
Setting Up the RADIUS Client


This chapter describes how to set up the router for RADIUS authentication. It includes the following sections:

Authentication Configuration and Monitoring Prompts

Configuring the RADIUS Client for HTTP Authentication

Configuring the RADIUS Client for Telnet Authentication

Authentication Commands

Authentication Configuration and Monitoring Prompts

Authentication commands are available at the Auth Config> prompt and the Auth> prompt.

At the Auth Config> prompt, changes that you make to the configuration are saved in the router's configuration memory. These changes do not take effect until you restart the router.

Display the Auth Config> prompt as follows:

*config

Config>authentication
Auth Config>

At the Auth> prompt, changes that you make take effect immediately. Unless you explicitly save your changes using the save command, they are not saved when you restart the router.

Display the Auth> prompt as follows:

*monitor

Monitor>authentication

Auth>

Setting Up the Router's HTTP Server

The router has a built-in Web (HTTP) server that lets users authenticate using RADIUS. You may need to enable the Web server or change some of the server's parameters. The following steps show how to do so:

1. Display the Http Config> prompt as follows:

Config>http

Http Config>

2. Enable HTTP, which enables the router as an HTTP (Web) server.

Http Config>enable http

3. If necessary, adjust the following parameters for the router's HTTP server.

Http Config>set port=81 sessions=30 timeout=90

Configuring the RADIUS Client for HTTP Authentication

Follow these steps to set up the router as a RADIUS client for users who connect to the router using HTTP. See Communication Between the Router and the User.

1. Display the Authentication configuration prompt.

Config>authentication
Auth Config>

2. Add a RADIUS server to the configuration.

GTSecure uses this server to authenticate users. Include the IP address of the server. You can optionally add an MD5 secret, a priority, a port number, and a timeout. See add server for more information on these options.

Auth Config>add server 128.185.50.1 secret=md5secret priority=3 timeout=3

Note: You can add and prioritize up to four RADIUS servers.

3. Exit the Authentication configuration process and restart the router for the configuration to take effect.

Auth Config>exit
Config> Ctrl P
*restart

Configuring the RADIUS Client for Telnet Authentication

Follow these steps to set up the GTSecure router as a RADIUS client for users who connect to the router using Telnet. See Communication Between the Router and the User.

1. Add at least one user with administrative privileges to the router configuration.

Config>add user
Enter user name: ? admin
Enter authentication type: (N)one, (P)assword, (C)hallenge, or (Q)uit [P]? p
Enter password:
Enter password again:
Enter permission: (A)dmin, (O)perations, (M)onitor, or (Q)uit [A]? A

User 'admin' has been added

Notes:

2. Display the Authentication configuration prompt.

Config>authentication
Auth Config>

3. Add a RADIUS server to the configuration.

GTSecure uses this server to authenticate users. Include the IP address of the server. You can optionally add an MD5 secret, a priority, a port number, and a timeout. See add server for more information on these options.

Auth Config>add server 128.185.50.1 secret=md5secret priority=3 timeout=3

Note: You can add up to four RADIUS servers.

4. Exit the Authentication configuration process and restart the router for the configuration to take effect.

Auth Config>exit
Config> Ctrl P
*restart

Authentication Commands

Table 2 summarizes the Authentication commands.

[C] means the command is available at the Auth Config> prompt.

[M] means the command is available at the Auth> prompt.

Table 2 Authentication Commands

Command                 Function
Add Server [C] [M]      Adds a RADIUS server to the configuration.
Delete Server [C] [M]   Deletes a RADIUS server from the configuration.
Disable [C] [M]         Disables authentication.
Enable [C] [M]          Enables authentication.
Exit [C] [M]            Returns to the previous prompt.
List [C] [M]            Displays the current Authentication configuration.
Revert [M]              Restores the saved Authentication configuration.
Save [M]                Saves the active Authentication configuration.
Set [C] [M]             Changes parameters for connections between the router and the RADIUS server.

Add Server [C] [M]

Adds a RADIUS server to the configuration and lets you set options for the server. Enter the IP address of the RADIUS server. You can add up to four RADIUS servers.

Syntax: add server IP-address

Example: add server 128.185.50.1

When you add a RADIUS server, you can include the following options to set a port number, priority, an MD5 secret, or a timeout. You can add to or change these options later using the set server command.

port

The assigned port for RADIUS servers is 1812, and the router software uses 1812 as the default. Some older RADIUS servers may use port 1645. If you need the router to communicate with a server that uses 1645, you can use this option to change the port number over which the RADIUS server and the router communicate.

Syntax: port=#

Example: add server 128.185.50.1 port=1645

priority

If you are using multiple RADIUS servers, you can prioritize them. GTSecure queries the lower priority server first. If it cannot reach that server, it tries the next higher priority server. The range is 1 to 4. The default is 4.

Syntax: priority=#

Example: add server 128.185.50.1 priority=2

secret

An MD5 secret that GTSecure and the RADIUS server use to authenticate each other to prevent an unauthorized intruder from responding to authentication requests. This secret must match the secret you entered in the RADIUS server client database. See Clients Database for more information.

Syntax: secret=MD5-secret

Example: add server 128.185.50.1 secret=md5secret
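
How the shared secret keeps an unauthorized responder from answering authentication requests, as an added example (not Nx Networks code): in standard RADIUS (RFC 2865) each reply carries an MD5 Response Authenticator computed over the reply, the request's authenticator, and the secret, and the client recomputes it before trusting the reply. It is assumed that GTSecure follows the RFC; the packet values and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def response_authenticator(code, ident, request_auth, attributes, secret):
    """RFC 2865: MD5(Code | ID | Length | Request Authenticator | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def build_reply(code, ident, request_auth, attributes, secret):
    """Server side: header, 16-byte Response Authenticator, then attributes."""
    auth = response_authenticator(code, ident, request_auth, attributes, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + auth + attributes

def verify_reply(packet, ident, request_auth, secret):
    """Client side: accept a reply only if it matches our request and secret."""
    if len(packet) < 20:
        return False
    code, reply_id, length = struct.unpack("!BBH", packet[:4])
    if reply_id != ident or length != len(packet):
        return False
    expected = response_authenticator(code, reply_id, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values (not taken from a real exchange).
ACCESS_ACCEPT = 2
REQUEST_ID = 7
REQUEST_AUTH = bytes(range(16))      # normally 16 random bytes per request
REPLY_MESSAGE = b"\x12\x09Welcome"   # attribute 18 (Reply-Message), length 9
SECRET = b"md5secret"                # the secret used in this page's examples

def demo():
    genuine = build_reply(ACCESS_ACCEPT, REQUEST_ID, REQUEST_AUTH, REPLY_MESSAGE, SECRET)
    wrong_secret = build_reply(ACCESS_ACCEPT, REQUEST_ID, REQUEST_AUTH, REPLY_MESSAGE, b"other")
    altered = genuine[:-1] + b"!"    # same authenticator, one attribute byte changed
    return {
        "genuine": verify_reply(genuine, REQUEST_ID, REQUEST_AUTH, SECRET),
        "wrong_secret": verify_reply(wrong_secret, REQUEST_ID, REQUEST_AUTH, SECRET),
        "altered": verify_reply(altered, REQUEST_ID, REQUEST_AUTH, SECRET),
    }

if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the secret: anyone who knows or guesses it can produce a reply that verifies.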

timeout

A timeout for the RADIUS server. If GTSecure does not receive a response from the server within this time period, it closes the connection to the server. For high-speed links, set this value to a low number. Nx Networks recommends 2 or 3 seconds. The range is 1 to 10 seconds. The default is 2 seconds.

Syntax: timeout=#-of-seconds

Example: add server 128.185.50.1 timeout=2

Delete Server [C] [M]

Deletes a RADIUS server from the configuration. Enter delete server followed by the IP address of the server.

Syntax: delete server IP-address

Example: delete server 128.185.50.1

Disable [C] [M]

Disables authentication.

Syntax: disable

http
radius

http

Disables HTTP authentication.

Example: disable http

radius

Disables RADIUS authentication. Adding a RADIUS server automatically enables RADIUS authentication.

Example: disable radius

Enable [C] [M]

Enables authentication.

Syntax: enable

http
authentication

http

Enables HTTP authentication.

Example: enable http

radius

Enables RADIUS authentication. Adding a RADIUS server automatically enables RADIUS authentication. You need to use this command only if you previously disabled RADIUS authentication.

Example: enable radius

Exit [C] [M]

Returns to the previous prompt.

Syntax: exit

Example: exit

Config>

List [C] [M]

Displays the Authentication configuration.

Syntax: list

Example: list

RADIUS authenticated is Enabled

IP address        Secret       Priority   Timeout   Port
----------------------------------------------------------------------
128.185.123.208   testing123   1          2         1812
128.185.123.74    nxnetworks   3          2         1812
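
The list output prints each shared secret in clear text, so a saved copy of it can be checked offline. The following added example (not Nx Networks code) parses that output and flags entries against the ranges documented on this page. The names, the set of published secrets, and the 16-character minimum (taken from the preference stated in RFC 2865) are assumptions made for illustration.

```python
import re

# Sample taken from the `list` example above. Assumption: each row is five
# whitespace-separated fields, so secrets containing spaces are not handled.
SAMPLE = """\
RADIUS authenticated is Enabled

IP address Secret Priority Timeout Port
----------------------------------------------------------------------
128.185.123.208 testing123 1 2 1812
128.185.123.74 nxnetworks 3 2 1812
"""

ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$")
# Assumption: any secret that appears in this manual counts as publicly known.
PUBLISHED_SECRETS = {"md5secret", "newsecret", "testing123", "nxnetworks"}
MIN_SECRET_LEN = 16   # RFC 2865 prefers at least 16 octets; used as local policy

def parse_list(text):
    """Return one dict per server row of `list` output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ip, secret, prio, timeout, port = m.groups()
            rows.append({"ip": ip, "secret": secret, "priority": int(prio),
                         "timeout": int(timeout), "port": int(port)})
    return rows

def audit(text):
    """Return (ip, finding) pairs using the ranges documented on this page."""
    rows, findings = parse_list(text), []
    if len(rows) > 4:
        findings.append(("*", "more than four RADIUS servers listed"))
    for r in rows:
        if r["secret"] in PUBLISHED_SECRETS:
            findings.append((r["ip"], "secret is a published example value"))
        if len(r["secret"]) < MIN_SECRET_LEN:
            findings.append((r["ip"], "secret shorter than 16 characters"))
        for field, lo, hi in (("priority", 1, 4), ("timeout", 1, 10)):
            if not lo <= r[field] <= hi:
                findings.append((r["ip"], "%s outside %d-%d" % (field, lo, hi)))
        if r["port"] != 1812:
            findings.append((r["ip"], "port %d is not the assigned 1812" % r["port"]))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```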

Revert [M]

Reverts to the saved configuration.

Syntax: revert

Example: revert

Save [M]

Saves changes you make at the Auth> prompt to permanent memory so they are still present after you restart the router.

Syntax: save

Example: save

Set [C] [M]

Sets parameters for the router's HTTP server or changes parameters for connections between the router and the RADIUS server.

Syntax: set

server ip-address options

server IP-address option(s)

Changes the MD5 secret, port number, priority, or timeout of a RADIUS server that you previously added. Enter set server followed by the IP address of the server and the options you want to change. See add server for a description of the options.

Example: set server 128.185.50.1 secret=newsecret timeout=3




Copyright © 2001, Nx Networks, Inc. All rights reserved.