RADIUS Module

Configuring the RADIUS Module RADIUS Authentication External Helper Accounting Log The CommuniGate Pro Server supports RADIUS authentication for various NAS (Network Access Servers). The RADIUS module acts as a RADIUS server. It receives authentication requests from RADIUS clients (NAS), verifies the supplied credentials and accepts or rejects these requests. The RADIUS module supports the following authentication methods: PAP CHAP MS-CHAPv1 MS-CHAPv2 EAP DIGEST-MD5 The RADIUS module can use an external helper application to implement site-specific access policy (based on RADIUS request attributes) and to return additional attributes to NAS. By default the CommuniGate Pro RADIUS server is not activated.

Configuring the RADIUS Module

To configure the RADIUS module, use the WebAdmin Interface. Open the Obscure page in the Settings section and find the RADIUS panel:

RADIUS
Log: Crashes OnlyFailuresMajor & FailuresProblemsLow LevelAll Info listener Password: Channels: 13510152550100 Record

Log

Use this setting to specify what kind of information the RADIUS module should put in the Server Log. Usually you should use the Major or Problems (non-fatal errors) levels. But when you experience problems with the RADIUS module, you may want to set the Log Level setting to Low-Level or All Info: in this case protocol-level or link-level details will be recorded in the System Log as well.

The RADIUS module Log records are marked with the RADIUS tag. Please note that RADIUS is a binary protocol, so all low-level data is presented in the hexadecimal form.

listener

Use this link to open the UDP Listener page and specify the port number and local network address for the RADIUS server authentication service, and access restrictions for that port. When the port number is set to 0, the RADIUS server is disabled.
By default RADIUS clients send requests to the UDP port 1812.
If your server computer is already running some RADIUS server, you may want to specify a non-standard port number here and reconfigure your RADIUS client software to use that port number.

Channels

Use this setting to specify the number of RADIUS module processors (threads) used to process RADIUS requests. If you set this setting to 0, all requests will be processed directly with the RADIUS Listener thread(s).

Password

Use this setting to specify the RADIUS "shared secret". All RADIUS clients should use the same "shared secret" in order to access the RADIUS server.

Record

If this option is enabled, the RADIUS module stores all Accounting request in a text file. See the Accounting Log section below.

RADIUS Authentication

The RADIUS module accepts properly formatted "Access-Request" requests from RADIUS clients, retrieves the User-Name and User-Password attributes and tries to find the specified CommuniGate Pro Account and verify its password. If the password can be verified and the Account and its Domain both have the RADIUS Service enabled, a positive response is sent to the RADIUS client, otherwise a negative response with the error code text is sent.

Note: clients authenticating via RADIUS do not use any network address on the Server, and Secondary Domain users should specify their full account name (account@domain), or should specify a name that is routed to their account using the Router. Because the Router is used to process the User-Name attribute, account aliases can be used for authentication, too. See the Access section for more details.

External Helper

The CommuniGate Pro Server can use an external Helper program to implement a RADIUS authentication policy. That program should be created by your own technical staff.

The program name and its optional parameters should be specified using the WebAdmin Helpers page. Open the General page in the Settings realm, and click the Helpers link:

External RADIUS
Log: Crashes OnlyFailuresMajor & FailuresProblemsLow LevelAll Info Program Path: Time-out: disabled15 seconds30 secondsminute2 minutes3 minutes5 minutes10 minutes15 minutes30 minuteshour Auto-Restart: disabled5 seconds7 seconds10 seconds15 seconds30 secondsminute2 minutes3 minutes5 minutes10 minutes15 minutes30 minuteshour2 hours3 hours6 hours

See the Helper Programs section to learn about these options. The External RADIUS module System Log records are marked with the EXTRADIUS tag.

If the External RADIUS program is not enabled, then the positive authentication response is sent as soon as the user password is verified. The response does not contain any additional attributes.

To learn how to create your own External RADIUS programs, see the Helpers section.

Sample External RADIUS programs and scripts can be found at the http://www.stalker.com/CGRADIUS/ site.

Accounting Log

If the Record option is enabled, all RADIUS accounting operations are recorded in a text-based Accounting Log file. The Accounting Log files are stored inside the RADIUSLog file subdirectory.

A single-server system creates the RADIUSLog directory inside the Settings subdirectory of the base directory.
A Dynamic Cluster system creates the RADIUSLog directory inside the Settings subdirectory of the SharedDomains directory.

Each RADIUS Accounting Log file has a yyyy-mm-dd file name (where yyyy is the current year, mm is the current month, and dd is the current month day), with the log file name extension. At local midnight, a new Accounting Log file is created.

Each RADIUS Accounting Log record is a text line containing a time-stamp, the operation type or command (started, ended, updated, inited, stopped), and optionally an account name. The rest of the line contains accounting request attributes. Each attributes is encoded with the same, the numeric attribute type, the equal (=) sign, and the attribute value. Attribute values are encoded in the same way as in they are encoded in dictionaries used in External RADIUS Helper Interface.