") < 0 :
      log.write("Response is not access-accept (no code 2)\n")
      return "reject RADIUS server doesn't accept login"

   if reply.find("Callback-Id") > 0 :
       authinfo = reply.split('"')
       authstr = "Found user auth info: %s\n" % authinfo[1]
       log.write(authstr)
       accept = "accept %s /home/%s" % (authinfo[1],username)
       acceptstr = "Returning: %s\n" % accept
       log.write(acceptstr)
       return accept

   log.write("Returning: reject RADIUS server provides no authorization information")
   return "reject RADIUS server provides no authorization information"


def get_credentials():
  # read username and password from stdin
  # comes in [username;password;]\n format
  # just reading form stdin does not work for some reason.
  # might be that NCS does not send line break?
  # c = sys.stdin.read()

  c = ""
  while len(c) == 0 or c[-1] <> ']' :
     c += sys.stdin.read(1)
  cstr = c + "\n"
  log.write(cstr)

  #Remove [ and ], split on ; and assign to username and password
  username = c.replace("\\n","").strip('"[]').split(";")[0]
  password = c.replace("\\n","").strip('"[]').split(";")[1]
  return (username, password)

#
# Main
# NCS External Authentication script interface to RADIUS
# Tested with NCS 3.3.2 and FreeRadius radclient and radiusd
# Could upgrade to use python radius client package.
#

# Open a log file to debug this
log = open('radauth.log', 'a', 0)
log.write("\n**************************\n")
log.write("External Auth - Radius....\n")

# Get the input credentials from NCS
usernamePassword = get_credentials()
creds="CheckCreds.. username: %s password; %s \n" % (usernamePassword[0], usernamePassword[1])
log.write(creds)

# Authenitcate the credentials with Radius server
ncsreply = check_credentials(usernamePassword[0],usernamePassword[1])
print ncsreply
log.close()

Koji Yokoe · ‎03-12-2019

Hi hniska.

It is so helpful.

I really appreciate your help.

Koji Yokoe

NSO RADIUS Authentication Sample Executable Script

Re: NSO RADIUS Authentication Sample Executable Script

Re: NSO RADIUS Authentication Sample Executable Script