Management Access using SSH Keys and Radius Authentication Methods

Table of Contents

1  Introduction
    1.1 Features
2  SSH KEYS
    2.1 Feature Description
    2.2 SSH KEY Generation with Windows Host
    2.3 SSH KEY Generation with LINUX Host
    2.4 Configuration
3  Radius Auth based Management
    3.1 Feature Description
    3.2 Configuration

1. Introduction

This document details the enhancements for Device Management access with SSH Keys and Radius Authentication.

The device can be managed using the CLI (SSH and Telnet), the GUI, and SNMP. The new enhancements add management access with SSH keys and RADIUS authentication.

Feature Introduced in AP Software Release: 3.10.1

2. SSH Keys

2.1 Feature Description

SSH keys are used to connect to remote machines securely. They are based on the SSH cryptographic network protocol, which encrypts the information stream between two machines. Using SSH keys, a user can connect to remote devices without entering a password, and more securely too.

SSH works based on "public-key cryptography". For simplicity, consider that SSH keys come in pairs: a private key, which is stored safely on the user's home machine, and a public key, which is stored on any remote machine (AP) the user wants to connect to.

So, whenever a user initiates an SSH connection with a remote machine, SSH first checks whether the user has a private key that matches any of the public keys on the remote machine; if not, it prompts the user for a password.

2.2 SSH Keys Generation with Windows Host

Using PuTTY in Windows:

  • Generate a key pair in PuTTYgen and save the private and public keys.

SSHKey-1.png

SSHKey-2.png

  • Save the public key and private key once the key pair is generated.

SSHKey-3.png

  • Import the private key into Pageant so that PuTTY uses it when you open an SSH session.

SSHKey-4.png

  • Add the public key in the GUI on the AP and hit save.
  • Locate the private key path under SSH -> Auth.

SSHKey-5.png

  • From PuTTY, SSH to the AP IP.

SSHKey-6.png

Note: the public key that we copy-paste into the GUI has the form “ssh-rsa THE-KEY-STRING”. Make sure the key string is one continuous string, with no spaces etc.

The key will start with some capital letters and end with “=”.

2.3 SSH Keys Generation with Linux Host

If you are using a Linux PC and SSH from the Linux host, you can generate the keys with the following steps:

  • Generate a key pair by executing the below-mentioned command on the Linux console.
  • Once you have entered the Gen Key command, you will get a few more questions:

“Enter file in which to save the key (/home/saidell/.ssh/id_rsa):”

You can press enter here, saving the file to the user home (in this case, my example user is called saidell).

“Enter passphrase (empty for no passphrase):”

It's up to you whether you want to use a passphrase. Entering a passphrase does have its benefits: the security of a key, no matter how encrypted, still depends on the fact that it is not visible to anyone else.

Below is the snapshot of the KeyGen procedure.

SSHKey-9.png

  • The public key is now located in /home/saidell/.ssh/id_rsa.pub.
  • The private key (identification) is now located in /home/saidell/.ssh/id_rsa.

SSHKey-10.png

  • Copy the public key and configure it on the AP.
  • Now, from the Linux host, SSH to the AP IP as shown below.

SSHKey-11.png

It will not prompt for a password; once key verification is successful, the AP config prompt appears directly.

If the key is wrong/mismatched, the password prompt will still appear. A factory reset or ‘no management user admin key’ will wipe the key off the AP.
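A pre-paste check for the public key line, covering the format note in 2.2 and the mismatch case above. This is an added example, not Cambium code: the function names are hypothetical and the sample key is constructed (valid wire format, dummy modulus). It goes slightly beyond the note by also detecting a truncated key string and reporting the key size and fingerprint.

```python
import base64
import hashlib
import struct


def blob_fields(blob: bytes) -> list:
    """Split an SSH key blob into its length-prefixed fields (RFC 4251 strings)."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("key blob is truncated")
        (size,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + size > len(blob):
            raise ValueError("key blob is truncated")
        fields.append(blob[off:off + size])
        off += size
    return fields


def check_public_key(text: str) -> dict:
    """Validate one 'ssh-rsa KEY-STRING [comment]' line; raise ValueError if malformed."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("public key must be exactly one line")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <key-string> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)  # binascii.Error is a ValueError
    fields = blob_fields(blob)
    if not fields or fields[0].decode("ascii", "replace") != parts[0]:
        raise ValueError("type prefix does not match the type inside the key string")
    if parts[0] == "ssh-rsa" and len(fields) != 3:
        raise ValueError("ssh-rsa blob must hold type, exponent and modulus")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    info = {"type": parts[0], "fingerprint": "SHA256:" + digest, "comment": " ".join(parts[2:])}
    if parts[0] == "ssh-rsa":
        info["bits"] = int.from_bytes(fields[2], "big").bit_length()
    return info


def sample_line() -> str:
    """Constructed sample: valid wire format, dummy modulus, not a usable key."""
    def ssh_string(data: bytes) -> bytes:
        return struct.pack(">I", len(data)) + data
    modulus = ((1 << 2047) | 1).to_bytes(257, "big")  # leading zero byte, as an mpint
    blob = ssh_string(b"ssh-rsa") + ssh_string((65537).to_bytes(3, "big")) + ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " saidell@linux-host"


if __name__ == "__main__":
    print(check_public_key(sample_line()))
```

The fingerprint is in the same SHA256 form that `ssh-keygen -lf id_rsa.pub` prints on the host, so the two can be compared to confirm that the key pasted into the AP is the one whose private half the client holds.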

2.4 Configuration

SSH key configuration is supported in the CLI, the GUI and from cnMaestro.

From GUI: Configure the generated public key in the SSH Key field.

SSHKey-7.png

From CLI:

SSHKey-8.png

3. Radius Authentication based Management

3.1 Feature Description

Device management using RADIUS authentication lets a host machine access the AP with a username and password other than the default admin/admin login; these credentials are validated with the RADIUS server.

On the AP, we provide the RADIUS server details and the shared secret key. This is normal RADIUS-based authentication, but only the username and password are challenged. When the credentials are valid, the RADIUS server sends an accept and the remote host is allowed management access to the AP.

3.2 Configuration

Configure RADIUS server authentication, server IP address and shared secret using CLI:

radius-1.png

From GUI:

radius-2.png

Login Procedure from CLI:

  • From the CLI, log in with ‘radius’ as the username over ssh/cli; it will then prompt you for another username/password, which is looked up on RADIUS.

radius-3.png

  • If the credentials are wrong at this point, it will disconnect the CLI session.

From the GUI you can enter any username/password, not just admin, and it will be looked up on the RADIUS server.

radius-4.png

Useful links:

https://www.ssh.com/ssh/putty/windows/puttygen

https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2
