Security Remote Authentication Dial-In User Service (RADIUS)
Digi TransPort WR Routers User Guide
90
Remote Authentication Dial-In User Service (RADIUS)
TransPort supports Remote Authentication Dial-In User Service (RADIUS), a networking protocol that
provides centralized authentication and authorization management for users who connect to the
device.
With RADIUS support, the TransPort acts as a RADIUS client, which sends user credentials and
connection parameters to a RADIUS server over UDP. The RADIUS server then authenticates the
RADIUS client requests and sends back a response message to the TransPort.
When you are using RADIUSauthentication, you can have both local users and RADIUSusers able to
log in to the device.
Note All TransPort usernames—RADIUS usernames and local usernames—must be unique. If a
RADIUS user has the same username as a local user, the RADIUS user cannot log in.
Set up a RADIUS server
To use RADIUS authentication, you must set up a RADIUS server accessible by the TransPort prior to
configuration. The process of setting up a RADIUS server varies by the server environment. An
example of a RADIUS server is freeRADIUS and a quick-start guide for setting up a freeRADIUS server
is here: http://wiki.freeradius.org/guide/Getting%20Started.
Set up a RADIUS backup server
TransPort also supports the use of a backup RADIUS server to which authentication requests are
automatically sent when the primary RADIUS server is unavailable.
If both the primary and backup RADIUS servers are unavailable, the local-auth configuration can be
used to fall back to local TransPort authentication. If the RADIUS servers are unavailable and the
TransPort falls back to local authentication, only local device users are able to log in. In other words,
after a fall-back event, RADIUS users cannot log in until the RADIUS servers are brought back up.
Use the local-auth parameter
The local-auth parameter configures how the TransPort behaves when all configured RADIUS servers
are unavailable. In most situations, Digi recommends you enable local-auth. In this way, when the
RADIUS servers are unavailable for any reason, local users can log in to the TransPort and configure
other available servers.
If the RADIUS servers become unavailable and local-auth is disabled, no users can log in to the
TransPort. Also, even if local-auth is disabled, no RADIUS user may have the same username as a user
defined locally. If a RADIUS user has the same username as a local user, the RADIUS user cannot log
in.
The table below shows how the primary RADIUS server, the backup RADIUS server, and local
authorization work together.
Primary server
available
Backup server
available
Local
authorization Who can log in?
Yes No N/A RADIUSand local users can log in.
To Next Page
Loading...
