Configuring the Bundled SESM RADIUS Server



Similar documents
Configuring a Jetty Container for SESM Applications

Deploying an SESM/SSG Solution

CDAT Overview. Remote Managing and Monitoring of SESM Applications. Remote Managing CHAPTER

Using RADIUS Agent for Transparent User Identification

Configuring Timeout, Retransmission, and Key Values Per RADIUS Server

LICENSE4J LICENSE ACTIVATION AND VALIDATION PROXY SERVER USER GUIDE

Dove User Guide Copyright Virgil Trasca

Supported Platforms. Supported Standards, MIBs, and RFCs. Prerequisites. Related Features and Technologies. Related Documents. Improved Server Access

Configuring CSS Remote Access Methods

Microsoft IAS Configuration for RADIUS Authorization

Using LDAP Authentication in a PowerCenter Domain

Simple Installation of freeradius

Tracking Network Changes Using Change Audit

Veritas Cluster Server

ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access. Integration Handbook

Borderware Firewall Server Version 7.1. VPN Authentication Configuration Guide. Copyright 2005 CRYPTOCard Corporation All Rights Reserved

Management, Logging and Troubleshooting

Volume SYSLOG JUNCTION. User s Guide. User s Guide

7750 SR OS System Management Guide

External Authentication with Cisco ASA Authenticating Users Using SecurAccess Server by SecurEnvoy

Oracle WebLogic Server

CHAPTER 1 - JAVA EE OVERVIEW FOR ADMINISTRATORS

Borderware MXtreme. Secure Gateway QuickStart Guide. Copyright 2005 CRYPTOCard Corporation All Rights Reserved

Configuring RADIUS Servers

Chapter 3 Authenticating Users

How to utilize Administration and Monitoring Console (AMC) in your TDI solution

Oracle EXAM - 1Z Oracle Weblogic Server 11g: System Administration I. Buy Full Product.

ISE TACACS+ Configuration Guide for Cisco NX-OS Based Network Devices. Secure Access How-to User Series

CA SiteMinder. Policy Server Administration Guide. r12.0 SP2

Oracle WebLogic Server 11g Administration

WebSphere Server Administration Course

How To Authenticate An Ssl Vpn With Libap On A Safeprocess On A Libp Server On A Fortigate On A Pc Or Ipad On A Ipad Or Ipa On A Macbook Or Ipod On A Network

IBM WebSphere Server Administration

Install an SSL Certificate onto SilverStream. Sender Recipient Attached FIles Pages Date. Development Internal/External None 5 6/16/08

RADIUS Server Load Balancing

Universal Event Monitor for SOA Reference Guide

Aradial Installation Guide

Configuring the Content Routing Software

Configuring RADIUS Authentication for Device Administration

Security Correlation Server Quick Installation Guide

User Service and Directory Agent: Configuration Best Practices and Troubleshooting

TIBCO Runtime Agent Domain Utility User s Guide Software Release November 2012

HP Device Manager 4.6

No.1 IT Online training institute from Hyderabad URL: sriramtechnologies.com

ELIXIR LOAD BALANCER 2

LICENSE4J FLOATING LICENSE SERVER USER GUIDE

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Syslog Monitoring Feature Pack

Ahsay Replication Server v5.5. Administrator s Guide. Ahsay TM Online Backup - Development Department

HP Service Virtualization

Cisco ASA. Administrators

How to Enable Remote JMX Access to Quartz Schedulers. M a y 1 2,

Step by step guide to implement SMS authentication to Cisco ASA Clientless SSL VPN and Cisco VPN

Your Question. Net Report Answer

HTTP 1.1 Web Server and Client

OTP Server Integration Module

Tivoli Access Manager Agent for Windows Installation Guide

DIGIPASS Authentication for Cisco ASA 5500 Series

QMX ios MDM Pre-Requisites and Installation Guide

Device Integration: Checkpoint Firewall-1

Creating a DUO MFA Service in AWS

ZyWALL OTP Co works with Active Directory Not Only Enhances Password Security but Also Simplifies Account Management

For the protocol access paths listed in the following table, the Sentry firmware actively listens on server ports to provide security for the CDU.

Biznet GIO Cloud Connecting VM via Windows Remote Desktop

CA Workload Automation Agent for UNIX, Linux, or Windows

Author A.Kishore/Sachin VNC Background

From Release 8.0, IPv6 can also be used to configure the LDAP server on the controller.

