
Radius relay – Amer Networks E5Web GUI User Manual

Page 558


8.8. Radius Relay

Overview

The cOS Core feature RADIUS Relay is designed for telecom scenarios, such as Mobile Data Offloading (MDO), where User Equipment (UE), such as a smartphone, switches from an operator's wireless network to communicating using WiFi via an Access Point (AP). The AP connects the UE to resources, such as the public Internet, via a Clavister Security Gateway, with the security gateway controlling this access.

To gain access to the resources behind the Clavister Security Gateway, the UE must authenticate itself via the AP using a RADIUS server. A RADIUS authentication request is sent to cOS Core by the AP, which relays it to a RADIUS server. The server's reply is relayed back to the AP, and authenticated users are entered into the cOS Core user list so that they can then be granted access to resources based on cOS Core security policies.

Event Sequence During RADIUS Relay Authentication

The following sequence of events occurs with RADIUS relay:

1. The UE requests network access from an AP.

2. The AP sends a RADIUS Access-Request to cOS Core. Provided the cOS Core RADIUS relay feature has been set up, this request is forwarded to the configured RADIUS server.

3. The RADIUS server accepts or rejects the UE by sending a RADIUS Access-Accept or Access-Reject message back to cOS Core. cOS Core examines the content of these messages as they are relayed back to the AP.

4. If the UE is authenticated by the RADIUS server, it issues a DHCP request and a DHCP IP lease from the configured cOS Core DHCP server is sent back to the UE.

   The DHCP server must be configured so that leases are only distributed to authenticated clients (the LeasesRequireAuth option is enabled).

5. Successful authentication also means that cOS Core includes the UE's username in its list of logged-in users (visible with the CLI userauth command and through the Web Interface), and this allows the UE access to resources determined by predefined cOS Core security policies.

cOS Core security policies may be based on group membership, in which case the RADIUS
server must be specially configured to send back the group name of the user during
authentication. RADIUS servers communicating with cOS Core must have the Vendor ID set
correctly and this is described further at the end of this section.

The IP rule or IP policy that allows access by the UE to protected networks must use an IP address object as the source network property which has been configured with the Authentication property (UserAuthGroups property in the CLI) set to the same group name sent back by the RADIUS server. This is described further in Section 8.5, "Policies Requiring Authentication".
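The exchange in the event sequence above (AP to relay to RADIUS server and back, with the group name returned by the server in a Vendor-Specific attribute), as an added worked example in Python. This is not cOS Core code and not part of the manual; it is an offline model of the RFC 2865 messages that shows the check a relay must make before it trusts an Access-Accept: the Response Authenticator of the reply has to verify under the shared secret against the Request Authenticator of the request that was forwarded. The shared secret, the user store, the Vendor ID 99999 and the vendor-type 1 used for the group name are all constructed assumptions for the example; the Vendor ID and attribute that cOS Core actually expects are described later in the manual and are not reproduced here.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26

# Example-only assumptions: the real Vendor ID and vendor-type carrying the group
# name for cOS Core are documented later in the manual and are not reproduced here.
SHARED_SECRET = b"example-secret"
EXAMPLE_VENDOR_ID = 99999
EXAMPLE_GROUP_VSA_TYPE = 1
USER_DB = {b"ue-0001": (b"pw-0001", b"wifi-users")}  # constructed user store

def encode_attrs(attrs):
    """List of (type, value) -> RADIUS TLVs (type, length, value)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs = []
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26) payload: vendor-id, vendor-type, vendor-length, value."""
    return struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value

def hide_password(password, request_auth, secret):
    """User-Password hiding (RFC 2865 s5.2): 16-byte blocks XORed with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, request_auth, secret):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(ident, username, password, secret):
    """AP side: Access-Request carrying a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    body = encode_attrs([(ATTR_USER_NAME, username),
                         (ATTR_USER_PASSWORD, hide_password(password, request_auth, secret))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def radius_server(request, secret):
    """Server side: Accept (group in a VSA) or Reject, with Response Authenticator
    = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, request_auth = request[1], request[4:20]
    attrs = dict(decode_attrs(request[20:]))
    user = attrs.get(ATTR_USER_NAME)
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), request_auth, secret)
    code, reply_attrs = ACCESS_REJECT, []
    if user in USER_DB and hmac.compare_digest(USER_DB[user][0], password):
        code = ACCESS_ACCEPT
        reply_attrs = [(ATTR_VENDOR_SPECIFIC,
                        vsa(EXAMPLE_VENDOR_ID, EXAMPLE_GROUP_VSA_TYPE, USER_DB[user][1]))]
    body = encode_attrs(reply_attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def relay(request, reply, secret, logged_in):
    """Relay side: verify the reply against the forwarded request, then record the
    user and group on Accept. Returns (accepted, username, group)."""
    if len(reply) < 20 or len(reply) != struct.unpack("!H", reply[2:4])[0] or reply[1] != request[1]:
        raise ValueError("bad length or identifier")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: not from the configured server")
    username = dict(decode_attrs(request[20:])).get(ATTR_USER_NAME)
    group = None
    for t, v in decode_attrs(reply[20:]):
        if t == ATTR_VENDOR_SPECIFIC and len(v) >= 6:
            vid, vtype, vlen = struct.unpack("!IBB", v[:6])
            if vid == EXAMPLE_VENDOR_ID and vtype == EXAMPLE_GROUP_VSA_TYPE:
                group = v[6:4 + vlen]
    accepted = reply[0] == ACCESS_ACCEPT
    if accepted:
        logged_in[username] = group  # the equivalent of the cOS Core logged-in user list
    return accepted, username, group

def run_exchange(username, password):
    """Full AP -> relay -> server -> relay round trip; returns the relay's decision."""
    req = access_request(42, username, password, SHARED_SECRET)
    return relay(req, radius_server(req, SHARED_SECRET), SHARED_SECRET, {})

def forged_accept_is_dropped(username=b"ue-0001"):
    """An Access-Accept built without the secret must never log a user in."""
    req = access_request(43, username, b"anything", SHARED_SECRET)
    forged = struct.pack("!BBH", ACCESS_ACCEPT, req[1], 20) + os.urandom(16)
    try:
        relay(req, forged, SHARED_SECRET, {})
        return False
    except ValueError:
        return True
```

Running `run_exchange(b"ue-0001", b"pw-0001")` returns an accepted result with the group `wifi-users`, a wrong password yields a verified Access-Reject and no user-list entry, and `forged_accept_is_dropped()` shows why the authenticator check matters: an Accept injected on the path between relay and server, by someone who does not hold the shared secret, fails verification and is discarded instead of granting access. Note that this MD5-based integrity check and the User-Password hiding are what RFC 2865 provides; the RADIUS traffic between cOS Core and the server still needs a trusted network path.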

Important: Enable the DHCP server LeasesRequireAuth option

If RADIUS relay is being used in a cOS Core configuration, all DHCP servers must be configured to distribute leases only to authenticated clients. This is done by enabling the LeasesRequireAuth property in the CLI or, in the Web Interface or InControl, by enabling the option Distribute leases only to RADIUS relay authenticated clients.

Chapter 8: User Authentication

