RSA Security RSA RADIUS Server 6.1 Administrator'S Manual Download Page 97

Page: 97 / 118

RSA RADIUS Server 6.1 Administrator’s Guide

Using the LDAP Configuration Interface

199.198.197.196
196.197.198.199

If the [LDAPAddresses] section is omitted or empty, RSA RADIUS Server
listens for LCI requests on all bound IP interfaces.

Specify the same port number using the

-p

option on the LDAP command

line. For example:

ldapsearch -V 2 -p 354 -D "cn=admin,o=radius" -w radius
-s sub -T -b "radiusclass=Client,o=radius" radiusname=*

LDAP Virtual Schema

The LDAP server uses the virtual schema (illustrated in

Figures 26

–

) to format

configuration data so that this data can be understood by the
RSA RADIUS Server database.

NOTE:

radiusstatus

items can be read, but they cannot be modified.

Figure 26

LDAP Schema (Slide 1 of 4)

1...n

Available Attributes:

Available Child Objects:

radiuslist=reply
radiuslist=check

radiusclass=

profile

radiusname=

MYPROFILE

1...n

radiusclass=
securid-user

radiusname=

MYPROFILE

radiusclass=

server

Available Attributes:

Server-Password <string>
Server-Password-Enabled 0|1
Default-Reject-Msg <string>
Unknown-User-Msg <string>
Lists-Mismatch-Msg <string>
Invalid-Lists-Msg <string>
Auth-Methods <meth1>; <meth2>; ...
Log-Max-Days <number>

radiusclass=

rsa_cached_passwords

(read-only)

Available Attribute:

cached-password

Available Check
Attributes:

All check list attributes
from dictionaries

Available Reply
Attributes:

All reply list attributes
from dictionaries

radiusclass=

client

radiusname=

MYRASCLIENT

Available Attributes:

Shared-Secret <string>
Acct-Shared-Secret <string>
IP-Address nnn.nnn.nnn.nnn
Product <string>
Inactivity-Timeout <seconds>

Summary of Contents for RSA RADIUS Server 6.1

Page 1: ...RSA RADIUS Server 6 1 Administrator s Guide Powered by Steel Belted Radius ...

Page 2: ...IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE Portions of this software copyright 2001 2002 Networks Associates Technology Inc All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain the above copyright notice this list of conditions and th...

Page 3: ...library is free software you can redistribute it and or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation either version 2 of the License or at your option any later version This library is distributed in the hope that it will be useful but WITHOUT ANY WARRANTY without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTIC...

Page 4: ...his software nor any copies thereof may be provided to or otherwise made available to any third party No title to or ownership of the software or any intellectual property rights thereto is hereby transferred Any unauthorized use or reproduction of this software may be subject to civil and or criminal liability This software is subject to change without notice and should not be construed as a comm...

Page 5: ...ew 2 RADIUS Packets 4 RADIUS Configuration 5 Shared Secrets 6 RADIUS Ports 8 Authentication 8 Accounting 9 Accounting Sequence 10 Attributes 12 Dictionaries 12 Attribute Lists 13 Attribute Values 14 Default Values 15 Centralized Configuration Management 16 Replacing a Replica RADIUS Server 17 Designating a New Primary RADIUS Server 17 Recovering a Replica After a Failed Download 18 Changing the Na...

Page 6: ... on Linux 29 System Requirements 29 Installer Syntax 29 Installing the RSA RADIUS Server Software 31 Stopping and Starting the RADIUS Daemon 33 Uninstalling the RSA RADIUS Server Software 34 Chapter 3 Using RSA RADIUS Administrator Running RSA RADIUS Administrator 35 Navigating in RSA RADIUS Administrator 36 RSA RADIUS Administrator Menus 36 RSA RADIUS Administrator Toolbar 38 RSA RADIUS Administr...

Page 7: ...r 7 Administering RADIUS Servers Replication Panel 66 Adding a RADIUS Server Manually 66 Enabling a RADIUS Server 68 Deleting a RADIUS Server 68 Publishing Server Configuration Information 69 Notifying Replica RADIUS Servers 69 Designating a New Primary RADIUS Server 70 Recovering a Replica After a Failed Download 70 Changing the Name or IP Address of a Server 71 Regenerating a Node Secret 72 Rese...

Page 8: ...erface 82 LDAP Utilities 82 LDAP Requests 83 Downloading the LDAP Utilities 83 LDAP Version Compliance 84 Configuring the LDAP TCP Port 84 LDAP Virtual Schema 85 LDAP Command Examples 90 Searching for Records 90 Modifying Records 91 Adding Records 93 Deleting Records 94 Statistics Variables 95 Counter Statistics 95 Rate Statistics 97 Glossary Index ...

Page 9: ...ng services This manual assumes that you are familiar with general RADIUS and networking concepts and the specific environment in which you are installing RSA RADIUS Server What s In This Manual This manual contains the following chapters and appendix X Chapter 1 About RSA RADIUS Server presents an overview of RSA RADIUS Server and summarizes important concepts relating to the operation of RSA RAD...

