1. How are realms defined?
2. How is simultaneous session control enabled?
3. How are session time limits imposed?
4. How can a user be restricted to one NAS?
5. How can a user be assigned to a VLAN?
6. Which vendors should be selected when configuring an Access Device?
7. How can the RADIUS Server be configured to work with Microsoft’s Active Directory Service?
8. Can a revocation list be configured to reject selected user certificates when using EAP-TLS for authentication?
9. What name should be in the client certificate for EAP-TLS?
10. How do I install a new RADIUS Server license?

1. How are realms defined?
The realm is a concept used in the RAD-Series RADIUS Server to facilitate the authentication and authorization of users from different institutions, or by different means, on one RAD-Series RADIUS Server, and to route RADIUS requests to different servers based on the user's realm.
To add a realm to a RAD-Series RADIUS Server, do the following:
- Add a realm entry in the authfile configuration file.
- If the new realm uses RADIUS authentication, meaning all requests for that realm are sent to another RAD-Series RADIUS Server, set up a clients file entry listing the RAD-Series RADIUS Server it communicates with. The same needs to be done on the other server describing this server.
- When performing realm-based authentication, the realm must be defined in the las.conf configuration file.

2. How is simultaneous session control enabled?
Configure the RAD-Series RADIUS Server to handle realm(s). Even if realms are not being used, there must still be a NULL realm defined in the authfile. Also, the LAS must be configured to handle any local realms (or the NULL realm).
The default number of simultaneous sessions allowed is one. If any users are to be allowed more than one simultaneous session, configure Simultaneous-Use = 2 as a configuration (check-item) attribute for the individual user, or in the DEFAULT entry in the users file to apply it to every user. Do not forget to separate this check-item from any others with a comma.

3. How are session time limits imposed?
Add the Session-Timeout attribute as a reply item to the user profiles. The only requirement is that the NAS supports this attribute.

4. How can a user be restricted to one NAS?
To restrict some users so that they are allowed to dial in to one NAS only, place the RADIUS attribute NAS-IP-Address (or NAS-Identifier) as a check-item in their user profile, indicating the NAS they are allowed to use.

5. How can a user be assigned to a VLAN?
The RAD-Series RADIUS Server can be configured to assign a user to a VLAN by adding the following three Reply-Items to the user’s profile:
    Tunnel-Type=VLAN
    Tunnel-Medium-Type=IEEE-802
    Tunnel-Private-Group-Id=<vlan-number>
where <vlan-number> is the number of the user’s VLAN.

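The check-items and reply-items from questions 2 to 5 combined into a single users file entry, as an added illustration that is not taken from the product's own documentation. It assumes the Merit-style users file layout (user name followed by comma-separated check-items on the first line, comma-separated reply-items on indented continuation lines), a Password check-item for local authentication, and constructed sample values for the NAS address, timeout and VLAN number.

```text
# Constructed example entry, not from the RAD-Series documentation.
# First line: user name, then check-items (conditions that must hold).
# Indented lines: reply-items returned in the Access-Accept.
# The Password check-item, NAS address, timeout and VLAN number are assumed sample values.
fred@company.com  Password = "change-me", Simultaneous-Use = 2, NAS-IP-Address = 192.0.2.10
                  Session-Timeout = 3600,
                  Tunnel-Type = VLAN,
                  Tunnel-Medium-Type = IEEE-802,
                  Tunnel-Private-Group-Id = 100
```

With this entry the user may hold at most two concurrent sessions, only from the NAS at 192.0.2.10, each session is cut off after 3600 seconds, and the NAS is told to place the user in VLAN 100.
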
6. Which vendors should be selected when configuring an Access Device?
When adding an Access Device to the RAD-Series RADIUS Server configuration, more than one vendor can be selected. The vendors selected determine which vendor’s Vendor Specific Attributes (VSAs) can be sent to the Access Device in an Access-Accept.
It is undesirable to send VSAs not supported by the Access Device, since it may result in the session being rejected.
In addition to selecting the manufacturer, there are two other vendors that are frequently needed:
- Cisco is needed as a vendor if EAP-LEAP authentication is being used.
- Microsoft is needed if using an EAP method that supports dynamic WEP keys. For version 7.1 and beyond these keys are sent regardless of the vendors specified.

7. How can the RADIUS Server be configured to work with Microsoft’s Active Directory Service?
The RAD-Series RADIUS Server can be configured to work with Microsoft’s Active Directory Server (ADS) using its standard LDAP interface. The standard LDAP information can be supplied for:
- Directory Name
- Host
- Port
- Administrator
- Password
- Searchbase
Additionally, ADS requires:
- Filter must be set to sAMAccountName
- Authentication Type must be set to Auto
Configured in this way, the server will first search ADS for the user using the attribute sAMAccountName. Then the server will authenticate the user by using the distinguished name, returned by the search, to bind to the directory.

8. Can a revocation list be configured to reject selected user certificates when using EAP-TLS for authentication?
EAP-TLS authenticates users using digital certificates. If a station with a valid user certificate is lost or stolen then the network is compromised unless there is a means of revoking the certificate at the server. This can be easily done in the RAD-Series RADIUS Server by configuring the user with Authentication-Type=Deny in the default users file. For example, to revoke the certificate for fred@company.com the users file entry would be:
    fred@company.com Authentication-Type=Deny

9. What name should be in the client certificate for EAP-TLS?
When authenticating using EAP-TLS, the common name (cn) in the certificate must match the User-Name configured in the supplicant software.
Starting with version 6.1.5, you can configure other items in the certificate that can be used to match the User-Name.

10. How do I install a new RADIUS Server license?
The RAD-Series RADIUS Server licenses are in a text file, aaa.config.license, which gets copied to the server’s configuration directory. By default this directory is /etc/opt/aaa on Unix systems.
The license is keyed to a specific version of the server and includes a list of enabled features. A new license should be installed when the server is upgraded or when new features are licensed and need to be enabled.
Before installing a new license:
- Make a backup copy of the old license.
- Look at the license file to ensure that the version string matches the version of the server being licensed.