6620-3201
4.66 Configure > RADIUS client
The RADIUS client may be used for authentication purposes at the start of remote command
sessions, SSH sessions, FTP and WEB sessions. Depending on how the RADIUS client is
configured, the unit may authenticate with one of two RADIUS servers, or may locally authenticate a
user using the existing user tables configured on the unit.
When the unit has obtained the remote user's username and password, the RADIUS client passes
this information (in the User-Name and User-Password attributes of an Access-Request) to the
specified RADIUS server for authorisation. The server should reply with either an ACCEPT
(Access-Accept) or a REJECT (Access-Reject) message.
The RADIUS client may be configured with up to two servers, which the configuration pages
refer to as NAS's (Network Access Servers). Note that in RADIUS terminology the NAS is the unit
itself, i.e. the RADIUS client; the "NAS ID" settings below are the identifier the unit sends to
each server. The client may also have local authentication turned ON or OFF depending on
system requirements.
When a user is authenticated, the configured RADIUS servers are contacted first. If a valid ACCEPT
or REJECT message is received from the server, the user is allowed or denied access respectively.
If no response is received from the first server, the second server is tried (if configured). If that
server also fails to respond, local authentication takes place unless this functionality is disabled.
If both servers are unreachable and local authentication is disabled, all authentication attempts fail.
A REJECT from a reachable server is therefore final: the local user tables are only consulted when
neither server answers at all. Conversely, with local authentication enabled, anything that makes
both servers unreachable (including deliberate blocking of RADIUS traffic) causes logins to be decided
by the local user tables, so those local accounts need the same care as the RADIUS-managed ones.
If a RADIUS server replies with a REPLY-MESSAGE attribute (18), this message will be displayed
to the user after the login attempt and after any configured "post-banner". The unit will then display a
"Continue Y/N?" prompt to the user. If the user selects "N", the remote session will be terminated. This
applies to remote command sessions and SSH sessions only.
If the login attempt is successful and the server sends an IDLE-TIMEOUT attribute (28), the idle time
specified will be assigned to the remote session. If no IDLE-TIMEOUT attribute is sent, the unit will
apply the default idle timeout values to the session.
When the session starts and ends, the unit will send RADIUS accounting START/STOP messages
to the configured accounting server. Again, if no response is received from the primary accounting
server, the secondary server will be tried. No further action is taken if the second accounting server
is unreachable.
Because the unit has separate configurations for authorisation and accounting servers, it can be
configured to perform authorisation only, accounting only, or both. For example, the unit could
authenticate users locally but still send accounting START/STOP records to an accounting server.
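The following is an added example, not Digi's code, showing the client-side sequence the
preceding paragraphs describe: an Access-Request carrying User-Name, the RFC 2865 hidden
User-Password and NAS-Identifier; verification of the server's Response Authenticator with the
shared secret before any reply is trusted; extraction of REPLY-MESSAGE (18) and IDLE-TIMEOUT (28);
the primary/secondary/local fallback order; and accounting START/STOP with its own server list.
The server is a constructed in-process stand-in (`fake_server`); on a real unit `send()` would
be a UDP exchange with the configured server. Server names, secrets and users are assumptions.

```python
# Added example, not Digi's code: a RADIUS client that follows the sequence described
# above. fake_server() stands in for a real server; on a unit send() would be a UDP exchange.
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST, ACCT_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, IDLE_TIMEOUT, NAS_ID, ACCT_STATUS = 1, 2, 18, 28, 32, 40

def encode_attrs(attrs):  # Type-Length-Value; Length includes the two header bytes
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    raw = password.encode()
    raw += b"\x00" * (-len(raw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(raw), 16):
        prev = bytes(a ^ b for a, b in zip(raw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def header(code, ident, auth, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def response_auth(code, ident, req_auth, body, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header(code, ident, req_auth, body) + secret).digest()

def parse_reply(pkt, ident, req_auth, secret):
    """Trust a reply only if length, identifier and Response Authenticator all check out."""
    code, rid, length = struct.unpack("!BBH", pkt[:4]) if len(pkt) >= 20 else (0, -1, -1)
    if length != len(pkt) or rid != ident:
        raise ValueError("short packet or length/identifier mismatch")
    if not hmac.compare_digest(pkt[4:20], response_auth(code, rid, req_auth, pkt[20:], secret)):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code, decode_attrs(pkt[20:])

def authenticate(username, password, servers, local_users=None, ident=0):
    """servers: [(nas_id, shared_secret, send)] primary first; send() returns None on timeout.
    A valid ACCEPT or REJECT ends the search; only silence moves on; local tables come last."""
    empty = {"accepted": False, "source": None, "reply_message": None, "idle_timeout": None}
    for nas_id, secret, send in servers:
        req_auth = os.urandom(16)  # fresh Request Authenticator per attempt
        body = encode_attrs([(USER_NAME, username.encode()), (NAS_ID, nas_id),
                             (USER_PASSWORD, hide_password(password, secret, req_auth))])
        reply = send(header(ACCESS_REQUEST, ident, req_auth, body))
        if reply is None:
            continue  # no response: try the next configured server
        code, attrs = parse_reply(reply, ident, req_auth, secret)
        result = dict(empty, accepted=(code == ACCESS_ACCEPT), source=nas_id.decode())
        for t, v in attrs:
            if t == REPLY_MESSAGE:
                result["reply_message"] = v.decode()
            elif t == IDLE_TIMEOUT:
                result["idle_timeout"] = struct.unpack("!I", v)[0]
        return result
    if local_users is None:  # both servers silent and local authentication disabled: fail
        return empty
    ok = username in local_users and hmac.compare_digest(local_users[username].encode(), password.encode())
    return dict(empty, accepted=ok, source="local")

def account(status, username, acct_servers, ident=1):
    """Accounting-Request (status 1 = Start, 2 = Stop): primary, then secondary; returns the
    acknowledging server's NAS ID, or None when neither answered (no further action taken)."""
    body = encode_attrs([(ACCT_STATUS, struct.pack("!I", status)), (USER_NAME, username.encode())])
    for nas_id, secret, send in acct_servers:
        # RFC 2866: Request Authenticator = MD5(Code + ID + Length + 16 zero bytes + Attrs + Secret)
        req_auth = response_auth(ACCT_REQUEST, ident, b"\x00" * 16, body, secret)
        reply = send(header(ACCT_REQUEST, ident, req_auth, body))
        if reply is not None and parse_reply(reply, ident, req_auth, secret)[0] == ACCT_RESPONSE:
            return nas_id.decode()
    return None

def fake_server(secret, users, reachable=True, reply_message=None, idle_timeout=None):
    """Constructed stand-in for a RADIUS server; checks the password by re-hiding the stored one."""
    def send(pkt):
        if not reachable:
            return None
        code, ident, _ = struct.unpack("!BBH", pkt[:4])
        req_auth, attrs = pkt[4:20], dict(decode_attrs(pkt[20:]))
        if code == ACCT_REQUEST:
            return header(ACCT_RESPONSE, ident, response_auth(ACCT_RESPONSE, ident, req_auth, b"", secret), b"")
        user = attrs.get(USER_NAME, b"").decode()
        ok = user in users and hmac.compare_digest(hide_password(users[user], secret, req_auth),
                                                   attrs.get(USER_PASSWORD, b""))
        extra = [(IDLE_TIMEOUT, struct.pack("!I", idle_timeout))] if ok and idle_timeout else []
        if reply_message:
            extra.append((REPLY_MESSAGE, reply_message.encode()))
        code, body = (ACCESS_ACCEPT if ok else ACCESS_REJECT), encode_attrs(extra)
        return header(code, ident, response_auth(code, ident, req_auth, body, secret), body)
    return send

if __name__ == "__main__":  # constructed scenario: primary down, secondary answers
    pri = (b"unit-pri", b"s3cret-A", fake_server(b"s3cret-A", {"alice": "pw"}, reachable=False))
    sec = (b"unit-sec", b"s3cret-B", fake_server(b"s3cret-B", {"alice": "pw"}, idle_timeout=600))
    print(authenticate("alice", "pw", [pri, sec], local_users={"admin": "local"}), account(1, "alice", [pri, sec]))
```

Two details matter in practice: the client checks the Response Authenticator before reading any attribute, so a reply from a host that does not hold the shared secret (or a reply tampered with in transit) is rejected rather than acted upon, and the ACCEPT/REJECT decision from a reachable server is returned as-is, with the local user table consulted only when every configured server stays silent.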
Using the Web Page(s)
The Configure > RADIUS client > Client n page allows you to set the parameters for RADIUS client
operation:
Primary authorisation NAS ID:
This is an identifier which is passed to the primary authorisation NAS and is used to identify the
RADIUS client. The appropriate value will be supplied by the Primary authorisation NAS administrator.
Primary authorisation server IP address:
This is the IP address of the primary authorisation server (the RADIUS server, labelled NAS on this page).
Primary authorisation server password:
This is the RADIUS shared secret supplied by the Primary authorisation NAS administrator. It is used in
conjunction with the Primary authorisation NAS ID to authenticate RADIUS packets exchanged with that
server, so it must match the secret configured for this unit on the server.
Confirm primary authorisation server password:
This parameter is used to confirm the password value entered above.
Secondary authorisation NAS ID:
This is an identifier which is passed to the Secondary authorisation NAS and is used to identify
the RADIUS client. The appropriate value will be supplied by the Secondary authorisation NAS
administrator.