Configuring security Use a RADIUS client for authentication
Digi TransPort® Routers User Guide
801
Use a RADIUS client for authentication
You can use a RADIUS client for authentication purposes at the start of remote command sessions,
SSH sessions, FTP sessions, HTTP sessions and Wi-Fi client connections (PEAP & EAP-TLS). Depending
on how the RADIUS client is configured, the router may authenticate with one or two RADIUS servers,
or may authenticate a user locally using the existing table configured on the router.
There are two RADIUS client configurations: RADIUS Client 0 and RADIUS Client 1. Both have specific
functions and the correct instance (0, 1, or both) should be configured depending on the requirements.
To use RADIUS for authenticating router administration access, configure RADIUS Client 0. To use
RADIUS for authenticating Wi-Fi clients, configure RADIUS Client 1.
When the router has obtained the remote user username and password, the RADIUS client passes this
information (from the Username and Password attributes) to the specified RADIUS server for
authorization. The server should reply with an ACCEPT or REJECT message.
You can configure the RADIUS client with up to two Network Access Servers (NAS). Depending on
system requirements, you can turn on or off local authentication.
During user authentication, the configured RADIUS servers are contacted first. If a valid ACCEPT or
REJECT message is received from the server, the user is allowed or denied access respectively. If no
response is received from the first server, the second server is tried (if configured). If that server fails
to respond, the router uses local authentication unless disabled. If both servers are unreachable and
local authentication is disabled, all authentication attempts fail.
If a RADIUS server replies with a REPLY-MESSAGE attribute (18), the message is displayed after the
login attempt and after any configured “post-banner” message. The router will then display a
Continue Y/N? prompt to the user. If N is selected, the remote session is terminated. This applies to
remote command sessions and SSH sessions only.
If the login attempt is successful and the server sends an IDLE-TIMEOUT attribute (28), the idle time
specified will be assigned to the remote session. If no IDLE-TIMEOUT attribute is sent, the router
applies the default idle timeout values to the session.
The access level is determined by the value of the SERVICE-TYPE attribute returned by the RADIUS
server. Administrative access is determined by the value 6 being returned by the server. Any other
value or no value returned will result in the access level low being assigned.
When the session starts and ends, the router sends the RADIUS accounting START/STOP messages to
the configured server. Again, if no response is received from the primary accounting server, the
secondary server will be tried. No further action is taken if the secondary accounting server is
unreachable.
Because the router has separate configurations for authorization and accounting servers, you can
configure the router to perform authorization functions only, accounting only, or both. An example of
how to use this is to perform local authorizations, but send accounting start/stop records to an
accounting server.
É
Web
1. Go to the Configuration > Security> Radius > RADIUS Client n.
2. Configure the RADIUS client settings for the route:
To Next Page
Loading...
