EasyServer II: Setting Up Devices and Services (continued)


Part Eight: Using the RADIUS Protocol

The RADIUS (Remote Authentication Dial In User Service) protocol is an upgradable feature. RADIUS enables the Communications Server to communicate with a RADIUS server. Working on a client/server model, it permits a more sophisticated and uniform method of authentication and accounting than the generic authentication services. 
Note: RADIUS support can be set up and tested on the Communications Server either by using the web configuration facility or by the manual command line method. 

The following topics are covered in this section: 

1. RADIUS Web Configuration. 
2. Command line configuration.

  • Basic configuration and testing.
  • Advanced configuration.
  • PPP configuration.
  • Accounting.

RADIUS Web Configuration

Using Web Configuration.   
Invoke the Server's setup utility by entering its IP address in a network-connected web browser (e.g. http://123.456.789.001). When the Setup front page is displayed: 

Step 1. 
Press the 'Setup' button. Specify a valid user name and password, if prompted. 

Step 2.  
Select the 'Server' hyperlink from the main Setup screen. 

Step 3.  
Select 'RADIUS' to display the Setup RADIUS Authentication, Accounting screen. Note, if the RADIUS option does not appear, you need to upgrade the Server, using the Feature Key facility. See your distributor or Stallion Technologies. 

Step 4.  
Specify the following parameters: 

  • Ports to be configured for RADIUS - Port 01 to 08 or 16.
  • Authentication Server and Port Address to be used for authentication (up to two).
  • Accounting Server and Port to be used for accounting (up to two).
  • RADIUS secret. The shared secret RADIUS uses to protect authentication information sent over the LAN. Must match on the Server and the host. 
  • Retransmit timeout in seconds. 
  • Retransmit retry count.

Step 5.  
Press the Configure button when ready. The input parameters are implemented immediately. The setup program now confirms that the input has been accepted by displaying the Configuration Results screen. 

Note: Modifying the RADIUS secret will prevent further access until the RADIUS server(s) have also been updated. 

Command Line Configuration

Basic Configuration and Testing

Using Command Line Configuration.   
To set up and test RADIUS support on the Communications Server, perform the following steps. A RADIUS server must first be installed and configured on a network host. 

Note: You may wish to use the web browser interface to perform the setup tasks. 

1.  Simple radius configuration.   
Enable RADIUS support with FALLBACK mode (which allows you to access the server in the event that the RADIUS configuration is incorrect or the RADIUS server is down). 

SET RADIUS SUPPORT ENABLED 
SET RADIUS FALLBACK ENABLED 

Set up the RADIUS accounting and authentication servers and the shared secret. Normally the same host will be used for both authentication and accounting. Use the PORT option if not using the standard port numbers. 

SET RADIUS AUTHENTICATION SERVER host_name 
SET RADIUS ACCOUNTING SERVER host_name 
SET RADIUS SECRET 'your-secret' 

2. RADIUS Server configuration.  
Add the shared secret (same as above) for the Communications Server to your RADIUS server configuration. 

Set up a user (e.g. admin) so that when a request with Service-Type=NAS-Prompt is received, a response with Service-Type=Administrative-User is returned. 

Start/restart your RADIUS server and log in as admin (on port 1). 

3. Test the RADIUS Configuration.  
Connect via a terminal or terminal emulator to port 1 and login as admin. 

If successful, the logon is authenticated via RADIUS, privileged mode applies, and an accounting record is sent to the RADIUS accounting server. 

If not successful, examine the log file(s) from your RADIUS server to determine why access was not allowed. 

If access is denied, but not immediately, it is likely that the shared secret is incorrect. Check that the hostname/IP address of the Communications Server is correct in the RADIUS server configuration. 

Once successfully logged on as admin, you may wish to turn off FALLBACK mode and add more users/user types to the RADIUS server configuration. 

Advanced Configuration

The RADIUS authentication protocol works by having the Communications Server send an Access-Request message to a RADIUS server whenever a user requests access to a service. The request message contains all the details about the user and what service they are requesting. The RADIUS server replies with Access-Accept or Access-Reject to specify whether the user is permitted to access the requested service. 

If access is accepted, the Access-Accept message may contain attributes which indicate what service should be provided to the user (which may be different from the requested service) and configuration of that service. 

The tables below describe when the Communications Server sends an Access-Request message, the attributes in that message, and the action taken based on the attributes in the returned Access-Accept message. 

1. Local login to port.   
Communications Server sends the following attributes in the Access-Request message. 

Service-Type=NAS-Prompt 
User-Name 
User-Password 
NAS-IP-Address 
NAS-Port 
NAS-Port-Type=Async 
NAS-Identifier 

The service provided is based on the returned Service-Type attribute. 

Service-Type            Service
Login                   Telnet or Rlogin
Callback-Login          Telnet or Rlogin
Framed                  PPP or SLIP
Callback-Framed         PPP or SLIP
NAS-Prompt              Local login
Callback-NAS-Prompt     Local login
Administrative          Local login in privileged mode

Note: The callback service types require a Login-Callback-Number attribute to be returned which contains a dial script. 

Note: Telnet or Rlogin is chosen based on Login-Service. If Login-Service is not specified, Telnet is used. If Telnet or Rlogin is explicitly requested by the Communications Server, then that service is used and Login-Service is ignored. The host/port to connect to is chosen based on Telnet-TCP-Port and Login-IP-Host. If Login-IP-Host is 255.255.255.255 or 255.255.255.254, the host requested by the Communications Server is used. 

2. [CONNECT] TELNET|RLOGIN.   
Communications Server sends the following attributes in the Access-Request message. 

Service-Type=Login 
Login-Service=Telnet or Rlogin 
Login-IP-Host=<all IP addresses of specified host> 
Telnet-TCP-Port=<specified port or default Telnet or Rlogin port> 
User-Name 
User-Password 
NAS-IP-Address 
NAS-Port 
NAS-Port-Type=Async 
NAS-Identifier 

The returned Service-Type and Login-Service are ignored and the requested service is started. The host/port is chosen as for a local login, as shown above. 

3. CONNECT PPP|SLIP.   
See the PPP Configuration section below for details on configuring RADIUS for use with PPP and/or SLIP. 

4. Dedicated PPP service.   
See the RADIUS PPP section below for details on configuring RADIUS for use with PPP and/or SLIP. 

Note: Dedicated SLIP connections are NOT authenticated. 

5.  CONNECT LOCAL PORT.   
Communications Server sends the following attributes in the Access-Request message. 

Service-Type=Outbound-User 
User-Name 
User-Password 
NAS-IP-Address 
NAS-Port=<target port> 
NAS-Port-Type=Async 
NAS-Identifier 

All returned attributes are ignored. 

6. SET PRIVILEGED.  
Communications Server sends the following attributes in the Access-Request message. 

Service-Type=Administrative 
User-Name 
User-Password 
NAS-IP-Address 
NAS-Port 
NAS-Port-Type=Async 
NAS-Identifier 

If the returned Service-Type=Administrative, privileged mode is entered, otherwise the request fails. 

7. Access PRIVILEGED Web page.  
As for SET PRIVILEGED above. 
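The Access-Request/Access-Accept exchange described in this section, including the User-Password hiding that depends on the shared secret, as an added example in Python. It is not part of the original documentation and not Stallion's firmware code: it models item 1 (local login to a port, Service-Type=NAS-Prompt) on the Communications Server side and step 2 of the basic configuration (admin receives Service-Type=Administrative) on the RADIUS server side, then verifies the reply and maps the returned Service-Type onto the service table above. The user names, passwords, secret, NAS address and NAS-Identifier are constructed values, and the numeric constants follow RFC 2865 rather than any EasyServer II dictionary.

```python
import hashlib
import os
import struct
from typing import Dict, Optional, Tuple

# RFC 2865 packet codes, attribute types and values used by the exchange above.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
SERVICE_TYPE, NAS_IDENTIFIER, NAS_PORT_TYPE = 6, 32, 61
SERVICE = {"Login": 1, "Framed": 2, "Administrative": 6, "NAS-Prompt": 7}
NAS_PORT_TYPE_ASYNC = 0
# Service table from this section: returned Service-Type -> service started on the port.
SERVICE_STARTED = {1: "Telnet or Rlogin", 2: "PPP or SLIP",
                   6: "local login in privileged mode", 7: "local login"}


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (including these two octets), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    """Decode an attribute list; stop on a malformed length instead of looping forever."""
    out, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            break
        out[atype] = data[i + 2:i + alen]
        i += alen
    return out


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks and XOR block i with MD5(secret + previous
    ciphertext block); the first block is keyed by the Request Authenticator.
    This is obfuscation keyed by the shared secret, not strong encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side of hide_password: the mask for block i is keyed by ciphertext block i-1."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def access_request(secret: bytes, ident: int, username: str, password: str,
                   nas_ip: str, nas_port: int, nas_id: str) -> bytes:
    """Access-Request for a local login to a port (item 1 above): Service-Type=NAS-Prompt."""
    request_auth = os.urandom(16)  # must be unpredictable and unique per request
    attrs = (attr(SERVICE_TYPE, struct.pack("!I", SERVICE["NAS-Prompt"]))
             + attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(secret, request_auth, password.encode()))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ASYNC))
             + attr(NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def radius_server(secret: bytes, users: Dict[str, Tuple[str, int]], packet: bytes) -> bytes:
    """Toy server for step 2 of the basic configuration: a user whose password matches
    gets Access-Accept carrying the Service-Type configured for that user (constructed
    user table: name -> (password, Service-Type value))."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(secret, request_auth, attrs.get(USER_PASSWORD, b""))
    if code == ACCESS_REQUEST and name in users and users[name][0].encode() == password:
        rcode, rattrs = ACCESS_ACCEPT, attr(SERVICE_TYPE, struct.pack("!I", users[name][1]))
    else:
        rcode, rattrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", rcode, ident, 20 + len(rattrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + rattrs + secret).digest()
    return header + response_auth + rattrs


def client_outcome(secret: bytes, request: bytes, response: bytes) -> str:
    """Communications Server side: a reply whose Response Authenticator does not verify
    under the shared secret is silently discarded (the login then times out instead of
    failing at once); otherwise the returned Service-Type selects the service."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or response[4:20] != expected:
        return "discarded: Response Authenticator invalid (shared secret mismatch?)"
    if code != ACCESS_ACCEPT:
        return "access denied"
    service = parse_attrs(response[20:length]).get(SERVICE_TYPE, b"")
    value: Optional[int] = struct.unpack("!I", service)[0] if len(service) == 4 else None
    return SERVICE_STARTED.get(value, "unknown service")
```

Running `radius_server` with a different secret from the one used in `access_request` reproduces the symptom described under Basic Configuration and Testing: the server cannot recover the password and answers Access-Reject, but that reply is signed with the wrong secret, so the client discards it, retransmits, and only denies (or falls back) after the retry count is exhausted rather than immediately.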

PPP Configuration

This section explains the various ways of using RADIUS to authenticate and configure either a PPP or SLIP connection. 

For all of these options, various configuration attributes may be included in the authentication reply to allow for configuration of the connection. 

See the section on configuration attributes below for details. 

1. Setting up a dedicated PPP service with RADIUS authentication. 
When using a PPP connection, RADIUS authentication may be done through the mechanism of either CHAP or PAP. (This method is not available for authenticating SLIP as SLIP does not support any internal authentication mechanism.) 

In either case, instead of the Communications Server authenticating the user against its own user database or CHAP secret, it passes the information through to the RADIUS server for authentication as follows: 

Service-Type=Framed 
Framed-Protocol=PPP 
User-Name (remote host identifier) 
User-Password (calculated from radius secret) 
NAS-IP-Address 
NAS-Port 
NAS-Port-Type=Async 
NAS-Identifier 

The RADIUS server must return Service-Type=Framed and Framed-Protocol=PPP. 

In order to use RADIUS CHAP or PAP authentication for a dedicated PPP connection, first set up the dedicated PPP connection for the port. Then enable either PAP or CHAP authentication (for PAP authentication, USER mode and PORT mode are equivalent). Finally, enable RADIUS for the port. You may also wish to set the CHARACTER MAP and MTU, since these will not be set via RADIUS. 

CHANGE PORT x DEDICATED PPP 
CHANGE PORT x PPP CHAP ENABLED CHARACTER MAP A000 MTU 892 
CHANGE PORT x RADIUS ENABLED 

2. Setting up login-based PPP or SLIP RADIUS authentication. 
Rather than using a dedicated service, a login-based approach may be used. This may allow the user to select the service required (by using different user names) and does not require the client to support PAP or CHAP, but it does require that the username and password be entered directly (rather than being handled automatically within the PPP protocol). 

In order to use this method, set up your RADIUS server such that when a request with Service-Type=NAS-Prompt is received, the response sets Service-Type=Framed and Framed-Protocol=PPP or SLIP. 

This will cause the Communications Server to start a PPP or SLIP session on the connection as soon as the user logs in. 

3. Explicit connection from the local prompt.  
Option 2, above, has the disadvantage that it requires a single user to have multiple usernames if the user is to be able to select different services. This may be avoided if the user is required to login to the local prompt before establishing the PPP or SLIP connection. 

With this method, set up your RADIUS server as for a local login (explained in the RADIUS Advanced section above). Then, the user is required to do a CONNECT PPP or CONNECT SLIP. This will cause the Communications Server to send the following request to the RADIUS server: 

Service-Type=Framed 
Framed-Protocol=PPP or SLIP 
User-Name=username entered by user 
User-Password=password entered by user 
NAS-IP-Address 
NAS-Port 
NAS-Port-Type=Async 
NAS-Identifier 

The RADIUS server must return Service-Type=Framed and Framed-Protocol the same as that sent. The Communications Server will then establish a PPP or SLIP connection on the link. 

Configuration Attributes.  
RADIUS allows you to specify configuration attributes as part of a successful authentication. The table below shows the attributes which may be specified for a Framed service (PPP or SLIP) and the default settings which will be used if the attribute is not supplied. Note that locally set values will not be used for these items, even if no RADIUS attribute is supplied. 

Item                    Radius Attribute      Default Value
SLIP-MTU                Framed-MTU            1006
PPP-MTU                 Framed-MTU            1500
SLIP/PPP-NETMASK        Framed-Netmask        255.255.255.0
SLIP/PPP-COMPRESSION    Framed-Compression    Disabled
SLIP/PPP-LOCAL_ADDR     Framed-IP-Address     0.0.0.0
SLIP/PPP-HOST_ADDR      (none)                ES-II ethernet IP address

Note: When using option 1 for authentication, the Framed-MTU attribute is ignored since it is not available until too late in the PPP negotiation.  Instead the default value is always used. 
 

Accounting

There are 4 different RADIUS accounting messages which are sent by the Communications Server (if a RADIUS accounting server is configured).  These messages are described below. 

Start  
The Start accounting message is sent whenever a session is successfully established on a port which has RADIUS enabled. 

The message contains the following attributes: 

Acct-Status-Type=Start 
User-Name 
NAS-IP-Address 
NAS-Port 
NAS-Port-Type 
NAS-Identifier 
Acct-Session-Id 
Service-Type 
Login-IP-Host (if Service-Type=Login) 
Framed-Protocol (if Service-Type=Framed) 
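The Start accounting message described above, built with the attribute set listed and the Accounting-Request authenticator that lets the accounting server reject records not produced with the shared secret, as an added Python example that is not part of the original documentation or of Stallion's firmware. The attribute and value codes follow RFC 2866/2865; the user name, NAS address, NAS-Identifier, Acct-Session-Id format and secret are constructed for illustration, since the page does not specify the session id format the EasyServer II uses.

```python
import hashlib
import struct
from typing import Optional

# RFC 2866 packet codes and the attribute types carried by the Start record above.
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 4, 5, 6, 7
LOGIN_IP_HOST, NAS_IDENTIFIER, ACCT_STATUS_TYPE, ACCT_SESSION_ID, NAS_PORT_TYPE = 14, 32, 40, 44, 61
ACCT_START, SERVICE_LOGIN, SERVICE_FRAMED, FRAMED_PPP, PORT_TYPE_ASYNC = 1, 1, 2, 1, 0


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length includes the two header octets."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def u32(value: int) -> bytes:
    return struct.pack("!I", value)


def ipv4(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def accounting_start(secret: bytes, ident: int, username: str, nas_ip: str, nas_port: int,
                     nas_id: str, session_id: str, service_type: int,
                     login_host: Optional[str] = None,
                     framed_protocol: Optional[int] = None) -> bytes:
    """Accounting-Request with Acct-Status-Type=Start and the attribute set listed above;
    Login-IP-Host or Framed-Protocol is added only for the matching Service-Type."""
    attrs = (attr(ACCT_STATUS_TYPE, u32(ACCT_START)) + attr(USER_NAME, username.encode())
             + attr(NAS_IP_ADDRESS, ipv4(nas_ip)) + attr(NAS_PORT, u32(nas_port))
             + attr(NAS_PORT_TYPE, u32(PORT_TYPE_ASYNC)) + attr(NAS_IDENTIFIER, nas_id.encode())
             + attr(ACCT_SESSION_ID, session_id.encode()) + attr(SERVICE_TYPE, u32(service_type)))
    if service_type == SERVICE_LOGIN and login_host is not None:
        attrs += attr(LOGIN_IP_HOST, ipv4(login_host))
    if service_type == SERVICE_FRAMED and framed_protocol is not None:
        attrs += attr(FRAMED_PROTOCOL, u32(framed_protocol))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866 section 3: the Request Authenticator of an Accounting-Request is
    # MD5(Code + ID + Length + 16 zero octets + Attributes + Secret), so a record
    # forged without the secret, or altered in transit, fails the server's check.
    request_auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + request_auth + attrs


def accounting_server(secret: bytes, packet: bytes) -> Optional[bytes]:
    """Verify the Request Authenticator under the shared secret and return the
    Accounting-Response, or None when the record must be silently discarded."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    header, request_auth, attrs = packet[:4], packet[4:20], packet[20:length]
    if code != ACCOUNTING_REQUEST:
        return None
    if hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest() != request_auth:
        return None
    rheader = struct.pack("!BBH", ACCOUNTING_RESPONSE, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return rheader + hashlib.md5(rheader + request_auth + secret).digest()


def has_attr(packet: bytes, atype: int) -> bool:
    """Walk a packet's attribute list and report whether the given type is present."""
    length = struct.unpack("!H", packet[2:4])[0]
    i = 20
    while i + 2 <= length:
        if packet[i] == atype:
            return True
        if packet[i + 1] < 2:
            break
        i += packet[i + 1]
    return False
```

Because the authenticator covers the whole record, an accounting server configured with a different secret from the Communications Server (the situation the note under Web Configuration warns about when the secret is changed on one side only) silently drops every Start record, and the Server keeps retransmitting until its retry count is exhausted.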

Copyright © 2007 Lantronix. All rights reserved