EasyServer II RADIUS authentication accounting dialin remote access



Similar documents
Authenticating a Lucent Portmaster 3 with Microsoft IAS and Active Directory

Teldat Router. RADIUS Protocol

Configuring RADIUS Authentication for Device Administration

Network Security and AAA

Supported Platforms. Supported Standards, MIBs, and RFCs. Prerequisites. Related Features and Technologies. Related Documents. Improved Server Access

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Using RADIUS Agent for Transparent User Identification

Prestige 310. Cable/xDSL Modem Sharing Router. User's Guide Supplement

RADIUS Authentication and Accounting

OCS Training Workshop LAB14. Setup

Configuring the Cisco Secure PIX Firewall with a Single Intern

Nokia for Business. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

ESET SECURE AUTHENTICATION. Cisco ASA Internet Protocol Security (IPSec) VPN Integration Guide

SITRANS RD500 Configuring the RD500 with PSTN or GSM modems and Windows-based servers and clients for communication Objective:

Borderware Firewall Server Version 7.1. VPN Authentication Configuration Guide. Copyright 2005 CRYPTOCard Corporation All Rights Reserved

Chapter 29 User Authentication

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

IP Filtering for Patton RAS Products

Configuring a BEC 7800TN Wireless ADSL Modem

Issue 2EN. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

Configuring Access Service Security

Prestige 314 Read Me First

Command Line Reference. for the FriendlyNET Dual 56K

Configuring RADIUS Dial Up with Livingston Server Authentication

ZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004

Executive Summary and Purpose

Prestige 324. Prestige 324. Intelligent Broadband Sharing Gateway. Version 3.60 January 2003 Quick Start Guide

Vantage RADIUS 50. Quick Start Guide Version 1.0 3/2005

Configuring Timeout, Retransmission, and Key Values Per RADIUS Server

Lab Configure Basic AP Security through IOS CLI

Management, Logging and Troubleshooting

Table of Contents. Cisco Configuring the PPPoE Client on a Cisco Secure PIX Firewall

F-SECURE MESSAGING SECURITY GATEWAY

How To Configure A Bomgar.Com To Authenticate To A Rdius Server For Multi Factor Authentication

Borderware MXtreme. Secure Gateway QuickStart Guide. Copyright 2005 CRYPTOCard Corporation All Rights Reserved

Chapter 1 Configuring Internet Connectivity

Security Provider Integration RADIUS Server

Firewall Authentication Proxy for FTP and Telnet Sessions

Cisco CNR and DHCP FAQs for Cable Environment

Application Note. Using a Windows NT Domain / Active Directory for User Authentication NetScreen Devices 8/15/02 Jay Ratford Version 1.

Smart Telephone System

Exam Topics in This Chapter

This chapter describes how to set up and manage VPN service in Mac OS X Server.

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client

ESET SECURE AUTHENTICATION. Cisco ASA SSL VPN Integration Guide

Configuring GTA Firewalls for Remote Access

Prestige 324 Quick Start Guide. Prestige 324. Intelligent Broadband Sharing Gateway. Version V3.61(JF.0) May 2004 Quick Start Guide

While every effort was made to verify the following information, no warranty of accuracy or usability is expressed or implied.

1 Getting Started. Before you can connect to a network

bintec Workshop WAN Partner Configuration Copyright November 8, 2005 Funkwerk Enterprise Communications GmbH Version 0.9

Telnet, Console and AUX Port Passwords on Cisco Routers Configuration Example

Technical Note #31. GE PMCS App Note 31 Page 1 of 5. RAS - Host and View Node. RAS - Host Configuration with No Network Adapter Installed:

Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab

Rebasoft Auditor Quick Start Guide

Digi Port Authority- Remote. Setup Guide _A

Virtual Private Network and Remote Access Setup

7.1. Remote Access Connection

Simple Scan to Setup Guide

Internet Access Setup

BRI to PRI Connection Using Data Over Voice

Nokia E61i Configuring connection settings

Chapter 1 Configuring Basic Connectivity

TP-LINK TD-W8901G. Wireless Modem Router. Advanced Troubleshooting Guide

How to configure MAC authentication on a ProCurve switch

SAS3 INSTALLATION MANUAL SNONO SYSTEMS 2015

Your Question. Net Report Answer

How to Configure Web Authentication on a ProCurve Switch

Figure 1 - T1/E1 Internet Access

Strong Authentication for Juniper Networks SSL VPN

Innominate mguard Version 6

Connecting and Setting Up Your Laptop Computer

A More Secure and Cost-Effective Replacement for Modems

RF550VPN and RF560VPN

BCM Rls 6.0. Remote Access. Task Based Guide

Security Configuration Guide P/N Rev A05

Configuring CSS Remote Access Methods

Two-Factor Authentication

Configuring TACACS+, RADIUS, and Kerberos on Cisco Catalyst Switches

Remote Access via VPN Configuration (May 2011)