Page 10: ... in this and other RSA RADIUS Server manuals Syntax Conventions This manual uses the following conventions to present file and command line syntax X radiusdir represents the directory into which RSA RADIUS Server has been installed By default this is C Program Files RSA Security RSA RADIUS for Windows systems and opt rsa radius on Linux and Solaris systems X Brackets enclose optional items in form...

Page 11: ...formation file for information about using RSA RADIUS Server with different remote access servers and firewalls To access this file 1 Start the RSA RADIUS Administrator application 2 Choose Web NAS Vendor Information You can access the same information by clicking the Web Info button on the Add RADIUS Client or Edit RADIUS Client window Requests for Comments RFCs The Internet Engineering Task Forc...

Page 12: ...the computer running the RSA Authentication Manager software Have the following information available when you call X Your RSA Security Customer License ID You can find this number on the license distribution medium or by running the Configuration Management application on Windows servers or by issuing an sdinfo command on Linux or Solaris servers X RSA Authentication Manager software version numb...

Page 13: ...trol who can access your network and what resources are available to them and requires little administration beyond your current management of LAN users RSA RADIUS Server then logs all access usage so you can track and document usage statistics RSA RADIUS Server Features X Centralized management of user access control and security X Support for a wide variety of 802 1X compliant access points and ...

Page 14: ...etwork X Authorization is the process of controlling the network resources that the user can access on the protected network such as privileges and time limits X Accounting is the process of generating log files that record statistics describing each connection session used for billing system diagnosis and usage planning Figure 1 illustrates a simple RSA RADIUS authentication and authorization seq...

Page 15: ...The RSA RADIUS server sends a request for the user s credentials through the TTLS tunnel 4 The access client sends a user ID and passcode tokencode and personal identification number to the RSA RADIUS server 5 The RSA RADIUS server forwards the user s user ID and passcode to the RSA Authentication Manager which verifies that the user ID exists and that the passcode is correct for that user at that...

Page 16: ...E If the user requesting the network connection is in New Pin mode or New Token mode not shown the RSA Authentication Manager sends a message asking for more information which the RSA RADIUS server forwards to the user When the user responds with values the RSA RADIUS server can accept the authentication sequence continues 8 Depending on what information the RAS receives from the RSA RADIUS server...

Page 17: ... networks you might have to coordinate RADIUS configuration details with the administrators of other networks RADIUS Server Configuration You must configure how a RADIUS server responds to each of its clients To configure the RSA RADIUS Server run the RSA RADIUS Administrator described in Running RSA RADIUS Administrator on page 35 open the RADIUS Clients panel described in RADIUS Clients Panel on...

Page 18: ...that serves as a password between hosts RSA RADIUS Server uses three types of shared secrets X RADIUS secret Used to authenticate communication between a RADIUS server and a RADIUS client X Replication secret Used to authenticate communication between a primary RADIUS server and a replica RADIUS server X Node secret Used to authenticate communication between a RADIUS server and an RSA Authenticati...

Page 19: ... server uses to communicate with each of the clients on this list During an authentication transaction password information must be transmitted securely between the RADIUS client RAS or AP and the RSA RADIUS Server RSA RADIUS Server uses the authentication shared secret to encrypt and decrypt password information No encryption is involved in transmitting accounting data between a RADIUS client and...

Page 20: ...change RADIUS packets must use compatible UDP port numbers If you are configuring a RAS to exchange authentication packets with a RADIUS server you must find out which port the server uses to receive authentication packets from its clients 1812 for example You must then configure the RAS to send authentication packets on the same port 1812 The same is true for RADIUS accounting RSA RADIUS Server c...

Page 21: ...r the authorization failure If initial authentication conditions are met but additional input is needed from the user the RADIUS server returns an Access Challenge to the RAS Enable the RAS to prompt the user for more authentication data Complete the current Access Request so the RAS can issue a new one Table 1 RADIUS Authentication Messages and Attributes Continued Message Conditions Purpose of M...

Page 22: ...ion start time After a connection is terminated the RAS sends a Stop message to the server Record statistics regarding the connection One message contains the final value of every statistic that this RAS is capable of recording about this type of connection At intervals of approximately every six minutes the RAS sends an Interim Acct message to the server Record a snapshot of statistics regarding ...

Page 23: ...nables RSA RADIUS Server to pass user identity information to accounting processes without exposing user identities to a RAS or AP that should not see them When tunneled accounting is enabled RADIUS attributes are encrypted and encapsulated in a Class attribute If the information for a Class attribute exceeds the attribute payload size 253 octets RSA RADIUS Server returns more than one Class attri...

Page 24: ...to parse authentication and accounting requests and generate responses The main RSA RADIUS Server dictionary file radius dct lists attributes defined by the RADIUS standard The radius dct file resides in the same directory as the RSA RADIUS Server service usually C Program Files RSA Security RSA RADIUS Service on Windows computers and opt rsa radius on Solaris and Linux computers Vendor Specific A...

Page 25: ...es and values For information on modifying vendor dictionary files refer to the RSA RADIUS Server 6 1 Reference Guide Attribute Lists You can use profiles to control authentication at finer levels of detail than simple user ID and password checking allow Checklists and return lists provide powerful tools for the authentication and authorization of users Checklist Attributes A checklist is a list o...

