06 Mar

Response attributes on Synology RADIUS server

You can use Synology NAS products for more than file storage. The DSM system provides a broad spectrum of additional services via packages, either signed by Synology or provided by third-party communities, of which the SynoCommunity repository is the best known. The only limitation is your NAS hardware platform and its performance. I own a DS211, a model that has already reached End of Sale status. I run several network services on it, such as a DNS server, and I use it as remote storage for SMB and AFP shares as well as for iSCSI LUNs. It also provides some services for my home network and lab. One of them is a RADIUS server.

I want to show you how you can use a Synology NAS as a RADIUS server that uses an LDAP database for user authentication. This way the local accounts I use for network share authentication remain separate from the additional accounts dedicated to the RADIUS service. Both RADIUS and LDAP run on the NAS itself.

The DSM web interface does not let you configure additional RADIUS attributes. I suspect the developers assumed most people would not need them. In my opinion this is the wrong approach: if someone decides to use RADIUS, setting up additional attributes is usually necessary.

To make the change, we need to edit the configuration files manually. You will find them in /usr/local/synoradius/:

-rwxr-xr-x 1 root root 48 Mar 1 01:09 rad_site_def
-rwxr-xr-x 1 root root 832 Jan 20 22:05 rad_site_def_ad
-rwxr-xr-x 1 root root 869 Jan 23 01:46 rad_site_def_ldap
-rwxr-xr-x 1 root root 596 Jan 20 22:23 rad_site_def_local
-rwxr-xr-x 1 root root 1000 Jan 22 22:11 rad_site_def_local_ad
-rwxr-xr-x 1 root root 866 Jan 22 22:14 rad_site_def_local_ldap

You can configure three different methods of user authentication on the RADIUS server. The user database can be the local authentication file (the same one DSM uses to authenticate SSH and web access), an Active Directory service or an LDAP service. Depending on which authentication method you select in the RADIUS web interface, you need to edit a different configuration file. You can also find the reference to the active configuration file in the rad_site_def file. Because my RADIUS server uses an LDAP database, I need to edit the rad_site_def_ldap file.


Juniper authentication attribute

If you want to use RADIUS to authenticate users on Juniper products, you need to define a local account on the JunOS device and assign it a class. You don’t configure any authentication method for this user.

set system login user radius-user uid 2001
set system login user radius-user class super-user

After successful user authentication, the RADIUS server needs to include this login name in its response using the Juniper-Local-User-Name attribute. Let’s put our modification in a separate file and only reference it from the main config. This way we can manage the changes more easily. It may also happen that a software upgrade replaces this configuration file with a newer version; in that case we only need to restore the $INCLUDE references, not re-apply all the changes.

Our change is straightforward. If you are curious about the syntax, you can look into the FreeRADIUS documentation.

update reply {
 Juniper-Local-User-Name := "radius-user"
}

We save it in the file /usr/local/synoradius/juniper-superuser.

In the active configuration file, we need to find the post-auth section. It defines actions performed after successful user authentication. We need to add the following line to this section:

$INCLUDE /usr/local/synoradius/juniper-superuser

In the same way we can add other attributes, for example for Cisco NX-OS systems. Remember that after each change you need to make RADIUS reread its configuration:

xargs kill -HUP < /var/packages/RadiusServer/target/var/run/radiusd/radiusd.pid
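The whole procedure above (write the include file, reference it from the post-auth section of the active site config, signal radiusd) as an added shell script; it is not part of the original post. It assumes a POSIX sh with awk (BusyBox on DSM is enough), uses the paths from the post (overridable through environment variables for testing), and the .bak backup name is my own choice.

```shell
#!/bin/sh
# Added example, not from the original post: idempotently wire a $INCLUDE into the
# post-auth section of a Synology RADIUS site config, then make radiusd reread it.
# Paths are the ones from the post; override via environment when testing elsewhere.
SYNORADIUS_DIR="${SYNORADIUS_DIR:-/usr/local/synoradius}"
RADIUSD_PID="${RADIUSD_PID:-/var/packages/RadiusServer/target/var/run/radiusd/radiusd.pid}"

# Write the include file carrying the reply attribute from the post.
write_include() {  # $1 = include file path, $2 = local Junos login name
  printf 'update reply {\n\tJuniper-Local-User-Name := "%s"\n}\n' "$2" > "$1"
}

# Insert "$INCLUDE <file>" as the first line inside "post-auth {" of the site config,
# unless that exact line is already there. Returns 1 if the file has no post-auth section.
add_include() {  # $1 = site config, $2 = include file path
  grep -q '^[[:space:]]*post-auth[[:space:]]*{' "$1" || return 1
  grep -qF "\$INCLUDE $2" "$1" && return 0
  cp "$1" "$1.bak"   # keep a copy of the untouched config (backup name is my choice)
  awk -v inc="$2" '
    { print }
    !ins && $0 ~ /^[[:space:]]*post-auth[[:space:]]*[{]/ { print "\t$INCLUDE " inc; ins = 1 }
  ' "$1.bak" > "$1"
}

# Number of references to the include file; must be exactly 1 after add_include.
count_include() {  # $1 = site config, $2 = include file path
  grep -cF "\$INCLUDE $2" "$1"
}

# Same reload signal the post uses; skipped when the pid file is not readable.
reload_radiusd() {
  [ -r "$RADIUSD_PID" ] && xargs kill -HUP < "$RADIUSD_PID"
}

# Typical run on the NAS (commented out so the functions can be sourced and tested):
#   write_include "$SYNORADIUS_DIR/juniper-superuser" radius-user
#   add_include "$SYNORADIUS_DIR/rad_site_def_ldap" "$SYNORADIUS_DIR/juniper-superuser" && reload_radiusd
```

Running add_include a second time after a package upgrade restores the reference without duplicating it, because the check is on the exact $INCLUDE line.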


2 thoughts on “Response attributes on Synology RADIUS server”

  1. Wouldn't this method enable super user access for *anyone* who can authenticate successfully through LDAP? I would think that a more restrictive control would be needed, like being able to hand out permissions based on group membership. That is what I am attempting, my web search brought me to this page.