Full Install Setup Guide Actiontec F2250 Gateway

3.1 RS-232/422/485 Pinout:PORT1-4(RJ-45) RJ-45 RS-232 RS-422 RS-485 PIN1 TXD PIN2 RXD PIN3 GND PIN4 PIN5 T PIN6 T PIN7 R+ PIN8 R-

Voice Over Internet Protocol (VoIP) Configuration

Prestige 2302R Series

Instructions for Adding a MacOS 10.4.x Server to ASURITE for File Sharing. Installation Section

Remote Annex. Quick Start for Windows. Read before installing and using Remote Annex Software Release 4.2

How to Setup PPTP VPN Between a Windows PPTP Client and the DIR-130.

Configuring PPP And SIP

Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

Interlink Networks RAD-Series AAA Server and RSA Security Two-Factor Authentication

Feature Brief. FortiGate TM Multi-Threat Security System v3.00 MR5 Rev. 1.1 July 20, 2007

Configuring and Monitoring FTP Servers

Issue 1 EN. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Internet Access to a DVR365

WLAN660 Wireless IP Phone Administrator s Guide

DSL-2600U. User Manual V 1.0

Enabling Remote Access to the ACE

Configuring connection settings

Wireless G Broadband quick install

Matrix Technical Support Mailer 167 NAVAN CNX200 PPTP VPN with Windows Client

Transcription:

Configuring an EasyServer II for use with a RADIUS server Keywords: EasyServer II RADIUS authentication accounting dialin remote access Introduction The purpose of this application note is to outline the configuration options that are available when using a RADIUS server for user authentication with an EasyServer II. A number of different configurations are discussed including simple terminal user login authentication and PPP dialin client authentication. The examples in this application note are developed using an EasyServer II with the RADIUS option enabled and the Merit RADIUS server software running on a SlackWare Linux system. The Merit RADIUS software is available from the Internet at merit.edu. The version of Merit RADIUS software used in developing these examples is 2.4.23C. Although these examples have been developed using the Merit RADIUS software, the principles of operation will be the same regardless of which RADIUS server is used. Some of the configuration details will differ amongst RADIUS server implementations. The Merit RADIUS server software is by no means the only RADIUS server software available, nor is it the only RADIUS server software that has been tested with the EasyServer II. Other versions of RADIUS server software tested include the Funk Software Steel Belted RADIUS software for Windows NT and the Livingston RADIUS server. Requirements There are only two requirements for installing and configuring RADIUS. Firstly, an EasyServer II with the RADIUS feature enabled and secondly a system on which the RADIUS server software is to be installed. The RADIUS feature is not enabled by default on the EasyServer II and a RADIUS key must be purchased from Stallion Technologies. Note that the RADIUS feature is only available in those units with Rev 6.0.0 or later firmware. The revision of EasyServer II firmware can be checked using the IDENTIFICATION command. Figure 1 identification ESII-8 Communications Server V6.0.0 251535-01 revision 0 Configuration RADIUS Server Configuration There are three steps to configuring the Merit RADIUS software after it is installed. This Application Note does not go into the details of installing the Merit RADIUS software. This information is available in the documentation that comes with the software. The three steps are: creating the authfile file which determines the particular authentication mechanism to be used, e.g. Unix password style authentication, Kerberos, TACAS, etc. creating the clients file which specifies which RADIUS clients are going to be using this RADIUS server and the secret that they will be using. creating the users file that contains information about the individual users and their environment. Revision 1.0 April, 98 Page 1 of 5

