Clarinet Systems ESB301, ESB3011b, ESB5001, ESB5004, ES101 User Manual

...
Clarinet Systems RADIUS Technical Information
Introduction
This document describes the RADIUS support in the Clarinet Systems’ EthIR LAN product line. It also includes the configuration of EthIR LAN, RADIUS server, PalmOS and PocketPC devices.
This document is intended for IT professionals who set up and maintain networking devices and infrastructure in a corporate environment. Knowledge of TCP/IP, the Windows networking environment and server setup is required.
The EthIR LAN RADIUS implementation supports the MS-CHAP, CHAP and PAP authentication protocols. Each protocol can be enabled and disabled via our Windows Configuration Tool, according to the capabilities of your RADIUS server. For example, if your RADIUS server does not support MS-CHAP, you should disable MS-CHAP in the EthIR LAN configuration. If your PDA device does not support CHAP and only supports PAP, you should enable PAP and disable MS-CHAP and CHAP.
Windows NT environments usually use domain names, and a Windows RADIUS server requires the NT domain name. EthIR LAN can be configured with the NT domain name so that PDAs that do not support NT domain names can still access the network.
The RADIUS server has the option of assigning an IP address to the PDA. A RADIUS-server-assigned IP address takes precedence over DHCP and static IP. This helps the network admin monitor who is on the network by IP address.
RADIUS accounting can be enabled and disabled. If it is disabled, EthIR LAN does not send out accounting requests or wait for server responses, so the connection time is shorter.
Two RADIUS servers, primary and secondary, are supported. EthIR LAN sends requests to the primary server and waits for responses. If there is no response after the retries, the requests are sent to the secondary server. Both servers share the same secret.
EthIR LAN RADIUS support is controlled by a “key” stored in the EthIR LAN firmware. You can use our Windows Configuration Tool to tell whether an EthIR LAN has the RADIUS support option: if it does, a RADIUS tab is displayed (see the EthIR LAN RADIUS Configuration section).
Supported Features
EthIR LAN supports RFC2865 “Remote Authentication Dial In User Service” and RFC2866
“RADIUS Accounting” with the following packet types and attributes:
RFC2865 (Remote Authentication Dial In User Service) --
1. Supported Packet Types
Packet Type         Comment
Access-Request      EthIR LAN -> RADIUS server; authentication request
Access-Reject       EthIR LAN <- RADIUS server; authentication failed
Access-Accept       EthIR LAN <- RADIUS server; authentication passed
Clarinet Systems, Inc. copyright 10/29/02 p1
2. Supported Attributes
Attribute           Comment
User-Name           Combined with the domain name (via configuration) for non-Windows devices in an NT domain, passed on to the RADIUS server
CHAP-Password       CHAP password from the PDA, passed on to the RADIUS server
User-Password       If the PDA does not support CHAP, PAP is used. This is the user password for PAP.
NAS-IP-Address      EthIR LAN IP address
NAS-Port            Which EthIR LAN IR port (starts from zero) the PDA is connecting to
Service-Type        “Framed” only
Framed-Protocol     “PPP” only
Framed-IP-Address   The RADIUS server has the option of assigning an IP address to the PDA instead of using DHCP, so that a fixed IP address can be associated with a specific user name.
RFC2866 (RADIUS Accounting) --
1. Supported Packet Types
Packet Type           Comment
Accounting-Request    EthIR LAN -> RADIUS server; accounting
Accounting-Response   EthIR LAN <- RADIUS server
2. Supported Attributes
Attribute           Comment
Acct-Status-Type    START and STOP, indicating the beginning and end of the PDA connection
Acct-Session-ID     The session ID contains 8 bytes. The first 2 bytes indicate the IR port (starts from zero); the following 6 bytes indicate the PPP connection count on this particular IR port.
Acct-Session-Time   The connection time, in seconds, of this PPP connection. This attribute only applies in the STOP Acct-Status-Type.
Service-Type        “Framed” only
Framed-Protocol     “PPP” only
NAS-IP-Address      EthIR LAN IP address
NAS-Port            Which EthIR LAN IR port (starts from zero) the PDA is connected to
Framed-IP-Address   IP address assigned to the PDA.
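As an added example (not part of this manual and not Clarinet's firmware or any RADIUS server's code), the following Python builds an Accounting-Request STOP record carrying the RFC2866 attributes listed above, computes the Request Authenticator with the shared secret as RFC 2866 section 3 specifies, and shows the server-side check a collector should perform before trusting the record: recompute the authenticator, reject a mismatch (wrong secret or altered packet), then decode the 8-byte Acct-Session-ID into IR port and connection count. The big-endian byte order inside Acct-Session-ID, the secret, and all addresses and counts are assumptions or constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute type numbers from RFC 2865 / RFC 2866
ACCOUNTING_REQUEST = 4
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_SERVICE_TYPE = 6
ATTR_FRAMED_PROTOCOL = 7
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ATTR_ACCT_SESSION_TIME = 46
ACCT_STATUS_NAMES = {1: "START", 2: "STOP"}
SERVICE_FRAMED, FRAMED_PPP = 2, 1


def build_session_id(ir_port: int, count: int) -> bytes:
    """8-byte Acct-Session-ID laid out as the manual describes: 2 bytes IR port
    (starting from zero) followed by 6 bytes of PPP connection count on that port.
    Big-endian order is an assumption; the manual does not state the byte order."""
    return struct.pack(">H", ir_port) + count.to_bytes(6, "big")


def parse_session_id(sid: bytes):
    """Inverse of build_session_id: returns (ir_port, connection_count)."""
    if len(sid) != 8:
        raise ValueError("Acct-Session-ID must be 8 bytes")
    return struct.unpack(">H", sid[:2])[0], int.from_bytes(sid[2:], "big")


def encode_attrs(attrs):
    """RFC 2865 attribute TLVs: one byte type, one byte total length, value."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)


def parse_attrs(data: bytes):
    """Walk the TLV list, refusing lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_accounting_request(identifier: int, attrs, secret: bytes) -> bytes:
    """RFC 2866 section 3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack(">BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet: bytes, secret: bytes):
    """Server-side check. Returns the attribute list only when the Length field is
    consistent and the authenticator recomputes under the shared secret; any
    mismatch (wrong secret, bit flipped in transit) yields None."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return None
    if struct.unpack(">H", packet[2:4])[0] != len(packet):
        return None
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        return None
    return parse_attrs(body)


def describe_accounting(packet: bytes, secret: bytes):
    """Verify the record, then decode the fields the manual describes."""
    attrs = verify_accounting_request(packet, secret)
    if attrs is None:
        return None
    a = dict(attrs)  # each attribute appears once in these records
    ir_port, count = parse_session_id(a[ATTR_ACCT_SESSION_ID])
    info = {
        "status": ACCT_STATUS_NAMES[struct.unpack(">I", a[ATTR_ACCT_STATUS_TYPE])[0]],
        "ir_port": ir_port,
        "conn_count": count,
        "nas_port": struct.unpack(">I", a[ATTR_NAS_PORT])[0],
        "framed_ip": ".".join(str(b) for b in a[ATTR_FRAMED_IP_ADDRESS]),
    }
    if ATTR_ACCT_SESSION_TIME in a:  # only present in STOP records
        info["session_time"] = struct.unpack(">I", a[ATTR_ACCT_SESSION_TIME])[0]
    return info


# Constructed sample: a STOP record for IR port 3, 42nd PPP connection, 125 s long.
SECRET = b"s3cret"  # constructed; the real secret is whatever is programmed on both sides
SAMPLE_STOP = build_accounting_request(9, [
    (ATTR_ACCT_STATUS_TYPE, struct.pack(">I", 2)),
    (ATTR_ACCT_SESSION_ID, build_session_id(3, 42)),
    (ATTR_ACCT_SESSION_TIME, struct.pack(">I", 125)),
    (ATTR_SERVICE_TYPE, struct.pack(">I", SERVICE_FRAMED)),
    (ATTR_FRAMED_PROTOCOL, struct.pack(">I", FRAMED_PPP)),
    (ATTR_NAS_IP_ADDRESS, bytes([192, 168, 1, 10])),
    (ATTR_NAS_PORT, struct.pack(">I", 3)),
    (ATTR_FRAMED_IP_ADDRESS, bytes([192, 168, 1, 77])),
], SECRET)

if __name__ == "__main__":
    print(describe_accounting(SAMPLE_STOP, SECRET))
```

The authenticator check is the only thing standing between a collector and forged or corrupted accounting data, which is why the manual's note that both servers share one secret matters: a secondary server configured with a different secret silently drops every record.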
EthIR LAN RADIUS Configuration
This section describes how to configure RADIUS on a newly purchased EthIR LAN with the RADIUS option.
A new EthIR LAN purchased with the RADIUS option ships with RADIUS disabled. The following should be configured by your network system admin with Clarinet’s Windows Configuration Tool, version later than 1.12 (the Palm Configuration Tool does not support RADIUS configuration):
1. Primary RADIUS server IP address. UDP port 1812 is used for authentication and UDP port 1813 is used for accounting.
2. Secondary server IP address. The backup server is used if EthIR LAN cannot communicate with the primary server. The secondary server uses the same NT domain name and secret as the primary RADIUS server.
3. Domain name, up to 31 characters. This lets non-Windows devices access the network in a Windows NT domain environment. For example, if the NT domain name is XYZ_DOMAIN and the user name is John, then “XYZ_DOMAIN\John” is sent to the RADIUS server. For a non-NT domain environment or a Windows network without a domain, leave this field blank or un-check the “Microsoft NT server” check box.
4. Shared Secret, up to 15 characters. This is the shared secret stored on both the EthIR LAN and the RADIUS server. The same shared secret is used for the primary and the secondary server.
5. Enable Authentication check box. This lets the system admin temporarily enable or disable EthIR LAN RADIUS support. If authentication is enabled, you must select the correct authentication protocols among MS-CHAP, CHAP and PAP. If your RADIUS server does not support MS-CHAP, un-check MS-CHAP; otherwise your PDA device login will fail.
6. Enable Accounting check box. If un-checked, EthIR LAN does not send out accounting requests, which shortens the time required to make a connection. Otherwise, accounting information is sent to the server at the beginning and the end of the PDA connection.
To tell whether an EthIR LAN supports RADIUS, use our Windows Configuration Tool: search for and select the EthIR LAN, then click the “Edit Configuration” button. If the unit supports RADIUS, a RADIUS configuration tab is displayed, and you can configure RADIUS on this tab. Once you change the configuration, you need to update the NVM and reboot the switch for the change to take effect.
NOTE: You need Windows Configuration Tool version later than 1.12 for RADIUS support.
Win2000 Server RADIUS Server Configuration
The RADIUS server for Windows 2000 is named Internet Authentication Service (IAS). For the installation and configuration of this service, please refer to the Microsoft document titled Checklist: Configuring IAS for dial-up and VPN access. Please note that this document is only available in the Server or Advanced Server help documentation. This section only provides additional information and notes for configuring RADIUS on a Win2000 server to work with EthIR LAN.
Verify RADIUS is installed
The Internet Authentication Service is part of the Windows 2000 package and can be installed under Network Services in Windows Components at Add/Remove Software.
RADIUS Authentication and User Account Setting
Please note that some options might not be available if your Windows 2000 Server is NOT running in Native Mode. Please consult the Windows documentation for further instructions.
EthIR LAN supports MS-CHAP, CHAP and PAP. These settings are available in the profile of each Remote Access Policy.
For CHAP authentication, the server must be able to recover the cleartext password to verify the login. The “Store password using reversible encryption” check box must be checked if the user account belongs to a domain. This setting is on the Account tab of the user account’s properties.
It might also be necessary to modify the Dial-in tab of the user account’s properties, depending on the setup of the Remote Access Policy. It is not necessary to verify the caller ID or to enable the callback option. You can also assign a static IP to the user by checking the “Assign a Static IP Address” check box and entering the desired IP address.
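To make concrete what the choice between PAP and CHAP (Introduction and configuration step 5) means on the wire, and why CHAP needs the reversible-encryption setting just described, here is an added Python example that is not Clarinet's code and not the IAS implementation. It builds the User-Name with the NT domain prefix as the configuration section describes, encodes a PAP User-Password as RFC 2865 section 5.2 specifies and shows that the server recovers the cleartext with only the shared secret (so the secret protects every PAP password that crosses the network), and computes and verifies a CHAP-Password per RFC 2865 section 5.3, where verification needs the stored cleartext password rather than a one-way hash. The secret, user name, password, authenticator and challenge are all constructed values.

```python
import hashlib


def build_user_name(user: str, domain: str, nt_server: bool) -> str:
    """User-Name as the EthIR LAN sends it: prefixed with the NT domain only when
    the 'Microsoft NT server' option is enabled and a domain is configured."""
    if nt_server and domain:
        return f"{domain}\\{user}"
    return user


def _pap_blocks(data: bytes, secret: bytes, request_authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block uses the Request Authenticator."""
    out, prev = b"", request_authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if decrypt else block  # chain on ciphertext either way
    return out


def pap_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Encode a PAP password for the User-Password attribute (padded with NULs to a
    multiple of 16 octets before hiding)."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    return _pap_blocks(padded, secret, request_authenticator, decrypt=False)


def pap_recover_password(encoded: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """What the RADIUS server does with User-Password: reverse the hiding with the
    shared secret. Trailing NUL padding is stripped (assumes passwords without NULs)."""
    return _pap_blocks(encoded, secret, request_authenticator, decrypt=True).rstrip(b"\x00")


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3: CHAP-Password = Ident || MD5(Ident || password || challenge).
    The PDA sends this; the cleartext password never leaves the device."""
    ident_byte = bytes([ident])
    return ident_byte + hashlib.md5(ident_byte + password + challenge).digest()


def chap_verify(chap_password_attr: bytes, stored_cleartext_password: bytes, challenge: bytes) -> bool:
    """Server-side CHAP check. The server must recompute the MD5 over the cleartext
    password, which is why IAS needs 'Store password using reversible encryption';
    a one-way password hash cannot produce this value."""
    if len(chap_password_attr) != 17:
        return False
    ident_byte = chap_password_attr[:1]
    expected = hashlib.md5(ident_byte + stored_cleartext_password + challenge).digest()
    return chap_password_attr[1:] == expected


if __name__ == "__main__":
    # Constructed values for illustration only.
    secret, authenticator, challenge = b"s3cret", bytes(range(16)), bytes(16)
    print(build_user_name("John", "XYZ_DOMAIN", nt_server=True))
    hidden = pap_user_password(b"hunter2", secret, authenticator)
    print(hidden.hex(), pap_recover_password(hidden, secret, authenticator))
    print(chap_verify(chap_password(7, b"hunter2", challenge), b"hunter2", challenge))
```

The contrast explains both EthIR LAN settings: PAP works with any server-side password store but relies entirely on the shared secret for confidentiality, while CHAP keeps the password off the wire at the cost of storing it reversibly on the server.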
Upgrading Existing EthIR LAN products
Existing EthIR LAN products with a firmware version earlier than those in the following table can be upgraded to support RADIUS. The table shows the firmware versions that support RADIUS:
EthIR LAN   Firmware version that supports RADIUS
ES101       1.12 or later
ES208       2.07 or later
ES301       5.07 or later
ES3011b     7.01 or later
ES1000      4.13 or later
Note: The firmware download is free, but you need to purchase a key (part number: RAD-KEY-1-8) to enable RADIUS.
The RADIUS Upgrade Procedure:
1. Download new firmware from our web site for your EthIR LAN products
2. Use the Windows Configuration Tool to update the firmware
3. Send us the serial numbers of all the EthIR LAN you would like to upgrade
4. We will send you a key for each EthIR LAN
5. Use the Windows Configuration Tool to program the key. Click the “Modify” button and enter the new key that we send you. Each EthIR LAN has its own unique key, so you need to obtain and program a key for each of your existing EthIR LAN products individually.
6. Configure RADIUS according to the previous section, “EthIR LAN RADIUS Configuration”.
7. Click “Update” button and then “Done” button.
8. EthIR LAN will reboot and RADIUS will be activated.
EthIR LAN new purchase
RADIUS will be enabled if you order the RADIUS security option (part number: “RADIUS-1” for single-port EthIR LAN and “RADIUS-8” for multi-port EthIR LAN) when purchasing a new EthIR LAN.
PalmOS
Please refer to our web site, http://www.clarinetsys.com/site/ClarinetIR/index.htm, for how to use ClarinetIR, or configure the PalmOS device yourself. When RADIUS is used, make sure you enter the user name and password for the network service you use.
Note to ClarinetIR (version 1.01) users: Since the ClarinetIR network service was created without a user name and password, you need to enter them if RADIUS is used.
PocketPC 2001 and PocketPC 2002
Please refer to our web site, http://www.clarinetsys.com/site/ClarinetIR/index.htm, for how to use ClarinetIR, or configure the PocketPC device yourself. Make sure you enter the user name and password on the network connection you created. Both PocketPC2001 and PocketPC2002 have an option to save the password. If you choose to save it, you don’t have to enter it the next time you try to connect. Otherwise, you will be asked to enter the password the next time.
Note to PocketPC2001 ClarinetIR (version 1.02) users: Since the network connection “Clarinet IR” created by ClarinetIR does not have a user name and password, you need to enter them if RADIUS is used.
Note to PocketPC2002 ClarinetIR (version 1.02) users: Since the network connection created by ClarinetIR does not appear in “Settings”, you need to create a new network connection yourself by following the instructions at the above link on our web site, and use it as your Internet connection. ClarinetIR version 1.02 cannot be used with RADIUS.