Centralizing Authentication
In a larger network topology with a larger administration workload, it is often preferable to have a central authentication database on a dedicated server. When there is more than one Clavister NetShield Firewall in the network and thousands of users, maintaining separate authentication databases on each device becomes problematic. Instead, an external authentication server can validate username/password combinations by responding to requests from cOS Stream.
The RADIUS Solution
To provide a centralized external authentication source, cOS Stream supports the Remote Authentication Dial-in User Service (RADIUS) protocol. RADIUS is an Authentication, Authorization and Accounting (AAA) protocol widely used to implement the central database approach.
RADIUS Architecture
The RADIUS protocol is based on a client/server architecture. The Clavister NetShield Firewall acts as the client of the RADIUS server, creating and sending requests to one or more dedicated servers. In RADIUS terminology, the firewall acts as the Network Access Server (NAS).
For user authentication, the RADIUS server receives authentication requests and verifies the user's credentials against its database. It then returns either an "accept" or "reject" reply to the requesting client.
Configuring RADIUS Servers
RADIUS servers are configured as separate objects in cOS Stream. A RADIUS server object's properties are:
Name
A suitable logical name for the object.
IPAddress
The IP address of the server. This could be an IP address object from the address book.
Port
The port used for the connection by cOS Stream. The default value is 1812.
RetryTimeout
This is the length of time in milliseconds after which a RADIUS request is assumed to have failed and a retry is attempted.
This value cannot be less than 500 and has no upper limit. The default value is 2000.
NumRetries
When a RADIUS request times out, the request is retried. This happens up to NumRetries times. The minimum is 1 and the maximum is 10. The default is 3.
Shared Secret
To provide request security, a common Shared Secret is configured on both the RADIUS client and the server. This secret enables encryption of the messages sent from the RADIUS client to the server and is commonly configured as a relatively long text string. The string can contain up to 100 characters and is case sensitive.
RADIUS uses PPP to transfer username/password requests between the client and the RADIUS server, as well as PPP authentication schemes such as PAP and CHAP. RADIUS messages are sent as UDP datagrams to UDP port 1812.
NAS-Identifier
This value is required when sending requests to some RADIUS servers.
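The following Python is an added illustration, not code from the Clavister documentation or from cOS Stream itself. It builds the Access-Request a NAS sends, hides the User-Password with the shared secret exactly as RFC 2865 specifies, and checks the Response Authenticator on the server's Access-Accept or Access-Reject, which is what the Shared Secret property described above actually protects: the password in transit and the integrity of the reply. The username, password, secret and NAS-Identifier values are constructed sample values.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RADIUS packet codes
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32    # attribute types used here

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    # Inverse of hide_password, as the server applies it; needs the same shared secret
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # Type, Length, Value

def build_access_request(ident, username, password, secret, nas_id, request_auth=None):
    # Access-Request as sent by the NAS; the Request Authenticator must be fresh random bytes
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    # MD5(Code | ID | Length | Request Authenticator | Attributes | Secret), RFC 2865 section 3
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, request_auth, secret, attrs=b""):
    # Access-Accept or Access-Reject as the server forms it for the matching request
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_reply(reply: bytes, request: bytes, secret: bytes):
    # Client-side check: accept the reply only if ID, length and authenticator match our request
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply) or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return None
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None
```

A reply whose Identifier or Response Authenticator does not match is discarded by verify_reply, which is why a mismatched shared secret on either side shows up as every request timing out rather than as a rejection.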
Example 17.3. Configuring a RADIUS Server
In this example, a RADIUS server will be configured with an IPv4 address of 198.10.2.1 and the shared secret specified as mysecret.
Command-Line Interface
System:/> add RadiusServer IPAddress=198.10.2.1 SharedSecret=mysecret
Using RADIUS Authentication
A RADIUS server is used for authentication with the following steps:
1. Create a RADIUS server object as described above.
2. Create an Authentication Profile object that uses the RADIUS server as its Authentication Source.
3. Associate the profile with an IP rule. When the IP rule triggers, authentication of user credentials will then be required to set up the traffic flow.