RADIUS Interface

Configuring the RADIUS Module RADIUS Authentication External Helper Accounting Log The CommuniGate Pro Server supports RADIUS authentication for various NAS (Network Access Servers). The RADIUS module acts as a RADIUS server. It receives authentication requests from RADIUS clients (NAS), verifies the supplied credentials and accepts or rejects these requests. The RADIUS module supports the standard PAP and CHAP authentication methods. The RADIUS module can use an external helper application to implement site-specific access policy (based on RADIUS request attributes) and to return additional attributes to NAS. By default the CommuniGate Pro RADIUS server is not activated.

Configuring the RADIUS Module

To configure the RADIUS module, use the WebAdmin Interface. Open the Obscure page in the Settings section and find the RADIUS panel:

RADIUS
Log: Crashes OnlyFailuresMajor & FailuresProblemsLow LevelAll Info listener Password: Channels: 13510152550100 Record

Log

Use this setting to specify what kind of information the RADIUS module should put in the Server Log. Usually you should use the Major or Problems (non-fatal errors) levels. But when you experience problems with the RADIUS module, you may want to set the Log Level setting to Low-Level or All Info: in this case protocol-level or link-level details will be recorded in the System Log as well.

The RADIUS module Log records are marked with the RADIUS tag. Please note that RADIUS is a binary protocol, so all low-level data is presented in the hexadecimal form.

listener

Use this link to open the UDP Listener page and specify the port number and local network address for the RADIUS server authentication service, and access restrictions for that port. When the port number is set to 0, the RADIUS server is disabled.
By default RADIUS clients send requests to the UDP port 1812.
If your server computer is already running some RADIUS server, you may want to specify a non-standard port number here and reconfigure your RADIUS client software to use that port number.

Channels

Use this setting to specify the number of RADIUS module processors (threads) used to process RADIUS requests. If you set this setting to 0, all requests will be processed directly with the RADIUS Listener thread(s).

Password

Use this setting to specify the RADIUS "shared secret". All RADIUS clients should use the same "shared secret" in order to access the RADIUS server.

Record

If this option is enabled, the RADIUS module stores all Accounting request in a text file. See the Accounting Log section below.

RADIUS Authentication

The RADIUS module accepts properly formatted "Access-Request" requests from RADIUS clients, retrieves the User-Name and User-Password attributes and tries to find the specified CommuniGate Pro Account and verify its password. If the password can be verified and the Account and its Domain both have the RADIUS Service enabled, a positive response is sent to the RADIUS client, otherwise a negative response with the error code text is sent.

Note: clients authenticating via RADIUS do not use any network address on the Server, and Secondary Domain users should specify their full account name (account@domain), or should specify a name that is routed to their account using the Router. Because the Router is used to process the User-Name attribute, account aliases can be used for authentication, too. See the Access section of the manual for more details.

External Helper

The CommuniGate Pro Server can use an external Helper program to implement a RADIUS authentication policy. That program should be created by your own technical staff.

The program name and its optional parameters should be specified using the WebAdmin Helpers page. Open the General page in the Settings realm, and click the Helpers link:

External RADIUS
Log: Crashes OnlyFailuresMajor & FailuresProblemsLow LevelAll Info Program Path: Time-out: disabled15 seconds30 secondsminute2 minutes3 minutes5 minutes10 minutes15 minutes30 minuteshour Auto-Restart: disabled5 seconds7 seconds10 seconds15 seconds30 secondsminute2 minutes3 minutes5 minutes10 minutes15 minutes30 minuteshour2 hours3 hours6 hours

See the Helper Programs section to learn the meaning of these options. The External RADIUS module System Log records are marked with the EXTRADIUS tag.

The External RADIUS Interface protocol is based on the generic Helper Protocol.

This manual describes the External RADIUS Interface Version 1.

If the External RADIUS program is not enabled, then the positive authentication response is sent as soon as the user password is verified. The response does not contain any additional attributes.

If the External RADIUS program is enabled, it is used after the user password is verified. The Server sends the following command:
nnnnnn LOGIN name@domain attributes settings
where:

nnnnnn

a unique sequence number for this request

name

user Account name

domain

user Account Domain name

attributes

a dictionary with all request attributes.

settings

a dictionary with the Account settings.

If the login request is accepted, the Helper program should return a positive response:
nnnnnn ACCEPT attributes
where:

nnnnnn

the request sequence number

attributes

a dictionary with the attributes to be added to the RADIUS response.