In the examples outlined in this Application Note, the authfile file appears as follows. The entries in this file indicate that the default authentication mechanism is the Unix password method as opposed to Kerberos, TACAS or another form of authentication. # The following entry will typically be configured in the authfile for # the RADIUS server running on the system with the matching DNS name. # It says to use the UNIX password file for authentication. domain.name.com UNIX-PW # This entry says to pass requests with authentication realm names # which didn't appear in this file along to another RADIUS server. DEFAULT UNIX-PW # This next entry says to handle requests which don't have a realm # name appended to the user id as local user ids. NULL UNIX-PW The client file appears as follows: # Client Name Key user/authfile prefix # ---------------- --------------- -------------------- easyserver secret This file indicates that RADIUS authentication requests can be expected from a client called easyserver. As DNS is running on this system, the client name can be used. If DNS was not available, then the IP address of the client would be required. In this example the encryption key or secret used is secret. This must, of course, be the same secret as that used on the EasyServer II. The third file that is created is the users file. This file contains information about the users who will be using the EasyServer II and therefore must be authenticated via the RADIUS server. Details of the users file entries will be given below, along with the corresponding EasyServer II port configuration. Basic EasyServer II Configuration The SHOW SERVER command can be used to determine whether or not the RADIUS feature has been enabled. As can be seen from the output of the command (see Figure 2), the RADIUS optional feature has been enabled. The Dial on Demand feature is enabled by default. Once the RADIUS feature has been enabled, changes can be made to the EasyServer II to enable RADIUS operation. Whilst initial configuration and testing of the EasyServer II is being performed, the fallback option should be enabled. Once configuration and testing is complete, the fallback option can then be disabled. To configure the EasyServer II for RADIUS, the following commands need to be executed. show server Figure 2 ESII-8 Communications Server V6.0.0 Uptime: 20 days 22:17:09 Ethernet: 00-60-1f-00-1a-1f Internet: 192.168.1.24 Name: ESII_00601F001A1F Number: 0 Identification: None Console Port: 1 Prompt: "%N %p>%p " Inactivity Timer: 30 Password limit: 3 Monitor Timer: 3 Session limit: 64 Startup File: Flash Memory File: Enabled Optional Features: RADIUS Authentication, Dial On Demand Enabled Characteristics: Broadcast, Lock, Heartbeat ESII-8.CFG None Revision 1.0 April, 98 Page 2 of 5

change radius authentication server 192.168.1.16 port 1812 change radius accounting server 192.168.1.16 port 1813 change radius support enabled change radius secret "secret" change radius fallback enabled Application Note By default, the EasyServer II uses UDP ports 1812 and 1813, as per RFCs 2138 and 2139, for RADIUS authentication and accounting, rather than ports 1645 and 1646 as used by older RADIUS implementations. It may be necessary to change either the EasyServer II or the RADIUS server software so that the same UDP ports are used by both RADIUS client and server. show radius Figure 3 Radius: Enabled Fallback: Enabled Secret: secret Timeout: 5s Retry count: 4 Authentication Server Port Accounting Server Port 192.168.1.16 1812 192.168.1.16 1813 Port Radius RADIUS also has to be enabled for each port. For example, the command to enable RADIUS on ports 2 to 7 only, would be as follows. change port 2-7 radius enabled 1 Disabled 2 Enabled 3 Enabled 4 Enabled 5 Enabled 6 Enabled 7 Enabled 8 Disabled After RADIUS has been configured for all the required ports of the EasyServer II, the configuration can be verified using the SHOW RADIUS command. The output will appear similar to that displayed in Figure 3. Creating the Users file A RADIUS authentication scheme is usually used where there are dial in clients, connecting from outside of the organization, as with an Internet Service Provider (ISP), for example. This is not the only situation where RADIUS might be used. RADIUS can also be used to authenticate terminal users. The entries in the users file will relate to the type of user that is being authenticated. The entry in the users file for the system administrator, who may just be using a terminal or telnet session, would appear as follows. admin Password = admin Service-Type = Administrative-User As the password is specified in the users file, the default authentication mechanism of Unix-password is not used. If the user being authenticated has an account on the Unix system where the RADIUS server is running, then the user can be authenticated using their Unix password. The users entry would appear as follows. username Authentication-Type = Unix-PW Service-Type = Authenticate-Only, For a dedicated, dialin modem PPP connection, the users entry would be similar to the next example. This applies to a dedicated PPP connection only. The PPP configuration in the EasyServer II should be configured to use either PAP or CHAP as well. In this example, PAP user authentication is used. Revision 1.0 April, 98 Page 3 of 5

