User`s guide

ManualsBrandsDigi ManualsComputer equipmentTransPort WR41

341

342

343

344

345

346

347

348

349

350

347

Configuration – Security > RADIUS

The RADIUS client may be used for authentication purposes at the start of remote command

sessions, SSH sessions, FTP sessions, HTTP sessions and Wi-Fi client connections (PEAP &

EAP-TLS). Depending on how the RADIUS client is configured, the router may authenticate

with one or two RADIUS servers, or may authenticate a user locally using the existing table

configured on the router.

There are 2 RADIUS client configurations, RADIUS client 0 and RADIUS client 1, both have

specific functions and the correct instance (0 or 1 or both) should be configured depending

on the requirements.

To use RADUIUS for authenticating router administration access, configure RADIUS client 0.

To use RADUIUS for authenticating Wi-Fi clients, configure RADIUS client 1.

When the router has obtained the remote user username and password, the RADIUS client

is used to pass this information (from the Username and Password attributes) to the

specified RADIUS server for authorisation. The server should reply with an ACCEPT or

REJECT message.

The RADIUS client may be configured with up to two Network Access Servers (NAS). It may

also have local authentication turned on or off depending on system requirements.

When a user is authenticated, the configured RADIUS servers are contacted first. If a valid

ACCEPT or REJECT message is received from the server, the user is allowed or denied

access respectively. If no response is received from the first server, the second server is

tried (if configured). If that server fails to respond, local authentication is used unless

disabled. If both servers are unreachable and local authentication is disabled, all

authentication attempts fail.

If a RADIUS server replies with a REPLY-MESSAGE attribute (18), the message will be

displayed to the user after the login attempt and after any configured “post-banner”

message. The router will then display a “Continue Y/N?” prompt to the user. If “N” is

selected, the remote session will be terminated. This applies to remote command sessions

and SSH sessions only.

If the login attempt is successful and the server sends an IDLE-TIMEOUT attribute (28), the

idle time specified will be assigned to the remote session. If no IDLE-TIMEOUT attribute is

sent, the router will apply the default idle timeout values to the session.

The access level is determined by the value of the SERVICE-TYPE attribute returned by the

RADIUS server. Administrative access is determined by the value 6 being returned by the

server. Any other value or no value returned will result in the access level “low” being

assigned.

When the session starts and ends, the router will send the RADIUS accounting START/STOP

messages to the configured server. Again, if no response is received from the primary

accounting server, the secondary server will be tried. No further action is taken if the

secondary accounting server is unreachable.

As a consequence of the fact that the router has separate configurations for authorisation

and accounting servers, it is possible to configure the router to perform authorisation

functions only, accounting only, or both. An example of how this might be used could be to

perform local authorisations but send accounting start/stop records to an accounting server.