cOS Core has the ability to act as an authenticating RADIUS server by defining a RADIUS Authentication Service object. This object listens for incoming RADIUS requests on a specified interface, and a source address filter determines which client IP addresses receive a response (the filter can be set to all-nets so that any source is answered). Multiple RADIUS Authentication Service objects can be defined.
It should be noted that this feature does not provide a general-purpose RADIUS server. It is intended for the specific use case where clients authenticate to the firewall with EAP-TLS, presenting their own certificate inside the TLS handshake that EAP carries over RADIUS. Once a client is authenticated, the cOS Core rule sets can allow or prevent connections from the client to different resources, in the same way as when an external RADIUS server is used for authentication.
Setup Steps
The following steps are needed to set up this feature:

1. Upload a suitable CA public key certificate to the firewall and define a Certificate object for this in cOS Core with its Type property set to the value Remote.
   This is the CA certificate against which the client's certificate is validated.

2. Upload the public and private key files for the server's own certificate to the firewall, and define a Certificate object for this in cOS Core with its Type property set to the value Local.
   This certificate is used for the EAP-TLS handshake with the client. Its key algorithm can differ from that of the CA certificate (in Example 9.11 the CA key is RSA and the server key is EC).

3. Define a RADIUS Authentication Service object which references the above certificates. The definition must specify the interface on which cOS Core will listen for RADIUS requests from clients. An example of defining this object can be found in Example 9.11, “Configuring a RADIUS Authentication Service”.

4. Activate the new configuration.
There is no need to create a separate Authentication Rule. Authentication is enabled as soon as the RADIUS Authentication Service is created and the new configuration activated.
The following should be noted about the RADIUS Authentication Service:
Both the CA and server certificate must be specified.
The default listening port number is 1812 but this can be changed.
A source address filter must be specified. A value of all-nets should be specified if no filtering is to be done.
In the current release of this feature the only type of authentication supported is certificate-based EAP-TLS. The Method property of the server will default to this value and so it does not need to be specified.
Non-EAP requests will get an Access-Reject response.
Access-Request packets carrying EAP-Message attributes must also include a Message-Authenticator attribute set to a valid value (an HMAC-MD5 over the packet, keyed with the shared secret, as defined in RFC 3579).
The EAP type must be one of the basic types 1 to 3 (Identity, Notification, Nak) or type 13 (EAP-TLS). Requests carrying any other EAP type are dropped.
Note that if an unsupported type is sent, the server does not reply with a message proposing its desired type; the request is simply dropped.
If the client sends a certificate that cannot be authenticated using the server's configured CA certificate, the authentication request will fail. It will also fail if no certificate is sent.
If authentication fails, the RADIUS message Access-Reject as well as the message EAP-Failure are sent to the client.
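The notes above describe what the server checks before an EAP-TLS exchange can start. The following Python is an added example, not cOS Core code: it encodes RADIUS Access-Requests carrying EAP-Message attributes (RFC 2865, RFC 3748), computes and verifies the Message-Authenticator exactly as RFC 3579 defines it, applies the triage the notes describe (a non-EAP request gets Access-Reject, an unsupported EAP type is dropped), and builds the Access-Reject plus EAP-Failure that is sent on failure. Silently dropping a request whose Message-Authenticator is missing or invalid is RFC 3579 behaviour and is an assumption here, since the page only says the attribute must be present and valid; the identity "client1", the packet identifiers, the fixed Request Authenticator and the reuse of the shared secret from Example 9.11 are constructed sample input.

```python
"""RADIUS Access-Request construction and the acceptance checks listed above.
Added example using RFC 2865, RFC 3579 and RFC 3748 encodings; this is not
cOS Core code, and the check order is only what the notes above imply."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
EAP_RESPONSE, EAP_FAILURE = 2, 4
ACCEPTED_EAP_TYPES = {1, 2, 3, 13}   # Identity, Notification, Nak, EAP-TLS


def attr(attr_type, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def eap_packet(code, eap_id, eap_type=None, data=b""):
    """One EAP packet: Code, Identifier, Length, optional Type and Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, eap_id, 4 + len(body)) + body


def parse_attributes(pkt):
    """Return (type, value, offset) for each attribute after the 20-byte header."""
    attrs, pos = [], 20
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("malformed attribute")
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]], pos))
        pos += pkt[pos + 1]
    return attrs


def message_authenticator(secret, pkt, off):
    """Expected Message-Authenticator for the attribute at offset off: HMAC-MD5,
    keyed with the shared secret, over the packet with that value zeroed."""
    zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def build_access_request(secret, pkt_id, request_auth, attrs, with_mac=True):
    """Assemble an Access-Request; with_mac appends a Message-Authenticator last."""
    body = b"".join(attrs) + (attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)) if with_mac else b"")
    pkt = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(body)) + request_auth + body
    if with_mac:
        pkt = pkt[:-16] + message_authenticator(secret, pkt, len(pkt) - 18)
    return pkt


def check_request(secret, pkt):
    """Server-side triage: 'reject' (answer with Access-Reject), 'drop' (no answer)
    or 'proceed' (hand the EAP message to the EAP-TLS state machine)."""
    if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return "drop"
    try:
        attrs = parse_attributes(pkt)
    except ValueError:
        return "drop"
    eap_parts = [v for t, v, _ in attrs if t == ATTR_EAP_MESSAGE]
    if not eap_parts:
        return "reject"                      # non-EAP request gets Access-Reject
    macs = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][0]) != 16:
        return "drop"                        # assumed: missing/malformed Message-Authenticator
    if not hmac.compare_digest(message_authenticator(secret, pkt, macs[0][1]), macs[0][0]):
        return "drop"                        # assumed: invalid Message-Authenticator
    eap = b"".join(eap_parts)                # EAP-Message fragments concatenate in order
    if len(eap) < 5 or eap[0] != EAP_RESPONSE or struct.unpack("!H", eap[2:4])[0] != len(eap):
        return "drop"
    if eap[4] not in ACCEPTED_EAP_TYPES:
        return "drop"                        # other EAP types are dropped, nothing is sent back
    return "proceed"


def build_access_reject(secret, request_pkt, eap_id):
    """Access-Reject carrying EAP-Failure. Message-Authenticator is computed with the
    Request Authenticator in the header, then the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + secret) per RFC 2865."""
    body = attr(ATTR_EAP_MESSAGE, eap_packet(EAP_FAILURE, eap_id))
    body += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REJECT, request_pkt[1], 20 + len(body)) + request_pkt[4:20] + body
    pkt = pkt[:-16] + message_authenticator(secret, pkt, len(pkt) - 18)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]


def verify_response(secret, request_pkt, response_pkt):
    """NAS side: check the Response Authenticator, then the Message-Authenticator."""
    with_req_auth = response_pkt[:4] + request_pkt[4:20] + response_pkt[20:]
    if hashlib.md5(with_req_auth + secret).digest() != response_pkt[4:20]:
        return False
    macs = [(v, off) for t, v, off in parse_attributes(response_pkt) if t == ATTR_MESSAGE_AUTHENTICATOR]
    return len(macs) == 1 and hmac.compare_digest(
        message_authenticator(secret, with_req_auth, macs[0][1]), macs[0][0])


def demo():
    """Constructed exchange: a valid EAP-Response/Identity, the same with a tampered
    Message-Authenticator, an unsupported EAP type (4, MD5-Challenge), and a
    request with no EAP-Message at all (PAP-style User-Name only)."""
    secret = b"mysecretcode"                 # shared secret from Example 9.11
    request_auth = bytes(range(16))          # fixed instead of random, for reproducibility
    identity = attr(ATTR_EAP_MESSAGE, eap_packet(EAP_RESPONSE, 1, 1, b"client1"))
    good = build_access_request(secret, 7, request_auth, [attr(ATTR_USER_NAME, b"client1"), identity])
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])
    md5_type = build_access_request(secret, 8, request_auth,
                                    [attr(ATTR_EAP_MESSAGE, eap_packet(EAP_RESPONSE, 1, 4, b"\x10" + bytes(16)))])
    pap = build_access_request(secret, 9, request_auth, [attr(ATTR_USER_NAME, b"client1")], with_mac=False)
    verdicts = {name: check_request(secret, p)
                for name, p in [("good", good), ("tampered", tampered), ("md5_type", md5_type), ("pap", pap)]}
    return verdicts, build_access_reject(secret, good, 1)


if __name__ == "__main__":
    verdicts, reject = demo()
    print(verdicts)                          # good proceeds; tampered and md5_type drop; pap rejected
    print(reject.hex())
```

In practice the EAP messages reach the firewall through a NAS (a switch or access point acting as the 802.1X authenticator), and it is the NAS that adds the Message-Authenticator; a NAS that omits it will see its requests go unanswered rather than rejected, which is the first thing to check when a client appears to hang in authentication.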
Example 9.11. Configuring a RADIUS Authentication Service
This example shows how a RADIUS Authentication Service can be configured. It assumes that RADIUS requests are accepted from any source IP address. It is also assumed that the following Certificate objects A and B already exist in the cOS Core configuration:
A. CA Certificate (public key only):
Property           Value           Remarks
-----------------  --------------  ---------
Name:              my_ca_cert
Type:              Remote
CertificateData:   (binary data)
CRLChecks:         Disabled
CRLDistPointList:  <empty>
PKAType:           RSA             Read-only
IsCA:              Yes             Read-only
Attribute:         <empty>
Comments:          <empty>
B. Server Certificate (both public and private key):
Property           Value           Remarks
-----------------  --------------  ---------
Name:              my_server_cert
Type:              Local
CertificateData:   (binary data)
PrivateKey:        (binary data)
CRLChecks:         Disabled
CRLDistPointList:  <empty>
PKAType:           EC              Read-only
IsCA:              No              Read-only
Attribute:         <empty>
Comments:          <empty>
Command-Line Interface
Device:/> add RadiusAuthService my_radius_server
              SourceInterface=If2
              ClientIPFilter=all-nets
              SharedSecret=mysecretcode
              Certificate=my_server_cert
              ClientCACertificate=my_ca_cert
InControl
Follow similar steps to those used for the Web Interface below.
Web Interface