Clarinet Systems ESB301, ESB3011b, ESB5001, ESB5004, ES101 User Manual

...
Clarinet Systems RADIUS Technical Information
Introduction
This document describes the RADIUS support in the Clarinet Systems’ EthIR LAN product line. It also includes the configuration of EthIR LAN, RADIUS server, PalmOS and PocketPC devices.
This document is intended for IT professionals who set up and maintain networking devices and infrastructure in a corporate environment. Knowledge of TCP/IP, the Windows networking environment and server setup is required.
The EthIR LAN RADIUS implementation supports the MS-CHAP, CHAP and PAP authentication protocols. Each protocol can be enabled or disabled with our Windows Configuration Tool to match the settings of your RADIUS server. For example, if your RADIUS server does not support MS-CHAP, you should disable MS-CHAP in the EthIR LAN configuration. If your PDA device does not support CHAP and only supports PAP, you should enable PAP and disable MS-CHAP and CHAP.
Windows NT environments usually use domain names, and a Windows RADIUS server requires the NT domain name. EthIR LAN can be configured with the NT domain name so that PDAs that do not support NT domain names can access the network.
The RADIUS server has the option of assigning an IP address to the PDA. An IP address assigned by the RADIUS server takes precedence over DHCP and static IP. This helps the network admin monitor who is on the network via IP address.
RADIUS accounting can be enabled and disabled. If it is disabled, EthIR LAN does not send out accounting requests and wait for the server response, so connection time can be shorter.
Two RADIUS servers, primary and secondary, are supported. EthIR LAN sends requests to the primary server and waits for responses. If there is no response after retries, requests are sent to the secondary server. Both servers share the same secret.
EthIR LAN RADIUS support is controlled by a “key” stored in the EthIR LAN firmware. You can use our Windows Configuration Tool to tell if an EthIR LAN has the RADIUS support option. If it does, a RADIUS tab will be displayed (see EthIR LAN RADIUS Configuration section).
Supported Features
EthIR LAN supports RFC2865 “Remote Authentication Dial In User Service” and RFC2866
“RADIUS Accounting” with the following packet types and attributes:
RFC2865 --
1. Supported Packet Types
Packet Type     Comment
Access-Request  EthIR LAN → RADIUS server; authentication request
Access-Reject   EthIR LAN ← RADIUS server; authentication failed
Access-Accept   EthIR LAN ← RADIUS server; authentication passed
Clarinet Systems, Inc. copyright 10/29/02 p1
Remote Authentication Dial In User Service (RADIUS)
2. Supported Attributes
Attribute          Comment
User-Name          Combined with domain name (via configuration) for non-Windows devices in NT domain, passed on to the RADIUS server
CHAP-Password      CHAP password from PDA, passed on to the RADIUS server
User-Password      If PDA does not support CHAP, PAP is used. This is the user password for PAP.
NAS-IP-Address     EthIR LAN IP address
NAS-Port           Which EthIR LAN IR port (starts from zero) PDA is connecting
Service-Type       “Framed” only
Framed-Protocol    “PPP” only
Framed-IP-Address  RADIUS server has the option of assigning IP address to PDA instead of using DHCP so that a fixed IP address can be associated with a specific user name.
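The PAP case from the attribute table above, as an added example (not Clarinet's code): it builds an Access-Request carrying the listed attributes and shows how RFC 2865 hides User-Password with the shared secret. The function names, the sample secret and the 192.0.2.x address used with it are assumptions made for illustration.

```python
import hashlib, os, socket, struct

# RFC 2865 type codes for the attributes in the table above.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
SERVICE_TYPE, FRAMED_PROTOCOL = 6, 7
ACCESS_REQUEST, FRAMED, PPP = 1, 2, 1

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)   # pad with NULs, at least 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def pap_reveal(hidden, secret, authenticator):
    """What the RADIUS server does: same pads, chained on the hidden blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(code, value):
    return bytes([code, len(value) + 2]) + value    # type, length, value

def build_access_request(ident, user, password, secret, nas_ip, ir_port, domain=""):
    authenticator = os.urandom(16)                  # Request Authenticator
    name = f"{domain}\\{user}" if domain else user  # e.g. XYZ_DOMAIN\John
    attrs = b"".join([
        attr(USER_NAME, name.encode()),
        attr(USER_PASSWORD, pap_hide(password, secret, authenticator)),
        attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        attr(NAS_PORT, struct.pack("!I", ir_port)),
        attr(SERVICE_TYPE, struct.pack("!I", FRAMED)),
        attr(FRAMED_PROTOCOL, struct.pack("!I", PPP)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    attrs, pos = {}, 20                             # attributes follow the 20-byte header
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs
```

With PAP, the shared secret is the only thing protecting the password between EthIR LAN and the RADIUS server, so the secret should use the full length the device allows and be generated randomly.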
RFC2866 --
1. Supported Packet Types
Packet Type          Comment
Accounting-Request   EthIR LAN → RADIUS server, accounting
Accounting-Response  EthIR LAN ← RADIUS server.
RADIUS Accounting
2. Supported Attributes
Attribute          Comment
Acct-Status-Type   START and STOP indicating begin and end of PDA connection
Acct-Session-ID    Session ID contains 8 bytes. First 2 bytes indicating the IR port (starts from zero), following 6 bytes indicating PPP connection count on this particular IR port.
Acct-Session-Time  The connection time, in seconds, of this PPP connection. This attribute only applies in STOP acct-status-type.
Service-Type       “Framed” only
Framed-Type        “PPP” only
NAS-IP-Address     EthIR LAN IP address
NAS-Port           Which EthIR LAN IR port (starts from zero) the PDA is connected.
Framed-IP-Address  IP address assigned to the PDA.
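One way to use these accounting attributes to see who is on the network, as an added example (not Clarinet's code): it splits the Acct-Session-ID into IR port and connection count, pairs START and STOP records, and flags records that do not fit. It assumes the 8 bytes are ASCII decimal digits, which the manual does not specify; the records, user names and addresses are constructed.

```python
from collections import namedtuple

Session = namedtuple("Session", "user ip ir_port conn_count seconds")

def parse_session_id(sid):
    """2 bytes IR port + 6 bytes PPP connection count.
    Assumption: the 8 bytes are ASCII decimal digits (the manual does not say)."""
    if len(sid) != 8 or not (sid.isascii() and sid.isdigit()):
        raise ValueError(f"unexpected Acct-Session-ID {sid!r}")
    return int(sid[:2]), int(sid[2:])

def correlate(records):
    """Pair START/STOP per (NAS, session ID); return closed, open, anomalies."""
    open_by_key, closed, anomalies = {}, [], []
    for rec in records:
        port, count = parse_session_id(rec["Acct-Session-ID"])
        key = (rec["NAS-IP-Address"], rec["Acct-Session-ID"])
        if port != rec["NAS-Port"]:
            anomalies.append(rec)            # session ID and NAS-Port disagree
        elif rec["Acct-Status-Type"] == "START":
            open_by_key[key] = rec
        elif key in open_by_key:             # STOP that matches a START
            start = open_by_key.pop(key)
            closed.append(Session(start["User-Name"], start["Framed-IP-Address"],
                                  port, count, rec["Acct-Session-Time"]))
        else:
            anomalies.append(rec)            # STOP with no START seen
    return closed, list(open_by_key.values()), anomalies

def sample(status, sid, port, user, ip, seconds=None):
    """Build one constructed, already-decoded accounting record."""
    rec = {"Acct-Status-Type": status, "Acct-Session-ID": sid,
           "NAS-IP-Address": "192.0.2.10", "NAS-Port": port,
           "User-Name": user, "Framed-IP-Address": ip}
    if seconds is not None:
        rec["Acct-Session-Time"] = seconds   # only present in STOP records
    return rec

SAMPLE_RECORDS = [                           # constructed sample data
    sample("START", "00000012", 0, "XYZ_DOMAIN\\John", "192.0.2.101"),
    sample("STOP", "00000012", 0, "XYZ_DOMAIN\\John", "192.0.2.101", 340),
    sample("START", "01000003", 1, "XYZ_DOMAIN\\Ann", "192.0.2.102"),
    sample("STOP", "02000001", 2, "XYZ_DOMAIN\\Lee", "192.0.2.103", 15),
]
```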
EthIR LAN RADIUS Configuration
This section describes how to configure RADIUS for a newly purchased EthIR LAN with the RADIUS option.
A new EthIR LAN purchased with the RADIUS option has RADIUS disabled when we ship the product. The following should be configured by your network system admin with Clarinet’s Windows Configuration Tool, version later than 1.12 (the Palm Configuration Tool does not support RADIUS configuration):
1. Primary RADIUS server IP address. This is the primary RADIUS server. UDP port 1812 is used for authentication and UDP port 1813 is used for accounting.
2. Secondary server IP address. The backup server is used if EthIR LAN cannot communicate with the primary server. The secondary server uses the same NT domain name and secret as the primary RADIUS server.
3. Domain name, up to 31 characters. This is for non-Windows devices to access the network in a Windows NT domain environment. For example, if the NT domain name is XYZ_DOMAIN and the user name is John, then “XYZ_DOMAIN\John” is sent to the RADIUS server. For a non-NT domain environment or a Windows network without a domain, leave this field blank or un-check the “Microsoft NT server” check box.
4. Shared Secret, up to 15 characters. This is the shared secret stored on both EthIR LAN and the RADIUS server. This shared secret is used for both the primary and secondary server.
5. Enable Authentication check box. This lets the system admin temporarily enable or disable EthIR LAN RADIUS support. If authentication is enabled, you must select the correct authentication protocols: MS-CHAP, CHAP and PAP. If your RADIUS server does not support MS-CHAP, un-check MS-CHAP, otherwise your PDA device login will fail.
6. Enable Accounting check box. If un-checked, EthIR LAN does not send out accounting requests, which speeds up the time required to make a connection. Otherwise, accounting information will be sent to the server at the beginning and the end of the PDA connection.
To tell whether an EthIR LAN supports RADIUS, use our Windows Configuration Tool: search for and find the EthIR LAN, then click the “Edit Configuration” button. If RADIUS is supported, a RADIUS configuration tab will be displayed, and you can configure RADIUS with this tab. Once you change the configuration, you need to update the NVM and reboot the switch for the change to take effect.
NOTE: You need Windows Configuration Tool version later than 1.12 for RADIUS support