CommuniGate Pro
Version 6.3
 

RADIUS Module

The CommuniGate Pro Server supports the RADIUS authentication and account protocol. It can be used with for various NAS (Network Access Server) devices and programs.

The RADIUS module acts as a RADIUS server. It receives authentication requests from RADIUS clients (NAS), verifies the supplied credentials and accepts or rejects these requests.

The RADIUS module supports the following authentication methods:

  • PAP
  • CHAP
  • MS-CHAPv1
  • MS-CHAPv2
  • EAP
    • MD5-Challenge
  • DIGEST-MD5

The RADIUS module can use an external helper application to implement site-specific access policy (based on RADIUS request attributes) and to return additional attributes to NAS.

Configuring the RADIUS Module

By default the CommuniGate Pro RADIUS module is not activated.

CG/PL applications can communicate with remote RADIUS servers: they can send RADIUS requests and receive RADIUS responses. To enable this RADIUS client functionality, the RADIUS module has to be activated.

Use the WebAdmin Interface to configure the RADIUS module. Open the Services pages in the Settings realm, and open the RADIUS page:

Processing
Log Level: Listener
Password: Require NAS ID
Channels: Record
Log
Use this setting to specify what kind of information the RADIUS module should put in the Server Log. Usually you should use the Major or Problems (non-fatal errors) levels. But when you experience problems with the RADIUS module, you may want to set the Log Level setting to Low-Level or All Info: in this case protocol-level or link-level details will be recorded in the System Log as well.

The RADIUS module Log records are marked with the RADIUS tag. Please note that RADIUS is a binary protocol, so all low-level data is presented in the hexadecimal form.

listener
Use this link to open the UDP Listener page and specify the port number and local network address for the RADIUS server authentication service, and access restrictions for that port. When the port number is set to 0, the RADIUS server is disabled.
By default RADIUS clients send requests to the UDP port 1812.
If your server computer is already running some RADIUS server, you may want to specify a non-standard port number here and reconfigure your RADIUS client software to use that port number.
Channels
Use this setting to specify the number of RADIUS module processors (threads) used to process RADIUS requests. If you set this setting to 0, all requests will be processed directly with the RADIUS Listener thread(s).
Require NAS ID
The RADIUS protocol requires all requests to contain a NAS-Identifier or a NAS-IP-Address attribute (or both). If this option is not selected, requests without these attribute are accepted, and the word unknown is used as the Identifier in the module log records.
Password
Use this setting to specify the RADIUS "shared secret". All RADIUS clients should use the same "shared secret" in order to access the RADIUS server.
Record
If this option is enabled, the RADIUS module stores all Accounting requests in a text file. See the Accounting Log section below.

RADIUS Authentication

The RADIUS module accepts properly formatted "Access-Request" requests from RADIUS clients, retrieves the User-Name and User-Password attributes and tries to find the specified CommuniGate Pro Account and verify its password. If the password can be verified and the Account and its Domain both have the RADIUS Service enabled, a positive response is sent to the RADIUS client, otherwise a negative response with the error code text is sent.

If the CommuniGate Password option is enabled for the specified Account, the RADIUS module checks if the Account has the RADIUSPassword setting. If it exists, it is used instead of the standard Password setting. This feature allows an Administrator to assign a alternative Account password to be used for the RADIUS authentication only.

Note: clients authenticating via RADIUS do not use any network address on the Server, and Secondary Domain users should specify their full Account name (account@domain), or should specify a name that is routed to their Account using the Router. Because the Router is used to process the User-Name attribute, account aliases can be used for authentication, too. See the Access section for more details.


External Helper

The CommuniGate Pro Server can use an external Helper program to implement a RADIUS authentication policy. That program should be created by your own technical staff.

The program name and its optional parameters should be specified using the WebAdmin Helpers page. Open the General page in the Settings realm, and click the Helpers link:

External RADIUS
Log Level: Program Path:
Time-out: Auto-Restart:

See the Helper Applications section to learn about these options. The External RADIUS module System Log records are marked with the EXTRADIUS tag.

If the External RADIUS program is not enabled, then the positive authentication response is sent as soon as the user password is verified. The response does not contain any additional attributes.

To learn how to create your own External RADIUS programs, see the Helper Applications section.

Sample External RADIUS programs and scripts can be found at the RADIUS Helper programs site.


Accounting Log

If the Record option is enabled, all RADIUS accounting operations are recorded in a text-based Accounting Log file. The Accounting Log files are stored inside the RADIUSLog file subdirectory.

A single-server system creates the RADIUSLog directory inside the Settings subdirectory of the base directory.
A Dynamic Cluster system creates the RADIUSLog directory inside the Settings subdirectory of the SharedDomains directory.

Each RADIUS Accounting Log file has a yyyy-mm-dd file name (where yyyy is the current year, mm is the current month, and dd is the current month day), with the log file name extension. At local midnight, a new Accounting Log file is created.

Each RADIUS Accounting Log record is a text line containing a time-stamp, the operation type or command (started, ended, updated, inited, stopped), and optionally an account name.
The rest of the line contains accounting request attributes.
Each attribute is stored using the numeric attribute type, the equal (=) symbol, and the attribute value.
Attribute values are encoded in the same way as in they are encoded in dictionaries used in External RADIUS Helper Interface.


CommuniGate Pro Guide. Copyright © 2024, AO SBK