RADIUS NAS
The RADIUS NAS view presents the scaffolds associated with manipulating the external RADIUS server identity management integration mechanisms built into the rXg captive portal web application.
When an external RADIUS server is used as the credential store, the captive portal must be enabled. The end-user web browser is then redirected to the rXg captive portal web application. At this point, the end-user must present credentials to the external authentication client that is integrated into the portal. The end-user supplied credentials are then sent to an external RADIUS server. The response is then interpreted by the rXg integrated external authentication client and access to the WAN is manipulated appropriately.
Group membership is determined by the creation of the RADIUS groups records and the association of those records with RADIUS realms. In addition, RADIUS groups are associated with policies in a manner similar to local groups ( MAC groups , IP groups and account groups ). Membership of end-users into particular RADIUS groups may also be specified by the RADIUS server through the Class attribute that passed back in Access-Accept messages.
Several RADIUS realms may be configured to support multiple simultaneous logical partitions. For example, many operators wish to setup agreements with as many wireless account aggregators (e.g., iPass, Boingo, T-mobile, etc.) as possible. Each of the aggregators has their own servers that require specific RADIUS attributes to be transmitted with Access-Request messages. Thus, each aggregator must be configured as an independent RADIUS realm record.
Credential database servers are defined by the associated records in the server scaffolds of the associated protocol. For example, the RADIUS servers that will be queried are defined by the RADIUS servers scaffold. Several RADIUS servers may be associated with a single RADIUS realm for failover purposes.
RADIUS Groups
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
An entry in the RADIUS groups scaffold defines a group object that can be used as a membership destination for end-users that have been authenticated via the RADIUS protocol in a partition defined by a RADIUS realm.
The priority field determines the effective group when an end-user or device is a member of more than one group. By default, RADIUS groups have a priority of 4, which puts them ahead of the default priority of all group objects configured by internal identities.
The Class attribute field is used when RADIUS realms are configured to read group from Class. When configured in this manner, a single RADIUS realm can make end-users members of several different RADIUS groups. The RADIUS Access-Accept message is parsed for a Class attribute. If found, the value of the Class attribute is compared to the Class attribute field of all RADIUS groups. If a match is found, the matching RADIUS group becomes the destination for the end-user.
The RADIUS realms field determines which logical partitions of the RADIUS NAS will send end-users to become members of this RADIUS group (and hence, take part in the enforcement defined by the policy ).
The policy field associates this group object with a policy object. The policy object relates the group to objects that specify the configuration of the control and communication features of the rXg that determine the end-user experience.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
RADIUS Servers
An entry in the RADIUS servers scaffold defines a server that may be queried for end-user credential validity using the RADIUS protocol.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The priority field is used when multiple RADIUS servers are associated with a RADIUS realm. The RADIUS server with the highest priority is queried first. If the RADIUS server with the highest priority does not respond within the window defined by the tries and timeout fields, the next highest priority server is queried. If no RADIUS servers respond, the end-user is denied access.
The IP field specifies the IP address of the RADIUS server to be queried for credential validation.
The port field specifies the UDP port to use when sending the RADIUS request for credential validation. Similarly the accounting port field specifies the UDP port to use when sending the RADIUS accounting start, stop and intermediate updates. Leave these fields blank to use the defaults.
The tries and timeout fields govern the retry and failure detection behavior of the RADIUS NAS. Increase these values when communicating with servers that are heavily loaded or connected via congested networks.
The secret field is the RADIUS shared secret. It is used to encode and decode messages being sent to and from the RADIUS server. This setting must match that of the RADIUS server in order for credential validation to operate.
