Setting up Radius Authentication


This article applies to:

  • R3000

Question:

Setting up Radius Authentication

Reply

Setting up Radius Authentication

The Radius feature uses a Radius accounting server that determines which accounts will be filtered and how they will be filtered. The user profile in the Radius accounting server holds the filter definition for the user. Depending on your network setup, there may be more than one accounting server. There may also be a client (Network Access Server or proxy server) that sends accounting request packets to the Radius accounting server.

The filter definition for the user must be a Class Attribute 25 (String). As an example:

xstop:Rule4

Rule4 would be a preconfigured Rule defined on the R3000, and xstop:Rule4 is the Class Attribute for the Radius user profile.

Enable Radius

The Radius Mode is Off by default. To use Radius, click the On radio button. This action displays the Radius Authentication Settings frame.

Specify Radius Authentication Settings

1. In the Radius Server field, 1.2.3.9 displays by default. Enter the IP address of the Radius accounting server.

2. In the Radius Port number field, 1813 displays by default. Change this number only if the Radius accounting server uses a different port number.

3. In the Byte Order Mode field, specify the format in which bytes will be transferred:

- Click the radio button corresponding to Network Byte Order to transfer the most significant byte first.

- Click the radio button corresponding to Host Byte Order to use the byte order stored in the server (big endian or little endian order).

NOTE: The byte order should match the setting on the Radius accounting server.

4. In the Forward Mode field, specify whether accounting request packets will be delivered from the client (NAS or proxy server) to the Radius accounting server.

To enable the Forward Mode option:

- Click the On radio button. The NAS will forward accounting request packets to the Radius accounting server.

- Check the box for Use R3000 IP as Source IP, if the IP address of the R3000 server (eth0 or eth1) should be used when forwarding packets instead of the IP address of the NAS.

To disable the Forward Mode option, click the Off radio button. This action causes the Use R3000 IP as Source IP field to display greyed out.

5. In the Reply Mode field, specify whether the server that sent a request should receive a response.

To enable the Reply Mode option:

- Click the On radio button. A reply and accounting response packet will be submitted to the sender (NAS or Radius server).

- Enter an Authenticated Phrase to be shared by the Radius server and NAS.

- At the Copy Proxy State field, click the On radio button if you wish to copy the proxy state attribute to the packet.

NOTE: The copy proxy state attribute will only be added to the response packet if the Reply Mode is On. If the Radius accounting server is in the Forward Mode and the Reply Mode is Off, the copy proxy state attribute will be forwarded to the destination server, but no reply will be sent back to the client.

Apply Settings

Click Apply to save your settings.

----------------------

The R3000 requires the following information from the Radius accounting server:

For the logons:
1. User
2. Framed_ipaddr
3. Acct_status{Start}
4. Class

For the logoff:
1. Framed_ipaddr
2. Acct_status{stop}

------------------------

Radius string examples:

xstop:A, R PORN, 1

Make sure there is no space after the word "xstop". This would be WRONG: "xstop: A"

More examples:

To block the Pornography category, and deliver a custom block page:
xstop:B 80 I,J R GPORN I, 1,http://www.company.com/blockpage.html

To use a pre-defined Rule instead of specifying categories:
xstop:Rule6,http://www.company.com/blockpage.html

To use a Rule, deliver a custom block page, and enable filtering options (in this case, Yahoo/Google/Ask/AOL Safe Search Enforcement):
xstop:Rule6,http://www.company.com/blockpage.html,0x5
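The following is an added example, not code from the article or from the R3000 product: it encodes and decodes standard RADIUS attribute value pairs (User-Name, Framed-IP-Address, Class, Acct-Status-Type per RFC 2865/2866) and then checks that an accounting record carries the fields the list above requires, including a Class string that starts with "xstop:" and has no space after the colon. The attribute numbers are the standard ones; the function names and sample values are the example's own.

```python
# Added example (not from the KB article): RADIUS attribute encode/decode plus a
# check for what the R3000 needs (User, Framed_ipaddr, Acct_status, Class).
import ipaddress
import struct

# Standard RADIUS attribute types and Acct-Status-Type values (RFC 2865/2866)
USER_NAME, FRAMED_IP_ADDRESS, CLASS, ACCT_STATUS_TYPE = 1, 8, 25, 40
ACCT_START, ACCT_STOP = 1, 2

def encode_avps(avps):
    """Serialize (type, value) pairs as RADIUS TLVs: type(1) length(1) value."""
    out = b""
    for typ, val in avps:
        raw = (ipaddress.IPv4Address(val).packed if typ == FRAMED_IP_ADDRESS
               else struct.pack("!I", val) if typ == ACCT_STATUS_TYPE  # big endian
               else val.encode())
        if not 1 <= len(raw) <= 253:  # length octet counts the 2-byte header
            raise ValueError(f"attribute {typ}: value length {len(raw)} out of range")
        out += struct.pack("!BB", typ, len(raw) + 2) + raw
    return out

def decode_avps(data):
    """Parse TLVs into {type: value}; rejects truncated or undersized lengths."""
    avps, i = {}, 0
    while i < len(data):
        typ, length = data[i], (data[i + 1] if i + 1 < len(data) else 0)
        if length < 3 or i + length > len(data):
            raise ValueError(f"attribute {typ}: truncated or bad length {length}")
        raw = data[i + 2:i + length]
        avps[typ] = (str(ipaddress.IPv4Address(raw)) if typ == FRAMED_IP_ADDRESS
                     else struct.unpack("!I", raw)[0] if typ == ACCT_STATUS_TYPE
                     else raw.decode("latin-1"))
        i += length
    return avps

def r3000_problems(avps):
    """List reasons an accounting record could not drive R3000 filtering."""
    problems, status = [], avps.get(ACCT_STATUS_TYPE)
    if status not in (ACCT_START, ACCT_STOP):
        problems.append("Acct-Status-Type must be Start (1) or Stop (2)")
    if FRAMED_IP_ADDRESS not in avps:
        problems.append("Framed-IP-Address missing")
    if status == ACCT_START:
        if USER_NAME not in avps:
            problems.append("User-Name missing on Start")
        cls = avps.get(CLASS, "")
        if not cls.startswith("xstop:") or cls[6:7] in ("", " "):
            problems.append("Class must be 'xstop:' followed immediately by a rule")
    return problems
```

Running a captured Start record through `decode_avps` and then `r3000_problems` shows at a glance why the R3000 might ignore an account, for example a Class value written as "xstop: A" instead of "xstop:A".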


This article was previously published as:
8e6 KB 300308

Last Modified 1/5/2009.
https://support.trustwave.com/kb/KnowledgebaseArticle12641.aspx