Merge pull request #770 from 128technology/6.3.0-update-download-upgrade-procedure

6.3.0 update download upgrade procedure
Chr1st0ph3rTurn3r authored Oct 24, 2024
2 parents 1882bec + 08da1d0 commit 8fd8397
Showing 11 changed files with 661 additions and 115 deletions.
186 changes: 177 additions & 9 deletions docs/config_radsec.md
Expand Up @@ -5,14 +5,9 @@ sidebar_label: Configuring RADIUS over TLS

RADIUS over TLS is designed to provide secure communication of RADIUS requests using the Transport Secure Layer (TLS) protocol. RADIUS over TLS, also known as RADSEC, redirects regular RADIUS traffic to remote RADIUS servers connected over TLS. RADSEC allows RADIUS authentication, authorization, and accounting data to be passed safely across untrusted networks.

In this section:
- Configuring RADSEC
- Signing and Importing Webserver Certificates
- Syslog over TLS
## RADSEC Configuration - Existing Certificate

## Configuring RADSEC

Use the following information to configure RADIUS over TLS (RADSEC).
Use the following information to configure RADIUS over TLS (RADSEC) using an existing certificate.

#### 1. Configure the RADSEC server.
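Review bot: the new heading `## RADSEC Configuration - Existing Certificate` replaces `## Configuring RADSEC` but the step headings below stay at `####`, so the page now jumps from h2 straight to h4 with no h3 level in between; either promote the steps to `###` or keep a `###` heading above them. The removed `In this section` list was also the only visible pointer from this page to `Signing and Importing Webserver Certificates` and `Syslog over TLS`; confirm those are reachable from the sidebar, otherwise keep a short link list. Nit in the unchanged intro paragraph, worth fixing while this page is being edited: `Transport Secure Layer (TLS)` should read `Transport Layer Security (TLS)`.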

Expand All @@ -29,7 +24,7 @@ [email protected] (radius-server[name=radsec])# server-name t327-dut1.opensta
[email protected] (radius-server[name=radsec])# top
```

#### 2. Configure the trusted CA certificate.
#### 2. Configure the Trusted CA Certificate.

The trusted CA certificate is necessary to validate the incoming client certificate. Certificates are pasted in as a multi-line config.

Expand All @@ -42,7 +37,11 @@ Enter plain for content (Press CTRL-D to finish):
<paste-cert-file-content-here>
```

#### 3. Configure a client certificate to be used for the RADIUS client.
:::note
The `trusted-ca-certificate` is a list and may contain different CA roots used for different certificates. In that case, naming them all `ca_root` would not be suitable. In that case, choose a name that is meaningful to the user and CA, eg: `globalsign_root`.
:::

#### 3. Configure a Client Certificate to be used for the RADIUS client.

Repeat the previous step to create a client certificate named `radsec`.
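Review bot: the added `:::note` says `In that case` twice in consecutive sentences and uses `eg:`; suggest rewording to: `The trusted-ca-certificate element is a list and may hold several CA roots, each used to validate different certificates. When more than one is configured, naming them all ca_root is not workable; choose a name that identifies the CA, e.g. globalsign_root.` The following heading, `#### 3. Configure a Client Certificate to be used for the RADIUS client.`, mixes title case and sentence case and keeps the trailing period; make it match the other step headings. Its body still says `Repeat the previous step`, but with the note inserted in between, the previous step is no longer directly above; naming the step (step 2) avoids ambiguity.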

Expand Down Expand Up @@ -78,5 +77,174 @@ Account 'test1' successfully created

When the user logs into the node `t327-dut1` via ssh, the authentication request is sent via RADSEC to the server `172.18.5.224` and the user is authenticated.

## RADSEC Configuration - Generate Certificate

Use the following examples to generate a client certificate for use on the device.

#### 1. Generate the Signing Request

Use the `create certificate request client` command to generate the signing request.

```
[email protected]# create certificate request client radsec
Country name (2 letter code): US
State or province name (full name): MA
Locality name (eg: city): Westford
Organization name (eg: company): Juniper
Organization unit (eg: engineering):
Common name: dut1
Email address:
Subject Alternative Name - DNS (fully qualified domain name):
Subject Alternative Name - IP Address:
% Error: Could not create request: Subject Alternative Name (DNS or IP address) is required
[email protected]# create certificate request client radsec
Country name (2 letter code): US
State or province name (full name): MA
Locality name (eg: city): Westford
Organization name (eg: company): Juniper
Organization unit (eg: engineering):
Common name: dut1
Email address:
Subject Alternative Name - DNS (fully qualified domain name): dut1
Subject Alternative Name - IP Address: 10.27.32.203
Request successfully generated:
-----BEGIN CERTIFICATE REQUEST-----
MIIC1jCCAb4CAQAwTjENMAsGA1UEAwwEZHV0MTELMAkGA1UEBhMCVVMxETAPBgNV
BAcMCFdlc3Rmb3JkMRAwDgYDVQQKDAdKdW5pcGVyMQswCQYDVQQIDAJNQTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ8WwHXP/z49sFsxpN5L9THO5y8N
f/as8Nn6XUyG86YyxcR5IYL5gKR5//EunoVjLAUCHgBqxwaUa3enhNEQS97N4Bcs
E7YygMkI7oAnHCioslB+x2Am/xKPRosh3s50fIN3mY409/byMGipfGcyNlMT8XbS
XF/zmGBI1/4aRbeqL5VMDPO+9DNRxXMgqBs2y48WanGvZeZTP5B/sSczlhOSxHnu
DxNYQ7+rZs9NpKzktCXOSA8nsz
.
.
.
wp4dOHuKsnf+ZsfNK4AGUYdh3qEa1/xJxyug1R3AGjItbkUzbJpR6hp7B0YYWV87
QALMf6F0SKBDXg++
-----END CERTIFICATE REQUEST-----
```

#### 2. Configure the Trusted CA Certificate

The trusted CA certificate is necessary to validate the incoming client certificate. Certificates are pasted in as a multi-line config.

Create a root certificate named `ca_root` and paste the certificate file content into the command:

```
[email protected]# configure authority trusted-ca-certificate ca_root
*[email protected] (trusted-ca-certificate[name=ca_root])# content
Enter plain for content (Press CTRL-D to finish):
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCqfzVmeFPMA+Jc
53MlVF3LoYZAkqh1Dz3+HFnegcAU3/tCGSdfJad/PeF5KEQDDnF0vc9XbfS2/wJC
wHAt15TH3iarSPE3dV3L0c1tyOFaMUNLAd3nsPArR0w/1YAfr1cAN0rEUZ4WmkZK
vyFx6AsuVm5MpXR4z7U4j955sqRkWsi3I1hLtMPzuWEJA/AbpTCxb1k2xJDQWira
/NALlz6NPVRcngBt56ZDhMNmy/g2zGEcmitEqMUOS7apvRk6hZK94dfjSQe4iEpX
Sdd6vvZxdrWGV10lmDDH0SPtmGBE+34r1UNIbp/XVRh6KxiNcjFVNBwlwqATmTYh
xkXAPw1pAgMBAAECggEACZ3YNLnnvBOiAmx5larvCWvIZz7+am/cJseRmBfIbkT9
5ooFqvu0OVyTqaJIR8XaR2PnXH6StXmntnqDpHWQTqUvlbGANIqWsyiig26zFCEu
IAXwr0TKRERzKAWT4lwmOAGi4LuQa6Ty/wdNyx9z9f6hBQi2C5Rnm9OdkE6vsAtJ
NbNcsV+bvedfLoJqG1MM3sh3LT3RAltaM0ntw3PdFiMVcQIJgGr85nVJcg4SCUkh
JKlfUE83IqkwAd1V0jn/2yopCmQBLrpyqlRu2MmwFiIS+IUcoReemNK8mlfd8hbR
.
.
.
2P6CP4iOY1EjsxNssrLJKkxXdagYeZo5X2KOIqZ8FeVli4BM0mqX96UPN2zV3dNP
eN1DF6VSLghh30ITUauYdQ++
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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.
.
.
qynFiqlV0UDGgH+e8hCp41Seva5vBGYvwMVHPU80rhoAsTh1BNpM1r9xbvDQs5ui
3QyeFCt/O0A=
-----END CERTIFICATE-----
```

#### 3. Import the Client Certificate

After the certificate is signed and returned, it is imported into the SSR for use by the client using the `import certificate client` command. It is validated against any trusted certificates entered using `trusted-ca-certificate`.

The following example shows an valid self-signed certificate being imported:

```
[email protected]# import certificate client radsec
Enter the end point certificate in PEM format (Press CTRL-D to finish):
-----BEGIN PRIVATE KEY-----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.
.
.
WiYWxHz5Q4wUxV5uTJR3Jq5rzcHr1shyVDT+aFf9tyNdcLFfbziZ1y/EfAPkOOoH
jLD4SXCWbmRxHYVMn3yhqK4=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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.
.
.
9cgLsL60tukLdwxH5S6gAw/MSm6ABYjdv
-----END CERTIFICATE-----
/usr/lib/128technology/unzip/pcli/runfiles/pypi__36__cryptography_40_0_2/cryptography/x509/base.py:576: CryptographyDeprecationWarning: Parsed a negative serial number, which is disallowed by RFC 5280.
return rust_x509.load_pem_x509_certificates(data)
✔ Importing...
Certificate imported successfully
Would you like to add the certificate to your configuration? [y/N]: y
Which router is this certificate for? (Select all if it applies to the entire authority) [all]: all
% Warning:
1. certificate contains the following issues: does not have the extendKeyUsage extension
config
authority
client-certificate radius
content
2. certificate contains the following issues: does not have the extendKeyUsage extension
config
authority
client-certificate conductor-radius
content
Certificate imported successfully
Would you like to clean up the temporary certificate and key files? [Y/n]: Y
```

#### 4. Configure the Device to Accept the Client Certificate

Use the following example command to configure your device to accept the certificate.

` configure authority router ComboWest node combo-west radius client-certificate-name radsec`
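Review bot: the `configure authority trusted-ca-certificate ca_root` example in the new step 2 pastes a `-----BEGIN PRIVATE KEY-----` block ahead of the certificate. A trusted CA entry must hold only the CA certificate; the CA's private key never belongs on the router, and a reader copying this example would load CA signing key material into device configuration. Drop the key block and show only the `-----BEGIN CERTIFICATE-----` to `-----END CERTIFICATE-----` span. Further problems in the same hunk: (1) step 1 generates the CSR on the device with `create certificate request client radsec`, so the private key already lives on the SSR, yet the step 3 `import certificate client radsec` example pastes a private key plus certificate; either the imported PEM should be the signed certificate alone, or the text should say when a key must accompany it (a certificate and key generated off-box). (2) The step 3 sample output does not match its own command: the prompt is `import certificate client radsec`, but the warnings refer to `client-certificate radius` and `client-certificate conductor-radius`, and the capture includes a `CryptographyDeprecationWarning` about a negative serial number plus two `does not have the extendKeyUsage extension` warnings; a missing extended key usage is worth flagging, but the sample should come from a clean run of the documented command or the warnings should be explained. (3) `The following example shows an valid self-signed certificate being imported`: `an` should be `a`, and a certificate signed by the CA from step 2 is CA-signed, not self-signed. (4) `The trusted CA certificate is necessary to validate the incoming client certificate` should say which peer it validates; on the RADIUS client it is the RADSEC server's certificate in the TLS handshake, and per step 3 the imported client certificate is checked against it too. (5) Step 4 uses `router ComboWest node combo-west` while the rest of the page uses `t327-dut1`; keep one set of names, and remove the leading space inside the backticks. (6) The first failed `create certificate request` attempt usefully shows that a Subject Alternative Name is required; one sentence above the block saying so is clearer than leaving readers to find the `% Error` line.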

6 changes: 3 additions & 3 deletions docs/config_reference_guide.md
Expand Up @@ -2086,8 +2086,8 @@ This controls which repository or repositories a router will use to retrieve sof

| Element | Type | Description |
| --- | --- | --- |
| offline-mode | boolean | Default: false. Controls whether the router will only be able to retrieve software upgrade images via its conductor.|
| source-type | enumeration | Valid values: conductor-only, prefer-conductor, internet-only. Default: internet-only. To use the conductor as a proxy server to reach the SSR public internet repository, set this to `conductor-only` or `prefer-conductor`. To reach it via the public internet and not use the conductor as a proxy, set it to `internet-only`.|
| offline-mode | boolean | Default: `false`. Set this to `true` to limit the router to only retrieve software upgrade images from its conductor.|
| source-type | enumeration | Valid values: `conductor-only`, `prefer-conductor`, `internet-only`. Default: `internet-only`. To use the conductor as a proxy server to reach the SSR public internet repository, set this to `conductor-only` or `prefer-conductor`. To reach it via the public internet and not use the conductor as a proxy, set it to `internet-only`.|

## reverse-packet-session-resiliency
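Review bot: the rewritten `offline-mode` description (`limit the router to only retrieve software upgrade images from its conductor`) now reads as a synonym for `source-type: conductor-only`, and nothing in the table says what happens when `offline-mode` is `true` but `source-type` is left at its default `internet-only`. State which setting wins, or whether the combination is rejected at commit; a router that silently falls back to the public repository defeats the purpose of offline mode.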

Expand Down Expand Up @@ -2708,7 +2708,7 @@ By default, an SSR retrieves software from a public software repository hosted b
| Element | Type | Description |
| --- | --- | --- |
| max-bandwidth | enumeration | Valid values: unlimited, 1-999999999999. This value is in bits/second. This represents the bandwidth limiter applied to software downloads. |
| repository | sub-element | Which repository/repositories the SSR will use.|
| [repository](#repository) | sub-element | Which repository/repositories the SSR will use.|

## ssh-keepalive
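Review bot: the new `[repository](#repository)` link relies on the generated anchor for the `repository` heading; if the reference guide contains more than one heading with that text, the anchor may resolve to the wrong section, so verify the rendered link lands on the software-update `repository` table shown in the earlier hunk (around line 2086). Unchanged in this hunk but adjacent: `max-bandwidth` is typed `enumeration` with values `unlimited, 1-999999999999`, which is a keyword plus a numeric range rather than an enumeration; worth correcting the type while this table is open.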