pppuser Authentication-Type = Unix-PW Service-Type = Framed, Framed-Protocol = PPP, Framed-IP-Netmask = 255.255.255.0, Framed-Routing = None, Framed-MTU = 1500 The corresponding EasyServer II port configuration would appear as detailed in Figure 4. In this case the user pppuser has a Unix user account and is being authenticated using the Unix-PW mechanism. Also, the local and host IP addresses being used, are those configured on the EasyServer II port. Application Note Figure 4 DEFINE PORT 4 Autobaud DISABLED DEFINE PORT 4 Modem Control ENABLED DEFINE PORT 4 PPP ENABLED DEFINE PORT 4 Radius ENABLED DEFINE PORT 4 SPEED 115200 DEFINE PORT 4 STOP BITS 1 FLOW CONTROL CTS DEFINE PORT 4 PPP COMPRESS ENABLED DEFINE PORT 4 PPP LOCAL ADDRESS 192.168.1.24 DEFINE PORT 4 PPP HOST ADDRESS 192.168.1.122 DEFINE PORT 4 PPP SUBNET MASK 255.255.255.0 DEFINE PORT 4 PPP PAP USER DEFINE PORT 4 DEDICATED PPP If it is necessary for some particular reason to associate a particular IP address with a specific user, an IP address can be configured in the users file. Any IP addresses configured in the users file will then override the host IP address configured on the EasyServer II port. pppuser Authentication-Type = Unix-PW Service-Type = Framed, Framed-Protocol = PPP, Framed-IP-Address = 192.168.50.2, Framed-IP-Netmask = 255.255.255.0, Framed-Routing = None, Framed-MTU = 1500, Framed-Compression = Van-Jacobson-TCP-IP Figure 5 In the output of the SHOW PORT 4 PPP command, we can see that the originally configured IP address of 192.168.1.122, as used in the previous example, has now been overridden by the user specific IP address of 192.168.50.2 show port 4 ppp Port 4: PORT_04 Name: PORT_04 Status: Connected LCP:open IPCP:open Local Addr: 192.168.1.24 MTU: 1500 Remote Addr: 192.168.50.2 Compress: Enabled Subnet Mask: 255.255.255.0 Character Map: FFFFFFFF PAP Security: User CHAP Security: Disabled CHAP Retry: 0 CHAP Rechallenge Time: 0 For a more generalized dial in user configuration, where the user may or may not be using PPP, the EasyServer II port configuration may appear as follows. The users file will not change. There are three significant changes in the configuration of this port as opposed to port 4 in the previous example. 1) The Login Account characteristic has been enabled 2) The PAP user authentication characteristic has been disabled 3) The port is no longer dedicated to PPP operation Figure 6 DEFINE PORT 5 Autobaud DISABLED DEFINE PORT 5 Login Account ENABLED DEFINE PORT 5 Modem Control ENABLED DEFINE PORT 5 PPP ENABLED DEFINE PORT 5 Radius ENABLED DEFINE PORT 5 SPEED 115200 DEFINE PORT 5 STOP BITS 1 FLOW CONTROL CTS DEFINE PORT 5 PPP COMPRESS ENABLED DEFINE PORT 5 PPP LOCAL ADDRESS 192.168.1.24 DEFINE PORT 5 PPP HOST ADDRESS 192.168.1.123 DEFINE PORT 5 PPP SUBNET MASK 255.255.255.0 When the incoming user connects to the EasyServer II, they will be presented with a username prompt, followed by a password prompt. This username and password prompt will then be authenticated by RADIUS in the usual way. After the authentication phase has been completed, the Service-Type associated with the Revision 1.0 April, 98 Page 4 of 5

user will then commence. This may be a Framed-Protocol, such as PPP, the Administrative-User service, or any other allowable service. No changes to the users file examples given above are required for this feature to work, only changes to the EasyServer II configuration. Conclusions The RADIUS feature of the EasyServer II, in conjunction with a RADIUS server, provides a very flexible and secure mechanism for authenticating users and providing them with standard user connection profiles. These features are particularly appropriate in situations that involve a large number of dialin users, e.g. an ISP. This article does not touch on the user accounting features that are available with RADIUS. That will be the subject of a separate Application Note. INFORMATION CONTAINED IN THIS DOCUMENT (referred to as an Application Note) IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND BY STALLION TECHNOLOGIES PTY LTD, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. The user assumes the entire risk as to the accuracy and the use of this Application Note. This Application Note may be copied and distributed subject to the following conditions: 1) All text must be copied without modification and all pages must be included. 2) If software is included, all files on the disk(s) must be copied without modification. 3) All components of this Application Note must be distributed together. 4) This Application Note may not be distributed for profit. Copyright (C) 1998 Stallion Technologies. All Rights are Reserved Revision 1.0 April, 98 Page 5 of 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information