Page 26: ...cific attributes During authentication RSA RADIUS Server filters the return list based on the dictionary for the specific RADIUS client that sent the authentication request The server omits any return list attribute that is not valid for this device Attribute Values The value of each RADIUS attribute has a well defined data type numeric string IP or IPX address time or hexadecimal For example Call...

Page 27: ...an force an attribute from the RADIUS request to be echoed in the RADIUS response For example you might add Callback Number to the return list and click the echo checkbox RSA RADIUS Server takes the value of the Callback Number it receives in the RADIUS request and echoes it back to the client in the RADIUS response if it receives no Callback Number it echoes nothing You enter Callback Number one ...

Page 28: ...rovide configuration for the user such as time of day and concurrent login limit information Centralized Configuration Management The RSA RADIUS Server supports the replication of RADIUS configuration data from a Primary RADIUS Server to a maximum of 10 Replica RADIUS Servers within a realm on a customer network Replica servers help balance the load of authentication requests coming in from RADIUS...

Page 29: ...eplica RADIUS Server To replace a failed Replica RADIUS Server a network administrator shuts down the failed server installs the RSA RADIUS Server software on a replacement server and enables the Replica RADIUS Server The Replica RADIUS Server then downloads and installs its configuration package from the Primary RADIUS Server Designating a New Primary RADIUS Server You can change which server wit...

Page 30: ... secret For information on how to recover a Replica after a failed download refer to Recovering a Replica After a Failed Download on page 70 Changing the Name or IP Address of a Server To change the DNS name or IP address of a Primary or Replica RADIUS Server you run the rsainstalltool Windows or the rsaconfiguretool Solaris Linux utility For more information refer to Changing the Name or IP Addre...

Page 31: ...te with RSA Authentication Manager If you install the RSA RADIUS Server software on the host running RSA Authentication Manager local installation the installer obtains the path to these files automatically If you install the RSA RADIUS Server software on a different host remote installation the installer asks you for the path to these files Data Migration Registration When you install a Primary R...

Page 32: ...on Windows This section describes how to install the RSA RADIUS Server software on a Windows server System Requirements Table 3 lists the hardware and software requirements of the RSA RADIUS Server software Table 3 Windows Server System Requirements Operating system Windows 2000 with Service Pack 4 Windows Server 2003 STD edition with Service Pack 1 Networking TCP IP must be configured on the Wind...

Page 33: ...When the License Agreement window opens click the I accept the terms in the license agreement radio button Click Next to continue 7 When the Setup Type window opens click the Complete radio button if you want to install the RSA RADIUS Server files in the C Program Files RSA Security RSA RADIUS directory If you want to install RSA RADIUS Server software in a directory other than the default C Progr...

Page 34: ... computer to run the RADIUS service at the end of the installation sequence Click Next to continue 11 When the Ready to Install the Program window opens click Install to begin the installation of the RSA RADIUS Server software 12 When installation is completed the InstallShield Wizard Completed window opens Click Finish After you finish installing the RSA RADIUS Server software run the RSA Authent...

Page 35: ...ary_ips ips primary_secret secret overwrite migrate silent start_sbr usage help h Table 5 explains the function of each command option Table 4 Solaris Server System Requirements Hardware Sun UltraSPARC workstation Operating system Solaris 9 Memory At least 256 megabytes of working memory Disk space Installing the RSA RADIUS Server software requires at least 234 megabytes of space on the hard disk ...

Page 36: ...Default value is opt port Specifies the TCP port used for administration of the RSA RADIUS Server Default value is 1813 primary Specifies the name of the Primary RADIUS Server Use only when installing a Replica RADIUS Server Do not use the primary option if you are specifying the reppkg option primary_ips Specifies the IPv4 address or addresses of the Primary RADIUS Server If your Primary RADIUS S...

Page 37: ...r an explanation of the install_rsa sh command options reppkg Specifies the path to the replica ccmpkg configuration file Use only when installing a Replica RADIUS Server Do not use the reppkg option if you are specifying the primary primary_ips and primary_secret options Default value is opt silent Specifies that if all required information is supplied through command options the installer does n...

Page 38: ...nistration port 1813 8 Specify whether you are installing a Primary or Replica RADIUS Server Enter RADIUS identity REPLICA or PRIMARY PRIMARY 9 If you are installing a Replica RADIUS Server specify whether a configuration package generated by the Primary RADIUS Server is available Is replica ccmpkg file present y n n If you enter y you are prompted to specify the path to the replica ccmpkg file En...

Page 39: ...g log for details Configuration of RSA Radius failed The installation has failed would you like it cleaned up y n y y Cleaning up installation Removing etc rc2 d S90radius script Removing etc rc2 d K90radius script Stopping and Starting the RADIUS Daemon After the RADIUS daemon is installed on the server it stops and starts automatically each time you shut down or restart the server You can stop t...

Page 40: ...oblem in the tprsMigReg log file which is stored in the RSA RADIUS Server directory opt rsa radius by default Log for RSA to SBR Install Utility Install Date 07 15 2005 Install Time 12 52 55 INFO SBR Radius services directory is opt rsa radius INFO Host Name phobos DNS Name phobos mars com Replacing Host Name INFO SBR Radius server name is phobos mars com INFO SBR Radius server IP Address is 192 1...

