Configuring RADIUS

 

IOCOMM RADIUS client

RADIUS server on Unix

RADIUS server on Windows® NT

Adding User to RADIUS system

RADIUS Accounting

Setting the IP address of the IOCOMM for PPP and SLIP

Interpreting IOCOMM port numbers on a RADIUS server

 

RADIUS is a client/server system allowing access servers (clients) to exchange authentication and accounting information with database servers.

IOCOMM RADIUS client

  1. On the IOCOMM Main menu, select Global configuration.
  2. Select RADIUS.
  3. Select Enable RADIUS authentication.

    Note: Without this option selected, other settings will have no effect except Enable special login prefix recognition.

  4. Select Enable RADIUS accounting if you require the accounting function.
  5. Select Enable special login prefix recognition if required. This allows login names prefixed with P or S to request PPP or SLIP services respectively.

    Note: With this option enabled, any user login that starts with a capital P or capital S will fail. The IOCOMM treats the leading P or S as a request for PPP or SLIP and the remainder of the text as the login name, so a login such as Peter requests PPP with a login name of eter, which the server will not recognise. Give such users a login starting with another character, or leave this option disabled.

  6. For the First server, in the Host name field, enter the name or IP address of the host running the RADIUS server.
  7. For the First server, in the Shared secret field, enter the shared secret string. The login can only succeed if this string matches the one specified for the IOCOMM in the clients file on the RADIUS server. The secret also keys the MD5 hiding of the user's password in every request and the authenticator on every reply, so choose a long random string and protect it like a password.
  8. Select the logical network ports (UDP ports) by choosing one of the following options:

    The first option uses the port numbers specified in the RADIUS draft standard (1645 for authentication, 1646 for accounting). This is the default selection.

    The second option uses the port numbers specified by RFCs 2138 and 2139 (1812 for authentication, 1813 for accounting). These RFCs have since been superseded by RFC 2865 and RFC 2866, which keep the same port numbers.

    The third option allows you to set your own port numbers. Whichever option you choose, the numbers must match the ports the RADIUS server listens on.
     
  9. Select the Expert button, which provides further administration settings, allowing you to set the number of retries and time-out values.
  10. Enter the appropriate values in the following fields (defaults shown in brackets):

    Re-send to server after [6 seconds]: the time-out value, i.e. how long the IOCOMM waits for a reply before re-sending the request.

    Number of attempts [3]: how many times the request is sent to a server before the IOCOMM gives up on that server.

     
  11. Repeat for the Second server and Third server if required.

    Note: These servers are used as backup units.

  12. Select Submit.
  13. Select Return to the Main menu.

Note: If RADIUS authenticates a user but the reply carries no service, the connection is terminated automatically and a syslog entry is generated. Where RADIUS authentication is not enabled, the default command (e.g. shell) is run instead.

RADIUS server on Unix

Exact operation will depend on which vendor's RADIUS server is being used.

The basic steps are:

  1. Install the software, if necessary.
  2. Add the IOCOMM to the clients file.

    This file contains one line for each access server allowed to use the RADIUS server. Each line contains the Name and Shared secret, which must match those configured on the relevant access server. Because the secrets are stored in clear text, restrict read access to this file to the account the RADIUS server runs as.

  3. Add the dial-in users to the users file.

    The format of this file is broadly similar between vendors, but there may be some differences. Refer to the vendor's instructions.

  4. Restart the server, if required.

RADIUS server on Windows® NT

The method employed for configuring RADIUS on a Windows® NT server will depend upon the particular version of RADIUS used. Consult the vendor's documentation.

Adding User to RADIUS system

Users must be added to a RADIUS server's database in order for them to be authenticated. This procedure depends upon the RADIUS server being used. Consult the documentation provided.

RADIUS Accounting

The procedure for configuring RADIUS accounting on the IOCOMM is as follows:

  1. On the IOCOMM Main menu, select Global configuration.
  2. Select the RADIUS option.
  3. Check that at least one RADIUS Server is specified on this page (i.e. the First server section is filled in), and the Enable RADIUS authentication option is already selected.
  4. Select Enable RADIUS accounting. This option allows you to use the accounting function.
  5. Select Submit. The IOCOMM will now send accounting information to a RADIUS server.
  6. Select Return to the Main menu .

Note: The RADIUS server must also be configured to keep a log of the accounting information sent to it; do this on the server if you have not already done so.

Setting the IP address of the IOCOMM for PPP and SLIP

When configuring a user for Framed access (PPP or SLIP) on a RADIUS server it may be necessary to specify the IP address of the IOCOMM as one of the reply items. Because standard RADIUS does not provide this facility, the IOCOMM uses attribute number 224, named Framed-NAS-Address, which lies in the range RFC 2138 reserves for implementation-specific use. To add this capability it will be necessary to edit the RADIUS server's dictionary file to include a line similar to the following (see the documentation with your RADIUS server for details of the correct syntax):

ATTRIBUTE	Framed-NAS-Address	224	ipaddr 

After the dictionary file has been edited it may be necessary to restart the RADIUS server for the changes to take effect.

Once this has been done the Framed-NAS-Address attribute can be used in the reply items section of a user entry in the RADIUS users file, for example:

fred Password = "basingstoke"
     Service-Type = Framed-User,
     Framed-Protocol = PPP,
     Framed-IP-Address = 10.0.0.6,
     Framed-IP-Netmask = 255.0.0.0,
     Framed-NAS-Address = 10.0.0.7,
     Framed-Routing = None

The Password item is held in clear text, so the users file needs the same access restrictions as the clients file.

Interpreting IOCOMM port numbers on a RADIUS server

Because the RADIUS NAS-Port attribute is an integer, and the IOCOMM uses letters as well as numbers for its ports, there is a discrepancy between the IOCOMM's port numbers and the values actually sent to the RADIUS server. The LAN port is sent as 0, the A and B ports as 1 and 2, and each numbered serial port as its number plus 2. This means that port values appearing on the RADIUS server, for example in the accounting information, will differ as follows:

    IOCOMM port    Port value shown on RADIUS server
    LAN            0
    A              1
    B              2
    1              3
    2              4
    3              5
    ...            ...
    16             18

To make the RADIUS server display the IOCOMM's own port labels instead of these values, edit the dictionary file to include a section that names each NAS-Port value. The following is an example (see the documentation with your RADIUS server for details of the correct syntax):

#		   IOCOMM Port   NAS-Port Value
#		   -----------   --------------
VALUE	NAS-Port	LAN		0
VALUE	NAS-Port	A		1
VALUE	NAS-Port	B		2
VALUE	NAS-Port	1		3
VALUE	NAS-Port	2		4
VALUE	NAS-Port	3		5
VALUE	NAS-Port	4		6
VALUE	NAS-Port	5		7
VALUE	NAS-Port	6		8
VALUE	NAS-Port	7		9
VALUE	NAS-Port	8		10
VALUE	NAS-Port	9		11
VALUE	NAS-Port	10		12
VALUE	NAS-Port	11		13
VALUE	NAS-Port	12		14
VALUE	NAS-Port	13		15
VALUE	NAS-Port	14		16
VALUE	NAS-Port	15		17
VALUE	NAS-Port	16		18 

After the dictionary file has been edited it may be necessary to restart the RADIUS server for the changes to take effect.
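The following Python, added here as an example and not part of the IOCOMM or of any RADIUS server, pulls together the three dictionary-dependent pieces above: it decodes an Access-Accept using attribute 224 as an ipaddr (the Framed-NAS-Address entry), applies the rule from the client section that an accept carrying no service is terminated, and verifies and decodes an Accounting-Request per RFC 2139, translating NAS-Port with the same LAN/A/B/1..16 mapping as the VALUE lines. The sample packets are constructed in the code to match the fred entry and are not captures; the function names and the secret are this example's own.

```python
"""Decode RADIUS replies and accounting records with the IOCOMM dictionary additions.

Added example, not IOCOMM code or any RADIUS server's. Attribute numbers
and types follow RFC 2138/2139 plus the two additions on this page:
Framed-NAS-Address (224, ipaddr) and the NAS-Port value names. The sample
packets are constructed here, not captured; function names are this example's.
"""
import hashlib
import hmac
import socket
import struct

ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4

# number -> (name, type); 224 is the page's local dictionary addition.
DICTIONARY = {
    1: ("User-Name", "string"), 5: ("NAS-Port", "integer"),
    6: ("Service-Type", "integer"), 7: ("Framed-Protocol", "integer"),
    8: ("Framed-IP-Address", "ipaddr"), 9: ("Framed-IP-Netmask", "ipaddr"),
    10: ("Framed-Routing", "integer"), 40: ("Acct-Status-Type", "integer"),
    44: ("Acct-Session-Id", "string"), 224: ("Framed-NAS-Address", "ipaddr"),
}
VALUE_NAMES = {
    "Service-Type": {2: "Framed-User"}, "Framed-Protocol": {1: "PPP", 2: "SLIP"},
    "Framed-Routing": {0: "None"}, "Acct-Status-Type": {1: "Start", 2: "Stop"},
}
# NAS-Port value -> IOCOMM port label: LAN=0, A=1, B=2, serial port n = n + 2.
IOCOMM_PORTS = ["LAN", "A", "B"] + [str(n) for n in range(1, 17)]


def nas_port_name(value):
    """Same translation the VALUE lines above give the server; unknown values stay numeric."""
    return IOCOMM_PORTS[value] if 0 <= value < len(IOCOMM_PORTS) else str(value)


def decode_attributes(data):
    """Walk the Type/Length/Value list. Bad lengths raise rather than wrapping or looping."""
    out, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        kind, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        value, pos = data[pos + 2:pos + length], pos + length
        name, vtype = DICTIONARY.get(kind, ("Attr-%d" % kind, "octets"))
        if vtype == "integer":
            if len(value) != 4:
                raise ValueError("%s is not a 4-byte integer" % name)
            num = struct.unpack("!I", value)[0]
            value = nas_port_name(num) if name == "NAS-Port" else VALUE_NAMES.get(name, {}).get(num, num)
        elif vtype == "ipaddr":
            if len(value) != 4:
                raise ValueError("%s is not a 4-byte address" % name)
            value = socket.inet_ntoa(value)
        elif vtype == "string":
            value = value.decode("latin-1")
        out[name] = value
    return out


def decide_service(reply):
    """Rule from the client section: an Access-Accept that names no service is terminated."""
    if reply[0] != ACCESS_ACCEPT:
        return "reject", {}
    attrs = decode_attributes(reply[20:])
    if "Service-Type" not in attrs:
        return "terminate", attrs
    return str(attrs.get("Framed-Protocol", attrs["Service-Type"])), attrs


def verify_accounting_request(packet, secret):
    """RFC 2139: authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret).
    A server should drop, not log, records that fail this check."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def accounting_record(packet, secret):
    """Decoded record with NAS-Port already shown as the IOCOMM label, or None if unauthentic."""
    if packet[0] != ACCOUNTING_REQUEST or not verify_accounting_request(packet, secret):
        return None
    return decode_attributes(packet[20:])


def attribute(kind, value):
    return struct.pack("!BB", kind, 2 + len(value)) + value


def sample_access_accept():
    """Constructed reply matching the 'fred' users-file entry above (not a capture).
    The Response Authenticator is left zero here; checking it is a separate step."""
    attrs = (attribute(6, struct.pack("!I", 2)) + attribute(7, struct.pack("!I", 1))
             + attribute(8, socket.inet_aton("10.0.0.6")) + attribute(9, socket.inet_aton("255.0.0.0"))
             + attribute(224, socket.inet_aton("10.0.0.7")) + attribute(10, struct.pack("!I", 0)))
    return struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(attrs)) + bytes(16) + attrs


def sample_accounting_request(secret, port_value=3):
    """Constructed Accounting-Request Start for fred on IOCOMM serial port 1 (NAS-Port 3)."""
    attrs = (attribute(1, b"fred") + attribute(40, struct.pack("!I", 1))
             + attribute(5, struct.pack("!I", port_value)) + attribute(44, b"0000001A"))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, 9, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs
```

Without the 224 entry in DICTIONARY the Framed-NAS-Address value would come back as raw octets under the name Attr-224, which is the symptom you see on a server whose dictionary has not been edited; likewise a record whose NAS-Port shows 3 rather than 1 means the VALUE section is missing or the server was not restarted.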

000127

