Using RADIUS to Authenticate Users

This section provides a description of RADIUS and explains how to configure PortServer TS 8/16 to use RADIUS. Digi One RealPort and PortServer TS 2/4 do not support RADIUS.

For detailed information on your RADIUS server, see the RADIUS server documentation. 

What is RADIUS?

RADIUS (remote authentication dial-in user service) is a method of maintaining a database of profiles of dial-in users. These profiles can include login and password information, as well as other user attributes.

RADIUS Components

RADIUS requires two components, an authentication host server and client protocols. The PortServer TS 8/16 implements the client protocol. A host must implement the authentication server application.

RADIUS Attributes (RFC 2138) Supported

The following attributes are supported in the Digi RADIUS client implementation.

Request  Accept  Reject  Challenge  #   Attribute
1        0       0       0          1   User-Name
0-1      0       0       0          2   User-Password
0-1      0       0       0          3   CHAP-Password
0-1      0       0       0          4   NAS-IP-Address
0-1      0       0       0          5   NAS-Port
0-1      0-1     0       0          6   Service-Type
0-1      0-1     0       0          7   Framed-Protocol
0-1      0-1     0       0          8   Framed-IP-Address
0-1      0-1     0       0          9   Framed-IP-Netmask
0        0-1     0       0          10  Framed-Routing
0        0+      0       0          11  Filter-Id
0        0-1     0       0          12  Framed-MTU
0+       0+      0       0          13  Framed-Compression
0+       0+      0       0          14  Login-IP-Host
0        0-1     0       0          15  Login-Service
0        0-1     0       0          16  Login-TCP-Port
0        0-1     0       0-1        27  Session-Timeout
0        0-1     0       0-1        28  Idle-Timeout

RADIUS Accounting Attributes (RFC 2139)

The following RADIUS accounting attributes are supported in the PortServer TS 8/16 RADIUS client implementation:

#    Attribute            #    Attribute
0-1  User-Name            0-1  Login-TCP-Port
0    User-Password        0-1  Session-Timeout
0    CHAP-Password        0-1  Idle-Timeout
0-1  NAS-IP-Address       1    Acct-Status-Type
0-1  NAS-Port             0-1  Acct-Delay-Time
0-1  Service-Type         0-1  Acct-Input-Octets
0-1  Framed-Protocol      0-1  Acct-Output-Octets
0-1  Framed-IP-Address    1    Acct-Session-Id
0-1  Framed-IP-Netmask    0-1  Acct-Authentic
0-1  Framed-Routing       0-1  Acct-Session-Time
0+   Filter-Id            0-1  Acct-Input-Packets
0-1  Framed-MTU           0-1  Acct-Output-Packets
0+   Framed-Compression   0-1  Acct-Terminate-Cause
0+   Login-IP-Host        0-1  Port-Limit
0-1  Login-Service

RADIUS Table Key

The numbers in the above tables have the following meaning:

#    Meaning
0    This attribute must not be present.
0+   Zero or more instances of this attribute may be present.
0-1  Zero or one instance of this attribute may be present.
1    Exactly one instance of this attribute must be present.
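
Added example (not part of the Digi documentation): a Python check that walks the attributes of a raw RADIUS packet and reports every row of the authentication attribute table above whose cardinality the packet breaks. The function names and sample packets are constructed for illustration; packet codes 1, 2, 3 and 11 are the RFC 2138 Access-Request, Access-Accept, Access-Reject and Access-Challenge codes.

```python
import struct
from collections import Counter
# Rows from the page's RFC 2138 table: number, name, Request/Accept/Reject/Challenge.
TABLE = """1 User-Name 1 0 0 0
2 User-Password 0-1 0 0 0
3 CHAP-Password 0-1 0 0 0
4 NAS-IP-Address 0-1 0 0 0
5 NAS-Port 0-1 0 0 0
6 Service-Type 0-1 0-1 0 0
7 Framed-Protocol 0-1 0-1 0 0
8 Framed-IP-Address 0-1 0-1 0 0
9 Framed-IP-Netmask 0-1 0-1 0 0
10 Framed-Routing 0 0-1 0 0
11 Filter-Id 0 0+ 0 0
12 Framed-MTU 0 0-1 0 0
13 Framed-Compression 0+ 0+ 0 0
14 Login-IP-Host 0+ 0+ 0 0
15 Login-Service 0 0-1 0 0
16 Login-TCP-Port 0 0-1 0 0
27 Session-Timeout 0 0-1 0 0-1
28 Idle-Timeout 0 0-1 0 0-1"""
RULES = {int(r[0]): (r[1], r[2:]) for r in map(str.split, TABLE.splitlines())}
COLUMN = {1: 0, 2: 1, 3: 2, 11: 3}   # packet code -> table column
LIMITS = {"0": (0, 0), "0-1": (0, 1), "0+": (0, None), "1": (1, 1)}

def build(code, attrs):
    """Constructed sample packet: id 1, zero authenticator, attrs=[(type, bytes)]."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, 1, 20 + len(body), bytes(16)) + body

def violations(packet):
    """Return the table rows this packet breaks; raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in COLUMN or not 20 <= length <= len(packet):
        raise ValueError("unsupported code or bad length field")
    counts, pos = Counter(), 20
    while pos < length:                      # walk type/length/value triples
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        counts[packet[pos]] += 1
        pos += packet[pos + 1]
    found = []                               # attributes not in the table are not judged
    for atype, (name, cards) in RULES.items():
        lo, hi = LIMITS[cards[COLUMN[code]]]
        if counts[atype] < lo or (hi is not None and counts[atype] > hi):
            found.append("%s: %d present, table allows %s" % (name, counts[atype], cards[COLUMN[code]]))
    return found
```

Run against packets captured between the PortServer and the RADIUS server, a non-empty result points at a server profile that returns attributes the client table does not allow for that packet type.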

How RADIUS Works

Here is how authentication works when PortServer is configured for RADIUS:

  1. A user logs into PortServer TS 8/16.
  2. PortServer TS 8/16 collects login information and then checks to see if the user is in the local database of users.
  3. If the user is in the local database, PortServer TS 8/16 handles authentication.
  4. If the user is not in the local database, PortServer TS 8/16 submits an authentication request to the RADIUS server.
  5. The RADIUS server does one of the following:

Configuring RADIUS

To configure PortServer TS 8/16 to function as a RADIUS client, supply a set radius command that specifies the following:

Note: To use a secondary RADIUS server, supply a second set radius command that specifies run=on, the IP address of the secondary server (on the secondary field) and another password for the secondary server (on the secret field).

RADIUS Configuration Example

set radius run=on primary=199.123.15.129 secret=J9