
Installing and Using the RADIUS Server


This document describes how to install the RADIUS server software, set up RADIUS server database files, and run the RADIUS server. It includes the following sections:

Installing and Compiling the RADIUS Server

Setting Up the RADIUS Server Database Files

Running the RADIUS Server

Installing and Compiling the RADIUS Server

Before You Begin

The GTSecure RADIUS server software is available on the World Wide Web at http://www.nxnetworks.com.

The server software runs on a UNIX® operating system. It comes compiled for SunOS(TM) version 4.1.x or greater. If you are using a different UNIX operating system, you must compile the RADIUS files. To do so, you need the GNU compiler (version 2.5.6 or greater) or the SunOS compiler (cc).

Installing the RADIUS Server

Follow the steps below to install the RADIUS server software.

1. Create a directory for the RADIUS server, copy the radius.tar file to that directory, and go to that directory.

2. To extract the files from the tar format, enter:

tar xvf radius.tar

This command creates three directories and places them in the directory you created, along with a Readme file. The src and obj directories contain the files necessary to compile and run the RADIUS server. The raddb directory contains the RADIUS database files.

You can move these files to another location. However, you must place the executable file (radiusd) in a directory that is parallel to (a sibling of) the raddb directory that holds the database files.

Compiling the RADIUS Server

If you are using a UNIX operating system other than SunOS version 4.1.x or greater, follow these steps to compile the RADIUS files.

1. Make sure you have the GNU compiler (version 2.5.6 or later).

2. Change to the obj directory and enter the following command:

obj# make radiusd

This creates a new executable file called radiusd and places the file in the obj directory.

Setting Up the RADIUS Server Database Files

Table 1 describes the RADIUS database files. These files are in the raddb directory.

Table 1 RADIUS Database Files

Database File   This File Contains . . .
-------------   ------------------------------------------------------------
clients         The IP addresses or names of the GTSecure routers that are clients to the RADIUS server. It also holds the MD5 secret shared by each GTSecure router and the RADIUS server.

users           Information about all users who authenticate using this server: the user name, the type of authentication to use, and the user service type or IP filter profiles to make available to the user once they are authenticated.

cryptocards     Information on each user's CRYPTOCard configuration.

The following sections show how to set up each of these databases. You modify the database files using any UNIX text editor.

Clients Database

The clients database must have an entry for each GTSecure client that uses this RADIUS server to authenticate users.

The clients database has the following format:

Client Name                   Key
--------------------          ------------------------
Client Name or IP Address     MD5 Secret

The following is a description of these fields:

Client Name or IP address

This field identifies the GTSecure client. Enter either

  • The IP address of the GTSecure interface to which the end user runs HTTP or Telnet.

  • The name of the GTSecure client as it appears in the UNIX hosts file.

MD5 Secret

The MD5 secret that the GTSecure client and the RADIUS server share to authenticate each other. This secret must match the MD5 secret configured for this RADIUS server on the GTSecure client. See the GTSecure RADIUS configuration add server command.

The following is an example of a clients database file.

Client Name                   Key
--------------------          ------------------------
60.2.20.1                     md5secret
gtsecure.com                  secret1234

Users Database

The users database must have an entry for each user that the RADIUS server authenticates.

The users database has one of the following formats:

UserName Type-of-Authentication = Mode or "Password"
Framed-Filter-Id = "ProfileName1",
Framed-Filter-Id = "ProfileName2",
Framed-Filter-Id = "ProfileName3",

UserName Type-of-Authentication = Mode or "Password"
User-Service-Type = Administrative or NAS-Prompt

The following is a description of these fields:

UserName

Name of a user who authenticates using this server. This name must match the user name in the cryptocards database. The name can be up to eight characters.

Type-of-Authentication

You can use two types of authentication:

  • Password. Uses a password to authenticate a user. The entry is written Password = "Password".

  • Token. Uses a token response to authenticate a user. The entry is written Token = Mode.

Password

If you set the type of authentication as Password, enter a password for the user. Enclose the password in double quotation marks.

Mode

If you set the type of authentication as Token, enter the mode to use: CRYPTOCard or RandomCryptocard (written CRYPTOCARD and RANDOM_CRYPTOCARD in the example users file below). See Types of Challenges and Responses.

  • CRYPTOCard. The server uses reduced-entry mode to generate a challenge. Nx Networks recommends this mode because it is just as secure as RandomCryptocard, but it is much easier to use.

  • RandomCryptocard. The server uses a fully random challenge-response mode to generate a challenge.

When you program the user's CRYPTOCard, you must configure it to match this setting. See your CRYPTOCard documentation for instructions.

Framed-Filter-Id

The names of the IP filter profiles that you want to make available to this user once the user has been authenticated. When the RADIUS server authenticates this user, the server sends this list of profiles to GTSecure. GTSecure presents the list of profiles to the user, and the user can select the profile(s) they wish to install.

User-Service-Type

The type of service you want to make available to this user once the user has been authenticated. When the RADIUS server authenticates this user, the server logs this user directly into the router with Administrative or NAS-Prompt service type. A user logged in with Administrative service type can configure the router. A user logged in with NAS-Prompt service type can obtain status and configuration information but cannot configure the router.

The following is an example of a users database file.

wrkflt TOKEN = RANDOM_CRYPTOCARD
Framed-Filter-Id = "FTPEmail",
Framed-Filter-Id = "TelnettoServerA",
Framed-Filter-Id = "All_Access",

jagflt TOKEN = CRYPTOCARD
Framed-Filter-Id = "TFTP",
Framed-Filter-Id = "TelnettoServerA",
Framed-Filter-Id = "FTP_Email",

drsflt Password = "bar"
Framed-Filter-Id = "TelnettoServerA",
Framed-Filter-Id = "Email"

cbarbari Password = "aylbeeba"
User-Service-Type = Administrative

stroxell Password = "uncus"
User-Service-Type = NAS-Prompt

Cryptocards Database

The cryptocards database holds information on how the user's CRYPTOCard is configured. The entries in this file must match the configuration of each user's CRYPTOCard. The cryptocards database has the following format:

User       Key (OCTAL)                Display   Challenge
------     ------------------------   -------   ---------
UserName   Key                        Display   Challenge

The following is a description of these fields:

UserName

Name of a user who authenticates using this server. This name must match the user name in the users database. The name can be up to eight characters.

Key (OCTAL)

This entry must match the DES (Data Encryption Standard) key that you program into the user's CRYPTOCard. It is made up of 24 octal digits (eight groups of three digits).

Display

The format used to display the challenge and response. Make sure your CRYPTOCard display configuration matches this entry.

To display the response in a decimal telephone number format, enter 1 (one). This option is the easiest to use.

To display the first eight encryption characters as is, enter 0 (zero).

Challenge

A number that the server uses to calculate the initial challenge that the server sends to the user. Enter any eight digits. The server updates this number each time the user is authenticated.

The following is an example of a cryptocards database:

User       Key (OCTAL)                Display   Challenge
------     ------------------------   -------   ---------
wkrft      123123123123123123123123   1         12345678
jag        234234234234234234234234   1         23456789
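Because a mismatch between the users and cryptocards files (a Token user with no card row, a key that is not 24 octal digits, a password without quotes) only surfaces as a failed login, it helps to check both files before starting radiusd. The following is an added example, not part of the GTSecure software: it parses the two formats described in this section and applies the constraints stated above. The sample file contents are constructed, and the line patterns are my reading of the layouts shown here, not the server's own parser.

```python
import re
# Constructed samples; "jagflt" lacks a cryptocards row and "cbarbari" has an unquoted password.
USERS_TEXT = """wrkflt TOKEN = RANDOM_CRYPTOCARD
Framed-Filter-Id = "FTPEmail",

jagflt TOKEN = CRYPTOCARD

cbarbari Password = aylbeeba
User-Service-Type = Administrative
"""
CARDS_TEXT = """User Key (OCTAL) Display Challenge
------ ------------------------- ------- ---------
wrkflt 123123123123123123123123 1 12345678
"""
FIRST = re.compile(r"^(\S+)\s+(Password|Token)\s*=\s*(.+?)\s*$", re.I)
ATTR = re.compile(r"^(Framed-Filter-Id|User-Service-Type)\s*=\s*(.+?),?\s*$")

def parse_users(text):
    """Return {name: {"type": "password"|"token", "value": str, "attrs": [(k, v)]}}."""
    users, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:                                    # blank line ends an entry
            cur = None
        elif cur is None and (m := FIRST.match(line)):  # "UserName Type = ..."
            cur = users[m[1]] = {"type": m[2].lower(), "value": m[3], "attrs": []}
        elif cur is not None and (m := ATTR.match(line)):
            cur["attrs"].append((m[1], m[2].strip('"')))
        else:
            raise ValueError("unparsable line: " + line)
    return users

def parse_cards(text):  # {name: (key, display, challenge)}; two header rows skipped
    rows = [l.split() for l in text.splitlines()[2:] if l.strip()]
    return {r[0]: tuple(r[1:4]) for r in rows}

def check(users, cards):
    """Apply the constraints the page states; return "user: problem" strings."""
    bad = []
    for name, u in users.items():
        tok = u["type"] == "token"
        rules = [(len(name) > 8, "user name longer than eight characters"),
                 (len({k for k, _ in u["attrs"]}) > 1, "mixes Framed-Filter-Id and User-Service-Type"),
                 (not tok and not re.fullmatch(r'"[^"]*"', u["value"]), "password must be in double quotes"),
                 (tok and u["value"].upper() not in ("CRYPTOCARD", "RANDOM_CRYPTOCARD"), "unknown token mode"),
                 (tok and name not in cards, "token user has no cryptocards entry")]
        bad += [f"{name}: {msg}" for hit, msg in rules if hit]
    for name, (key, display, challenge) in cards.items():  # page's field constraints
        if not re.fullmatch(r"[0-7]{24} [01] [0-9]{8}", f"{key} {display} {challenge}"):
            bad.append(f"{name}: key must be 24 octal digits, display 0 or 1, challenge 8 digits")
    return bad
```

Running check(parse_users(USERS_TEXT), parse_cards(CARDS_TEXT)) on the constructed samples reports the missing card row for jagflt and the unquoted password for cbarbari, and nothing for the well-formed wrkflt entry.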

Running the RADIUS Server

Once you have installed the RADIUS server and set up your database files, enter the following command to start the server:

radiusd

Viewing the Logfile

The RADIUS server software logs all authentication transactions. You can view them in the logfile, which is in the raddb directory.


Copyright © 2001, Nx Networks, Inc. All rights reserved.