Page 41: ...ret overwrite migrate silent start_sbr usage help h Table 7 explains the function of each command option Table 6 Linux Server System Requirements Hardware X86 workstation Operating system RedHat Enterprise 3 0 Memory At least 256 megabytes of working memory 512 megabytes for servers with more than 10 000 RADIUS users Disk space Installing the RSA RADIUS Server software requires at least 234 megaby...

Page 42: ...s Default value is opt port Specifies the TCP port used for administration of the RSA RADIUS Server Default value is 1813 primary Specifies the name of the Primary RADIUS Server Use only when installing a Replica RADIUS Server Do not use the primary option if you are specifying the reppkg option primary_ips Specifies the IPv4 address or addresses of the Primary RADIUS Server If your Primary RADIUS...

Page 43: ... 29 for an explanation of the install_rsa sh command options reppkg Specifies the path to the replica ccmpkg configuration file Use only when installing a Replica RADIUS Server Do not use the reppkg option if you are specifying the primary primary_ips and primary_secret options Default value is opt silent Specifies that if all required information is supplied through command options the installer ...

Page 44: ...RADIUS Server The default port number is 1813 Enter RSA administration port 1813 8 Specify whether you are installing a Primary or Replica RADIUS Server Enter RADIUS identity REPLICA or PRIMARY PRIMARY 9 If you are installing a Replica RADIUS Server specify whether a configuration package generated by the Primary RADIUS Server is available Is replica ccmpkg file present y n n If you enter y you ar...

Page 45: ...llation failed Please see opt rsa radius tprsMigReg log for details Configuration of RSA Radius failed The installation has failed would you like it cleaned up y n y y Cleaning up installation Removing etc init d sbrd script Stopping and Starting the RADIUS Daemon After the RADIUS daemon is installed on the server it stops and starts automatically each time you shut down or restart the server You ...

Page 46: ...tall_rsa sh 5 Type y when you are asked to confirm that you want to uninstall the RSA RADIUS Server software Confirm deletion of RSA RADIUS Server y n y The uninstall script displays a confirmation message RSA RADIUS Server removed when it finishes running NOTE If you delete the RSA RADIUS Server directory before you execute the uninstall_rsa sh command the uninstall script cannot find the files i...

Page 47: ...nistrator NOTE The RSA RADIUS Administrator will not start unless the Administrator user in the RSA Authentication Manager application has been configured with a token or password For information on how to configure the Administrator user with a token or password refer to the RSA Authentication Manager 6 1 Administrator s Guide To run the RSA RADIUS Administrator 1 Choose Start All Programs RSA Se...

Page 48: ...ADIUS Administrator window has four menus File Panel Web and Help File Menu Table 8 describes the functions of each entry in the File menu in the RSA RADIUS Administrator Menu Bar Toolbar Navigation Frame Content Frame Table 8 File Menu Options Menu Entry Function License Opens the Add a License for Server window which lets you add a license string for your RSA RADIUS Server software For more info...

Page 49: ...r application Table 9 Panel Menu Options Menu Entry Function RADIUS Clients Displays the RADIUS Clients panel in the RSA RADIUS Administrator window For more information see Chapter 4 Administering RADIUS Clients on page 45 Profiles Displays the Profiles panel in the RSA RADIUS Administrator window For more information see Chapter 5 Administering Profiles on page 51 Replication Displays the Replic...

Page 50: ...nt context Table 10 Web Menu Options Menu Entry Function More about RSA RADIUS Server Opens the Funk Software webpage NAS Vendor Information Opens the Funk RADIUS AAA Compatibility Guide webpage which lets you review information about remote access devices and wireless LAN devices made by third party vendors Table 11 Help Menu Options Menu Entry Function Contents Opens the online help for the RSA ...

Page 51: ... RADIUS Server database Active only when an object is selected in the active panel Cut Deletes an existing object from the RSA RADIUS Server database and copies its information to the Clipboard Active only when an object is selected in the active panel Copy Copies settings for the selected object from the RSA RADIUS Server database to the Clipboard Active only when an object is selected in the act...

Page 52: ...entry to the RSA RADIUS Server database open the appropriate panel and double click the item you want to change or choose the item and click the Edit button on the RSA RADIUS Administrator toolbar The RSA RADIUS Administrator displays the settings for the item you selected in an Edit window A sample Edit window appears in Figure 7 The Save button is disabled until the contents of a field in the Ed...

Page 53: ...m of each type such as one RADIUS client or one user If you copy an item to the Clipboard and then copy another item of the same type the information for the second item overwrites the information for the first item Clipboard contents are preserved until you exit the RSA RADIUS Administrator When you paste an item the RSA RADIUS Administrator displays a window similar to the Add window with the pa...

Page 54: ...r tables are sorted by name You can sort items in any order by clicking a column header Previously sorted tables retain their order when the table is sorted on another column If you want to sort a table by more than one column click the less significant column and then click the more significant column Using Context Menus You can right click an object in RSA RADIUS Administrator windows to display...

