Configuring a radius server – Amer Networks E5Web GUI User Manual
Page 526

RADIUS Security
To provide security, a common shared secret is configured on both the RADIUS client and the
server. This secret enables encryption of the messages sent from the RADIUS client to the server
and is commonly configured as a relatively long text string. The string can contain up to 100
characters and is case sensitive.
RADIUS uses PPP to transfer username/password requests between client and RADIUS server, as
well as using PPP authentication schemes such as PAP and CHAP. RADIUS messages are sent as
UDP messages via UDP port 1812.
The Primary Retry Interval
The Primary Retry Interval property for an Authentication Interval object specifies the behavior
after the primary RADIUS server is unresponsive and a secondary server is used instead. If the
Primary Retry Interval is set to zero, the selected secondary server will continue to be used even
though the primary server may become available later.
If set, the Primary Retry Interval property specifies the number of seconds to wait before cOS Core
tries to reach the primary server again. These retries will continue indefinitely. If the primary
server becomes available, cOS Core will immediately switch back to it from the secondary.
Setting the Source IP
By default, the Source IP property will be set to Automatic and the IP address of the security
gateway's sending interface will be used as the source address for traffic sent to the RADIUS
server. If this property is set to Manual, a specific source IP address can be used for traffic sent to
the server.
If the source IP address is specified, the administrator must also manually configure cOS Core to
ARP publish the IP address on the sending interface. Doing this is described in Section 3.5.3, “ARP
Publish”.
Support for Groups
RADIUS authentication supports the specification of groups for a user. This means that a user can
also be specified as being in the administrators or auditors group.
Note: Set the RADIUS Vendor ID for group membership
If the RADIUS server is required to send the group membership, it is necessary to use the
Clavister-User-Group vendor specific attribute when configuring the server. The
Clavister Vendor ID is 5089 and the Clavister-User-Group is defined as vendor-type 1
with a string value type.
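As an added illustration of the note above (not code from the manual or from the product vendor), the following Python script encodes and parses the Clavister-User-Group vendor-specific attribute using the Vendor ID 5089 and vendor-type 1 given in the note; the attribute bytes it parses are constructed here, and the parser rejects malformed attribute lengths rather than trusting them.

```python
import struct

VENDOR_ID_CLAVISTER = 5089      # Vendor ID from the manual
VSA_TYPE = 26                   # RFC 2865 Vendor-Specific attribute type
CLAVISTER_USER_GROUP = 1        # vendor-type from the manual (string value)


def encode_user_group(group: str) -> bytes:
    """Build one Vendor-Specific attribute carrying Clavister-User-Group."""
    value = group.encode("utf-8")
    # Attribute Length is one byte (max 253) and includes type, length,
    # the 4-byte Vendor-Id and the 2-byte vendor sub-header.
    if not 1 <= len(value) <= 247:
        raise ValueError("group name length out of range for one VSA")
    vendor_data = struct.pack("!BB", CLAVISTER_USER_GROUP, 2 + len(value)) + value
    return struct.pack("!BBI", VSA_TYPE, 6 + len(vendor_data), VENDOR_ID_CLAVISTER) + vendor_data


def parse_attributes(blob: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list; bad lengths raise."""
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("attribute length exceeds packet")
        yield atype, blob[i + 2:i + alen]
        i += alen


def extract_user_groups(blob: bytes) -> list:
    """Return group names from Clavister-User-Group VSAs; other vendors are ignored."""
    groups = []
    for atype, value in parse_attributes(blob):
        if atype != VSA_TYPE or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_ID_CLAVISTER:
            continue
        j = 4                               # one VSA may hold several sub-attributes
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                break                       # malformed sub-attribute: stop, do not guess
            if vtype == CLAVISTER_USER_GROUP:
                groups.append(value[j + 2:j + vlen].decode("utf-8", errors="replace"))
            j += vlen
    return groups


# Constructed Access-Accept attribute list: User-Name "admin", a foreign VSA
# (vendor id 99, made up here), then the Clavister group attribute.
SAMPLE_ATTRIBUTES = (b"\x01\x07admin"
                     + b"\x1a\x0a\x00\x00\x00\x63\x01\x04ab"
                     + encode_user_group("administrators"))
```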
Example 8.2. Configuring a RADIUS Server
The following steps illustrate how a RADIUS server is configured. Assume that the cOS Core
object will have the name rs_users and the IPv4 address radius_ip which is already defined in the
address book.
The connecting port will be 1812 (the default) and a shared secret of mysecretcode will be used
Chapter 8: User Authentication