8.8. RADIUS Relay
Overview
The NetDefendOS RADIUS Relay feature is designed for telecom scenarios, such as Mobile Data Offloading (MDO), where User Equipment (UE), such as a smartphone, switches from an operator's wireless network to communicating using WiFi via an Access Point (AP). The AP connects the UE to resources, such as the public Internet, via a NetDefend Firewall, with the firewall controlling this access.
To gain access to the resources behind the NetDefend Firewall, the UE must authenticate itself via the AP using a RADIUS server. The AP sends a RADIUS authentication request to NetDefendOS, which relays it to a RADIUS server. The server's reply is relayed back to the AP, and authenticated users are entered into the NetDefendOS user list so that they can then be granted access to resources based on NetDefendOS security policies.
Event Sequence During RADIUS Relay Authentication
The following sequence of events occurs with RADIUS relay:
• The UE requests network access from an AP.
• The AP sends a RADIUS Access-Request to NetDefendOS. Provided that the NetDefendOS RADIUS relay feature has been set up, this request is forwarded to the configured RADIUS server.
• The RADIUS server either authenticates or does not authenticate the UE by sending a RADIUS Access-Accept or Access-Reject message back to NetDefendOS. The content of these messages is examined by NetDefendOS as they are relayed back to the AP.
• If the UE is authenticated by the RADIUS server, it issues a DHCP request and a DHCP IP lease from the configured NetDefendOS DHCP server is sent back to the UE. The DHCP server must be configured so that leases are only distributed to authenticated clients (the LeasesRequireAuth option is enabled).
• Successful authentication also means that NetDefendOS includes the UE's username in its list of logged-in users (visible with the CLI userauth command and through the Web Interface), and this allows the UE access to resources determined by predefined NetDefendOS security policies.
Using Group Membership
NetDefendOS security policies can be based on group membership, where the UE's membership in a group determines if access is allowed. If this is the case, the RADIUS server must be specially configured to send back the group name of the user during authentication. In addition, RADIUS servers communicating with NetDefendOS must have the Vendor ID set correctly. Doing this is described further at the end of this section.
It is also important that the IP rule or IP policy that allows access by the UE uses an IP address object for its Source Network which has its Authentication property (the UserAuthGroups property in the CLI) set to the same group name sent back by the RADIUS server. Doing this is described further in Section 8.5, “Policies Requiring Authentication”.
If validation with group membership is not required, then the No Defined Credentials property of the IP address object used for the Source Network should be enabled.
A symptom that the group name has not been specified for the Source Network address object is
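The relay logic described above (validate the server's reply, relay Access-Reject, and log the user in only when the group returned in the Vendor-Specific attribute matches the Source Network object's group) as an added Python model; this is example code, not NetDefendOS code. The Vendor ID value, the vendor attribute type carrying the group name, the shared secret and the packets are constructed assumptions for the example; rule_group=None models a Source Network object with No Defined Credentials enabled.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_VENDOR_SPECIFIC = 26
VENDOR_ID = 5089    # assumption: placeholder for the Vendor ID configured on the RADIUS server
VSA_GROUP_TYPE = 1  # assumption: vendor attribute type that carries the user's group name

def parse_attrs(data):
    """Yield (type, value) pairs from a run of RADIUS attribute TLVs (RFC 2865 layout)."""
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        yield data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]

def build_reply(code, ident, request_auth, secret, attrs):
    """Constructed server reply: header, Response Authenticator (MD5 over header,
    Request Authenticator, attributes and shared secret), then the attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body

def group_vsa(vendor_id, vtype, name):
    """Vendor-Specific attribute value: 4-byte Vendor ID followed by one vendor TLV."""
    return struct.pack("!I", vendor_id) + bytes([vtype, len(name) + 2]) + name

def relay_decision(reply, pending, secret, rule_group):
    """pending = {"ident": id, "authenticator": 16 bytes} saved when the AP's
    Access-Request was forwarded; returns (action, group_from_server)."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != pending["ident"]:
        return ("drop", None)        # not a reply to an outstanding request
    attrs = reply[20:]
    expected = hashlib.md5(reply[:4] + pending["authenticator"] + attrs + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return ("drop", None)        # wrong shared secret: not from the configured server
    if code != ACCESS_ACCEPT:
        return ("reject", None)      # Access-Reject is relayed to the AP, user not logged in
    group = None
    for t, v in parse_attrs(attrs):
        if t == ATTR_VENDOR_SPECIFIC and len(v) >= 4 and struct.unpack("!I", v[:4])[0] == VENDOR_ID:
            for vt, vv in parse_attrs(v[4:]):
                if vt == VSA_GROUP_TYPE:
                    group = vv.decode()
    if rule_group is not None and group != rule_group:
        return ("logged-in-no-access", group)   # authenticated, but no IP rule matches the group
    return ("logged-in", group)
```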
Chapter 8: User Authentication
652