RADIUS parameters
Digi TransPort User Guide 682
RADIUS parameters are configured on the Configuration > Security > Radius pages.
About using a RADIUS client for authentication
A RADIUS client may be used for authentication purposes at the start of remote command sessions, SSH sessions, FTP sessions, HTTP sessions and Wi-Fi client connections (PEAP and EAP-TLS). Depending on how the RADIUS client is configured, the router may authenticate with one or two RADIUS servers, or may authenticate a user locally using the existing user table configured on the router.
There are two RADIUS client configurations: RADIUS Client 0 and RADIUS Client 1. Each has a specific function, and the correct instance (0, 1, or both) should be configured depending on the requirements.
To use RADIUS for authenticating router administration access, configure RADIUS Client 0.
To use RADIUS for authenticating Wi-Fi clients, configure RADIUS Client 1.
When the router has obtained the remote user's username and password, the RADIUS client sends them to the specified RADIUS server in the User-Name and User-Password attributes of an Access-Request. The server should reply with an ACCEPT (Access-Accept) or REJECT (Access-Reject) message.
The RADIUS client may be configured with up to two RADIUS servers (the guide refers to these as Network Access Servers, or NAS; strictly, in RADIUS terminology the NAS is the router itself, since it is the client that requests access on the user's behalf). Local authentication may also be turned on or off depending on system requirements.
When a user is authenticated, the configured RADIUS servers are contacted first. If a valid ACCEPT or REJECT message is received from the server, the user is allowed or denied access respectively. If no response is received from the first server, the second server is tried (if configured). If that server also fails to respond, local authentication is used unless it has been disabled. If both servers are unreachable and local authentication is disabled, all authentication attempts fail.
Note that only a missing response moves the router on to the next server or to the local table; an explicit REJECT never falls through to local authentication. The flip side is that with local fallback enabled, anyone who can make both RADIUS servers unreachable from the router (for example by blocking the UDP path to them) forces authentication against the local user table, so either keep those local credentials as strong as the RADIUS ones or disable the fallback where the router must fail closed.
If a RADIUS server replies with a REPLY-MESSAGE attribute (18), the message is displayed after
the login attempt and after any configured “post-banner” message. The router will then display a
Continue Y/N? prompt to the user. If N is selected, the remote session is terminated. This
applies to remote command sessions and SSH sessions only.
If the login attempt is successful and the server sends an IDLE-TIMEOUT attribute (28), the idle
time specified will be assigned to the remote session. If no IDLE-TIMEOUT attribute is sent, the
router applies the default idle timeout values to the session.
The access level is determined by the value of the SERVICE-TYPE attribute (6) returned by the RADIUS server. Administrative access is granted only when the server returns the value 6 (Administrative-User). Any other value, or no SERVICE-TYPE attribute at all, results in the low access level being assigned.
When a session starts and ends, the router sends RADIUS accounting START and STOP messages to the configured accounting server. As with authentication, if no response is received from the primary accounting server, the secondary server is tried. If the secondary accounting server is also unreachable, the record is dropped and no further action is taken.
Because the router has separate configurations for authorization and accounting servers, it can be set up to perform authorization only, accounting only, or both. For example, users might be authorized locally while accounting start/stop records are sent to an accounting server.
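The following is an added example, not Digi's code and not taken from the TransPort firmware, that models the client behaviour described in the two sections above: the server order and local fallback for authentication, the interpretation of the SERVICE-TYPE, IDLE-TIMEOUT and REPLY-MESSAGE attributes on an ACCEPT, and the separate primary/secondary accounting path that gives up silently. The RADIUS servers are stood in for by in-process functions so it runs offline; it builds and parses attribute TLVs in the RFC 2865 wire format but does not build the full packet (Request Authenticator, User-Password hiding), which is outside the scope of this page. The default idle timeout of 300 seconds, the level names "admin" and "low", and all usernames and passwords are constructed for the example.

```python
import hmac
import struct

# RADIUS packet codes and attribute types from RFC 2865 / RFC 2866.
ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_RESPONSE = 2, 3, 5
ATTR_SERVICE_TYPE, ATTR_REPLY_MESSAGE, ATTR_IDLE_TIMEOUT, ATTR_ACCT_STATUS_TYPE = 6, 18, 28, 40
SERVICE_TYPE_ADMINISTRATIVE_USER = 6   # the only Service-Type value that grants admin access
ACCT_START, ACCT_STOP = 1, 2
DEFAULT_IDLE_TIMEOUT = 300             # assumed router default (seconds); not from the guide

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; ints become 4-byte big-endian."""
    out = b""
    for attr_type, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        elif isinstance(value, str):
            value = value.encode()
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def decode_attrs(data):
    """Parse RADIUS TLVs; a bad length is an error, never a loop or an over-read."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs

def _session_from_attrs(attrs):
    """Apply the attributes of an ACCEPT the way the guide describes."""
    session = {"access": True, "source": "radius", "level": "low",
               "idle_timeout": DEFAULT_IDLE_TIMEOUT, "reply_message": None}
    for attr_type, value in attrs:
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            if struct.unpack("!I", value)[0] == SERVICE_TYPE_ADMINISTRATIVE_USER:
                session["level"] = "admin"       # any other value, or none, stays "low"
        elif attr_type == ATTR_IDLE_TIMEOUT and len(value) == 4:
            session["idle_timeout"] = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_REPLY_MESSAGE:
            session["reply_message"] = value.decode(errors="replace")  # shown before Continue Y/N?
    return session

def authenticate(username, password, auth_servers, local_users, local_enabled=True):
    """auth_servers: callables (username, password) -> (code, attr_bytes), or None for no
    response. Only silence moves on to the next server or the local table; an explicit
    ACCEPT or REJECT is final. local_users: {username: (password, level)} on the router."""
    for server in auth_servers:
        reply = server(username, password)
        if reply is None:
            continue                                  # timeout: try the next server
        code, attr_bytes = reply
        if code == ACCESS_ACCEPT:
            return _session_from_attrs(decode_attrs(attr_bytes))
        return {"access": False, "source": "radius"}  # REJECT (or anything else): deny
    entry = local_users.get(username)
    if local_enabled and entry and hmac.compare_digest(entry[0].encode(), password.encode()):
        return {"access": True, "source": "local", "level": entry[1],
                "idle_timeout": DEFAULT_IDLE_TIMEOUT, "reply_message": None}
    return {"access": False, "source": "none"}        # all servers silent, no local fallback

def send_accounting(username, status, acct_servers):
    """Send START/STOP to the primary, then the secondary; return the name of the server
    that acknowledged, or None. Nothing further happens if both are unreachable."""
    record = encode_attrs([(ATTR_ACCT_STATUS_TYPE, status)])
    for name, server in acct_servers:
        if server(username, record) == ACCOUNTING_RESPONSE:
            return name
    return None

# Constructed in-process stand-ins for RADIUS servers, so the script runs offline.
def accept_admin(username, password):
    return ACCESS_ACCEPT, encode_attrs([(ATTR_SERVICE_TYPE, SERVICE_TYPE_ADMINISTRATIVE_USER),
                                        (ATTR_IDLE_TIMEOUT, 600),
                                        (ATTR_REPLY_MESSAGE, "Maintenance window 02:00")])
def accept_plain(username, password):
    return ACCESS_ACCEPT, b""            # no Service-Type at all: access level low
def reject(username, password):
    return ACCESS_REJECT, b""
def silent(*_):
    return None                          # unreachable server
def acct_ok(username, record):
    return ACCOUNTING_RESPONSE

if __name__ == "__main__":
    local = {"ops": ("pa55word", "low")}                               # constructed local table
    print(authenticate("admin", "x", [accept_admin, silent], local))   # admin, idle 600
    print(authenticate("admin", "x", [reject, accept_admin], local))   # REJECT: no fallback
    print(authenticate("ops", "pa55word", [silent, silent], local))    # local fallback
    print(send_accounting("ops", ACCT_START, [("primary", silent), ("secondary", acct_ok)]))
```

The `decode_attrs` length checks matter in a real client: the attribute length byte comes from the network, and trusting it blindly is the classic way a RADIUS parser ends up reading past the end of the datagram.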