The RADIUS realms field determines which logical partitions of the RADIUS NAS will use the server specified in this record for queries. There are several reasons a given RADIUS server will be shared across multiple RADIUS realms. One very common scenario is when an account aggregator outsources the operation of their OSS to a well established third-party. Another is when a single corporate RADIUS server is used for authenticating several different classes of devices or end-users.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
RADIUS Realms
An entry in the RADIUS realms scaffold defines a logical partition for the RADIUS NAS that is integrated into the captive portal web application.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
If read group from Class is checked, the RADIUS NAS will look for the RADIUS Class attribute in Access-Accept messages. If the RADIUS Class attribute is found, the value is decoded and compared with the values of the class attribute field of the RADIUS groups that are configured. If a match is found, the authenticated end-user is made a member of the RADIUS group with the matching class attribute. If no match is found, the RADIUS group setting of the RADIUS realm is used to determine group membership.
The RADIUS group field specifies the default RADIUS group record that authenticated end-users will be made members of. If the read group from class field is not checked, the authenticated end-users are always made members of the RADIUS group specified here.
The accounting checkbox enables the transmission of start and stop RADIUS accounting messages. Accounting messages are sent to the same RADIUS server as authentication messages but on a different port as specified in the RADIUS Server configuration.
The encoding field specifies the password encoding used when sending RADIUS Access-Request messages. This setting must match what is accepted by the RADIUS server.
The use Session-Timeout and session minutes fields control the length of the user session for authenticated end-users. If use Session-Timeout is checked, the RADIUS NAS will look for the RADIUS Session-Timeout attribute in all Access-Accept messages. The session length of the end-user is set to the decoded value If a reasonable value is found. If no reasonable value is found, the session minutes field is used to set the end-user session length. If the use Session-Timeout field is not checked, the end-user session length is always set to session minutes.
If the automatic login box is checked, the rXg will attempt to automatically login a returning end-user after the first successful authentication, assuming the user has the same MAC address and/or browser cookie. This requires storing the end-user's password in the rXg's database in encrypted format.
The servers field associates the logical partition defined by this RADIUS realm record with one or more RADIUS server records that define which RADIUS servers to send Access-Request messages.
The RADIUS NAS can send optional RADIUS attributes to the RADIUS server in Access-Accept messages. The supported optional RADIUS attributes are NAS-IP-Address, Called-Station-Id, NAS-Identifier, NAS-Port and NAS-Port-Type. Many RADIUS servers and third-party account aggregation services have very specific requirements for the attributes and values present in RADIUS Access-Request messages. Incorrect configuration of optional attributes usually results in universal rejection of all Access-Accept messages.
Each of these optional attributes has a set of synonymous configuration fields. A checkbox is provided to enable the sending of the optional attribute (e.g., send NAS-IP-Address ). Optional attributes will not be sent unless the appropriate box is checked. The values to be sent in the optional attribute is also configurable. All optional attributes may be transmitted with an arbitrary static value that is specified in a text-field. In addition, different dynamic values are available for the the optional attributes. For example, a common value for the NAS-Identifier attribute is the domain name of the RADIUS NAS and this is enabled by checking the box next to the use domain name field.
The IP and/or MAC address of the rXg may be sent to the RADIUS server in all Access-Request messages by checking the boxes next to the send requesting node IP and send requesting node MAC fields. The RADIUS attribute that will contain the address is configured via the requesting node IP attribute and requesting node MAC attribute. Many RADIUS servers and third-party account aggregation services have specific requirements regarding these fields. In addition, some third-party account aggregators require pre-registration of the MAC and/or IP address of the RADIUS NAS (i.e., the rXg) before credential validation will operate.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.
WISPr Prefixes
WISPr (Wireless Internet Service Provider roaming) is a mechanism that allows software clients installed on devices to authenticate end-users without the end-user experiencing a forced browser redirect. Each entry in the WISPr prefixes scaffold defines a prefix that is used by all software clients from the same account aggregator and associates that prefix with a RADIUS realm. Enabling WISPr support on the rXg requires documentation and cooperation of the account aggregator providing the software clients to end-users.
The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.
The prefix field stores the string that is defined by the account aggregators and needs to match the value sent in the software clients.
The RADIUS realm field associates a RADIUS realm record that defines the logical partition of the RADIUS NAS with the prefix that will be transmitted by software clients.
The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.