Page 55: ...SA RADIUS Administrator window press F1 or choose Help Contents To view the PDF version of the RSA RADIUS Server manuals choose Help Manuals and choose the manual you want to open Displaying Version Information To identify the current version of the RSA RADIUS Administrator choose Help About to open the About RSA RADIUS Server window Figure 9 Figure 9 About RSA RADIUS Server Window Adding a Licens...

Page 56: ... and click OK When the server displays a confirmation message click OK Figure 10 Add a License for Server Window 4 Restart your RSA RADIUS Server Exiting the RSA RADIUS Administrator To close the RSA RADIUS Administrator choose File Exit Closing the RSA RADIUS Administrator has no impact on the RSA RADIUS Server service or daemon ...

Page 57: ...ation that interfaces with the RSA RADIUS Server when it needs to authenticate a user or to record accounting information about a network connection This chapter describes how to set up RADIUS clients RADIUS Clients Panel The RADIUS Clients panel Figure 11 lets you identify the devices that you want to define as clients of the RSA RADIUS Server Figure 11 RADIUS Clients Panel ...

Page 58: ...ADIUS client entry you should use the device s hostname to avoid confusion You can create a special RADIUS client entry called ANY by clicking the Any RADIUS Client checkbox Figure 13 The ANY RADIUS client enables RSA RADIUS Server to accept requests from any RAS as long as the shared secret is correct Figure 13 Creating an ANY RADIUS Client Note that the IP Address field for an ANY RADIUS client ...

Page 59: ...US client 6 Use the Make model list to choose the make and model of your RADIUS client device The Make model selection tells RSA RADIUS Server which dictionary of RADIUS attributes to use when communicating with this client If you are not sure which make and model you are using or if your device is not in the list choose Standard Radius NOTE For information about the various brands of RAS device s...

Page 60: ... for the client RSA RADIUS Server adjusts the counts of concurrent user connections appropriately NOTE If the value you enter in the seconds field is too low valid user or tunnel connections can be lost For example during low usage periods a RAS device might not send any RADIUS packets to the RSA RADIUS Server even though the device is still functioning Verifying a Shared Secret To verify a shared...

Page 61: ...trator s Guide Administering RADIUS Clients 49 2 Select the RADIUS client entry you want to delete 3 Click the Delete button on the RSA RADIUS Administrator toolbar 4 When you are prompted to confirm the deletion request click Yes ...

Page 62: ...50 Administering RADIUS Clients September 2005 ...

Page 63: ...you require Profiles provide a powerful means of managing and configuring accounts To change attributes settings across many users immediately edit the profile that you have assigned to these users Adding a Checklist or Return List Attribute for a Profile A checklist attribute is an item of information that must accompany a RADIUS Access Request for a connection before the connection can be authen...

Page 64: ...is single valued then the user specific attribute replaces the attribute of the same name that was provided by the profile Z If the attribute is orderable then the user specific attribute replaces the attribute of the same name that was provided by the profile Default Profile After RSA Authentication Manager authenticates a user it can return the profile name associated with that user to RSA RADIU...

Page 65: ...tes You can then associate these profiles with users in the RSA Authentication Manager to simplify user administration Figure 15 Profiles Panel Adding a Profile To add a profile 1 Open the Profiles panel 2 Click the Add button on the RSA RADIUS Administrator toolbar The Add Profile window Figure 16 opens Figure 16 Add Profile Window 3 Enter a name for the new profile in the Name field ...

Page 66: ...t you enter a value string or IP address Other attributes require that you choose from a predefined list of values If the Multivalued indicator is dimmed an attribute can have only one value If the Multivalued attribute is not dimmed you can add multiple values for the attribute Checklist attributes only To set this value to the default value for the attribute which is useful in situations where t...

Page 67: ...ofile window 6 Click OK to save the profile Removing a Profile To remove a profile 1 Open the Profiles panel 2 Select the entry for the profile you want to remove 3 Click the Delete button on the RSA RADIUS Administrator toolbar or right click the profile entry and choose Delete from the context menu 4 When you are prompted to confirm the deletion click Yes ...

Page 68: ...56 Administering Profiles September 2005 ...

Page 69: ...ow long RSA RADIUS Server has been running Displaying Server Authentication Statistics Authentication statistics Figure 18 summarize the number of authentication acceptances and rejections with summary totals for each type of rejection or retry To display authentication statistics for the RSA RADIUS server 1 Open the Statistics panel 2 Select the server for which you want to display statistics in ...

Page 70: ... Statistics Authentication Statistic Meaning Transactions Accepts The current average and peak number of RADIUS transactions that resulted in an Access Accept response since the last time authentication statistics were reset Rejects The current average and peak number of RADIUS transactions that resulted in an Access Reject response since the last time authentication statistics were reset These ar...

Page 71: ...ent is sending incorrectly formed packets to RSA RADIUS Server Either the RADIUS client is misconfigured or the RADIUS client does not conform to the RADIUS standard Failed Authentication The number of failed authentication requests where the failure is due to invalid user ID or password If all transactions are failing authentication the shared secret configured on the RSA RADIUS Server does not m...

Page 72: ... transactions The transaction start and stop numbers rarely match as many transactions can be in progress at any given time To display accounting statistics for the RSA RADIUS server 1 Open the Statistics panel 2 Select the server for which you want to display statistics in the Server list 3 Click the System tab 4 Click the View list and choose Accounting Figure 19 Statistics Panel System Accounti...

