User's manual

MediaPack SIP User’s Manual 12. Security (MP-11x Only)
Version 4.6 217 June 2005
12.2 RADIUS Login Authentication (MP-11x Only)
Users can enhance the security and capabilities of logging in to the gateway's Web and Telnet
embedded servers by using a Remote Authentication Dial-In User Service (RADIUS) server to store
numerous usernames and passwords, allowing multiple user management on a centralized
platform. RADIUS (RFC 2865) is a standard authentication protocol that defines a method for
contacting a predefined server and verifying a given name and password pair against a remote
database, in a secure manner.
When accessing the Web and Telnet servers, users must provide a valid username and
password. When RADIUS authentication isn’t used, the username and password are
authenticated with the Embedded Web Server’s Administrator or Monitoring usernames and
passwords (refer to Section 5.2.1 on page 47) or with the Telnet server's username and
password stored internally in the gateway's memory. When RADIUS authentication is used, the
gateway doesn't store the username and password but simply forwards them to the
pre-configured RADIUS server for authentication (acceptance or rejection). The internal Web / Telnet
passwords are used as a fallback mechanism in case the RADIUS server is down. Note that
when RADIUS authentication is performed, the Web / Telnet servers are blocked until a response
is received (with a timeout of 5 seconds).
RADIUS authentication requires HTTP basic authentication, meaning the username and
password are transmitted in clear text over the network. Users are therefore recommended to
set the parameter 'HttpsOnly = 1' to force the use of HTTPS, whose transport is encrypted.
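The exchange described above, worked through in Python as an added example (it is not code from the manual or from the gateway vendor): the gateway hides the password as RFC 2865 section 5.2 specifies, using the shared secret and a random Request Authenticator; the server chooses the secret by the request's source address (the role of clients.conf), recovers the password, checks it against a plain-text user table of the kind shown later in this section, and signs its reply with the Response Authenticator of RFC 2865 section 3, which the gateway verifies before trusting an Accept or Reject. The client address, secret and user entries are the values from Figures 12-4 and 12-5; the function names, the fixed Identifier, and the absence of a UDP socket and retransmission are assumptions of the example.

```python
import hashlib
import secrets
import struct

# RFC 2865 codes and attribute types used below (Service-Type 1 = Login-User)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_LOGIN_USER = 1

# Constructed tables mirroring Figures 12-4 and 12-5: the shared secret keyed by the
# address a request arrives from, and the plain-text user database (example values).
CLIENTS = {"10.31.4.47": b"FutureRADIUS"}
USERS = {b"john": b"qwerty", b"larry": b"123456"}


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks and XOR each block with
    MD5(secret + previous output block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], stream))
        out += chunk
        prev = chunk
    return bytes(out)


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse; trailing NULs are padding, so passwords cannot contain NUL."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def attr(attr_type, value):
    """One Type-Length-Value attribute; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(pkt):
    """Return (code, identifier, authenticator, {type: value}); malformed lengths raise."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match datagram size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_request(ident, username, password, secret, nas_ip):
    """What the gateway sends: a fresh random Request Authenticator and the hidden password."""
    request_auth = secrets.token_bytes(16)
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN_USER)))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(request, source_ip, clients=CLIENTS, users=USERS):
    """Server side: secret chosen by the datagram's source address, as clients.conf does;
    unknown clients and malformed requests are silently dropped (None, no reply)."""
    secret = clients.get(source_ip)
    if secret is None:
        return None
    try:
        code, ident, request_auth, attrs = parse_packet(request)
        if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
            return None
        given = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    except ValueError:
        return None
    expected = users.get(attrs[ATTR_USER_NAME])
    ok = expected is not None and secrets.compare_digest(given, expected)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN_USER)) if ok else b""
    resp_auth = response_authenticator(reply_code, ident, reply_attrs, request_auth, secret)
    return build_packet(reply_code, ident, resp_auth, reply_attrs)


def client_verdict(request, reply, secret):
    """Gateway side: 'accept'/'reject' only when the Identifier matches and the Response
    Authenticator verifies under the shared secret; anything else is 'no-response', the
    case the manual covers with the 5-second timeout and the internal-password fallback."""
    if reply is None:
        return "no-response"
    try:
        code, ident, resp_auth, _ = parse_packet(reply)
        _, req_ident, request_auth, _ = parse_packet(request)
    except ValueError:
        return "no-response"
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    if ident != req_ident or not secrets.compare_digest(resp_auth, expected):
        return "no-response"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "no-response")


def authenticate(username, password, source_ip="10.31.4.47", secret=b"FutureRADIUS"):
    """End-to-end exchange between the MP-11x (client) and the RADIUS server, in-process."""
    request = build_access_request(7, username, password, secret, source_ip)
    return client_verdict(request, server_handle(request, source_ip), secret)
```

`authenticate(b"john", b"qwerty")` returns "accept" and `authenticate(b"john", b"wrong")` returns "reject"; a request from an address not in `CLIENTS`, or a reply signed with a different secret than the gateway holds, yields "no-response". That last case is the point of the authenticator check: a reply the gateway cannot verify is treated exactly like a lost datagram, so the timeout and the fallback to the internal Web / Telnet passwords, not the unverified reply, decide the login.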
12.2.1 Setting Up a RADIUS Server
A free RADIUS server, FreeRADIUS, can be downloaded from www.freeradius.org. Follow the
directions on that site for information on installing and configuring the server. If you use a
RADIUS server from a different vendor, refer to its documentation.
To set up a RADIUS server, take these 4 steps:
1. Define the MP-11x as an authorized client of the RADIUS server, with a predefined ‘shared
secret’ (a password used to secure communication). The figure below displays an example
of the file clients.conf (FreeRADIUS client configuration).
Figure 12-4: Example of the File clients.conf (FreeRADIUS Client Configuration)
#
# clients.conf - client configuration directives
#
client 10.31.4.47 {
        secret = FutureRADIUS
        shortname = tp1610_master_tpm
}
2. In the RADIUS server, define the list of users authorized to use the MP-11x, using one of the
password authentication methods supported by the server implementation. The following
example shows a user configuration file for FreeRADIUS using a plain-text password.
Figure 12-5: Example of a User Configuration File for FreeRADIUS Using a Plain-Text Password
# users - local user configuration database
john    Auth-Type := Local, User-Password == "qwerty"
        Service-Type = Login-User
larry   Auth-Type := Local, User-Password == "123456"
        Service-Type = Login-User