How do I configure my RADIUS server to authenticate my APC Network Enabled device?

FA156083

03 March 2023

Issue

Setting up RADIUS authentication for APC Network Management Card (NMC) enabled products.


Product Line

  • Network Management Card 1 (NMC1) - AP9617, AP9618, AP9619

Devices with an embedded Network Management Card 1 include (but are not limited to): Metered/Switched Rack PDUs (AP78XX, AP79XX), Rack ATS (AP77XX), Environmental Monitoring Units (AP9320, AP9340, NetBotz 200)

  • Network Management Card 2 (NMC2) - AP9630/AP9630CH, AP9631/AP9631CH, AP9635/AP9635CH

Devices with an embedded Network Management Card 2 include (but are not limited to): 2G Metered/Switched Rack PDUs (AP84XX, AP86XX, AP88XX, AP89XX), Rack ATS (AP44XX), certain Smart-UPS Online (SRT) models, and certain Audio/Video network management enabled products.

  • Network Management Card 3 (NMC3) - AP9640/AP9641/AP9643

Devices with an embedded Network Management Card 3 include (but are not limited to): certain 2G Metered/Switched Rack PDUs manufactured after 2021 (AP84XX, AP86XX, AP88XX, AP89XX), APDU9XXX Rack PDUs, Rack ATS (AP44XXA), and certain Smart-UPS Online (SRT) models

  • Network Management Card 4 (NMC4) - AP9644

The Network Management Card 4 is supported on the Galaxy VS, Galaxy VL, and Galaxy PX units. These units also include a built-in network management card.

Environment
  • All serial numbers
  • Firmware versions v2.X.X and higher


Cause

Configuration varies with the RADIUS server being used. Below is a working configuration taken from a FreeRADIUS server. Although this configuration worked in testing, APC by Schneider Electric cannot guarantee that it will work on your RADIUS server. Configuration of your RADIUS server should be performed by your RADIUS server administrator.

Note: Further information on using the specific variety of FreeRADIUS (v2.1.10) included in Zentyal Linux 3.3 is also available in knowledge base article ID FA232648.


Resolution

Three files in the FreeRADIUS configuration directory (typically /etc/raddb or /etc/freeradius, depending on the distribution) need to be edited for FreeRADIUS to authenticate NMC users properly:

1) clients.conf - defines which NMCs may send requests and the shared secret for each
2) dictionary - defines the APC Vendor Specific Attributes (VSAs) the NMC expects in the reply
3) users - defines the user accounts and the access level (VSA) returned for each

Below are examples of the entries for each file.

1) clients.conf

# Enter the IP address or CIDR range of the NMC(s) that will authenticate through RADIUS
client xxx.xxx.xxx.xxx {
     secret    = radius
     shortname = apc
}

The secret "radius" is a placeholder only. The shared secret is what authenticates both the NMC's requests and the server's Access-Accept replies, so use a long random secret, preferably a different one per client entry, and restrict the client address to the NMC itself rather than a wide range.

2) dictionary

VENDOR APC 318

BEGIN-VENDOR APC

ATTRIBUTE APC-Service-Type 1 integer APC

VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3

END-VENDOR APC

The END-VENDOR line closes the block opened by BEGIN-VENDOR. Recent FreeRADIUS releases already ship these definitions in share/dictionary.apc, which the main dictionary includes; check for an existing copy before adding them to the local dictionary file.

3) users

# APC local RADIUS authentication (working); "apcradius" is the username
apcradius Auth-Type := Local, User-Password == "apcradius"
     APC-Service-Type = 1

The reply item APC-Service-Type = 1 is equivalent to APC-Service-Type = Admin, using the VALUE names from the dictionary. Reply items must sit on continuation lines indented by whitespace; a line starting in the first column begins a new entry. The Auth-Type := Local / User-Password == form is the syntax of older FreeRADIUS releases; FreeRADIUS 2.x and later still accept it but log a deprecation warning and expect the known password as a check item instead, written as Cleartext-Password := "apcradius" on the first line with the same reply line beneath it.


Once these entries are made, restart FreeRADIUS (or run it in debug mode with radiusd -X to watch the exchange) and confirm from the server host with radtest apcradius apcradius localhost 0 radius that an Access-Accept containing APC-Service-Type is returned. You should then be able to access your APC product via RADIUS authentication.
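To make the dictionary entries concrete, the following added example (not part of the original article and not FreeRADIUS or APC code) encodes the APC-Service-Type and APC-Outlets VSAs exactly as they travel inside an Access-Accept, computes and verifies the Response Authenticator that binds the reply to the shared secret, and decodes the VSAs the way the NMC would. Vendor-Id 318 and the attribute numbers and values are taken from the dictionary above; the packet identifier, request authenticator and secrets in the demo are constructed test data.

```python
"""Wire-level view of the APC RADIUS VSA (added example, not article code)."""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Union

APC_VENDOR_ID = 318            # VENDOR APC 318
APC_SERVICE_TYPE = 1           # ATTRIBUTE APC-Service-Type 1 integer APC
APC_OUTLETS = 2                # ATTRIBUTE APC-Outlets 2 string APC
SERVICE_TYPE_VALUES = {"Admin": 1, "Device": 2, "ReadOnly": 3,
                       "Outlet": 4, "NetworkOnly": 6}

ACCESS_ACCEPT = 2              # RADIUS Code for Access-Accept (RFC 2865)
ATTR_VENDOR_SPECIFIC = 26      # Vendor-Specific attribute type


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """RFC 2865 section 5.26 layout: Type 26, Length, 4-byte Vendor-Id,
    then one sub-attribute of Vendor-Type, Vendor-Length, value."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def apc_reply_attributes(service_type: str, outlets: Optional[str] = None) -> bytes:
    """Reply attributes a users entry such as
    'APC-Service-Type = Outlet, APC-Outlets = "1,3,5"' produces."""
    attrs = encode_vsa(APC_VENDOR_ID, APC_SERVICE_TYPE,
                       struct.pack("!I", SERVICE_TYPE_VALUES[service_type]))
    if outlets is not None:
        attrs += encode_vsa(APC_VENDOR_ID, APC_OUTLETS, outlets.encode("ascii"))
    return attrs


def build_access_accept(identifier: int, request_auth: bytes,
                        secret: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth
    + Attributes + Secret): the shared secret is all that ties the
    Accept, and the access level inside it, to the real server."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NMC must do before honouring APC-Service-Type: recompute
    the Response Authenticator with its own copy of the secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def decode_apc_vsas(attrs: bytes) -> Dict[str, Union[int, str]]:
    """Walk the attribute list and pull out the APC sub-attributes."""
    found: Dict[str, Union[int, str]] = {}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 6:
            vendor_id = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            if vendor_id == APC_VENDOR_ID:
                sub, spos = attrs[pos + 6:pos + alen], 0
                while spos < len(sub):
                    if spos + 2 > len(sub):
                        raise ValueError("truncated vendor sub-attribute")
                    vtype, vlen = sub[spos], sub[spos + 1]
                    if vlen < 2 or spos + vlen > len(sub):
                        raise ValueError("malformed vendor sub-attribute")
                    value = sub[spos + 2:spos + vlen]
                    if vtype == APC_SERVICE_TYPE:
                        found["APC-Service-Type"] = struct.unpack("!I", value)[0]
                    elif vtype == APC_OUTLETS:
                        found["APC-Outlets"] = value.decode("ascii")
                    spos += vlen
        pos += alen
    return found


if __name__ == "__main__":
    req_auth = bytes(range(16))                 # constructed request authenticator
    attrs = apc_reply_attributes("Outlet", "1,3,5")
    pkt = build_access_accept(7, req_auth, b"radius", attrs)
    print(decode_apc_vsas(pkt[20:]))            # {'APC-Service-Type': 4, 'APC-Outlets': '1,3,5'}
    print(verify_access_accept(pkt, req_auth, b"radius"))   # True
    # A reply forged with a guessed secret fails the check; a guessable
    # secret such as "radius" is what makes such a forgery feasible.
    print(verify_access_accept(pkt, req_auth, b"wrong"))    # False
```

The decode step shows why the dictionary file matters: the NMC only sees vendor 318 sub-attribute 1 with a 4-byte integer, and the VALUE names (Admin, Device, ReadOnly) exist purely so the users file can be written readably. The verify step shows why the client secret matters: whoever knows it can mint an Access-Accept carrying APC-Service-Type = Admin for any username.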

In some cases you need additional Vendor Specific Attributes. For example, the AP7900 Switched Rack PDU uses the same login accounts as in the previous example, but it also allows specific outlets to be assigned their own separate accounts/logins. To support that, add the APC-Outlets attribute and the Outlet service type to the dictionary and create an entry for each user who should control only specific outlets.

1) clients.conf

# IP address or CIDR range of the devices using RADIUS authentication
client xxx.xxx.xxx.xxx {
     secret    = radius
     shortname = ap7900
}

2) dictionary

VENDOR APC 318

BEGIN-VENDOR APC

ATTRIBUTE APC-Service-Type 1 integer APC
ATTRIBUTE APC-Outlets 2 string APC

VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
VALUE APC-Service-Type Outlet 4

END-VENDOR APC

3) users

VSAAdmin Auth-Type = Local, Password = "admin"
     APC-Service-Type = Admin

VSADevice Auth-Type = Local, Password = "device"
     APC-Service-Type = Device

VSAReadOnly Auth-Type = Local, Password = "readonly"
     APC-Service-Type = ReadOnly

userA Auth-Type = Local, Password = "apc"
     APC-Service-Type = Outlet, APC-Outlets = "1,3,5"

userB Auth-Type = Local, Password = "apc"
     APC-Service-Type = Outlet, APC-Outlets = "1,2,3,4,5,6,7,8"

userA now has access to outlets 1, 3 and 5, and userB to outlets 1 through 8. APC-Outlets is only meaningful together with APC-Service-Type = Outlet; the Admin, Device and ReadOnly entries above carry no outlet list.



RADIUS and Network Port Sharing with Switched Rack PDU 2G (AP86XX, AP89XX)


Note: See the Security Handbook for APC Network Management Cards for more information on using RADIUS.

In the RADIUS users file, outlets on guest Rack PDUs in a Network Port Sharing group can be granted to a RADIUS user with the same APC-Outlets VSA: each PDU's number in the group is followed by its outlet list in square brackets, and the per-PDU segments are separated by semicolons.

# give user access to outlets 1, 2, and 3 on PDU 1,
# outlet 7 on PDU 2, outlets 1 through 6
# on PDU 3, and outlets 1,2,4 through 6, 7 through 10,
# and 20 on PDU 4

newOutletUser Auth-Type = Local, User-Password = "newoutlets"
     APC-Service-Type = Outlet,
     APC-Outlets = "1[1,2,3];2[7];3[1-6];4[1,2,4-6,7-10,20];"
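Because a typo in the APC-Outlets string silently changes which outlets a user may switch, it is worth validating entries before they go into the users file. The following added example (not part of the original article and not APC or FreeRADIUS code) parses both forms shown on this page, the plain list such as "1,3,5" and the Network Port Sharing form with per-PDU brackets, into a per-PDU set of outlets, rejects malformed strings, and answers the authorisation question for a single outlet. One assumption is made: a plain list without brackets is treated as belonging to PDU 1 (the host unit); the article does not state which PDU number the plain form maps to.

```python
"""Parser and validator for the APC-Outlets reply attribute (added example)."""
import re
from typing import Dict, Set

HOST_PDU_ID = 1   # assumption: a bare outlet list belongs to the host PDU

_PDU_BLOCK = re.compile(r"^([0-9]+)\[([0-9,\-]+)\]$")   # e.g. 4[1,2,4-6,7-10,20]
_RANGE = re.compile(r"^([0-9]+)-([0-9]+)$")              # e.g. 4-6
_NUMBER = re.compile(r"^[0-9]+$")


def _expand(spec: str) -> Set[int]:
    """'1,2,4-6,20' -> {1, 2, 4, 5, 6, 20}; rejects empty items,
    outlet 0 and reversed ranges."""
    outlets: Set[int] = set()
    for item in spec.split(","):
        m = _RANGE.match(item)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
        elif _NUMBER.match(item):
            lo = hi = int(item)
        else:
            raise ValueError(f"bad outlet item {item!r}")
        if lo < 1 or hi < lo:
            raise ValueError(f"bad outlet range {item!r}")
        outlets.update(range(lo, hi + 1))
    return outlets


def parse_apc_outlets(value: str) -> Dict[int, Set[int]]:
    """Return {pdu_number: {outlets}} for either APC-Outlets form."""
    value = value.strip()
    if not value:
        raise ValueError("empty APC-Outlets")
    if "[" not in value:                       # plain form: "1,3,5"
        return {HOST_PDU_ID: _expand(value)}
    if value.endswith(";"):                    # trailing ';' as in the article's example
        value = value[:-1]
    grants: Dict[int, Set[int]] = {}
    for segment in value.split(";"):
        m = _PDU_BLOCK.match(segment)
        if not m:
            raise ValueError(f"bad PDU segment {segment!r}")
        pdu = int(m.group(1))
        if pdu in grants:
            raise ValueError(f"PDU {pdu} listed twice")
        grants[pdu] = _expand(m.group(2))
    return grants


def is_valid_outlets(value: str) -> bool:
    """True when the string parses; use this to lint users-file entries."""
    try:
        parse_apc_outlets(value)
    except ValueError:
        return False
    return True


def may_control(grants: Dict[int, Set[int]], pdu: int, outlet: int) -> bool:
    """Authorisation decision for one outlet of an Outlet-type user."""
    return outlet in grants.get(pdu, set())


if __name__ == "__main__":
    grants = parse_apc_outlets("1[1,2,3];2[7];3[1-6];4[1,2,4-6,7-10,20];")
    for pdu in sorted(grants):
        print(f"PDU {pdu}: outlets {sorted(grants[pdu])}")
    print(may_control(grants, 4, 9), may_control(grants, 4, 3))   # True False
    print(is_valid_outlets("4[1,2"))                               # False
```

The parser is deliberately strict: an unterminated bracket, an empty item from a doubled comma, outlet 0, a reversed range or the same PDU listed twice all raise rather than being partially honoured, which is the behaviour you want from anything that feeds an authorisation decision.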


If you have trouble configuring your RADIUS server, it is advised that you contact your RADIUS server vendor for assistance.

NOTE: To create a "network only" user on firmware (AOS) versions that support it, add the following line to the dictionary file inside the BEGIN-VENDOR APC block, next to the other VALUE entries: VALUE APC-Service-Type NetworkOnly 6