Contributor

NPS Radius Gaia admin authentication


Hi,

 

I am authenticating Gaia web/ssh admins using Windows Server 2019 NPS Radius with MFA.

It works fine, it is possible to login and the MFA is working as well, but I have issues with ssh users, it seems they do not get correct permissions.

The gaia config is as follows:

add rba role radius-group-RW domain-type System all-features

add aaa radius-servers priority 1 host ip_radius1 port 1812 secret ***** timeout 15
add aaa radius-servers priority 2 host ip_radius2 port 1812 secret ***** timeout 15
set aaa radius-servers NAS-IP PUBLIC_IP_OF_GW
set aaa radius-servers default-shell /bin/bash
set aaa radius-servers super-user-uid 96

Windows NPS Radius configured according to sk72940 (The NPS path, and also tried the Radius which had some different values.)

[image: radius.jpg]

 

Now to the problem, when admin logins with an AD (Radius) account it is not possible to run cphaprob for example.

[Expert@gw1:0]# cphaprob
-bash: cphaprob: command not found
[Expert@gw:0]# clish
gw1> cphaprob
/tmp/.CPprofile.sh: line 1: /opt/CPshrd-R80.30/scripts/cpprofile_functions.sh: Permission denied

gw1> [Expert@gw1:0]#
[Expert@gw1:0]#
[Expert@gw1:0]#
[Expert@gw1:0]# id
uid=96(_nonlocl) gid=100(users) groups=100(users)

Clish commands seem to run fine.

Gateway version is R80.30 Take 219

We have tried many things to overcome this issue, like changing group names etc.

Also changed the superuser id for radius to 0

set aaa radius-servers super-user-uid 0

But it makes no difference.

If I create a local user on the gw and make it a member of the same group as the radius users should have, then it runs without issues.

From what I can understand, the radius user simply does not have permissions to run this command, since it is a member of group 100 users.

-rwxr-x--- 1 admin bin 2982 Apr 30 2019 /opt/CPshrd-R80.30/scripts/cpprofile_functions.sh

The webgui seems to work as it should.

Would be grateful for any pointers or assistance here, this is a new setup so it has not worked before.

Thanks, Rickard

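The "Permission denied" in the post comes down to which of the three mode triplets applies to the session's identity. The script below is an added example, not part of the original thread and not a Check Point tool: it parses the `ls -l` line and the `id` line quoted in the post and reports which class (owner, group or other) the `_nonlocl` identity falls into and whether it may read or execute the file. The function names and the extra `id` lines used for comparison are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the two lines quoted in the post above.
LS_LINE = ("-rwxr-x--- 1 admin bin 2982 Apr 30 2019 "
           "/opt/CPshrd-R80.30/scripts/cpprofile_functions.sh")
ID_LINE = "uid=96(_nonlocl) gid=100(users) groups=100(users)"


@dataclass
class FileInfo:
    mode: str    # nine-character permission string, e.g. "rwxr-x---"
    owner: str
    group: str
    path: str


@dataclass
class Identity:
    uid: int
    user: str
    groups: set = field(default_factory=set)   # every group name shown by `id`


# type, 9 mode chars, optional ACL/xattr marker, links, owner, group, size,
# month, day, year-or-time, path (handles both "Apr 30 2019" and "Apr 30 12:34")
LS_RE = re.compile(
    r"^[-dlcbps]([rwxsStT-]{9})[.+@]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(.+)$")


def parse_ls(line: str) -> FileInfo:
    """Parse one `ls -l` line into mode, owner, group and path."""
    m = LS_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised ls -l line: %r" % line)
    mode, owner, group, path = m.groups()
    return FileInfo(mode, owner, group, path)


def parse_id(line: str) -> Identity:
    """Parse `id` output: uid, user name, primary group and supplementary groups."""
    m = re.search(r"uid=(\d+)\(([^)]+)\)", line)
    if not m:
        raise ValueError("unrecognised id line: %r" % line)
    ident = Identity(int(m.group(1)), m.group(2))
    # primary group (gid=...) plus the comma-separated groups=... list
    for name in re.findall(r"\d+\(([^)]+)\)", line[m.end():]):
        ident.groups.add(name)
    return ident


def access_class(ident: Identity, f: FileInfo) -> str:
    """Which permission triplet applies. Only the FIRST match counts: an owner
    is never promoted to the group bits, a group member never to the other bits."""
    if ident.user == f.owner:
        return "owner"
    if f.group in ident.groups:
        return "group"
    return "other"


def can_access(ident: Identity, f: FileInfo, perm: str) -> bool:
    """True if the identity may read ('r'), write ('w') or execute ('x') the file.
    uid 0 bypasses the r/w checks; for 'x' even root needs at least one x bit."""
    if perm not in ("r", "w", "x"):
        raise ValueError("perm must be r, w or x")
    bit = "rwx".index(perm)
    if ident.uid == 0:
        return perm != "x" or any(c.islower() for c in f.mode[2::3])
    triplet = {"owner": f.mode[0:3], "group": f.mode[3:6],
               "other": f.mode[6:9]}[access_class(ident, f)]
    # a lowercase letter means the bit is set ('s'/'t' imply x); '-', 'S', 'T' mean unset
    return triplet[bit].islower()


def diagnose(ls_line: str, id_line: str) -> dict:
    """Explain why a session can or cannot read/execute the file."""
    f, ident = parse_ls(ls_line), parse_id(id_line)
    return {
        "user": ident.user,
        "uid": ident.uid,
        "class": "root" if ident.uid == 0 else access_class(ident, f),
        "read": can_access(ident, f, "r"),
        "execute": can_access(ident, f, "x"),
        "path": f.path,
    }


if __name__ == "__main__":
    r = diagnose(LS_LINE, ID_LINE)
    print("%s (uid %d) matches the '%s' bits of %s: read=%s execute=%s"
          % (r["user"], r["uid"], r["class"], r["path"], r["read"], r["execute"]))
```

Run against the two lines from the post, it reports that uid 96 (`_nonlocl`) is neither `admin` nor a member of `bin`, so the `---` other-bits apply and the profile script cannot be read, which is exactly the error clish printed. The same identity with `bin` among its groups, or a session whose `id` reports uid 0, passes. What decides the outcome is the identity the session actually ends up with after login (what `id` prints), not only what the aaa configuration says, so comparing the `id` output of a RADIUS session with that of a working local user is the quickest way to see the gap.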
1 Solution

Accepted Solutions
Durin
Contributor
4 Replies
PhoneBoy
Admin

I’m not clear what the intended goal is here in terms of permissions.
Do you want the users to be “admin” level or just to be able to run certain commands?

Durin
Contributor

Hi,

Yes correct, the users should be able to run all commands. Same as admin user.

Best Regards, Rickard

PhoneBoy
Admin
Durin
Contributor