Radius clients don't have simple permissions for diagnostics, for example, ping or traceroute
set system login radius server 192.168.122.14 key 'foo'
Connect to VyOS node with radius client and try to ping:
[email protected]> ping 192.0.2.1
[sudo] password for foo:
Sorry, user foo is not allowed to execute '/usr/sbin/ip vrf exec default /bin/ping 192.0.2.1' as root on r1.
[email protected]>
Radius-server users file:
foo Cleartext-Password := "bar"
A workaround is to add permissions for the group users:
echo "%users ALL=(ALL) NOPASSWD: /usr/sbin/ip vrf exec * " | sudo tee /etc/sudoers.d/radius_clients
Check ping after workaround:
[email protected]> ping 184.108.40.206 count 2
PING 220.127.116.11 (18.104.22.168) 56(84) bytes of data.
64 bytes from 22.214.171.124: icmp_seq=1 ttl=56 time=37.1 ms
64 bytes from 126.96.36.199: icmp_seq=2 ttl=56 time=37.0 ms
--- 188.8.131.52 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 37.032/37.060/37.088/0.028 ms
[email protected]>
I guess it should be some separate group with required permissions.
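The sudoers rule in the workaround ends in a wildcard, and sudoers matches command arguments as one concatenated string, so the rule covers more than ping and traceroute. The following is an added example, not part of the original report or of VyOS: a simplified model of that matching which audits the workaround rule next to a narrower pair of rules. The narrower rules, the traceroute path and the probe command lines other than the ping one are assumptions made for illustration.

```python
"""Audit sudoers command specs against sample command lines (simplified model)."""
from fnmatch import fnmatchcase

# Rule from the workaround above (command part of the sudoers line only).
BROAD = ["/usr/sbin/ip vrf exec * "]
# Hypothetical narrower rules; the traceroute path is an assumption.
NARROW = [
    "/usr/sbin/ip vrf exec default /bin/ping *",
    "/usr/sbin/ip vrf exec default /usr/bin/traceroute *",
]
# Probe command lines: the first is from the report, the others are constructed.
PROBES = [
    "/usr/sbin/ip vrf exec default /bin/ping 192.0.2.1",
    "/usr/sbin/ip vrf exec default /usr/bin/traceroute 192.0.2.1",
    "/usr/sbin/ip vrf exec default /usr/bin/id",  # not a diagnostic command
]


def spec_allows(spec: str, cmdline: str) -> bool:
    """Approximate sudoers matching for a spec whose command path has no wildcard.

    sudoers compares the arguments as a single string, so '*' in the
    argument part also matches spaces and '/' characters.
    """
    spec_cmd, _, spec_args = spec.strip().partition(" ")
    cmd, _, args = cmdline.strip().partition(" ")
    if spec_cmd != cmd:
        return False
    if not spec_args:  # a spec without arguments allows any arguments
        return True
    return fnmatchcase(args, spec_args.strip())


def audit(specs, probes=PROBES):
    """Return {probe: True/False} telling whether any spec allows the probe."""
    return {p: any(spec_allows(s, p) for s in specs) for p in probes}


if __name__ == "__main__":
    for name, specs in (("workaround", BROAD), ("narrowed", NARROW)):
        print(name)
        for probe, allowed in audit(specs).items():
            print(f"  {'ALLOW' if allowed else 'deny '}  {probe}")
```

The model ignores sudoers escapes and the `""` (no arguments) form; a real fragment should still be syntax-checked with `visudo -cf` before it is placed in /etc/sudoers.d.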