RADIUS
RADIUS (Remote Authentication Dial-In User Service) is an authentication system consisting of one or more servers, and clients using the servers to authenticate users. You could, for example, equip the company modems with RADIUS clients, demanding that a user connecting to a modem first identifies himself to the RADIUS server. Servers and clients communicate via UDP.
Ingate Firewall uses RADIUS for three purposes; authentication for firewall administration, for SIP users, and VPN connections from road warriors. If RADIUS is used for user authentication from VPN connections, you must do additional configuration on the Authentication Server page.
RADIUS server
Enter the server(s) that the firewall should use. When more than one RADIUS server is entered, make sure that their databases contain the same data, since the firewall regards them all alike and uses the server which first replies to a request.
RADIUS server
Enter the DNS name or IP address for the RADIUS server used for authentication.
In IP address, the IP address of the server is shown. It is updated whenever Look up all IP addresses again is pressed, or the DNS name or IP address field is changed.
Port
The official port for RADIUS is UDP port 1812. However, several RADIUS servers use port 1645, so you may have to change the port number either on the RADIUS server or in the table.
Secret
A RADIUS authentication requires a 'shared secret', which must be the same on both sides. Since the secret is used as an encryption key, it is important that it is kept a secret. Since the secret is saved unencrypted in the firewall configuration, you should be careful with where you store the configuration.
Delete row
If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.
Add new rows
Enter the number of new rows you want to add to the table, and then click on Add new rows.
Identification
Below the table you find more options used when the firewall acts as a RADIUS client.
A RADIUS client may use either of two ways to identify itself for the RADIUS server: an IP address or a name (identifier). Select here which method to use. The address or name in use must be registered at the RADIUS servers specified in the top table, and must be unique in that RADIUS database.
Contact RADIUS servers from
Select the IP address from which the firewall should make connections to RADIUS servers. A convenient choice of address is one on the interface closest to the RADIUS server. Select from the IP addresses configured for the interfaces under Directly connected networks and Alias.
Use NAS-IP-Address
If you select Yes, the firewall's IP address (the address selected above) will be enclosed as identity. If you select No, you must enter a NAS-Identifier for the firewall.
NAS-Identifier
You can enter a special identifier into this field. All characters except space are allowed according to the firewall, but your RADIUS server may have some restrictions on the identifier.
You must use at least one of these ways, or the authentication will fail.
Save
Saves the RADIUS configuration to the preliminary configuration.
Undo
Reverts all of the above fields to their previous configuration.
Look up all IP addresses again
Looks up the IP addresses for all DNS names on this page in the DNS servers you entered on the Basic Configuration page.
Status for RADIUS servers
At the bottom of the page the status for the RADIUS servers is shown. Radiusmux is the part of Ingate Firewall that connects to the RADIUS servers.
If no authentication by RADIUS is configured, the radiusmux is not run. When you apply a configuration which involves contacting a RADIUS server, the radiusmux is started.
RADIUS server
The IP address for this RADIUS server.
Score
Radiusmux gives points (the scale is 1 to 40, inclusive) to the different servers according to their performance. The better server performance, the higher score. Radiusmux uses the score to select which server to query primarily.
Sent requests
The number of UDP packets sent to this server.
Received replies
The number of UDP packets received from this server.
Consecutive sends
The number of consecutive UDP packets sent without response from the server.
Recent average response time
A calculated average of response time for packets for which response has been received.
Free slots
The RADIUS server allocates a certain number of slots for each RADIUS client, and every pending request from the firewall occupies a slot. Here you see the current number of free slots.
Configuration of a RADIUS server
In this section it is assumed that you know how to configure your RADIUS server. Consult your RADIUS manual for details.
Add the firewall as a client in the RADIUS server. Make sure that the shared secret here is the same as in the firewall.
The firewall checks the permissions for a user by looking at its RADIUS attribute Service-Type. If the Service-Type has the value Administrative (6), the user is allowed to configure the firewall. If the value is Framed (2), the user is allowed to connect via VPN.
For the various privileges for users, there is an Ingate-specific RADIUS attribute defined thus:
To be able to authenticate SIP users, the RADIUS server must support Digest authentication. You find a description of this in draft-sterman-aaa-sip-02 (Internet draft). This is all that is required for it to work with Ingate Firewall.
More information about RADIUS can be found in RFC 2865.
Log on with RADIUS via RSA SecurID
If a RADIUS server using RSA SecurID is set up for this firewall, you must have a code box, or you will not be able to log on. The first time you try to log on with RADIUS, enter your user name and the number displayed in the code box window. The server will ask if you want the system to generate a new PIN for you.
Answering y will give you a PIN which you use for logging on. n will enable you to enter a PIN of your own.
Finally, you enter a PASSCODE to log on. You can find more information about the PASSCODE in your RSA SecurID manual.
Next time you log on, enter your user name and the PASSCODE.
In the code box window there is a number of horizontal bars, representing the time left until pass number change. If only one or zero bars is left at logon, wait for the number change, or the server may refuse to authenticate you because the number changed before server check.