The CommuniGate Pro Server supports RADIUS authentication for various NAS (Network Access Servers).
The RADIUS module acts as a RADIUS server. It receives authentication requests from
RADIUS clients (NAS), verifies the supplied credentials and accepts or rejects these requests.
The RADIUS module supports the following authentication methods:
The RADIUS module can use an external helper application to implement site-specific access policy
(based on RADIUS request attributes) and to return additional attributes to NAS.
By default the CommuniGate Pro RADIUS server is not activated.
Configuring the RADIUS Module
To configure the RADIUS module, use the WebAdmin Interface. Open the
Obscure page in the Settings section and find the RADIUS panel:
- Use this setting to specify what kind of information the RADIUS module
should put in the Server Log. Usually you should use the Major
or Problems (non-fatal errors)
levels. But when you experience problems with the RADIUS module, you may want
to set the Log Level setting to Low-Level or All Info:
in this case protocol-level or link-level details will be recorded in the
System Log as well.
The RADIUS module Log records are marked with the RADIUS
tag. Please note that RADIUS is a binary protocol, so all low-level
data is presented in the hexadecimal form.
- Use this link to open the UDP Listener page and specify the port number and
local network address for the RADIUS server authentication service, and access restrictions for
that port. When the port number is set to 0, the RADIUS server is disabled.
By default RADIUS clients send requests to the UDP port 1812.
If your server computer is already running some RADIUS server, you may want to specify
a non-standard port number here and reconfigure your RADIUS client software to use that
- Use this setting to specify the number of RADIUS module processors (threads) used to process
RADIUS requests. If you set this setting to 0, all requests will be processed directly with the RADIUS
- Use this setting to specify the RADIUS "shared secret". All RADIUS clients should
use the same "shared secret" in order to access the RADIUS server.
- If this option is enabled, the RADIUS module stores all Accounting requests in a text file. See
the Accounting Log section below.
- The RADIUS module accepts properly formatted "Access-Request" requests from RADIUS
clients, retrieves the User-Name and User-Password attributes and tries to find the specified
CommuniGate Pro Account and verify its password. If the password
can be verified and the Account and its Domain both have the RADIUS Service enabled, a positive
response is sent to the RADIUS client, otherwise a negative response with the error code text
Note: clients authenticating via RADIUS do not use any network address on the Server,
and Secondary Domain users should specify their full account name (account@domain),
or should specify a name that is routed to their account using the Router.
Because the Router is used to process the User-Name attribute, account aliases can be used for
authentication, too. See the Access section for more details.
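The exchange described above, shown from the server side as an added example (not CommuniGate Pro code): it parses a raw Access-Request and recovers User-Name and User-Password with the shared secret, following the attribute hiding defined in RFC 2865. The secret, authenticator, account name and password are constructed sample values, and build_access_request exists only to produce that sample packet.

```python
import hashlib
ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2  # RFC 2865 packet code, attribute types

def _xor_md5(block, secret, prev):
    # XOR a 16-byte block with MD5(shared secret + previous block)
    return bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))

def hide_password(password, secret, authenticator):
    """NAS side: hide User-Password as RFC 2865 section 5.2 specifies."""
    size = max(1, -(-len(password) // 16)) * 16   # zero-pad to a multiple of 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        prev = _xor_md5(padded[i:i + 16], secret, prev)
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side: recover the password using the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor_md5(hidden[i:i + 16], secret, prev)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(user, password, secret, authenticator, ident=1):
    """Assemble a minimal Access-Request; used only to make the sample input."""
    name, hidden = user.encode(), hide_password(password, secret, authenticator)
    attrs = (bytes([USER_NAME, len(name) + 2]) + name
             + bytes([USER_PASSWORD, len(hidden) + 2]) + hidden)
    return (bytes([ACCESS_REQUEST, ident]) + (20 + len(attrs)).to_bytes(2, "big")
            + authenticator + attrs)

def parse_access_request(packet, secret):
    """Return (user_name, password) from a raw Access-Request datagram."""
    length = int.from_bytes(packet[2:4], "big")
    if packet[:1] != bytes([ACCESS_REQUEST]) or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos + 2 <= length:                      # type, length, value triples
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    hidden = attrs.get(USER_PASSWORD, b"")
    if pos != length or USER_NAME not in attrs or not hidden or len(hidden) % 16:
        raise ValueError("missing or malformed User-Name/User-Password")
    return attrs[USER_NAME].decode(), reveal_password(hidden, secret, authenticator)

# Constructed sample values, not taken from any real deployment.
SECRET, AUTHENTICATOR = b"constructed-shared-secret", bytes(range(16))
PACKET = build_access_request("user@example.com", b"correct horse battery", SECRET, AUTHENTICATOR)
```

A request hidden with a different shared secret still parses, but the recovered password is garbage, so the password check fails rather than the parse.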
The CommuniGate Pro Server can use an external Helper program to implement a RADIUS authentication policy.
That program should be created by your own technical staff.
The program name and its optional parameters should be specified using the WebAdmin Helpers page.
Open the General page in the Settings realm, and click the Helpers link:
See the Helper Programs section to learn about these options.
The External RADIUS module System Log records are marked with the EXTRADIUS tag.
If the External RADIUS program is not enabled, then the positive authentication response is sent as
soon as the user password is verified. The response does not contain any additional attributes.
To learn how to create your own External RADIUS programs, see the Helpers section.
Sample External RADIUS programs and scripts can be found at the
- If the Record option is enabled, all RADIUS accounting operations are recorded in a text-based
Accounting Log file. The Accounting Log files are stored inside the RADIUSLog file subdirectory.
A single-server system creates the RADIUSLog directory
inside the Settings subdirectory of the base directory.
A Dynamic Cluster system creates the RADIUSLog directory
inside the Settings subdirectory of the SharedDomains directory.
Each RADIUS Accounting Log file has a yyyy-mm-dd file name (where
yyyy is the current year, mm is the current month, and dd is the current day of the month),
with the log file name extension. At local midnight, a new Accounting Log file is created.
Each RADIUS Accounting Log record is a text line containing a time-stamp, the operation type
or command (started, ended, updated, inited, stopped),
and optionally an account name. The rest of the line contains accounting request attributes. Each
attribute is encoded as the numeric attribute type, the equal (=) sign, and the
attribute value. Attribute values are encoded in the same way as they are encoded in the dictionaries used
in the External RADIUS Helper Interface.
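A reader for the record layout described above, as an added example (not part of the CommuniGate Pro distribution). It assumes whitespace-separated fields, a single-token time-stamp and double quotes around values that contain spaces; attribute values are kept as raw text, and the sample records are constructed.

```python
import re
import shlex

OPERATIONS = {"started", "ended", "updated", "inited", "stopped"}  # as listed above
ATTRIBUTE = re.compile(r"(\d+)=(.*)", re.S)    # numeric type, "=", value
ACCT_SESSION_ID = 44                           # RFC 2866 Acct-Session-Id

def parse_record(line):
    """Split one Accounting Log line into time, operation, account, attributes.

    Assumed layout: whitespace-separated fields, a single-token time-stamp,
    and double quotes around values that contain spaces.
    """
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[1] not in OPERATIONS:
        raise ValueError(f"unrecognised record: {line!r}")
    rest, account, attrs = tokens[2:], None, {}
    if rest and not ATTRIBUTE.fullmatch(rest[0]):
        account = rest.pop(0)                  # the account name is optional
    for token in rest:
        match = ATTRIBUTE.fullmatch(token)
        if match is None:
            raise ValueError(f"bad attribute: {token!r}")
        attrs.setdefault(int(match.group(1)), []).append(match.group(2))
    return {"time": tokens[0], "op": tokens[1], "account": account, "attrs": attrs}

def timelines(lines):
    """Map each Acct-Session-Id to the operations recorded for it, in file order."""
    seen = {}
    for line in filter(str.strip, lines):
        record = parse_record(line)
        for session in record["attrs"].get(ACCT_SESSION_ID, []):
            seen.setdefault(session, []).append(record["op"])
    return seen

def missing_operation(lines, operation):
    """Session ids whose timeline never contains the given operation."""
    return sorted(s for s, ops in timelines(lines).items() if operation not in ops)

# Constructed sample records; the time-stamp format and values are assumptions.
SAMPLE = [
    '10:15:02.114 started user@example.com 4=192.0.2.10 44="S-0001"',
    '10:20:02.120 updated user@example.com 44="S-0001" 46=300',
    '10:31:40.003 ended user@example.com 44="S-0001" 46=998',
    '10:32:05.771 started guest@example.com 44="S-0002" 32="nas one"',
    "10:40:00.000 inited 4=192.0.2.10",
]
```

Calling missing_operation(SAMPLE, "ended") lists the sessions in a day's file that have no matching "ended" record, which is a quick consistency check when reviewing NAS activity.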
CommuniGate® Pro Guide. Copyright © 1998-2006, Stalker Software, Inc.