Issue
RADIUS set up with APC Network Management Card enabled products.
Product Line
- Network Management Card 1 (NMC1) - AP9617, AP9618, AP9619
Devices with an embedded Network Management Card 1 include (but are not limited to): Metered/Switched Rack PDUs (AP78XX, AP79XX), Rack ATS (AP77XX), Environmental Monitoring Units (AP9320, AP9340, Netbotz 200)
- Network Management Card 2 (NMC2) - AP9630/AP9630CH, AP9631/AP9631CH, AP9635/AP9635CH
Devices with an embedded Network Management Card 2 include (but are not limited to): 2G Metered/Switched Rack PDUs (AP84xx, AP86XX, AP88XX, AP89XX), Rack ATS (AP44xx), certain SmartUPS online (SRT), certain Audio/Video Network Management enabled products.
- Network Management Card 3 (NMC3) - AP9640/AP9641/AP9643
Devices with an embedded Network Management Card 3 include (but are not limited to): certain 2G Metered/Switched Rack PDUs manufactured after 2021 (AP84xx, AP86xx, AP88xx, AP89xx), APDU9XXX Rack PDUs, Rack ATS (AP44xxA), certain SmartUPS online (SRT)
- Network Management Card 4 (NMC4) - AP9644
Environment
- All serial numbers
- Firmware versions v2.X.X and higher
Cause
Configuration can vary based on the RADIUS server being used. Below is a successful configuration taken from a FreeRADIUS server. Though this configuration worked in testing, APC by Schneider Electric cannot guarantee that it will work on your RADIUS server. Configuration of your RADIUS server should be performed by your RADIUS server administrator.
Note: Further information on using the specific variety of FreeRADIUS (v2.1.10) included in Zentyal Linux 3.3 is also available in knowledge base article ID FA232648.
Resolution
The three files that need to be edited in order for FreeRADIUS to authenticate properly are:
1) clients.conf
2) dictionary
3) users file
Below are examples of entries that should be entered into each file.
1) clients.conf
client xxx.xxx.xxx.xxx {
    secret = radius
    shortname = apc
}
(Replace xxx.xxx.xxx.xxx with the IP address or IP address range of the devices authenticating through RADIUS.)
2) dictionary
VENDOR APC 318
BEGIN-VENDOR APC
# the vendor is taken from the enclosing BEGIN-VENDOR block
ATTRIBUTE APC-Service-Type 1 integer
VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
END-VENDOR APC
3) users
# APC local radius authentication (working)
apcradius Auth-Type := Local, User-Password == "apcradius"
	APC-Service-Type = 1
(apcradius is the username; the reply item on the following line must be indented.)
Once these entries are made, you should be able to access your APC product via RADIUS authentication.
In some cases, you do need to specify Vendor-Specific Attributes (VSAs). For example, APC part number AP7900 (Switched Rack PDU) uses the same login accounts as listed in the previous example. However, the AP7900 also allows specific outlets to have their own separate accounts/logins. Therefore, you must create additional entries in the event that a user has a login for specific outlets.
1) clients.conf
client xxx.xxx.xxx.xxx {
    secret = radius
    shortname = ap7900
}
(Replace xxx.xxx.xxx.xxx with the IP address or IP address range of the devices using RADIUS authentication.)
2) dictionary
VENDOR APC 318
BEGIN-VENDOR APC
# the vendor is taken from the enclosing BEGIN-VENDOR block
ATTRIBUTE APC-Service-Type 1 integer
ATTRIBUTE APC-Outlets 2 string
VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
VALUE APC-Service-Type Outlet 4
END-VENDOR APC
3) users
VSAAdmin Auth-Type := Local, User-Password == "admin"
	APC-Service-Type = Admin
VSADevice Auth-Type := Local, User-Password == "device"
	APC-Service-Type = Device
VSAReadOnly Auth-Type := Local, User-Password == "readonly"
	APC-Service-Type = ReadOnly
userA Auth-Type := Local, User-Password == "apc"
	APC-Service-Type = Outlet, APC-Outlets = "1,3,5"
userB Auth-Type := Local, User-Password == "apc"
	APC-Service-Type = Outlet, APC-Outlets = "1,2,3,4,5,6,7,8"
userA will now have access to outlets 1, 3 and 5, and userB will have access to outlets 1, 2, 3, 4, 5, 6, 7 and 8.
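The dictionary entries above define how the APC attributes travel on the wire: FreeRADIUS packs each one into a RADIUS Vendor-Specific attribute (type 26) whose vendor id is 318, whose vendor type is the attribute number from the ATTRIBUTE line, and whose payload is a 32-bit integer or a string. The encoder/decoder below is an added Python example (standard library only), not code from this article, from APC or from FreeRADIUS; it makes that mapping concrete, rejects malformed or non-APC attributes instead of guessing, and includes the NetworkOnly value 6 from the note at the end of the article. It is useful for checking what a packet capture between the NMC and the server actually carries.

```python
"""Encode and decode the APC vendor-specific attributes (vendor 318) as they
appear inside a RADIUS Vendor-Specific attribute (RFC 2865 section 5.26)."""
import struct

VENDOR_SPECIFIC = 26          # RADIUS attribute type for Vendor-Specific
APC_VENDOR_ID = 318           # "VENDOR APC 318" in the dictionary file

# ATTRIBUTE lines from the dictionary: vendor attribute number -> (name, type)
APC_ATTRIBUTES = {
    1: ("APC-Service-Type", "integer"),
    2: ("APC-Outlets", "string"),
}
# VALUE lines for APC-Service-Type; NetworkOnly = 6 is from the article's closing note
APC_SERVICE_TYPE_VALUES = {1: "Admin", 2: "Device", 3: "ReadOnly", 4: "Outlet", 6: "NetworkOnly"}
APC_SERVICE_TYPE_NUMBERS = {name: num for num, name in APC_SERVICE_TYPE_VALUES.items()}


def encode_apc_vsa(attr_number, value):
    """Return one complete Vendor-Specific attribute (type, length, vendor id,
    one sub-attribute) carrying a single APC attribute.  Integer attributes may
    be given by number or by their VALUE name (e.g. "Admin")."""
    name, kind = APC_ATTRIBUTES[attr_number]
    if kind == "integer":
        if isinstance(value, str):
            value = APC_SERVICE_TYPE_NUMBERS[value]
        payload = struct.pack("!I", value)          # RADIUS integers: 32-bit big-endian
    else:
        payload = value.encode("ascii")
    # sub-attribute: vendor-type, vendor-length (counts these two bytes too), data
    sub_attr = struct.pack("!BB", attr_number, 2 + len(payload)) + payload
    body = struct.pack("!I", APC_VENDOR_ID) + sub_attr
    length = 2 + len(body)
    if length > 255:
        raise ValueError("attribute exceeds the 255-byte RADIUS attribute limit")
    return struct.pack("!BB", VENDOR_SPECIFIC, length) + body


def decode_apc_vsa(raw):
    """Parse one Vendor-Specific attribute and return {name: value} for every
    APC sub-attribute it carries.  Non-APC vendors and bad lengths are rejected."""
    if len(raw) < 7 or raw[0] != VENDOR_SPECIFIC or raw[1] != len(raw):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", raw[2:6])[0]
    if vendor_id != APC_VENDOR_ID:
        raise ValueError(f"vendor id {vendor_id} is not APC (318)")
    decoded = {}
    pos = 6
    while pos < len(raw):
        if pos + 2 > len(raw):
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = raw[pos], raw[pos + 1]
        if vlen < 2 or pos + vlen > len(raw):
            raise ValueError("bad sub-attribute length")
        data = raw[pos + 2:pos + vlen]
        name, kind = APC_ATTRIBUTES.get(vtype, (f"APC-Attr-{vtype}", "octets"))
        if kind == "integer":
            if len(data) != 4:
                raise ValueError(f"{name} must be 4 bytes, got {len(data)}")
            number = struct.unpack("!I", data)[0]
            # report the VALUE name when the dictionary defines one, else the raw number
            value = APC_SERVICE_TYPE_VALUES.get(number, number) if vtype == 1 else number
        elif kind == "string":
            value = data.decode("ascii")
        else:
            value = data
        decoded[name] = value
        pos += vlen
    return decoded


if __name__ == "__main__":
    # constructed sample values matching the users file entries above
    for attr, val in ((1, "Admin"), (2, "1,3,5")):
        wire = encode_apc_vsa(attr, val)
        print(wire.hex(), decode_apc_vsa(wire))
```

The length byte of the outer attribute is the one a RADIUS parser trusts, so the decoder checks it against the real buffer length before reading any sub-attribute; a server-side dictionary mismatch (for example a missing VALUE line) shows up here as a bare number instead of a name.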
RADIUS and Network Port Sharing with Switched Rack PDU 2G (AP86XX, AP89XX)
Note: See the Security Handbook for APC Network Management Cards for more information on using RADIUS.
In a RADIUS users file with VSAs, outlets on guest Rack PDUs can be associated with RADIUS users using the following method.
# give user access to outlets 1, 2, and 3 on PDU 1,
# outlet 7 on PDU 2, outlets 1 through 6
# on PDU 3, and outlets 1,2,4 through 6, 7 through 10,
# and 20 on PDU 4
newOutletUser Auth-Type := Local, User-Password == "newoutlets"
	APC-Service-Type = Outlet,
	APC-Outlets = "1[1,2,3];2[7];3[1-6];4[1,2,4-6,7-10,20];"
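Both APC-Outlets forms on this page (the plain comma list in the userA/userB entries and the per-PDU bracket syntax for Network Port Sharing above) are opaque strings to FreeRADIUS; the Rack PDU interprets them. The parser below is an added Python example, not code from this article or from APC: it expands both forms into per-PDU outlet lists, rejects malformed entries such as reversed ranges, and provides an outlet_permitted() check so an administrator can confirm what an entry grants before deploying it. Treating the plain form as "no PDU named" (key None) is this example's own convention, not something the article states.

```python
"""Parse and check APC-Outlets VSA strings: "1,3,5" (plain list) and the
Network Port Sharing form "1[1,2,3];2[7];3[1-6];4[1,2,4-6,7-10,20];"."""
import re

_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")     # "7" or "4-6"
_GROUP = re.compile(r"^(\d+)\[([^\]]*)\]$")   # "3[1-6]"


def _parse_outlet_list(text):
    """Expand "1,2,4-6,20" into a sorted list of outlet numbers."""
    outlets = set()
    for item in text.split(","):
        item = item.strip()
        match = _ITEM.match(item)
        if not match:
            raise ValueError(f"bad outlet entry {item!r} in {text!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low < 1 or high < low:
            raise ValueError(f"bad outlet range {item!r}")
        outlets.update(range(low, high + 1))
    return sorted(outlets)


def parse_apc_outlets(spec):
    """Return {pdu_number: [outlets]} for the Network Port Sharing form, or
    {None: [outlets]} for the plain comma list, which names no PDU."""
    spec = spec.strip()
    if not spec:
        raise ValueError("empty APC-Outlets value")
    if "[" not in spec:
        return {None: _parse_outlet_list(spec)}
    table = {}
    for group in spec.split(";"):
        group = group.strip()
        if not group:
            continue            # the article's example ends with a trailing ';'
        match = _GROUP.match(group)
        if not match:
            raise ValueError(f"bad PDU group {group!r}")
        pdu = int(match.group(1))
        if pdu in table:
            raise ValueError(f"PDU {pdu} listed twice")
        table[pdu] = _parse_outlet_list(match.group(2))
    return table


def outlet_permitted(spec, pdu, outlet):
    """True if the APC-Outlets value grants the given outlet; pass pdu=None
    for the plain comma-list form."""
    return outlet in parse_apc_outlets(spec).get(pdu, [])


if __name__ == "__main__":
    # the two constructed values are copied from the users file entries above
    for sample in ("1,3,5", "1[1,2,3];2[7];3[1-6];4[1,2,4-6,7-10,20];"):
        print(sample, "->", parse_apc_outlets(sample))
```

Running the parser over every APC-Outlets value in the users file before a restart catches typos that would otherwise surface only as a user silently lacking (or unexpectedly holding) control of an outlet.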
If you have trouble configuring your RADIUS server, it is advised that you contact your RADIUS server vendor for assistance.
NOTE: To create a "network only" user for supported AOS files, the following line must be added to the dictionary file:
VALUE APC-Service-Type NetworkOnly 6