Page 73: ... down gracefully since the last time authentication statistics were reset Total The sum of the start stop on and off totals since the last time authentication statistics were reset Failure Details Dropped Packet The number of RADIUS accounting packets dropped by RSA RADIUS Server because the server was flooded with more packets than it could handle Invalid Request The number of invalid RADIUS requ...

Page 74: ... the System tab 4 Click the View list and choose the type of statistics you want to display Z Accounting Request Diagnostics Displays the number of duplicate messages messages with invalid secrets malformed messages messages with incorrect types ignored messages and dropped requests for each RADIUS client Z Accounting Request Types Displays the number of accounting start messages accounting stop m...

Page 75: ... 5 Optionally sort the messages by clicking a column header NOTE The RADIUS client statistics are not displayed dynamically To see the most recent statistics for a RADIUS client click the Refresh button in the toolbar Figure 20 Statistics Panel RADIUS Client Statistics ...

Page 76: ...64 Displaying Statistics September 2005 ...

Page 77: ...rk administrator modifies the configuration on the Primary RADIUS Server and the Primary RADIUS Server propagates the new configuration to its Replica RADIUS Servers This chapter describes how to manage your Primary and Replica RADIUS servers NOTE Settings in RSA RADIUS Server configuration ini files are not copied as part of the replication process If you change a setting in an RSA RADIUS Server ...

Page 78: ...omatically after you install the RSA RADIUS Server software and configuration package file replica ccmpkg and restart the server Thereafter each Replica RADIUS Server automatically connects to its Primary RADIUS Server once an hour to check whether an updated configuration package is available In some circumstances however you may want to add a Replica RADIUS Server to the server list so that it s...

Page 79: ... RADIUS server in the Secret field For privacy asterisks are echoed as you type You can click the Unmask checkbox to display the characters in the shared secret 5 Enter one or more IP addresses for your server a Click the Add button b When the Add IP Address window Figure 23 opens enter an IP address you want to associate with the server in the Address field and click Add Figure 23 Add IP Address ...

Page 80: ...ick the RADIUS server entry The Edit Server window Figure 24 opens Figure 24 Edit Server Window 3 Click the Enabled checkbox 4 Click the Save button Deleting a RADIUS Server To delete a RADIUS server 1 Open the Replication panel 2 Select the RADIUS server entry you want to delete 3 Click the Delete button on the RSA RADIUS Administrator toolbar 4 When you are prompted to confirm the deletion reque...

Page 81: ...US Servers A network administrator can manually notify a Replica RADIUS Server to download and install the current configuration package from the Primary RADIUS Server Manual notification is useful when network issues prevent the automatic download and installation of a configuration package when it is first published and the configuration on the Replica no longer matches the configuration on the ...

Page 82: ...r 6 Publish a new configuration package administratively to configure all Replica RADIUS Servers to use the new Primary RADIUS Server After you designate a new Primary RADIUS Server for a realm you can configure the old Primary RADIUS Server as a Replica RADIUS Server by downloading a configuration package published by the new Primary RADIUS Server NOTE If your old Primary RADIUS Server used alias...

Page 83: ...ity REPLICA primary name address secret where name specifies the DNS name of the Primary RADIUS Server address specifies the IP address of the Primary RADIUS Server and secret specifies the shared secret used to authenticate configuration downloads 5 Restart the updated Replica RADIUS Server so that it can load its new configuration After the Replica RADIUS Server is restarted it will be re synchr...

Page 84: ...ange the name or IP address of a Primary or Replica RADIUS Server use RSA Authentication Manager to change the Agent Host record in the Authentication Manager database 7 Publish the modified configuration to propagate the name change to the Replica RADIUS Servers Regenerating a Node Secret You can regenerate the node secret used to authenticate communication between the RSA Authentication Manager ...

Page 85: ...ervice Resetting the RADIUS Database If the RSA RADIUS Server fails the RADIUS database may remain running If this happens the RSA RADIUS Server may refuse to run To resolve this problem execute the following command to stop the mkded btrieve daemon etc init d sbrd stop force After the mkded btrieve daemon is stopped you can start the RADIUS service and the database by executing the following comm...

Page 86: ...74 Administering RADIUS Servers September 2005 ...

Page 87: ... events such as server startup or shutdown or user authentication or rejection as a series of messages in an ASCII text file Each line of the system log file identifies the date and time of the RADIUS event followed by event details You can open the current RADIUS system log file while RSA RADIUS Server is running Table 15 Logging and Reporting Files File Name Function radius ini Controls the type...

Page 88: ... recorded in the log Controlling Log File Size Optionally you can specify a maximum size for a RADIUS system log file by entering a non zero value for the LogfileMaxMBytes setting in the Configuration section of the radius ini file X If a maximum file size is set the name of the RADIUS system log file identifies the date and time it was opened YYYYMMDD_HHMM log When the current RADIUS system log f...

