RSA RADIUS Server 6.
Contact Information See our web site for regional Customer Support telephone and fax numbers. RSA Security Inc. www.rsasecurity.com RSA Security Ireland Limited www.rsasecurity.ie Copyright Copyright © 2005 RSA Security, Inc. All rights reserved. No part of this document may be reproduced, modified, distributed, sold, leased, transferred, or transmitted, in any form or by any means, without the written permission of RSA Security, Inc. Information in this document is subject to change without notice.
• • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. The name of Cambridge Broadband Ltd. may not be used to endorse or promote products derived from this software without specific prior written permission.
Sun Microsystems, Solaris, and all Sun-based trademarks and logos, Java, HotJava, JavaScript, the Java Coffee Cup Logo, and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Raima, Raima Database Manager and Raima Object Manager are trademarks of Birdstep Technology.
Contents
About This Guide
Audience  ix
What’s In This Manual  ix
Related Documentation  xi
Chapter 1 About RSA RADIUS Server
RSA RADIUS Server Features
Chapter 2 Installing the RSA RADIUS Server
Before You Begin  19
Required Files  19
Data Migration/Registration  19
Installing on Windows
Chapter 5 Administering Profiles
About Profiles  51
Adding a Checklist or Return List Attribute for a Profile  51
Resolving Profile and User Attributes  52
Default Profile  52
Setting Up Profiles
Appendix A Using the LDAP Configuration Interface
LDAP Configuration Interface File  81
About the LDAP Configuration Interface  82
LDAP Utilities  82
LDAP Requests
About This Guide The RSA RADIUS Server 6.1 Administrator’s Guide describes how to install, configure, and administer the RSA RADIUS Server software on a server running the Solaris operating system, the Linux operating system, or the Windows 2000 or Windows Server 2003 operating systems. Audience This manual is intended for network administrators responsible for implementing and maintaining authentication, authorization, and accounting services.
• Chapter 4, “Administering RADIUS Clients,” describes how to set up remote access server (RAS) devices as RSA RADIUS Server clients.
• Chapter 5, “Administering Profiles,” describes how to set up user profiles to simplify user administration.
• Chapter 6, “Displaying Statistics,” describes how to use the monitoring capabilities in RSA RADIUS Server.
• Chapter 7, “Administering RADIUS Servers,” describes how to manage RADIUS server replication.
• Angle brackets < > enclose a list from which you must choose an item in format and syntax descriptions.
• A vertical bar ( | ) separates items in a list of choices. In the following example, you must specify add or replace (but not both): [AttributeName] = Attribute [,Attribute]
Related Documentation
The following documents supplement the information in this manual.
RSA RADIUS Server Documentation
The RSA RADIUS Server 6.
• Internet-Draft, “The Protected One-Time Password Protocol (EAP-POTP)”, M. Nystrom, June 2005. ftp://ftp.rsasecurity.com/pub/otps/eap/draft-nystrom-eap-potp-02.html
Third-Party Products
For more information about configuring your access servers and firewalls, consult the manufacturer’s documentation provided with each device.
Getting Support and Service
RSA SecurCare Online https://knowledge.rsasecurity.com
Customer Support Information www.rsasecurity.
Chapter 1 About RSA RADIUS Server RSA RADIUS Server is a complete implementation of the industry-standard RADIUS (Remote Authentication Dial-In User Service) protocols. RSA RADIUS Server is designed to meet the access control and policy management requirements of enterprises.
• Centralized configuration management (CCM) provides simplified configuration management and automatic data distribution for multi-server environments.
• Authentication logs provide a complete audit trail of user authentication activity and administrative transactions.
• Encryption of communication between the RSA RADIUS Server and the RSA Authentication Manager prevents electronic eavesdropping.
[Flow diagram; participants: Access Client, Remote Access Server, RSA RADIUS Server, RSA Authentication Manager. Labelled steps:]
1. Connection Request
Connection Notification
2. TTLS/PAP Tunnel Negotiation (a TTLS/PAP tunnel is established between the Access Client and the RSA RADIUS Server)
3. User ID/Passcode?
4. User ID/Passcode
5. User ID/Passcode (forwarded to the RSA Authentication Manager)
6a. Passcode Accepted (Profile Name), or 6b. passcode not accepted
7a. Access-Accept (Attributes), or 7b. Access-Reject
8a. Connection Accepted, or 8b. Connection Refused
If the user ID is not found or if the passcode is not appropriate for the specified user, the RSA Authentication Manager returns a message indicating the passcode is not accepted (6b).
7 If the RSA RADIUS server receives a message indicating the passcode is accepted, it forwards a RADIUS Access-Accept message to the RAS (7a).
– If the RSA Authentication Manager specified a profile name with the accept message, the RSA RADIUS server sends the return list attributes associated with that profile to the RAS.
Each RADIUS packet supports a specific purpose: authentication or accounting. A packet can contain values called attributes. The attributes found in each packet depend upon the type of packet (authentication or accounting) and the device that sent it (for example, the specific make and model of the RAS device acting as a RADIUS client). For information on RADIUS authentication packet structures and attributes, see RFC 2865, Remote Authentication Dial In User Service (RADIUS).
• The RADIUS shared secret to be used by the RSA RADIUS Server and the client device. For information on RADIUS shared secrets, see “Shared Secrets” on page 6.
• The UDP ports on which to send and receive RADIUS authentication and accounting packets. RSA RADIUS Server uses UDP ports 1645 and 1812 for authentication and UDP ports 1646 and 1813 for accounting. Ports 1812 and 1813 are the IANA-assigned RADIUS ports; 1645 and 1646 are the earlier de facto ports, which RFC 2865 notes conflict with the “datametrics” service, so configure clients to use 1812 and 1813 where they support them. For more information, see “RADIUS Ports” on page 8.
Shared Secrets
A shared secret is a text string that serves as a password between hosts.
RADIUS Secret
A RADIUS shared secret is a case-sensitive password used to validate communications between a RADIUS server, such as RSA RADIUS Server, and a RADIUS client, such as an Access Point (AP) or Remote Access Server (RAS). RSA RADIUS Server supports shared secrets of up to 127 alphanumeric characters, including spaces and the following special characters: ~!@#$%^&*()_+|\=-`{}[]:"';<>?/., Identical shared secrets must be configured on both sides of the RADIUS communication link. Because RADIUS derives both the Response Authenticator and the User-Password hiding from this secret with MD5, use a long, random secret (RFC 2865 recommends at least 16 octets) and a different secret for each RADIUS client.
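The following script, added here as an example (it is not RSA RADIUS Server code), shows what the shared secret actually does on the wire according to RFC 2865, which this guide cites for packet structure: the RAS hides the PAP passcode with MD5(secret + Request Authenticator), the server reveals it with its own copy of the secret, and the server's Access-Accept carries a Response Authenticator that the RAS can only verify if both sides hold the identical, case-sensitive secret. The user name, passcode and secrets are constructed values; the client-to-secret lookup by source address is stated in a comment rather than implemented.

```python
"""Shared-secret mechanics from RFC 2865: hiding a PAP User-Password with the
secret, and computing and verifying the Response Authenticator on the reply.
Added example, not RSA RADIUS Server code; every packet is constructed here."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18


def encode_attrs(attrs):
    """RADIUS attributes are TLVs: Type (1 byte), Length (1 byte, counting the
    2-byte header), Value (at most 253 bytes)."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    attrs = []
    while data:
        atype, alen = struct.unpack("!BB", data[:2])
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[2:alen]))
        data = data[alen:]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous ciphertext block); the Request Authenticator
    seeds the chain. Only a holder of the same secret can reverse it."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, request_auth, username, password, secret):
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(password, secret, request_auth))])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, identifier, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth +
    Attributes + Secret): the reply is bound to the request and the secret."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """Client-side check with the client's own copy of the secret; fails when
    the secrets differ (they are case-sensitive) or the packet was altered."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo(secret=b"s3cret", wrong_secret=b"S3cret", request_auth=None):
    """Round trip: the RAS hides the passcode, the server reveals it and answers
    Access-Accept, the RAS verifies the answer. Returns the outcome of each check."""
    request_auth = request_auth or os.urandom(16)
    req = build_access_request(7, request_auth, b"alice", b"1234567890", secret)
    attrs = dict(decode_attrs(req[20:]))  # server: the client entry (by source IP) supplies the secret
    passcode = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    accept = build_response(ACCESS_ACCEPT, 7, request_auth,
                            [(REPLY_MESSAGE, b"Welcome")], secret)
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])  # one byte of Reply-Message flipped
    return {
        "passcode_recovered": passcode == b"1234567890",
        "wrong_secret_garbles": reveal_password(attrs[USER_PASSWORD], wrong_secret,
                                               request_auth) != b"1234567890",
        "accept_verifies": verify_response(accept, request_auth, secret),
        "wrong_secret_fails": not verify_response(accept, request_auth, wrong_secret),
        "tampering_fails": not verify_response(tampered, request_auth, secret),
    }
```

Note that nothing in this exchange authenticates the Access-Request itself: a Request Authenticator is random, not a MAC, so a server that cannot find a client entry for the source address must drop the packet (the “silent discard” counted in the statistics chapter) rather than guess a secret.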
The RSA Authentication Manager software views the RSA RADIUS Server service as a host agent. Communication between RSA RADIUS Server and RSA Authentication Manager uses specific UDP ports, which are configured during installation. To prevent “masquerading” by unauthorized hosts, you configure RSA Authentication Manager with the IP addresses of each RSA RADIUS Server host.
Table 1. RADIUS Authentication Messages and Attributes (Continued)
Message: Access-Accept
Conditions: When a RADIUS server authenticates a connection request, it returns a RADIUS Access-Accept to the RAS.
Purpose of Message: Allow the RAS to complete access negotiations. Configure connection details such as providing the RAS with an IP address it can assign to the user. Enforce time limits and other “class of service” restrictions on the connection.
Table 2. Message Conditions and Attributes (Continued)
Message: Start
Conditions: After receiving an Access-Accept from the server, the RAS completes its access negotiation with the user. The RAS then sends a Start message to the server.
Purpose of Message: Record connection data such as user ID, RAS identifier, RAS port identifier, port type, and connection start time.
Message: Stop
Conditions: After a connection is terminated, the RAS sends a Stop message to the server.
Purpose of Message: Record statistics regarding the connection.
Tunneled Accounting During authentication, a user is typically identified by attributes such as User-Name (in the authentication request) and Class (in the authentication accept response). Standard RADIUS accounting requests typically include these attributes in messages flagging Start, Interim, and Stop events so that the user’s identity can be recorded for accounting and auditing purposes.
6 The server processes the accounting request locally. To implement tunneled accounting, you must configure the classmap.ini file to specify how attributes should be presented, and you must configure the spi.ini file to specify the keys that are used to encrypt and decrypt users’ identity information. Attributes You work with RADIUS attributes while setting up users, profiles, and RADIUS clients on the RSA RADIUS Server.
nonstandard attributes that it encounters in the packet. Standard RADIUS attributes are always defined by the radius.dct file. If you do not know the make/model for a RADIUS client, choose the default option: - Standard Radius -. For the most part, the selections currently available in the Make/model field are devices whose vendors have provided up-to-date attribute dictionaries.
During authentication, RSA RADIUS Server filters the checklist based on the dictionary for the RADIUS client that sent the authentication request. The server ignores any checklist attribute that is not valid for this device. Return List Attributes A return list is a list of attributes that RSA RADIUS Server must return to the RAS after authentication succeeds. The return list usually provides additional parameters that the RAS needs to complete the connection, typically as part of PPP negotiations.
Framed-Compression attribute to appear twice in the return list: once with the value VJ-TCP-IP-header-compression and once with the value IPX-header-compression. Orderable Attributes Certain multi-valued return list attributes are also orderable; that is, the attribute can appear more than once in a RADIUS response, and the order in which the attributes appear is important. For example, the Reply-Message attribute allows text messages to be sent back to the user for display.
If an attribute appears once in the checklist marked as default, and the same attribute appears in the return list marked as echo, the server echoes the actual value of the attribute in the RADIUS response if the attribute appears in the RADIUS request. If the attribute does not appear in the RADIUS request, the server echoes the default value (from the checklist) in the response. If you add multiple values of the same attribute to the checklist, only one of them can be marked as default.
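The resolution rules above (checklist filtered by the client's dictionary, a default checklist value standing in when the request lacks the attribute, an echo return-list item copied from the request or from that default, and multi-valued or orderable attributes appearing once per entry in list order) are small enough to write down as code. The following is an added example, not RSA RADIUS Server code. The guide states the echo/default rule but not what a checklist match requires, so this script assumes the usual meaning: a request must carry one of the listed values for every checklist attribute the client dictionary knows, unless that attribute has a default. Acme-Tunnel-Group is a hypothetical vendor attribute used only to show dictionary filtering; the dictionary, profile and requests are constructed.

```python
"""Checklist and return-list resolution as described in the chapter above.
Added example, not RSA RADIUS Server code. Assumed (not stated in the guide):
a checklist attribute that the client's dictionary knows must be matched by
the request unless it carries a default value."""
from collections import OrderedDict
from typing import List, Optional, Set, Tuple


class ChecklistItem:
    def __init__(self, attr: str, value: str, default: bool = False):
        self.attr, self.value, self.default = attr, value, default


class ReturnItem:
    """Either a fixed value or an echo marker, never both."""
    def __init__(self, attr: str, value: Optional[str] = None, echo: bool = False):
        if echo == (value is not None):
            raise ValueError("give a value or echo=True, not both or neither")
        self.attr, self.value, self.echo = attr, value, echo


def validate_checklist(checklist: List[ChecklistItem]) -> None:
    """Only one value of a given attribute may be marked as default."""
    defaults = [c.attr for c in checklist if c.default]
    if len(defaults) != len(set(defaults)):
        raise ValueError("more than one default value for an attribute")


def resolve(dictionary: Set[str], checklist: List[ChecklistItem],
            return_list: List[ReturnItem],
            request: List[Tuple[str, str]]) -> Tuple[bool, List[Tuple[str, str]]]:
    """Return (accepted, response attributes) for one Access-Request."""
    validate_checklist(checklist)
    req = OrderedDict()
    for attr, value in request:
        req.setdefault(attr, []).append(value)

    # Checklist attributes this client's dictionary does not define are ignored.
    wanted = OrderedDict()
    for item in checklist:
        if item.attr in dictionary:
            wanted.setdefault(item.attr, []).append(item)

    defaults = {}
    for attr, items in wanted.items():
        default = next((i.value for i in items if i.default), None)
        if attr in req:
            allowed = {i.value for i in items}
            if any(v not in allowed for v in req[attr]):
                return False, []  # present, but not one of the listed values
        elif default is None:
            return False, []  # required attribute missing from the request
        else:
            defaults[attr] = default  # absent, but the default stands in

    response: List[Tuple[str, str]] = []
    for item in return_list:
        if not item.echo:
            response.append((item.attr, item.value))  # one entry per value, in order
        elif item.attr in req:
            response.extend((item.attr, v) for v in req[item.attr])
        elif item.attr in defaults:
            response.append((item.attr, defaults[item.attr]))
    return True, response


# Constructed sample data. Acme-Tunnel-Group is a hypothetical vendor attribute.
DICTIONARY = {"NAS-Port-Type", "Service-Type", "Framed-Compression", "Reply-Message"}
CHECKLIST = [
    ChecklistItem("NAS-Port-Type", "Wireless-802.11"),
    ChecklistItem("NAS-Port-Type", "Ethernet"),
    ChecklistItem("Service-Type", "Framed-User", default=True),
    ChecklistItem("Service-Type", "Login-User"),
    ChecklistItem("Acme-Tunnel-Group", "staff"),  # unknown to this client: ignored
]
RETURN_LIST = [
    ReturnItem("Service-Type", echo=True),
    ReturnItem("Framed-Compression", "VJ-TCP-IP-header-compression"),
    ReturnItem("Framed-Compression", "IPX-header-compression"),
    ReturnItem("Reply-Message", "Welcome"),           # orderable: shown first
    ReturnItem("Reply-Message", "Session limit 8h"),  # orderable: shown second
]


def demo():
    wifi = [("User-Name", "alice"), ("NAS-Port-Type", "Wireless-802.11")]
    login = wifi + [("Service-Type", "Login-User")]
    vpn = [("User-Name", "alice"), ("NAS-Port-Type", "Virtual")]
    return {name: resolve(DICTIONARY, CHECKLIST, RETURN_LIST, reqs)
            for name, reqs in (("wifi", wifi), ("login", login), ("vpn", vpn))}
```

The wifi request has no Service-Type, so the echo item returns the checklist default Framed-User; the login request carries Service-Type Login-User, so that value is echoed instead; the vpn request fails the NAS-Port-Type check and gets no return list at all.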
The Primary RADIUS Server maintains a list of the Replica RADIUS Servers that have registered with it. The Primary RADIUS Server uses this list to track which servers to notify after it publishes an updated configuration package to resynchronize the configuration of Replica RADIUS Servers.
Recovering a Replica After a Failed Download If a Replica RADIUS Server fails during the download of a configuration package, its configuration may be corrupted or it may have a stale secret. For information on how to recover a Replica after a failed download, refer to “Recovering a Replica After a Failed Download” on page 70.
Chapter 2 Installing the RSA RADIUS Server The RSA RADIUS Server software package includes the server software and various dictionary and configuration files to support authentication and accounting. This chapter describes how to install the RSA RADIUS Server software on a Windows, Solaris, or Linux host. Before You Begin Required Files The RSA RADIUS Server software requires the path to four files (sdconf.rec, radius.cer, radius.key, and server.cer) to communicate with RSA Authentication Manager.
attributes, and return list attributes; and RSA SecurID prompts used to format messages to users. Data migration also registers the RSA RADIUS Server as an agent host with RSA Authentication Manager. Registration information includes the server type (Primary or Replica), fully qualified name, administrative port number, and IP address. NOTE: If aliases are required to support network address translation (NAT), they must be configured manually on the RSA Authentication Manager host.
Installing the RSA RADIUS Server
To install the RSA RADIUS Server software on a Windows host:
1 Log on to the Windows server.
2 Run the RSA RADIUS Server software installation from a CD or from a network server.
– Using the CD-ROM installer – If you want to install the RSA RADIUS Server software from a CD, insert the RSA RADIUS Server installation CD-ROM, choose Start > Run, and enter the drive letter and setup command:
D:\setup
– Using the .msi file – Run the RSA RADIUS Server.
click the Browse button to locate the directory containing the sdconf.rec, radius.cer, server.cer, and radius.key files on your network. 9 When the Primary RSA RADIUS Server window opens, specify the replication secret used to authenticate communications between the Primary RADIUS Server and Replica RADIUS Servers in the Primary Shared Secret field.
Installing on Solaris
This section describes how to install and uninstall the RSA RADIUS Server on a Solaris server.
System Requirements
The RSA RADIUS Server software package includes the server daemon and various dictionary and database files to support user authentication.
Table 4. Solaris Server – System Requirements
Hardware: Sun UltraSPARC workstation
Operating system: Solaris 9
Memory: At least 256 megabytes of working memory.
Table 5. Command Options for the install_rsa.sh Command (Continued)
-identity  Specifies whether you are installing a Primary or Replica RADIUS Server. Valid values are PRIMARY and REPLICA. Default value is PRIMARY.
-migrate  Indicates you want to run the RSA RADIUS Server migration utility (rsainstalltool), which transfers RADIUS settings from an older version of RSA Authentication Manager and registers the RSA RADIUS Server as a host agent.
-reppkg  Specifies the path to the replica.ccmpkg configuration file. Use only when installing a Replica RADIUS Server. Do not use the -reppkg option if you are specifying the -primary, -primary_ips, and -primary_secret options. Default value is /opt.
-silent  Specifies that, if all required information is supplied through command options, the installer does not display user prompts.
5 Specify the directory where you want to install the RSA RADIUS Server files. By default, the installation script puts the /rsa/radius directory files in the /opt directory (that is, /opt/rsa/radius).
Enter install path [/opt]:
6 If you are installing the RSA RADIUS Server software on a host that is not running the RSA Authentication Manager software (remote installation), specify the location of the radius.cer, server.cer, radius.key, and sdconf.rec files.
Enter primary host secret:
13 If you are installing a Primary RADIUS Server on a host running an earlier version of the RSA Authentication Manager software, specify whether you want to migrate data to the current installation.
Do you want to migrate data from RSA Server (y/n) [n]?
If the installation succeeds, the installer displays the following message.
Configuring for use with generic database
RSA RADIUS installation succeeded.
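A preflight check for the Solaris and Linux procedures above, added here as an example and not part of the RSA installer: it verifies that the four files the installer prompts for (sdconf.rec, radius.cer, radius.key, server.cer) are present and readable, that the identity is one of the documented values PRIMARY or REPLICA, and that a Replica install has a readable replica.ccmpkg to pass to -reppkg. The rule that radius.key must not be world-readable is this example's own precaution (the key file is what lets this host talk to RSA Authentication Manager), not a documented installer requirement. POSIX sh and `find -perm` are assumed.

```sh
#!/bin/sh
# Preflight for an RSA RADIUS Server install (added example, not RSA code).
# Usage: radius_preflight <dir-with-required-files> <PRIMARY|REPLICA> [replica.ccmpkg]
# Exit status 0 when every check passes; each failure is reported on stderr.

radius_preflight() {
    dir=$1
    identity=$2
    reppkg=$3
    status=0

    # The installer asks for the path to these four files (see Required Files).
    for f in sdconf.rec radius.cer radius.key server.cer; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing or unreadable: $dir/$f" >&2
            status=1
        fi
    done

    # Example's own precaution: refuse to continue if any other user on the
    # host can read the key file (find prints the path when the o+r bit is set).
    if [ -f "$dir/radius.key" ] && [ -n "$(find "$dir/radius.key" -perm -004)" ]; then
        echo "radius.key is world-readable; chmod 600 it before installing" >&2
        status=1
    fi

    # -identity accepts only PRIMARY or REPLICA; a Replica needs its package.
    case $identity in
        PRIMARY) ;;
        REPLICA)
            if [ ! -r "$reppkg" ]; then
                echo "REPLICA install needs a readable replica.ccmpkg for -reppkg" >&2
                status=1
            fi ;;
        *)
            echo "identity must be PRIMARY or REPLICA, got '$identity'" >&2
            status=1 ;;
    esac

    return $status
}
```

Run it as root from the directory holding the files before starting install_rsa.sh; a non-zero exit means the installer would either prompt for something you cannot supply or install with a readable key.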
5 Type y when you are asked to confirm that you want to uninstall the RSA RADIUS Server software.
Confirm removal of sbr-rsa_1.0-1 (y/n) [y]? y
Removing /etc/rc2.d/S90radius script.
Removing /etc/rc2.d/K90radius script.
Removal of was successful.
RSARadius removed.
Migration Log File
If the RSA RADIUS Server migration utility (rsainstalltool) encounters a problem while it is running, it records the problem in the tprsMigReg.
Installing on Linux
This section describes how to install and uninstall the RSA RADIUS Server software on a Linux server.
System Requirements
The RSA RADIUS Server software package includes the server daemon and various dictionary and database files to support authentication.
Table 6. Linux Server – System Requirements
Hardware: X86 workstation
Operating system: RedHat Enterprise 3.0
Memory: At least 256 megabytes of working memory (512 megabytes for servers with more than 10,000 RADIUS users.
Table 7. Command Options for the install_rsa.sh Command (Continued)
-identity  Specifies whether you are installing a Primary or Replica RADIUS Server. Valid values are PRIMARY and REPLICA. Default value is PRIMARY.
-migrate  Indicates you want to run the RSA RADIUS Server migration utility (rsainstalltool), which transfers RADIUS settings from an older version of RSA Authentication Manager and registers the RSA RADIUS Server as a host agent.
-reppkg  Specifies the path to the replica.ccmpkg configuration file. Use only when installing a Replica RADIUS Server. Do not use the -reppkg option if you are specifying the -primary, -primary_ips, and -primary_secret options. Default value is /opt.
-silent  Specifies that, if all required information is supplied through command options, the installer does not display user prompts.
5 Specify the directory where you want to install the RSA RADIUS Server files. By default, the installation script puts the /rsa/radius directory files in the /opt directory (that is, /opt/rsa/radius).
Enter install path [/opt]:
6 If you are installing the RSA RADIUS Server software on a host that is not running the RSA Authentication Manager software (remote installation), specify the location of the radius.cer, server.cer, radius.key, and sdconf.rec files.
12 Specify the host secret used to authenticate communication between the Primary RADIUS Server and Replica RADIUS Servers.
Enter primary host secret:
13 If you are installing a Primary RADIUS Server on a host running an earlier version of the RSA Authentication Manager software, specify whether you want to migrate data to the current installation.
Do you want to migrate data from RSA Server (y/n) [n]?
If the installation succeeds, the installer displays the following message.
Uninstalling the RSA RADIUS Server Software
To uninstall the RSA RADIUS Server software:
1 Stop the RADIUS daemon currently running on your server.
2 Back up your RSA RADIUS Server directory.
3 Log into the Linux server as root.
4 Type the following command to uninstall the RSA RADIUS Server software:
# ./uninstall_rsa.sh
5 Type y when you are asked to confirm that you want to uninstall the RSA RADIUS Server software.
Chapter 3 Using RSA RADIUS Administrator The RSA RADIUS Administrator is a Java-based application that enables you to configure settings for the RSA RADIUS Server. This chapter presents an overview of how to use the RSA RADIUS Administrator. Running RSA RADIUS Administrator NOTE: The RSA RADIUS Administrator will not start unless the “Administrator” user in the RSA Authentication Manager application has been configured with a token or password.
Navigating in RSA RADIUS Administrator Figure 4 illustrates the RSA RADIUS Administrator user interface. This section describes how to use the RSA RADIUS Administrator menus and toolbar. Menu Bar Toolbar Navigation Frame Content Frame Figure 4 RSA RADIUS Administrator User Interface RSA RADIUS Administrator Menus The main RSA RADIUS Administrator window has four menus: File, Panel, Web, and Help. File Menu Table 8 describes the functions of each entry in the File menu in the RSA RADIUS Administrator.
Table 8. File Menu Options (Continued)
Print  Prints the information in the active window. When you print the information in a panel, RSA RADIUS Administrator preserves the column spacing used on screen. If a table is wider than the printed page, pages are printed in a matrix, with pages numbered to indicate columns and rows (1-1, 1-2, 2-1, 2-2) in the matrix.
Exit  Exits the RSA RADIUS Administrator application. The RSA RADIUS Server service or daemon keeps running.
Web Menu
Table 10 describes the functions of each entry in the Web menu in the RSA RADIUS Administrator.
Table 10. Web Menu Options
More about RSA RADIUS Server  Opens the Funk Software webpage.
NAS Vendor Information  Opens the Funk RADIUS/AAA Compatibility Guide webpage, which lets you review information about remote access devices and wireless LAN devices made by third-party vendors.
Figure 5 RSA RADIUS Administrator Toolbar
Table 12. RSA RADIUS Administrator Toolbar
Refresh  Refreshes the displayed list of items in the RSA RADIUS Administrator window.
Print  Prints the contents of the active panel.
Add  Adds an object to the RSA RADIUS Server database.
Edit  Edits an existing object in the RSA RADIUS Server database. Active only when an object is selected in the active panel.
RSA RADIUS Administrator displays an Add window. A sample Add window appears in Figure 6. Figure 6 Sample Add Window Every object of the same type must have a unique name. If the name you assign to an item is already being used by another item of the same type, the RSA RADIUS Administrator displays a warning.
Figure 7 Sample Edit Window Cutting/Copying/Pasting Records Panels displaying tables of items have Cut, Copy, and Paste buttons in the toolbar. You can choose an item from the display and cut or copy it to the Clipboard, and then add a new record to the display by pasting it from the Clipboard. The Clipboard can contain one item of each type, such as one RADIUS client or one user.
Figure 8 Sample Paste Window Resizing Columns You can resize columns in an RSA RADIUS Administrator table by dragging the column header boundary to the left or right. Changing Column Sequence You can change the sequence of columns in an RSA RADIUS Administrator table by dragging the column headers left or right. Sorting Information By default, items in RSA RADIUS Administrator tables are sorted by name. You can sort items in any order by clicking a column header.
If you right-click a blank area in an RSA RADIUS Administrator window, the context menu displays a different set of options. For example, if you right-click a blank space in the RADIUS Client panel, the context menu provides options for refreshing the display and for adding, pasting, or printing information. Accessing Online Help To access help with the RSA RADIUS Administrator, click the ? (Help) button on an RSA RADIUS Administrator window, press F1, or choose Help > Contents.
3 When the Add a License for Server window (Figure 10) opens, enter the license key and click OK. When the server displays a confirmation message, click OK. Figure 10 Add a License for Server Window 4 Restart your RSA RADIUS Server. Exiting the RSA RADIUS Administrator To close the RSA RADIUS Administrator, choose File > Exit. Closing the RSA RADIUS Administrator has no impact on the RSA RADIUS Server service or daemon.
Chapter 4 Administering RADIUS Clients A RADIUS client is a network device or software application that interfaces with the RSA RADIUS Server when it needs to authenticate a user or to record accounting information about a network connection. This chapter describes how to set up RADIUS clients. RADIUS Clients Panel The RADIUS Clients panel (Figure 11) lets you identify the devices that you want to define as clients of the RSA RADIUS Server. Figure 11 RADIUS Clients Panel
Adding a RADIUS Client To add a RADIUS client: 1 Open the RADIUS Clients panel. 2 Click the Add button. The Add RADIUS Client window (Figure 12) opens. Figure 12 Add RADIUS Client Window 3 Enter the name of the RADIUS client in the Name field. Although you can assign any name to a RADIUS client entry, you should use the device's hostname to avoid confusion. You can create a special RADIUS client entry called by clicking the (Figure 13).
4 Enter the IP address or DNS name of the RADIUS client in the IP Address field. If you enter a DNS name, the RSA RADIUS Administrator resolves the name you enter to its corresponding IP address and displays the result in the IP Address field.
5 Enter the RADIUS authentication shared secret for the RADIUS client in the Shared secret field. For privacy, asterisks are echoed as you type. You can choose Unmask shared to display the characters in the shared secret. See “Shared Secrets” on page 6.
d Click OK. You must enter the same accounting shared secret when you configure the RADIUS client. 8 Optionally, indicate whether you want to enable keepalive processing and specify how long the server waits for RADIUS packets from the client before assuming connectivity has been lost. If you click the Assume down if no keepalive packets after checkbox, you can enter a value in the (seconds) field.
2 Select the RADIUS client entry you want to delete. 3 Click the Delete button on the RSA RADIUS Administrator toolbar. 4 When you are prompted to confirm the deletion request, click Yes.
50 Administering RADIUS Clients September 2005
Chapter 5 Administering Profiles This chapter describes how to set up and administer user profiles. About Profiles RSA RADIUS Server lets you define default templates of checklist and return list attributes called profiles. A profile provides specific attributes for one or both lists. You can define as many profiles as you require. Profiles provide a powerful means of managing and configuring accounts.
Resolving Profile and User Attributes If user-specific attributes are stored in the RSA Authentication Manager database, RSA RADIUS Server determines the final set of attributes for a user by merging the attributes stored in the user’s profile with user-specific attributes from the RSA Authentication Manager database. This calculation is performed as follows: 1 The attributes from the profile assigned to the user are retrieved.
Setting Up Profiles The Profiles panel (Figure 15) lets you define standard sets of checklist and return list attributes. You can then associate these profiles with users in the RSA Authentication Manager to simplify user administration. Figure 15 Profiles Panel Adding a Profile To add a profile: 1 Open the Profiles panel. 2 Click the Add button on the RSA RADIUS Administrator toolbar. The Add Profile window (Figure 16) opens.
4 Optionally, enter a description for the profile in the Description field. 5 Add checklist and return list attributes to the profile. a Click the Checklist tab or the Return list tab. b Click Add. The Add Checklist Attribute window or the Add Return List Attribute window (Figure 17) opens. Figure 17 Add Checklist Attribute and Add Return List Attribute Windows c Select the attribute you want to add from the Attributes list. d Select or enter a value for the attribute.
f When you are finished adding attribute/value pairs, click Close to return to the Add Profile window.
6 Click OK to save the profile.
Removing a Profile
To remove a profile:
1 Open the Profiles panel.
2 Select the entry for the profile you want to remove.
3 Click the Delete button on the RSA RADIUS Administrator toolbar (or right-click the profile entry and choose Delete from the context menu).
4 When you are prompted to confirm the deletion, click Yes.
Chapter 6 Displaying Statistics The Statistics panel lets you display statistics for authentication and accounting transactions by a RADIUS server or RADIUS client. You can also use the Statistics panel to see how long RSA RADIUS Server has been running. Displaying Server Authentication Statistics Authentication statistics (Figure 18) summarize the number of authentication acceptances and rejections, with summary totals for each type of rejection or retry.
Figure 18 Statistics Panel: System Authentication Statistics
Table 13 explains the fields on the Authentication tab and describes possible causes for authentication rejections.
Table 13. Authentication Statistics
Transactions
Accepts  The current, average, and peak number of RADIUS transactions that resulted in an Access-Accept response since the last time authentication statistics were reset.
Table 13. Authentication Statistics (Continued)
Silent Discards  The number of requests in which the client could not be identified since the last time authentication statistics were reset. This might occur if a RADIUS client entry cannot be found for a device with the name and/or IP address of a device requesting authentication services.
Total Transactions  The sum of the accept, reject, and silent discard totals since the last time authentication statistics were reset.
Displaying Server Accounting Statistics Accounting statistics provide information such as the number of transaction starts and stops and the reasons for rejecting attempted transactions. The transaction start and stop numbers rarely match, as many transactions can be in progress at any given time. To display accounting statistics for the RSA RADIUS server: 1 Open the Statistics panel. 2 Select the server for which you want to display statistics in the Server list. 3 Click the System tab.
Table 14 describes the accounting statistics and suggested actions in italics (if appropriate).
Table 14. Accounting Statistics
Transactions
Starts  The current, average, and peak number of transactions in which a connection was started following a successful authentication since the last time accounting statistics were reset.
Resetting Server Statistics To reset authentication and accounting statistics for an RSA RADIUS server to zero: 1 Open the Statistics panel. 2 Select the server for which you want to reset statistics in the Server list. 3 Click the System tab. 4 Click the View list and choose Accounting or Authentication. 5 Click the Reset button in the toolbar.
5 Optionally, sort the messages by clicking a column header. NOTE: The RADIUS client statistics are not displayed dynamically. To see the most recent statistics for a RADIUS client, click the Refresh button in the toolbar. Figure 20 Statistics Panel: RADIUS Client Statistics
Chapter 7 Administering RADIUS Servers RSA RADIUS Server supports the replication of RADIUS configuration data from a Primary RADIUS Server to a maximum of 10 Replica RADIUS Servers within a realm on a customer network. All the servers within a realm reflect the current configuration specified by the network administrator: the network administrator modifies the configuration on the Primary RADIUS Server, and the Primary RADIUS Server propagates the new configuration to its Replica RADIUS Servers.
Replication Panel

The Replication panel (Figure 21) lists your Primary and Replica RADIUS Servers and indicates whether the configuration of each server is current.
Figure 21 Replication Panel

Adding a RADIUS Server Manually

Under most circumstances, Replica RADIUS Servers register themselves automatically after you install the RSA RADIUS Server software and configuration package file (replica.ccmpkg) and restart the server.
Figure 22 Add Server Window
3 Enter the name of the RADIUS server in the Name field. Although you can assign any name to a RADIUS server, you should use the device's hostname to avoid confusion.
4 Enter the replication secret for the RADIUS server in the Secret field. For privacy, asterisks are echoed as you type. You can click the Unmask checkbox to display the characters in the shared secret.
5 Enter one or more IP addresses for your server.
a Click the Add button.
Enabling a RADIUS Server

To enable a RADIUS server:
1 Open the Replication panel.
2 Select the RADIUS server you want to enable and click the Edit button (or double-click the RADIUS server entry). The Edit Server window (Figure 24) opens.
Figure 24 Edit Server Window
3 Click the Enabled checkbox.
4 Click the Save button.

Deleting a RADIUS Server

To delete a RADIUS server:
1 Open the Replication panel.
2 Select the RADIUS server entry you want to delete.
Publishing Server Configuration Information

If you change the configuration of your Primary RADIUS Server, you must publish the modified configuration so that your Replica RADIUS Servers can download the modified settings.

To publish server configuration information:
1 Open the Replication panel.
2 Click the Publish button on the toolbar. This creates a file called ../rsa radius/packages/timestamp_RSA.ccmpkg (Solaris/Linux) or ..\RSA Radius\Service\packages\timestamp_RSA.
Designating a New Primary RADIUS Server

You can change which server within a realm is designated as the Primary RADIUS Server for that realm.

To designate a new Primary RADIUS Server:
1 Stop the RADIUS service/daemon on the Replica RADIUS Server.
2 Log into the Replica RADIUS Server as root (Solaris/Linux) or administrator (Windows).
3 Navigate to the ..RSA Radius\Service (Windows) or /opt/rsa/radius (Solaris/Linux) directory.
4 Run the rsainstalltool (Windows) or rsaconfiguretool (Solaris/Linux) utility with the identity option and information on where to download configuration information. To obtain configuration from a configuration package, issue the following command:
# .
4 Run the rsainstalltool (Windows) or rsaconfiguretool (Solaris/Linux) utility with the identity option.
To rename a Primary RADIUS Server, enter the following command:
# ./rsaconfiguretool -identity PRIMARY
To rename a Replica RADIUS Server, enter the following command:
# ./rsaconfiguretool -identity REPLICA
5 Restart the updated server so that it can load its new configuration.
6 Run the RSA RADIUS Administrator and modify the DNS name or IP address for the server you want to rename.
To regenerate the node secret for a Replica RADIUS Server, enter the following command:
# ./rsaconfiguretool -identity REPLICA
5 Restart the RSA RADIUS service.

Resetting the RADIUS Database

If the RSA RADIUS Server fails, the RADIUS database may remain running. If this happens, the RSA RADIUS Server may refuse to run. To resolve this problem, execute the following command to stop the mkded (btrieve) daemon.
/etc/init.
Chapter 8 Logging

This chapter describes how to set up and use logging functions in RSA RADIUS Server.

Logging Files

The following files establish settings for logging and reporting.
Table 15. Logging and Reporting Files
File Name – Function
radius.ini – Controls the types of messages RSA RADIUS Server records in the RADIUS system log file and the location of the log directory.
Level of Logging Detail

You can control the level of detail recorded in the system log files with the LogLevel, LogAccept, and LogReject settings.
• The LogLevel setting determines the level of detail given in the RADIUS system log file. The LogLevel can be 0, 1, or 2, where 0 is the least amount of information, 1 is intermediate, and 2 is the most verbose. It is specified in the [Configuration] section of the radius.ini file.
By default, RADIUS system log files are located in the RADIUS database directory. You can specify an alternate destination directory in the [Configuration] section of the radius.ini file. Using the Accounting Log RADIUS accounting events are recorded in the accounting log file. Accounting events include START messages, which indicate the beginning of a connection; STOP messages, which indicate the termination of a connection; and INTERIM messages, which indicate a connection is ongoing.
You can edit the account.ini initialization file to add, remove or reorder the standard RADIUS or vendor-specific attributes that are logged. For more information on the account.ini file, refer to the RSA RADIUS Server 6.1 Reference Guide. First Line Headings The first line of the accounting log file is a file header that lists the attributes that have been enabled for logging in the order in which they are logged.
aligned with their headings. For example, based on the “first line” of headings described above, the following is a valid accounting log entry, in which the value of the Acct-Status-Type attribute is 7:
"12/23/1997","12:11:55","RRAS","Accounting-On", ,,,,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,

Standard RADIUS Accounting Attributes

Table 16 lists the standard RADIUS accounting attributes defined in RFC 2866, “RADIUS Accounting.”
Table 16.
Table 16. Standard RADIUS Accounting Attributes (Continued)
Acct-Input-Packets – Number of packets received by the port over the connection; present only in STOP records.
Acct-Output-Packets – Number of packets sent by the port over the connection; present only in STOP records.
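As an added example (not code from the guide or the product), the following Python reads an accounting log laid out as described above, a first-line header naming the logged attributes followed by quoted, comma-separated entries, and tallies START, STOP and INTERIM records, also checking that packet counters appear only in STOP records as Table 16 states. The attribute order in the constructed header is an assumption; a real log lists whatever account.ini enables.

```python
import csv
import io
from collections import Counter

# Constructed sample log. The attribute order is an assumption; in a real log the
# first line lists whatever attributes account.ini enables, in logging order.
SAMPLE_LOG = '''"Date","Time","RAS-Client","Record-Type","User-Name","Acct-Status-Type","Acct-Session-Id","Acct-Input-Packets","Acct-Output-Packets"
"12/23/1997","12:11:55","RRAS","Accounting-On", ,7,,,
"12/23/1997","12:12:01","RRAS","Start","alice",1,"0001",,
"12/23/1997","12:13:01","RRAS","Interim","alice",3,"0001",,
"12/23/1997","12:14:30","RRAS","Stop","alice",2,"0001",120,98
"12/23/1997","12:15:00","RRAS","Start","bob",1,"0002",,
'''

# Acct-Status-Type values defined in RFC 2866
STATUS_NAMES = {1: "START", 2: "STOP", 3: "INTERIM", 7: "ACCOUNTING-ON", 8: "ACCOUNTING-OFF"}


def parse_accounting_log(text):
    """Return (headings, records); each record maps a heading to its value.

    Empty fields are kept as '' so every value stays aligned with its heading.
    """
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    rows = [row for row in reader if row]
    headings = rows[0]
    records = []
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != len(headings):
            raise ValueError("line %d has %d fields, header has %d"
                             % (lineno, len(row), len(headings)))
        records.append(dict(zip(headings, row)))
    return headings, records


def summarize(records):
    """Count records by Acct-Status-Type and flag packet counters outside STOP records."""
    counts = Counter()
    for rec in records:
        code = rec.get("Acct-Status-Type", "")
        name = STATUS_NAMES.get(int(code), "UNKNOWN") if code.isdigit() else "UNKNOWN"
        counts[name] += 1
        # Table 16: Acct-Input/Output-Packets are present only in STOP records
        if name != "STOP" and (rec.get("Acct-Input-Packets") or rec.get("Acct-Output-Packets")):
            counts["PACKET-COUNTERS-OUTSIDE-STOP"] += 1
    # starts and stops rarely match: the difference is what is still in progress
    counts["IN-PROGRESS"] = counts["START"] - counts["STOP"]
    return counts


if __name__ == "__main__":
    _, recs = parse_accounting_log(SAMPLE_LOG)
    for key, value in sorted(summarize(recs).items()):
        print("%-30s %d" % (key, value))
```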
Appendix A Using the LDAP Configuration Interface The LDAP Configuration Interface (LCI) is an optional add-on to RSA RADIUS Server. You must enter a separate license number and restart RSA RADIUS Server to activate LCI functions. After the license key is registered, you can edit the settings in the configuration files. For information on adding license numbers, see “Adding a License Key” on page 43.
About the LDAP Configuration Interface

The LDAP Configuration Interface (LCI) consists of an LDAP interface in the RSA RADIUS Server and an LDAP virtual schema. The LDAP virtual schema enables the LDAP interface to translate LDAP requests into a format that can be understood by the RSA RADIUS Server database. Figure 25 illustrates the relationship between LDAP components.
in a specified file. Because ldapmodify uses LDIF update statements, ldapmodify can do everything ldapdelete can do.
• ldapdelete – The ldapdelete utility deletes entries from an existing LDAP directory. ldapdelete opens a connection to the specified server using the distinguished name and password you provide, binds, and deletes the entry or entries.

LDAP Requests

LDAP requests are submitted in two ways:
• By specifying options on the LDAP command line.
  – nsldapssl32v30.dll (if you are on a Windows host)
  – libldap30.so (if you are on a Solaris host)
To run the LDAP utilities, execute them from this directory. If you set the path environment variable to point to this directory, you can run them from any location on the system.
NOTE: The examples that follow assume you are using the LDAP utilities provided as part of the Sun ONE Directory SDK. If you are using LDAP utilities from another source, the command options you use may be different.
199.198.197.196
196.197.198.199
If the [LDAPAddresses] section is omitted or empty, RSA RADIUS Server listens for LCI requests on all bound IP interfaces.
3 Specify the same port number using the -p option on the LDAP command line.
[Figure residue: LCI virtual schema tree, recovered entries only]
Root: o=radius
cn=admin
radiusstatus=sessions, with sub-entries radiusstatus=sessions_by_calling_station (calling-station-id=), radiusstatus=sessions_by_called_station (called-station-id=), radiusstatus=sessions_by_user (username=), radiusstatus=sessions_by_ipaddress (framed-ip-address=)
radiusstatus=statistics, with sub-entries stattype=authentication and stattype=server; available attributes: start-time, up-time, ip-address
radiusstatus=acct_stats_by_nas and radiusstatus=acct_stats_by_nasipaddr (cn=, nasname=, nasipaddr=)
Available attributes: dn, version, threads, connection, currentconnections, totalconnections, dtablesize, writewaiters, readwaiters, opsinitiated, opscompleted, entriessent, bytessent, currenttime
• Substrings – There are several places where a list of strings is the value of an attribute. The rule for specifying the data portion for these lists is that semicolons must delimit the substrings. For example, a DNIS list for a tunnel entry might be specified as 555-1212;5551212. If a semicolon needs to appear inside a substring, it can be escaped by placing a backslash character (\) before it.
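The semicolon-delimited list rule above, as an added example rather than the product's own code: a splitter that honours the backslash escape and its inverse for building list values. It assumes, since the guide defines only the semicolon escape, that a backslash before any other character is kept literally.

```python
def split_substrings(value):
    """Split an LCI list value on unescaped semicolons.

    A backslash before a semicolon makes the semicolon part of the substring.
    Assumption: any other backslash is kept literally, since the guide defines
    only the ';' escape.
    """
    if value == "":
        return []
    items, current, i = [], [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] == ";":
            current.append(";")              # escaped delimiter: literal semicolon
            i += 2
            continue
        if value[i] == ";":
            items.append("".join(current))   # unescaped delimiter: end of substring
            current = []
        else:
            current.append(value[i])
        i += 1
    items.append("".join(current))
    return items


def join_substrings(items):
    """Inverse of split_substrings: escape embedded semicolons, then delimit."""
    return ";".join(item.replace(";", "\\;") for item in items)


if __name__ == "__main__":
    print(split_substrings("555-1212;5551212"))            # the guide's DNIS example
    print(split_substrings("555-1212\\;ext;5551212"))      # escaped semicolon kept
    print(join_substrings(["555-1212;ext", "5551212"]))
```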
LDAP Command Examples This section explains how to use the LDAP commands ldapdelete, ldapmodify, and ldapsearch to configure the server. Each example describes the LDAP command line options in detail. Note that a space must appear between each LDAP command option (for example, -p) and its value (for example, 354). Command syntax is case sensitive. Searching for Records You can use the ldapsearch command to dump information out of the LDAP tree.
Table 17. Searching for Records Using the ldapsearch Command (Continued)
ldapsearch Option – Meaning
-s sub – Recursion is to be used starting at the base.
-T – To make the output more readable, long output lines are not continued on the next line.
-b "radiusclass=Client,o=radius" – This is the base at which the search operation is to begin.
radiusname=* – This is the criterion which matched objects must satisfy.
Table 18. Modifying Records Using the ldapmodify Command (Continued)
ldapmodify Option – Meaning
-w radadmin – The command is providing an authentication password of radadmin.
NOTE: The -w parameter value (in this case, radadmin) must match the password of the account named by the -D parameter.
-f filename – This is the input LDIF file to process.
NOTE: You can also use the -h option with ldapmodify to specify the name of a remote host on which the LDAP interface is available.
The following syntax is valid if the same keyword applies throughout the transaction:
dn: distinguished-name-of-entry
changetype: keyword
subkeyword: attribute
attribute: value
subkeyword: attribute
attribute: value
subkeyword: attribute
attribute: value
. . .
subkeyword: attribute entries are optional and indicate that you want to apply the change to a specific attribute within the entry. If there are no subkeyword: attribute entries in the transaction, the change applies to the entire entry.
changetype: add. Once your editing is complete, run an ldapmodify -f command that references the new LDIF file. When the ldapmodify command finishes processing, your new database is populated with the records you extracted from the old database.

Deleting Records

You can use the ldapdelete command to remove records from the LDAP database. For example, to delete entries named PROFILE1 through PROFILE5, you would create a file called deletexample.ldf.
This file can be passed to the ldapmodify command as follows:
ldapmodify -V2 -h hostname -p 667 -D"cn=admi,o=radius" -w password -f deletemodify.ldf
Warning: Use caution when deleting items. An error could delete an entire container in some directory servers without any prompting for confirmation. If that happens, the directory server can fail.

Statistics Variables

Server statistics record the number of certain types of events.
high-auth-threads: 2
high-acct-threads: 0
high-total-threads: 2
stattype: authentication

dn: stattype=authentication,radiusstatus=statistics,o=radius
objectclass: top
objectclass: radiusstatus
radiusstatus: statistics
stattype: authentication
accept: 1
reject: 0
silent-discard: 0
total-transactions: 8
invalid-request: 0
failed-authentication: 0
failed-on-check-list: 0
insufficient-resources: 0
transactions-retried: 0
total-retry-packets: 0
stattype: accounting

dn: stattype=accounting,radiusstatus=statisti
Rate Statistics

Rate statistics are derived from other statistics by taking time into consideration. Three types of rate values are calculated for each of these counter statistics:
• Current rate statistics identify the rate measured over the most recent rate interval. The seconds-per-interval value identifies the number of seconds in the interval over which the rate statistics are gathered.
• Average rate statistics identify the rate measured since startup, or the most recent statistics reset command.
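The derivation of rate values from a counter, as an added example that is not the server's own code: a cumulative counter such as the accept count above is sampled once per rate interval, and current, average and peak per-second rates are computed from it. Taking the third rate type to be the peak is an assumption based on the current, average and peak values shown in the Statistics panel.

```python
class RateStatistics:
    """Derive current, average and peak rates from a cumulative event counter.

    Added example, not the server's own code. The counter (for example the
    accept count from the authentication statistics) is sampled once per rate
    interval; all rates are expressed in events per second.
    """

    def __init__(self, seconds_per_interval):
        if seconds_per_interval <= 0:
            raise ValueError("seconds-per-interval must be positive")
        self.seconds_per_interval = seconds_per_interval
        self.reset(0)

    def reset(self, counter_now):
        """Statistics reset: the average restarts from here and the peak is cleared."""
        self.base = counter_now       # counter value at the reset
        self.last = counter_now       # counter value at the end of the last interval
        self.intervals = 0
        self.current = 0.0
        self.peak = 0.0

    def sample(self, counter_now):
        """Record the counter value at the end of one more rate interval."""
        if counter_now < self.last:
            raise ValueError("counter went backwards; was it reset?")
        # current rate: events in the most recent interval, per second
        self.current = (counter_now - self.last) / self.seconds_per_interval
        # peak rate (assumed third type): highest current rate seen since the reset
        self.peak = max(self.peak, self.current)
        self.last = counter_now
        self.intervals += 1

    @property
    def average(self):
        """Average rate since startup or the most recent reset, per second."""
        elapsed = self.intervals * self.seconds_per_interval
        return (self.last - self.base) / elapsed if elapsed else 0.0


if __name__ == "__main__":
    stats = RateStatistics(seconds_per_interval=15)
    for accepts in (30, 90, 120):          # constructed cumulative accept counts
        stats.sample(accepts)
    print("current %.2f/s  average %.2f/s  peak %.2f/s"
          % (stats.current, stats.average, stats.peak))
```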
Glossary 802.1X The IEEE 802.1X standard defines a mechanism that allows a supplicant (client) to connect to a wireless access point or wired switch (authenticator) so that the supplicant can provide authentication credentials that can be verified by an authentication server. AAA Authentication, authorization, and accounting.
CA Certificate authority. A trusted entity that registers the digital identity of a site or individual and issues a digital certificate that guarantees the binding between the identity and the data items in a certificate. CCM Centralized configuration management. The process by which information is shared between a Primary RADIUS server and one or more Replica RADIUS servers in a multi-server environment.
IETF Internet Engineering Task Force. Technical subdivision of the Internet Architecture Board that coordinates the development of Internet standards. MIB Management Information Base. NAS Network Access Server. Network device that accepts connection requests from remote users, authenticates users through RADIUS, and routes users onto the network. Identical in meaning to RAS.
information about users and administering multiple security systems across complex networks. RAS Remote Access Server. Network device that accepts connection requests from remote users, authenticates users through RADIUS, and routes users onto the network. Identical in meaning to NAS. realm A logical grouping of authentication servers (Primary RADIUS Server and Replica RADIUS Servers). Replica RADIUS Server A server that participates in balancing the load of user authentication requests within a realm.
tokencode The pseudorandom number that is displayed on the LCD of a hardware token or generated by a software token during logon. TLS Transport Layer Security. TTLS Tunneled Transport Layer Security. UTC Universal Time Coordinated. Also known as Greenwich Mean Time (GMT) or Zulu time. RSA SecurID tokens are synchronized to UTC to provide a standard time basis for tokencode calculation. VSA Vendor Specific Attribute.