Security Correlation Server Quick Installation Guide

Determine the process of extracting monitoring information in Sun ONE Application Server

Connecting to the Firewall Services Module and Managing the Configuration

Oracle Exam 1z0-102 Oracle Weblogic Server 11g: System Administration I Version: 9.0 [ Total Questions: 111 ]

Importing data from Linux LDAP server to HA3969U

(n)code Solutions CA A DIVISION OF GUJARAT NARMADA VALLEY FERTILIZERS COMPANY LIMITED P ROCEDURE F OR D OWNLOADING

UNICORE REGISTRY MANUAL

Configuring System Message Logging

This presentation explains how to integrate Microsoft Active Directory to enable LDAP authentication in the IBM InfoSphere Master Data Management

SSL CONFIGURATION GUIDE

Forward proxy server vs reverse proxy server

Adobe Connect LMS Integration for Blackboard Learn 9

Configuring Global Protect SSL VPN with a user-defined port

SOA Software API Gateway Appliance 7.1.x Administration Guide

Using LiveAction with Cisco Secure ACS (TACACS+ Server)

Creating Basic Custom Monitoring Dashboards Antonio Mangiacotti, Stefania Oliverio & Randy Allen

[1]Oracle Communications Billing and Revenue Management Web Services Manager Release 7.5 E

User's Guide - Beta 1 Draft

LDAP and Active Directory Guide

Business Interaction Server. Configuration Guide Rev A

Configuring Steel-Belted RADIUS Proxy to Send Group Attributes

Configuring Sponsor Authentication

Configuring GTA Firewalls for Remote Access

ONLINE BACKUP MANAGER TROUBLESHOOTING MISSING BACKUP JOBS

vcenter Hyperic Configuration Guide

CLC License Server Administrator Manual

Configuring Logging. Information About Logging CHAPTER

Enabling Single Signon with IBM Cognos ReportNet and SAP Enterprise Portal

Configuring Secure Socket Layer (SSL) for use with BPM 7.5.x

Interlink Networks Secure.XS and Cisco Wireless Deployment Guide

Configuring BEA WebLogic Server for Web Authentication with SAS 9.2 Web Applications

Transcription:

APPENDIX D This appendix describes the configuration options for the bundled SESM RADIUS server. Topics are: Bundled SESM RADIUS Server Installed Location, page D-1 Profile File Requirements, page D-1 Defining New Attributes to the Bundled SESM RADIUS Server, page D-2 Starting the Bundled SESM RADIUS Server, page D-2 MBeans for the Bundled SESM RADIUS Server, page D-2 Bundled SESM RADIUS Server Installed Location The bundled SESM RADIUS server is installed by default in both RADIUS and LDAP mode installations. None of the SESM installation parameters affects the default configuration of the bundled SESM RADIUS server. The installed location of configuration files and startup scripts that support the bundled SESM RADIUS server is the tools directory under your SESM installation directory: tools bin startaaa config aaa.xml erp.xml aaa.properties The aaa.xml and erp.xml files are MBean configuration files for the bundled SESM RADIUS server. The aaa.properties file is a sample profile file. Profile File Requirements The bundled SESM RADIUS server requires a profile file in MERIT format. The default configuration points to the aaa.properties file, a sample MERIT file installed with RDP. You can change this to point to a different file by changing the aaafilename attribute in the AAA MBean. For example, you could point to the demo.txt file in the NWSP directory. D-1

The bundled SESM RADIUS server loads the contents of the profile file during startup. You must restart the RADIUS server if: You change the aaafilename attribute to point to a different file. You make any changes to the profiles in the referenced file. Defining New Attributes to the Bundled SESM RADIUS Server All SESM applications, including the bundled SESM RADIUS server, internally predefine the standard RADIUS attributes and the Cisco vendor-specific attributes (VSAs) listed in Table C-2 and Table C-3 on page C-4. To define additional attributes, such as Cisco VSAs not included in the above-referenced tables or other vendor VSAs: Define the new attribute in the RADIUSDictionary MBean. New attributes defined in this MBean can be used in your profiles. Define the new attribute in the profile itself, as described in Dynamically Defining Attributes in Profiles for Testing and Development section on page C-5. Starting the Bundled SESM RADIUS Server The bundled SESM RADIUS server is ready to run immediately after installation. To start it, execute the startup script with a port number, as follows: On Solaris and Linux: installdir/tools/bin/startaaa.sh portnumber On Windows: installdir\tools\bin\startaaa.cmd portnumber You can edit the start script, inserting a default port number. In that case, you do not need to specify portnumber on the command line. MBeans for the Bundled SESM RADIUS Server The bundled SESM RADIUS server uses the following MBeans: Logger MBean, page D-3 ManagementConsole MBean, page D-3 RADIUSDictionary MBean, page D-3 AAA MBean, page D-4 To change attributes in these MBeans, you can either: Edit the MBean configuration files: tools config aaa.xml erp.xml D-2