Page 89: ...yy is the four digit year mm is the month and dd is the day on which the log file was created The current log file can be opened while RSA RADIUS Server is running Accounting Log File Format The first six fields in every accounting log entry are provided by RSA RADIUS Server for your convenience in reading and sorting the file X Date the date when the event occurred X Time the time when the event ...

Page 90: ...t Acc Err Message Nautica Acct SessionId Nautica Acct Direction Nautica Acct CauseProtocol Nautica Acct CauseSource Telebit Accounting Info Last Number Dialed Out Last Number Dialed In DNIS Last Callers Number ANI Channel Event Id Event Date Time Call Start Date Time Call End Date Time Default DTE Data Rate Initial Rx Link Data Rate Final Rx Link Data Rate Initial Tx Link Data Rate Final Tx Link D...

Page 91: ...ding of the user service 1 Start 2 Stop 3 Interim Acct 7 Accounting On 8 Accounting Off Acct Delay Time Indicates how many seconds the client has been trying to send this record which can be subtracted from the time of arrival on the server to find the approximate time of the event generating this request Acct Input Octets Number of octets bytes received by the port over the connection present onl...

Page 92: ...r 3 Lost Service 4 Idle Timeout 5 Session Timeout 6 Admin Reset 7 Admin Reboot 8 Port Error 9 NAS Error 10 NAS Request 11 NAS Reboot 12 Port Unneeded 13 Port Preempted 14 Port Suspended 15 Service Unavailable 16 Callback 17 User Error 18 Host Request Acct Multi Session Id Unique accounting identifier to make it easy to link together multiple related sessions in a log file Acct Link Count The count...

Page 93: ...on page 43 This appendix provides X The file used to enable and configure the LDAP configuration interface LCI X An overview of the LCI and LDAP utilities X A description of the LDAP virtual schema X Information about how to use LDAP utilities to configure the RSA RADIUS Server database X Sample LDIF files that control the execution of LDAP utilities X Information about how to view rate statistics...

Page 94: ...ase X ldapsearch The ldapsearch utility locates and retrieves LDAP directory entries The ldapsearch utility opens a connection to an LDAP interface using the specified distinguished name and password binds and locates entries based on the specified search filter A search can return a single entry an entry s immediate subentries or an entire tree or subtree Search results are returned in LDIF forma...

Page 95: ...rypted run the LDAP utilities on the same computer as RSA RADIUS Server Downloading the LDAP Utilities To use the LCI you need the freeware ldapsearch ldapmodify and ldapdelete utilities You can download the free LDAP utilities as follows 1 Use a browser to navigate to http www sun com download products xml id 3ec28dbd 2 When the Sun ONE Directory SDK software development kit download page appears...

Page 96: ...ption to direct the utilities to use version 2 features For example ldapmodify c V 2 p 354 D cn admin o radius w radius f filename Configuring the LDAP TCP Port To avoid conflicts with LDAP services that may already be installed the default TCP port number for communication between RSA RADIUS Server and the LDAP client is 667 If you are certain that there will not be any conflicts you can change t...

Page 97: ...ure 26 LDAP Schema Slide 1 of 4 1 n 1 n Available Attributes Login Limit number Profile string Available Child Objects radiuslist reply radiuslist check radiusclass profile radiusname MYPROFILE 1 n radiusclass securid user radiusname MYPROFILE radiusclass server Available Attributes Server Password string Server Password Enabled 0 1 Default Reject Msg string Unknown User Msg string Lists Mismatch ...

Page 98: ...adiusstatus sessions_by_user radiusstatus sessions framed ip address aaa bbb ccc ddd radiusstatus sessions_by_ipaddress Available Attributes client string acct session id number nas ip address string nas port string nas port type string acct multi session id number framed ip address string session start time time fullname string username string called station id string calling station id string el...

Page 99: ...p time seconds ip address aaa bbb ccc ddd version major minor rev authentication threads number accounting threads number total threads number max acct threads number max auth threads number max total threads number high acct threads number high auth threads number high total threads number high acct threads since reset number high auth threads since reset number high total threads since reset num...

Page 100: ...e lowercase rules for object names are the same as in the RSA RADIUS Administrator application almost all object names are stored in the database in uppercase format X Attributes The LDAP virtual schema diagram does not explicitly list all the dictionary attributes that are available in the latest version of RSA RADIUS Server The rules for entering dictionary attributes are that the attribute name...

Page 101: ...s can include attributes whose contents are the value of received attribute This feature is referred to as echoing the attribute To signal that a return list attribute must be treated as an echo attribute specify the attribute value as the string echo X Unspecified or 0 0 0 0 RAS IP address When you display acct_stats_by_nasipaddr information any RAS entries with an unspecified IP address or an IP...

Page 102: ...lient o radius radiusname Table 17 Searching for Records Using the ldapsearch Command ldapsearch Option Meaning V 2 LDAP Version 2 is used to communicate with the server NOTE This option is not required but specifying it improves the performance of the transaction p 354 TCP port 354 is used to communicate with the LDAP interface of the server NOTE This option is not required but specifying it impr...

Page 103: ...ify Command ldapmodify Option Meaning c The command is to run in continuous mode do not stop on errors V2 The version 2 dialect of LDAP is to be used to communicate with the server NOTE This option is not required but specifying it improves the performance of the transaction h hostname The name of the host to which this command applies If none is given the command is applied to the local database ...