If the password was not accepted, a negative response should be returned:
nnnnnn REJECT optional-error-message

If the External RADIUS program is enabled, it is used to process the Start, Stop, and Interim-Update accounting requests. The Server sends the following command:
nnnnnn ACCNT command name@domain attributes
where:

nnnnnn

a unique sequence number for this request

command

the accounting command (started, ended, updated)

name

user Account name

domain

user Account Domain name

attributes

a dictionary with all request attributes.

The Helper program should return a positive response:
nnnnnn OK
where:

nnnnnn

the request sequence number

The attributes in dictionaries should use the attribute type numeric values as keys (for example 27 for Session-Timeout).

The following attributes are interpreted as 32-bit integer values and they are encoded as numeric strings in dictionaries:
NAS-Port, Service-Type, Framed-Protocol, Framed-Routing, Framed-MTU, Framed-Compression, Login-Service, Login-TCP-Port, Framed-IPX-Network, Session-Timeout, Idle-Timeout, Termination-Action, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Event-Timestamp, NAS-Port-Type, Port-Limit, ARAP-Zone-Access, Password-Retry, Prompt, Tunnel-Type, Tunnel-Medium-Type, Tunnel-Preference, Acct-Interim-Interval, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Authentic, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Terminate-Cause, Acct-Link-Count, Acct-Input-Gigawords, Acct-Output-Gigawords.

The following attributes are interpreted as 32-bit IP addresses and they are encoded as aaa.bbb.ccc.ddd strings in dictionaries:
NAS-IP-Address, Framed-IP-Address, Framed-IP-Netmask, Login-IP-Host.

The following attributes are not passed to the Helper and are ignored in Helper responses:
User-Name, User-Password, CHAP-Password, State, Proxy-State, EAP-Message, Message-Authenticator, Acct-Status-Type.

All other attribute values are encoded either as a String or as DataBlocks. The Server uses the DataBlocks format for those attribute values that contain bytes outside the hexadecimal 0x20-0x7F range. The DataBlock format must be used is the value contains binary zero bytes.

If an attribute has multiple values, the attribute value is encoded as an Array.

Accounting requests also have a numeric attribute 0 - the RADIUS protocol request ID. It can be used to detect retransmitted packets (duplicate requests).

Sample session (I: - server commands sent to the program standard input, O: - responses the program writes to its standard output):

I: 00001 INTF 1
O: 00001 OK 1
I: 00002 LOGIN user1@domain1.com {4=10.0.0.1;32="NAS 1";31=4153837164;} {RealName="User"; NATIP="192.168.1.3";}
O: 00002 ACCEPT {8=192.168.1.3; 9=255.255.255.0; 13=(0,3);}
I: 00002 LOGIN user1@domain1.com {32="NAS 2";31=415.5512.12; 8=192.168.1.3;} {NATIP="10.0.1.114";}
O: 00003 REJECT
I: 00004 ACCNT started user1@domain1.com {0=120;32="NAS 2";31=415.5512.12; 8=192.168.1.3;}
O: 00004 OK

Note: the Server can send several concurrent requests for the same target Account.

Note: the External RADIUS program is called when the target Account is open. In a Dynamic Cluster system this means that External RADIUS programs should run on backend servers, and that it is impossible that External RADIUS programs running on two different backend servers get requests for the same Account at the same time.

Sample External RADIUS programs and scripts can be found at the http://www.stalker.com/CGRADIUS/ site.

Accounting Log

If the Record option is enabled, all RADIUS accounting operations are recorded in a text-based Accounting Log file. The Accounting Log files are stored inside the RADIUSLog file subdirectory.

A single-server system creates the RADIUSLog directory inside the Settings subdirectory of the base directory.
A Dynamic Cluster system creates the RADIUSLog directory inside the Settings subdirectory of the SharedDomains directory.

Each RADIUS Accounting Log file has a yyyy-mm-dd file name (where yyyy is the current year, mm is the current month, and dd is the current month day), with the log file name extension. At local midnight, a new Accounting Log file is created.

Each RADIUS Accounting Log record is a text line containing a time-stamp, the operation type or command (started, ended, updated, inited, stopped), and optionally an account name. The rest of the line contains accounting request attributes. Each attributes is encoded with the same, the numeric attribute type, the equal (=) sign, and the attribute value. Attribute values are encoded in the same way as in the dictionaries used in External RADIUS Helper Interface.