RADIUS Server Features & Specifications
RADIUS Authentication Methods
Choose your preferred RADIUS authentication protocol method.

| Method | Description |
|---|---|
| PAP, CHAP and MS-CHAP | Password Authentication Protocol, Challenge Handshake Authentication Protocol, and Microsoft's version of CHAP. |
| WPA-compliant wireless LAN authentication | EAP-MD5, LEAP, EAP-TLS, EAP-TTLS, PEAP-GTC and PEAP-MSCHAPv2; EAP-SIM and EAP-AKA are optional. Note for WPA deployments: EAP-MD5 derives no keying material and LEAP is exposed to offline dictionary attack, so the TLS-tunnelled methods (EAP-TLS, EAP-TTLS, PEAP) are the ones to prefer. |
| EAP-SIM (optional module) | Full support for EAP-SIM (RFC 4186), including pseudonyms and fast re-authentication. Local Authentication Center (AuC) functionality using subscriber secrets (Ki) from any data store and administrator-definable A3/A8 algorithms; includes a reference implementation of the 3GPP Milenage A3/A8 algorithm. |
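How the PAP and CHAP methods listed above actually travel inside a RADIUS Access-Request, and what the server does with them, is worth seeing in code. The following is an added example, not Interlink's or the RAD-Series product's code: PAP hides the User-Password with the MD5 key stream of RFC 2865 section 5.2, and CHAP carries the RFC 1994 response in the CHAP-Password attribute (RFC 2865 section 5.3). The shared secret, passwords, Request Authenticator and CHAP challenge are constructed test values; MS-CHAP is not shown.

```python
"""Added example, not the RAD-Series product's code: how PAP and CHAP
credentials are carried in a RADIUS Access-Request (RFC 2865 s.5.2 and
s.5.3, RFC 1994) and how a server checks them against its data store.
The shared secret, passwords, Request Authenticator and CHAP challenge are
constructed test values."""
import hashlib
import hmac

SECRET = b"constructed-shared-secret"          # NAS/server shared secret (constructed)
REQ_AUTH = bytes(range(16))                    # 16-octet Request Authenticator (constructed)
CHALLENGE = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")  # CHAP-Challenge (constructed)


def pap_encode(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding, RFC 2865 s.5.2: NUL-pad to a multiple of 16
    octets, then XOR each block with MD5(secret + previous ciphertext block);
    the first block is chained from the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def pap_decode(encoded: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of s.5.2: same key stream, chained from the ciphertext
    blocks. Trailing NUL padding is removed, so a password that itself ends
    in NUL is ambiguous on the wire (a known limitation of the scheme)."""
    if not encoded or len(encoded) % 16:
        raise ValueError("malformed User-Password attribute")
    out, prev = bytearray(), req_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def pap_verify(encoded: bytes, secret: bytes, req_auth: bytes, stored: bytes) -> bool:
    """PAP hands the server the cleartext password, so it can be checked against
    any store (flat file, UNIX password file, LDAP); compare in constant time."""
    return hmac.compare_digest(pap_decode(encoded, secret, req_auth), stored)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 s.4.1: Response = MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_password_attr(ident: int, password: bytes, challenge: bytes) -> bytes:
    """What the NAS puts in the CHAP-Password attribute (type 3): the one-octet
    CHAP Ident followed by the 16-octet response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def chap_verify(chap_password: bytes, challenge: bytes, stored: bytes) -> bool:
    """Server side of RFC 2865 s.5.3: recompute the response from the cleartext
    password held in the data store. The challenge is the CHAP-Challenge
    attribute (type 60) or, if the NAS omitted it, the Request Authenticator.
    CHAP therefore needs the cleartext password in the store; it cannot be
    checked against one-way hashed UNIX password files."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)


if __name__ == "__main__":
    hidden = pap_encode(b"s3cret", SECRET, REQ_AUTH)
    print("PAP ok:", pap_verify(hidden, SECRET, REQ_AUTH, b"s3cret"))
    attr = chap_password_attr(0x42, b"s3cret", CHALLENGE)
    print("CHAP ok:", chap_verify(attr, CHALLENGE, b"s3cret"),
          "wrong password:", chap_verify(attr, CHALLENGE, b"wrong"))
```

The two methods impose opposite constraints on the data sources listed below: PAP works against any store, hashed or not, but exposes the password to the server (and to anyone holding the shared secret); CHAP never sends the password, but the server must hold it in cleartext to recompute the MD5 response.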
Data Sources
Store user data and profiles in many places and ways.

| Data source | Description |
|---|---|
| Flat file (users file / realm file) | Flat files stored with the RADIUS server. Supports all authorization features without requiring an external database or directory. Suited to small and medium deployments. |
| UNIX user (password file) | Uses the standard existing password files on UNIX systems. |
| UNIX extended sources via the password file | NIS, shadow passwords, HP security and similar UNIX data sources are inherited automatically through the UNIX password support. |
| RADIUS proxy authentication and accounting | Forwards RADIUS authentication and accounting requests to a remote server. Required for any roaming relationship or large multi-server deployment. |
| RSA ACE/Server | Support for RSA SecurID token cards. |
| LDAP | Accesses user profiles in LDAP directories. Standard LDAP access reaches many implementations, including Microsoft Active Directory. Includes Interlink schema extensions to support simple authentication policies, plus load balancing and fail-over across directory servers. |
| Active Directory | Authenticates against a Microsoft Active Directory server via LDAP. |
RADIUS Authorization Features
RADIUS authorization policy decisions and criteria.

| Feature | Description |
|---|---|
| Simple RADIUS policy | Allows or denies network access based on specific RADIUS attribute values. Sets basic session configuration parameters from the Reply items stored in the user profile. |
| Advanced Policy Engine (optional module) | A configuration engine for developing and enforcing custom policies written as simple text files of Boolean expressions. Decisions can be based on nearly any attribute-value pairs and conditional operations. |

Example: authorize across any set of independent parameters:
- system parameters: time, day, date
- edge device parameters: port number, IP address, ...
- user-specific information: user, group, role
Conditional replies allow differentiated connection services and additional security measures.
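The example above (time of day, edge-device parameters and user group feeding one decision, with conditional replies) can be made concrete. The following is an added illustration, not the product's Advanced Policy Engine and not its text-file syntax, which this page does not document: a first-match rule list evaluated over the request AVPs, the user store and the clock, returning reply items on accept. The rule format, attribute spellings, sample users, NAS addresses and clocks are all constructed.

```python
"""Added example, not the product's Advanced Policy Engine or its text-file syntax (which this
page does not document): a first-match authorization engine that decides on request AVPs,
user-store data and system time, and attaches reply items. Rule format, attribute spellings
and the users below are constructed for illustration."""
from datetime import datetime

# Constructed user store: what a users file or LDAP lookup would return after authentication.
USERS = {"alice": {"group": "staff"}, "bob": {"group": "contractor"}, "guest1": {"group": "guest"}}

# Hypothetical rule format: ordered list, first match wins, anything unmatched is rejected.
# Each condition is (attribute, operator, value) and all conditions of a rule must hold.
POLICY = [
    {"name": "block-legacy-nas", "accept": False,
     "when": [("NAS-IP-Address", "==", "192.0.2.99")]},
    {"name": "staff-wireless-office-hours", "accept": True,
     "when": [("Group", "==", "staff"), ("NAS-Port-Type", "==", "Wireless-802.11"),
              ("Hour", "between", (8, 18)), ("Weekday", "in", {0, 1, 2, 3, 4})],
     "reply": {"Tunnel-Private-Group-ID": "20", "Session-Timeout": 28800}},
    {"name": "contractor-restricted", "accept": True,
     "when": [("Group", "==", "contractor"), ("NAS-IP-Address", "in", {"192.0.2.10"})],
     "reply": {"Tunnel-Private-Group-ID": "30", "Filter-Id": "contractor-acl",
               "Session-Timeout": 3600}},
    {"name": "guest-short-leash", "accept": True,
     "when": [("Group", "==", "guest")],
     "reply": {"Tunnel-Private-Group-ID": "99", "Idle-Timeout": 600}},
]

OPERATORS = {
    "==": lambda actual, want: actual == want,
    "!=": lambda actual, want: actual != want,
    "in": lambda actual, want: actual in want,
    "between": lambda actual, want: want[0] <= actual < want[1],   # half-open range
}

# Constructed clocks so the decisions below are reproducible.
MONDAY_10 = datetime(2024, 1, 8, 10, 0)
MONDAY_21 = datetime(2024, 1, 8, 21, 0)
SATURDAY_10 = datetime(2024, 1, 6, 10, 0)


def build_facts(request, now):
    """Merge request AVPs with user-store and system parameters into one namespace."""
    facts = dict(request)
    user = USERS.get(request.get("User-Name"))
    facts["Group"] = user["group"] if user else None
    facts["Hour"], facts["Weekday"] = now.hour, now.weekday()   # weekday(): Monday = 0
    return facts


def rule_matches(rule, facts):
    """A missing attribute never satisfies a condition, so absent AVPs fail closed."""
    for attr, op, want in rule["when"]:
        actual = facts.get(attr)
        if actual is None or not OPERATORS[op](actual, want):
            return False
    return True


def authorize(request, now):
    """Return (decision, matched_rule, reply_items). Authentication is assumed to have
    already succeeded; this is the authorization step that follows it."""
    facts = build_facts(request, now)
    if facts["Group"] is None:
        return "reject", "unknown-user", {}
    for rule in POLICY:
        if rule_matches(rule, facts):
            if not rule["accept"]:
                return "reject", rule["name"], {}
            return "accept", rule["name"], rule.get("reply", {})
    return "reject", "default-deny", {}


if __name__ == "__main__":
    req = {"User-Name": "alice", "NAS-Port-Type": "Wireless-802.11", "NAS-IP-Address": "192.0.2.10"}
    print(authorize(req, MONDAY_10))     # staff rule matches, VLAN 20
    print(authorize(req, SATURDAY_10))   # same user outside office hours: default-deny
```

Two design points carry over to any policy engine of this kind: rule order matters (the deny rule is listed first so it cannot be shadowed by a broader accept), and an attribute the NAS did not send should fail the condition rather than be treated as a wildcard.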
RADIUS Authorization Reply Items
Some of the outputs the RADIUS server can return to direct a NAS to take a specific action or set a specific service level.

| Reply item | Description |
|---|---|
| Idle Time-Out | Controls the idle time allowed for a user session (Idle-Timeout attribute). Disconnects inactive sessions left tying up network resources. |
| Session Time-Out limits | Limits the length of user sessions (Session-Timeout attribute). |
| IP address assignment | Assigns the user's IP address (Framed-IP-Address) either from static addresses or from addresses relayed from DHCP. |
| Attribute pruning (filters response AVPs) | Chooses not to pass some data elements to the NAS after the user has been approved. Example: the server sends only the attribute-value pairs the particular NAS supports. |
| Attribute mapping | For legacy NAS devices: backwards compatibility for early NASs that did not implement vendor-specific attributes compliant with the RADIUS RFCs. |
| QoS | Sets throughput or bandwidth per user. |
| IP filter | Uses named filters (Filter-Id) to limit which protocols are allowed and/or where the user can go. |
| Compulsory tunnels | Forces VPN tunnels using the RFC 2868 tunnel attributes. |
| Wireless VLANs | VLANs build boundaries that protect sensitive data while enabling access to role-based network resources. Authenticates users and assigns them to the correct VLAN (RFC 3580: Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN ID) based on organizational unit, application, role, or any other logical grouping. |
Extensibility Features
Tools to create extensions to the RADIUS server.

| Feature | Description |
|---|---|
| VSA definitions and RADIUS dictionary extensibility | The dictionary contains VSAs for most major networking equipment vendors. Being a text file, it can easily be extended with new vendors and their VSAs to support vendor-proprietary features without a software upgrade. |
| Programmable finite state machine | Redefine the authorization and accounting processes by modifying the finite state machine tables, without recoding or recompiling the engine. |
| RADIUS Software Developer's Toolkit (optional module) | Create custom plug-in modules to interface with third-party databases, execute custom authentication protocols and algorithms, perform custom logging and request/response processing, and customize the user interface. |
| Advanced Policy Engine (optional module) | Develop and enforce custom policies using simple text files with Boolean expressions. Decisions can be based on nearly any attribute-value pairs and conditional operations (see RADIUS Authorization Features above). |
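The reply items listed earlier (the RFC 3580 VLAN attributes, attribute pruning) and the text-file dictionary described in this section meet on the wire, where every reply item becomes a type-length-value triple and every vendor attribute is wrapped in Vendor-Specific (type 26). The block below is an added example, not the RAD-Series product's code and not its dictionary file format: it parses a dictionary written in the common `ATTRIBUTE name number type [flags]` style (an assumption), encodes a VLAN assignment plus one VSA, prunes the reply to what a constructed NAS model is known to support, then seals the Access-Accept with the RFC 3579 Message-Authenticator and the RFC 2865 Response Authenticator, and shows the check a NAS performs on receipt. Vendor id 32473 is the id reserved for documentation; the capability list and shared secret are constructed.

```python
"""Added example (not the RAD-Series product's code or its dictionary format). Vendor id
32473 is reserved for documentation; the NAS capability list and secret are constructed."""
import hashlib
import hmac
import struct

SECRET, REQ_AUTH = b"constructed-shared-secret", bytes(range(16))  # both constructed
# Dictionary text in the common 'ATTRIBUTE name number type [flags]' style (an assumption).
DICTIONARY_TEXT = """
# Standard attributes (RFC 2865, 2868, 3579)
ATTRIBUTE  Session-Timeout          27  integer
ATTRIBUTE  Tunnel-Type              64  integer  has_tag
ATTRIBUTE  Tunnel-Medium-Type       65  integer  has_tag
ATTRIBUTE  Message-Authenticator    80  octets
ATTRIBUTE  Tunnel-Private-Group-ID  81  string   has_tag
# Constructed vendor block: adding one is a text-file edit, not a software upgrade
VENDOR        Example  32473
BEGIN-VENDOR  Example
ATTRIBUTE  Example-Bandwidth-Kbps    1  integer
END-VENDOR    Example
"""

def parse_dictionary(text):
    """Return {name: {num, type, vendor, tag}}; vendor is None for standard attributes."""
    attrs, vendors, vendor = {}, {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "VENDOR":
            vendors[words[1]] = int(words[2])
        elif words[0] == "BEGIN-VENDOR":
            vendor = vendors[words[1]]
        elif words[0] == "END-VENDOR":
            vendor = None
        elif words[0] == "ATTRIBUTE":
            attrs[words[1]] = {"num": int(words[2]), "type": words[3],
                               "vendor": vendor, "tag": "has_tag" in words[4:]}
    return attrs

ATTRS = parse_dictionary(DICTIONARY_TEXT)

def encode_avp(attrs, name, value, tag=0):
    """TLV per RFC 2865 s.5. Tagged attributes (RFC 2868 s.3.1) spend their first octet on
    the tag, leaving 3 for an integer; vendor attributes are wrapped in Vendor-Specific (26)."""
    spec = attrs[name]
    if spec["type"] == "integer":
        body = struct.pack("!I", value)[1:] if spec["tag"] else struct.pack("!I", value)
    else:
        body = value.encode() if isinstance(value, str) else bytes(value)
    if spec["tag"]:
        body = bytes([tag]) + body
    avp = bytes([spec["num"], 2 + len(body)]) + body
    if spec["vendor"] is not None:
        avp = bytes([26, 6 + len(avp)]) + struct.pack("!I", spec["vendor"]) + avp
    if len(avp) > 255:
        raise ValueError(f"{name}: value does not fit in one attribute")
    return avp

# Constructed capability list for one NAS model: the basis for attribute pruning.
NAS_SUPPORTS = {"wireless-ap": {"Tunnel-Type", "Tunnel-Medium-Type",
                                "Tunnel-Private-Group-ID", "Session-Timeout"}}
# Reply items placing a user in VLAN 20 (RFC 3580: Tunnel-Type VLAN=13, Tunnel-Medium-Type IEEE-802=6).
VLAN_REPLY = [("Tunnel-Type", 13), ("Tunnel-Medium-Type", 6), ("Tunnel-Private-Group-ID", "20"),
              ("Session-Timeout", 3600), ("Example-Bandwidth-Kbps", 2000)]

def prune(reply, nas_model):
    """Attribute pruning: send only the AVPs this NAS model is known to implement."""
    return [(n, v) for n, v in reply if n in NAS_SUPPORTS[nas_model]]

def iter_avps(avps):
    """Yield (offset, type, value); reject any length field that does not fit."""
    i = 0
    while i < len(avps):
        length = avps[i + 1] if i + 1 < len(avps) else 0
        if length < 2 or i + length > len(avps):
            raise ValueError("malformed attribute at offset %d" % i)
        yield i, avps[i], avps[i + 2:i + length]
        i += length

def build_access_accept(attrs, ident, req_auth, secret, reply):
    """RFC 3579 s.3.2: HMAC-MD5 over the packet with the Request Authenticator in the header
    and 16 zero octets in Message-Authenticator; then the RFC 2865 s.3 Response Authenticator."""
    avps = b"".join(encode_avp(attrs, n, v, tag=1 if attrs[n]["tag"] else 0) for n, v in reply)
    header = struct.pack("!BBH", 2, ident, 20 + len(avps) + 18)  # code 2 = Access-Accept
    zeroed = header + req_auth + avps + bytes([80, 18]) + b"\x00" * 16
    avps += bytes([80, 18]) + hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + hashlib.md5(header + req_auth + avps + secret).digest() + avps

def verify_response(packet, req_auth, secret):
    """NAS-side check of both authenticators; False on mismatch or a malformed packet."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, avps = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(hashlib.md5(header + req_auth + avps + secret).digest(), resp_auth):
        return False
    try:
        for off, typ, val in iter_avps(avps):
            if typ == 80:
                zeroed = avps[:off + 2] + b"\x00" * 16 + avps[off + 18:]
                mac = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
                return len(val) == 16 and hmac.compare_digest(mac, val)
    except ValueError:
        return False
    return True
```

The order of the two seals is the part people get wrong: Message-Authenticator is computed first, over a packet whose header already carries the final length and whose own value is zeroed, and only then is the Response Authenticator computed over the finished attribute list. Pruning happens before either, since both cover the exact bytes that leave the server.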
RADIUS RFC Compliance
Compliant with the following RADIUS protocol standards and extensions:

| RFC | Subject |
|---|---|
| 2284 | PPP Extensible Authentication Protocol (EAP) |
| 2548 | Microsoft vendor-specific RADIUS attributes |
| 2619 | RADIUS authentication server MIB |
| 2621 | RADIUS accounting server MIB |
| 2716 | PPP EAP TLS authentication protocol |
| 2759 | Microsoft PPP CHAP extensions, version 2 (MS-CHAPv2) |
| 2809 | Implementation of L2TP compulsory tunneling via RADIUS |
| 2865 | Remote Authentication Dial In User Service (RADIUS) |
| 2866 | RADIUS Accounting |
| 2867 | RADIUS accounting modifications for tunnel protocol support |
| 2868 | RADIUS attributes for tunnel protocol support |
| 2869 | RADIUS extensions |
| 3579 | RADIUS support for EAP |
| 3580 | IEEE 802.1X RADIUS usage guidelines |
| 3748 | Extensible Authentication Protocol (EAP) |
| 4186 | EAP method for GSM Subscriber Identity Modules (EAP-SIM) |
RADIUS Accounting
RADIUS accounting capabilities.

| Capability | Description |
|---|---|
| Proxy accounting | Forwards accounting records from one RADIUS server to another. Important in roaming or multi-server deployments. |
| Browser view of accounting logs (by date, port, user) | View log data from the Server Manager. |
| Predefined and customizable logging formats | Generates accounting call detail records (CDRs) in Livingston and Merit formats. |
| Accounting-On/Off packet support | Handles the Acct-Status-Type values Accounting-On and Accounting-Off (RFC 2866), which signal NAS start-up and shut-down. |
Management
RADIUS server management capabilities.

| Capability | Description |
|---|---|
| Web-based server administration | Simplifies set-up and maintenance of multiple RADIUS servers from any web browser. User profiles and server operation, including status and key statistics, can be configured and monitored remotely. |
| Remote monitoring | Remote monitoring of server status and key statistics. Remotely view access activity and detect authentication problems. |
| Configuration file generation | Configuration files can be generated via the graphical user interface, the command line interface, or scripts. |
| Session and event logging | Logs all events to provide extensive audit trails for troubleshooting or security. Supports the Merit and Livingston formats for detailed session logging. |
| Simultaneous access control (concurrency management) | Configure a user or realm for a maximum number of simultaneous sessions. |
| SNMP support | Supports the standard RADIUS authentication and accounting server MIBs (RFC 2619 and RFC 2621). |
| DHCP relay support | Scales beyond one RADIUS server sharing the same IP pool: addresses are allocated from pools managed by a DHCP server. |
Operational Features
RADIUS server performance and reliability.

| Feature | Description |
|---|---|
| High-speed processing performance | Performance measured in thousands of authentications per second, depending on hardware configuration. See RADIUS Server Performance Specifications. |
| Load balancing and failover across LDAP | Supports backup LDAP directories, with the RADIUS server handling failover. |
Server Platforms
RAD-Series RADIUS Server software runs on:

| Platform | Versions |
|---|---|
| Solaris | Solaris 8, 9 and 10 on Sun SPARC hardware. |
| Red Hat Linux | Red Hat Linux 7.2, 7.3 and 8.0 on Intel hardware; Red Hat Enterprise Linux ES release 3.0, 4.0 and 5.0 on Intel hardware. |