Page 104: ...hed name of entry changetype keyword subkeyword attribute attribute value changetype keyword subkeyword attribute attribute value changetype keyword subkeyword attribute attribute value where keyword can be add modify or delete subkeyword can be respectively add replace or delete attribute can be any LDAP attribute in the entry value is the value to assign to the attribute Repeated changetype keyw...

Page 105: ...ype delete delete acct shared secret If the subkeyword is add or replace an attribute value entry must appear immediately following the subkeyword attribute entry If the subkeyword is delete the attribute value entry does not apply and should be omitted Adding Records You can populate an LDAP database by creating an LDIF file that imports entries from one LDAP database into another You can search ...

Page 106: ...his causes the command to fail You can use ldapdelete to remove records from the LDAP database without supplying a file For example to delete the profile record identified as PROFILE1 you would enter the following ldapdelete V2 h hostname p 667 D cn admin o radius w password radiusname PROFILE1 radiusclass profile o radius You can delete records with the ldapmodify command if the entries in the te...

Page 107: ...tor the performance of your RSA RADIUS Server Counter Statistics The statistics counters can be accessed through the LCI by executing the following one line command ldapsearch V 2 h 127 0 0 1 p 667 D cn admin o radius w radius s sub T b radiusstatus statistics o radius stattype typeofstatus The following sections illustrate the variables displayed for each setting of the stattype parameter stattyp...

Page 108: ... silent discard 0 total transactions 8 invalid request 0 failed authentication 0 failed on check list 0 insufficient resources 0 transactions retried 0 total retry packets 0 stattype accounting dn stattype accounting radiusstatus statistics o radius objectclass top objectclass radiusstatus radiusstatus statistics stattype accounting start 0 stop 0 on 0 off 0 total transactions 0 invalid request 0 ...

Page 109: ...ate measured since startup or the most recent statistics reset command X Peak rate statistics identify the highest rate observed since startup or the most recent statistics reset command To read rate statistics from the LCI you must set stattype rate This results in output such as the following rate statistics seconds per interval 1 auth request current rate 0 auth request average rate 0 auth requ...

Page 110: ...98 Using the LDAP Configuration Interface September 2005 ...

Page 111: ...P Access Point A device that serves as a communication hub to connect 802 1X wireless clients to a wired network attribute RADIUS attributes carry the specific authentication authorization and accounting authentication The process of verifying the identity of a person or file system and whether the person is allowed on a protected network authentication server A back end database server that verif...

Page 112: ...s verified when presented to an authenticator such as a password or a digital certificate CRL Certificate Revocation List A data structure that identifies the digital certificates that have been invalidated by the certificates issuing CA prior to their expiration date dictionary Text file that stores the lists of RADIUS attributes used to parse authentication accounting requests and generate respo...

Page 113: ...g that the user enter two consecutive tokencodes ensures that the user has possession of the token node secret Symmetric key used to encrypt communication between RSA RADIUS Server and RSA Authentication Manager PAP Password Authentication Protocol passcode A one time authentication string consisting of a user s PIN followed by the user s tokencode PEAP Protected Extensible Authentication Protocol...

Page 114: ...LAN assignment or IP address assignment that the RAS needs to connect the user RSA Authentication Manager A host running RSA Security proprietary RSA SecurID software which identifies and authenticates users by validating their RSA SecurID passcodes SecurID Security token system that allows remote access users to generate a pseudo random value they can forward as part of an authentication sequence...

Page 115: ...ayer Security TTLS Tunneled Transport Layer Security UTC Universal Time Coordinated Also known as Greenwich Mean Time GMT or Zulu time RSA SecurID tokens are synchronized to UTC to provide a standard time basis for tokencode calculation VSA Vendor Specific Attribute VSAs allow vendors to support proprietary RADIUS attributes that are not defined in RFCs 2865 and 2866 WLAN Wireless Local Area Netwo...

Page 116: ...104 Glossary September 2005 ...

Page 117: ...checklist attributes 13 D Dropped Packet 59 61 E EAP 15 see RSA Security EAP EAP 32 see Protected One Time Password POTP 1 echo property 15 F Failed Authentication 59 Failed on Checklist 59 Framed Compression 15 G Generic Token Card 1 H host agent 8 I Insufficient Resources 59 Invalid Request 59 L log files 10 LogAccept 76 LogLevel 76 LogReject 76 M make of RAS 5 Make model field 12 model of RAS 5...

Page 118: ...erver see RAS Replication panel 66 return list attributes 14 RSA Authentication Manager 2 3 4 21 22 35 53 RSA Security EAP 1 2 rsaconfiguretool 18 70 71 72 rsainstalltool 18 28 30 70 71 72 S shared secret 5 7 Silent Discards 59 Statistics panel 57 system assigned values 15 T tokencode 3 Total Retry Packets 59 TraceLevel 76 Transactions Retried 59 TTLS PAP 2 tunnel 2 Tunneled Transport Layer Securi...

RSA Security RSA RADIUS Server 6.1, Administrator'S Manual, Page: 97 / 118

Search results

Summary of Contents for RSA RADIUS Server 6.1

Reviews: