User's guide
346
The RADIUS client may be configured with up to two Network Access Servers (NAS). It may
also have local authentication turned on or off depending on system requirements.
When a user is authenticated, the configured RADIUS servers are contacted first. If a valid
ACCEPT or REJECT message is received from the server, the user is allowed or denied
access respectively. If no response is received from the first server, the second server is
tried (if configured). If that server fails to respond, local authentication is used unless
disabled. If both servers are unreachable and local authentication is disabled, all
authentication attempts fail.
If a RADIUS server replies with a REPLY-MESSAGE attribute (18), the message will be
displayed to the user after the login attempt and after any configured “post-banner”
message. The router will then display a “Continue Y/N?” prompt to the user. If “N” is
selected, the remote session will be terminated. This applies to remote command sessions
and SSH sessions only.
If the login attempt is successful and the server sends an IDLE-TIMEOUT attribute (28), the
idle time specified will be assigned to the remote session. If no IDLE-TIMEOUT attribute is
sent, the router will apply the default idle timeout values to the session.
The access level is determined by the value of the SERVICE-TYPE attribute returned by the
RADIUS server. Administrative access is granted when the server returns the value 6. Any
other value, or no value at all, results in the access level “low” being assigned.
When the session starts and ends, the router will send the RADIUS accounting START/STOP
messages to the configured server. Again, if no response is received from the primary
accounting server, the secondary server will be tried. No further action is taken if the
secondary accounting server is unreachable.
Because the router has separate configurations for authorisation and accounting servers, it
can be configured to perform authorisation only, accounting only, or both. For example, the
router could perform local authorisation but send accounting start/stop records to an
accounting server.
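The failover order and the handling of the SERVICE-TYPE, IDLE-TIMEOUT and REPLY-MESSAGE attributes described above, modelled as an added Python example (not code from the guide or from the router's firmware). It assumes a placeholder default idle timeout of 300 seconds and represents each server's reply as a simple tuple holding the RFC 2865 attribute bytes rather than a full RADIUS packet.

```python
import struct
SERVICE_TYPE, REPLY_MESSAGE, IDLE_TIMEOUT = 6, 18, 28   # RFC 2865 attribute types
ADMINISTRATIVE_USER = 6        # Service-Type value that yields admin access
DEFAULT_IDLE_TIMEOUT = 300     # assumed router default in seconds (placeholder)

def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value   # length byte covers the 2-byte header

def parse_attributes(payload: bytes) -> dict:
    """Walk the type/length/value list; reject truncated or zero-length items."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(payload[i + 2:i + alen])
        i += alen
    return attrs

def session_policy(attrs: dict) -> dict:
    """Derive access level, idle timeout and banner text from an Access-Accept."""
    level = "low"                                   # any value but 6 -> "low"
    for v in attrs.get(SERVICE_TYPE, []):
        if len(v) == 4 and struct.unpack("!I", v)[0] == ADMINISTRATIVE_USER:
            level = "admin"
    idle = DEFAULT_IDLE_TIMEOUT                     # applies when attribute 28 is absent
    for v in attrs.get(IDLE_TIMEOUT, []):
        if len(v) == 4:
            idle = struct.unpack("!I", v)[0]
    msgs = [m.decode("utf-8", "replace") for m in attrs.get(REPLY_MESSAGE, [])]
    return {"access": level, "idle_timeout": idle, "reply_messages": msgs}

def authenticate(responses: list, local_enabled: bool, local_ok: bool) -> dict:
    """Failover: primary, secondary, then local. responses: None (no reply) or (code, attr bytes)."""
    for code, payload in (r for r in responses if r is not None):   # skip timeouts
        if code == "ACCEPT":
            return {"allowed": True, "source": "radius",
                    **session_policy(parse_attributes(payload))}
        return {"allowed": False, "source": "radius"}   # a valid REJECT is final
    if local_enabled:
        return {"allowed": local_ok, "source": "local"}
    return {"allowed": False, "source": "none"}         # all servers down, local off

# Constructed sample Access-Accept body: admin service type, 600 s idle, one banner.
SAMPLE_ACCEPT = (attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE_USER))
                 + attr(IDLE_TIMEOUT, struct.pack("!I", 600))
                 + attr(REPLY_MESSAGE, b"Welcome, administrator"))
```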
RADIUS Client n
Configuration – Security > Radius > RADIUS Client n
The following pages describe the configuration parameters available for setting up a RADIUS
client on the router.
Authorization
Primary Authorization Server
IP Address a.b.c.d
The value in this text box specifies the IP address of the primary authorisation NAS.
NAS ID
The value in this text box is an identifier which is passed to the primary authorisation NAS
and is used to identify the RADIUS client. The appropriate value will be supplied by the
primary authorisation NAS administrator.
Password
The value in this text box is the password supplied by the primary authorisation NAS
administrator and is used in conjunction with the primary authorisation NAS ID to
authenticate RADIUS packets.