Make changes using the Agent View running on the server management port. The port numbers are: server port specified at run time on the command line or in the startup script management port server port + 100 The installation process does not add a link on the CDAT main window to this Agent View. You can add this link manually as described in Adding a New Application to the CDAT Main Window section on page 6-4. Before creating the link, edit the startaaa script, inserting a port number that you want to consistently use to start the bundled SESM RADIUS server. Then configure the link on the CDAT window to go to the configured RDP port + 100. Logger MBean The Logger MBean configures both logging and debugging tools. The logging tool logs CDAT application activity. The debugging mechanism produces messages useful for debugging. This is the same logging and debugging mechanism used by the SESM portal applications. See the Logger MBean section on page 5-2, for more information. ManagementConsole MBean The ManagementConsole MBean configures the server management console port, including valid user names and passwords for accessing the console. See the Configuring the ManagementConsole MBean section on page 3-5 for more information. RADIUSDictionary MBean All SESM applications, including this RADIUS server, internally predefine the standard RADIUS attributes and the Cisco SSG vendor-specific attributes (VSAs). You can define additional attributes, such as additional Cisco VSAs or VSAs from other vendors, in the RADIUSDictionary MBean. When you define attributes in this MBean, you can use the defined attribute names in RADIUS profiles. You can also define dynamic attributes directly in the profile, as described in the Dynamically Defining Attributes in Profiles for Testing and Development section on page C-5. For a list of the standard RADIUS attributes that are predefined in SESM, see Table C-2 on page C-4. For a list of the Cisco SSG VSAs that are predefined in SESM, see Table C-3 on page C-4. Table D-1 describes the attributes in the RADIUSDictionary MBean. D-3

Table D-1 Bundled SESM RADIUS Server RADIUSDictionary MBean Attribute Name dynamicattributes Explanation An array of new attribute definitions. To define a new attribute, add a new item to this array. The format for an item is: name(radiusattributeid, vendorid, vendorsubattribute, datatype) Where: name Is the new attribute name. radiusattributeid Use attribute value 26, the vendor-specific attribute. vendorid A RADIUS vendor ID. vendorsubattribute A unique number that distinguishes this attribute from other VSAs for the same vendor. datatype One of the following values: BINARY, STRING, INTEGER, or IPADDRESS. When datatype is BINARY, the value assigned to the attribute must be expressed as a hexadecimal string. For example: demovsa(26, 1, 1, BINARY) Other valid syntax formats are represented below: name([[type=]26],[vendorid=]vendorid,[vendortype=]vendortype,[datatype=]datatype) For example: demovsa(type=26, vendorid=1, vendortype=1,datatype=integer) AAA MBean The AAA MBean configures the AAA listener, including its thread pool and socket (port).table D-2 describes the configurable attributes in the AAA MBean. Table D-2 Bundled SESM RADIUS Server AAA MBean Attribute Name Explanation handler Defines the type of listener being configured. The value must be AAA to configure an bundled SESM RADIUS server. dump true Displays all RADIUS messages on the console (stderr) false Does not display messages Default: true aaafilename Specifies the profile file name and path.you can change this reference to point to any file in the Merit file format. For example, you could use the NWSP demo.txt file. The following attributes are in the AAA MBean, RADIUSListener=AAA,component=Threadpool minthreads Sets the minimum number of threads that this listener will maintain during periods of low load. This listener will always have system resources allocated for this number of threads. Default: 5 D-4

Table D-2 Bundled SESM RADIUS Server AAA MBean (continued) Attribute Name maxthreads Explanation Sets the maximum number of threads that this listener can allocate resources for, even during peak loads. This listener can have up to this number of threads. Default: 255 The following attributes are in the AAA MBean, RADIUSListener=AAA,component=RADIUSServerSocket secret The shared secret that must be used in RADIUS protocol messages sent to the bundled SESM RADIUS server. This attribute sets a global shared secret for all clients. To specify different shared secrets for each client, use the allowedclients attribute. localport The port the RADIUS server listens on. It uses the same port for RADIUS Accounting-Requests and Access-Requests. The installed configuration file defines this attribute as a Java system property, which is assigned a value at run time: application.portno allowedclients Configures a list of clients from which the server can accept requests. Also configures shared secrets. Turn this feature on and off as follows: Allow any client to access the RADIUS server Comment out the allowedclients attribute in the XML file, or remove all clients from the allowedclients list. Restrict client access Uncomment the allowedclients attribute in the XML file. If you do not see the allowedclients attribute in the Agent View, check the configuration file (the XML file). The allowedclients attribute might be commented out. If so, remove the comment characters, save the XML file, and then restart the RADIUS server. You can add more clients by adding more elements to the allowedclients attribute. An element in allowedclients attribute has the following format: {hostname IPAddress}[:localSecret] Where: hostname or IPAddress identify a client (an SSG, for example) that has access to the server. localsecret identifies the secret that this client uses for RADIUS communication. D-5

D-6