
Configure > RADIUS client 4.73 – Westermo MR Series User Manual

Page 223


6622-3201

Web Interface and Command Line Reference Guide

www.westermo.com

4.73 Configure > RADIUS client

The RADIUS client may be used for authentication purposes at the start of remote command sessions,
SSH sessions, FTP sessions and Web sessions. Depending on how the RADIUS client is configured, the
unit may authenticate with one of two RADIUS servers, or may locally authenticate a user using the
existing user tables configured on the unit.

When the unit has obtained the remote user username and password, the RADIUS client is used to
pass this information (from the Username and Password attributes) to the specified RADIUS server
for authorisation. The server should reply with either an ACCEPT or REJECT message.

The RADIUS client may be configured with up to two NASs (Network Access Servers). It may also
have local authentication turned ON or OFF depending on system requirements.

When a user is authenticated, the configured RADIUS servers are contacted first. If a valid ACCEPT
or REJECT message is received from the server, the user is allowed or denied access respectively. If
no response is received from the first server, the second server is tried (if configured). If that server
fails to respond, local authentication takes place unless this functionality is disabled. If both servers
are unreachable, and local authorisation is disabled, all authentication attempts fail.

If a RADIUS server replies with a REPLY-MESSAGE attribute (18), this message will be displayed to
the user after the login attempt and after any configured “post-banner”. The unit will then display a
“Continue Y/N?” prompt to the user. If the user selects “N”, the remote session will be terminated.
This applies to remote command sessions and SSH sessions only.

If the login attempt is successful and the server sends an IDLE-TIMEOUT attribute (28), the idle
time specified will be assigned to the remote session. If no IDLE-TIMEOUT attribute is sent, the
unit will apply the default idle timeout values to the session.

When the session starts and ends, the unit will send RADIUS accounting START/STOP messages to
the configured server. Again, if no response is received from the primary accounting server, the
secondary server will be tried. No further action is taken if the second accounting server is
unreachable.

Because the unit has separate configurations for authorisation and accounting servers, it is
possible to configure the unit to perform authorisation functions only, or accounting only, or both.
One example of how this might be used is to perform local authorisations, but send accounting
start/stop records to an accounting server.
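The server order and attribute handling described above, as an added Python example that is not the unit's firmware or any Westermo code: servers are modelled as callables returning a decision plus raw RADIUS attribute bytes, or None when they do not respond. The default idle time, the server stubs and the local user record are constructed for illustration.

```python
import hmac
import struct

REPLY_MESSAGE = 18           # Reply-Message: text shown to the user after login
IDLE_TIMEOUT = 28            # Idle-Timeout: seconds, 4-byte big-endian integer
DEFAULT_IDLE_TIMEOUT = 300   # constructed stand-in for the unit's default idle time

def parse_attributes(data):
    """Walk RADIUS attribute TLVs (type, length, value) and pull out
    Reply-Message (18) and Idle-Timeout (28); reject malformed lengths."""
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = data[pos + 2:pos + alen]
        if atype == REPLY_MESSAGE:
            attrs["reply_message"] = value.decode("utf-8", "replace")
        elif atype == IDLE_TIMEOUT and len(value) == 4:
            attrs["idle_timeout"] = struct.unpack("!I", value)[0]
        pos += alen
    return attrs

def authenticate(user, password, servers, local_enabled, local_users):
    """servers: callables returning ("ACCEPT"|"REJECT", attribute bytes) or
    None when silent. A definite answer from any server is final; only
    silence falls through, ending in local auth when that is enabled.
    Returns (decision, reply_message, idle_timeout)."""
    for query in servers:
        reply = query(user, password)
        if reply is None:
            continue                      # no response: try the next server
        code, attrs = reply[0], parse_attributes(reply[1])
        idle = attrs.get("idle_timeout", DEFAULT_IDLE_TIMEOUT) if code == "ACCEPT" else None
        return code, attrs.get("reply_message"), idle
    if local_enabled and user in local_users and \
            hmac.compare_digest(local_users[user], password):
        return "ACCEPT", None, DEFAULT_IDLE_TIMEOUT
    return "REJECT", None, None

# Constructed servers for the example (not real RADIUS traffic).
_attr = lambda atype, value: bytes([atype, len(value) + 2]) + value
unreachable = lambda user, password: None   # constructed: primary never answers

def secondary(user, password):
    # Constructed server: accepts alice with a Reply-Message and a 600 s Idle-Timeout.
    if (user, password) == ("alice", "s3cret"):
        return "ACCEPT", _attr(REPLY_MESSAGE, b"Welcome") + _attr(IDLE_TIMEOUT, struct.pack("!I", 600))
    return "REJECT", b""
```

A REJECT from the secondary server is final even when the same user exists in the local tables; local authentication is reached only when both servers stay silent.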

Using the Web Page(s)

The Configure > RADIUS client > Client n page allows you to set the parameters for RADIUS
client operation:

Primary authorisation NAS ID:

This is an identifier which is passed to the primary authorisation NAS and is used to identify
the RADIUS client. The appropriate value will be supplied by the Primary authorisation NAS
administrator.

Primary authorisation server IP address:

This is the IP address of the primary authorisation NAS.

Primary authorisation server password:

This password is supplied by the Primary authorisation NAS administrator and is used in
conjunction with the Primary authorisation NAS ID to authenticate RADIUS packets.

Confirm primary authorisation server password:

This parameter is used to confirm the password value entered above.

Secondary authorisation NAS ID:

This is an identifier which is passed to the Secondary authorisation NAS and is used to identify
the RADIUS client. The appropriate value will be supplied by the Secondary authorisation NAS
administrator.

Secondary authorisation server IP address:

This is the IP address of the Secondary authorisation NAS server.
