RSA Security Server 6.1 User Manual
RSA RADIUS Server 6.1
Administrator’s Guide
Powered by Steel-Belted Radius
®
Contact Information
See our web site for regional Customer Support telephone and fax numbers.
RSA Security Inc. RSA Security Ireland Limited
www.rsasecurity.com
www.rsasecurity.ie
Copyright
Copyright © 2005 RSA Security, Inc. All rights reserved. No part of this document may be reproduced, modified,
distributed, sold, leased, transferred, or transmitted, in any form or by any means, without the written permission of
RSA Security, Inc. Information in this document is subject to change without notice.
Portions of this software copyright © 1995–2005 Funk Software, Inc. All rights reserved.
Portions of this software copyright © 1989, 1991, 1992 by Carnegie Mellon University Derivative Work - 1996, 19982000 Copyright 1996, 1998-2000 The Regents of the University of California All Rights Reserved Permission to use,
copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted,
provided that the above copyright notice appears in all copies and that both that copyright notice and this permission
notice appear in supporting documentation, and that the name of CMU and The Regents of the University of California
not be used in advertising or publicity pertaining to distribution of the software without specific written permission.
CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS. IN NO EVENT SHALL CMU OR THE REGENTS OF THE UNIVERSITY OF CALIFORNIA BE LIABLE
FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
RESULTING FROM THE LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
Portions of this software copyright © 2001-2002, Networks Associates Technology, Inc All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
• Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
• Neither the name of the Networks Associates Technology, Inc nor the names of its contributors may be used to
endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Portions of this software are copyright © 2001-2002, Cambridge Broadband Ltd. All rights reserved. Redistribution and
use in source and binary forms, with or without modification, are permitted provided that the following conditions are
met:
• Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer.
• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
• The name of Cambridge Broadband Ltd. may not be used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Portions of this software copyright © 1995-2002 Jean-loup Gailly and Mark Adler This software is provided 'as-is',
without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use
of this software. Permission is granted to anyone to use this software for any purpose, including commercial
applications, and to alter it and redistribute it freely, subject to the following restrictions:
• The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If
you use this software in a product, an acknowledgment in the product documentation would be appreciated but is
not required.
• Altered source versions must be plainly marked as such, and must not be misrepresented as being the original
software.
• This notice may not be removed or altered from any source distribution.
HTTPClient package copyright © 1996-2001 Ronald Tschalär (ronald@innovation.ch).
This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
License for more details. For a copy of the GNU Lesser General Public License, write to the Free Software Foundation, Inc.,
59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
StrutLayout Java AWT layout manager copyright © 1998 Matthew Phillips (mpp@ozemail.com.au).
This library is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public
License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
License for more details. For a copy of the GNU Lesser General Public License, write to the Free Software Foundation, Inc.,
59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
Trademarks
ACE/Agent, ACE/Server, Because Knowledge is Security, BSAFE, ClearTrust, Confidence Inspired, e-Titlement,
IntelliAccess, Keon, RC2, RC4, RC5, RSA, the RSA logo, RSA Secured, the RSA Secured logo, RSA Security,
SecurCare, SecurID, SecurWorld, Smart Rules, The Most Trusted Name in e-Security, Transaction Authority, and
Virtual Business Units are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or
other countries. All other goods and/or services mentioned are trademarks of their respective companies.
Microsoft, Windows, Windows 2000, Internet Explorer, and other Microsoft products referenced herein are either
trademarks or registered trademarks of the Microsoft Corporation in the United States and other countries. Solaris is a
registered trademark in the U.S. and other countries, licensed exclusively through X/Open Company Limited. Sun,
Sun Microsystems, Solaris, and all Sun-based trademarks and logos, Java, HotJava, JavaScript, the Java Coffee Cup
Logo, and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the
United States and other countries. Raima, Raima Database Manager and Raima Object Manager are trademarks of
Birdstep Technology.
License agreement
This software and the associated documentation are proprietary and confidential to RSA Security, are furnished under
license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the
copyright below. This software and any copies thereof may not be provided or otherwise made available to any other
person.
Neither this software nor any copies thereof may be provided to or otherwise made available to any third party. No title
to or ownership of the software or any intellectual property rights thereto is hereby transferred. Any unauthorized use or
reproduction of this software may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by RSA Security.
Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of
encryption technologies, and current use, import, and export regulations should be followed when exporting this
product.
Distribution
Limit distribution of this document to trusted personnel.
RSA notice
The RC5™ Block Encryption Algorithm With Data-Dependent Rotations is protected by U.S. Patent #5,724,428 and
#5,835,600.
First Printing: September 2005
Part Number: M05917ADM
About This Guide
Audience .......................................................................................................................... ix
What’s In This Manual...................................................................................................ix
Related Documentation.................................................................................................xi
Chapter 1 About RSA RADIUS Server
RSA RADIUS Server Features...................................................................................... 1
RSA RADIUS Server Overview.................................................................................... 2
RADIUS Packets...................................................................................................... 4
RADIUS Configuration .......................................................................................... 5
Shared Secrets........................................................................................................... 6
RADIUS Ports.......................................................................................................... 8
Authentication..................................................................................................................8
Accounting........................................................................................................................9
Accounting Sequence ............................................................................................10
Attributes ........................................................................................................................12
Dictionaries .............................................................................................................12
Attribute Lists ......................................................................................................... 13
Attribute Values......................................................................................................14
Default Values ........................................................................................................15
Centralized Configuration Management .................................................................... 16
Replacing a Replica RADIUS Server ..................................................................17
Designating a New Primary RADIUS Server.................................................... 17
Recovering a Replica After a Failed Download ................................................18
Changing the Name or IP Address of a Server................................................. 18
Contents
RSA RADIUS Server 6.1 Administrator’s Guide Contents v
Chapter 2 Installing the RSA RADIUS Server
Before You Begin.......................................................................................................... 19
Required Files......................................................................................................... 19
Data Migration/Registration................................................................................ 19
Installing on Windows.................................................................................................. 20
System Requirements ............................................................................................ 20
Installing the RSA RADIUS Server.................................................................... 21
Uninstalling the RSA RADIUS Server Software .............................................. 22
Installing on Solaris....................................................................................................... 23
System Requirements ............................................................................................ 23
Installer Syntax....................................................................................................... 23
Installing the RSA RADIUS Server Software ................................................... 25
Stopping and Starting the RADIUS Daemon................................................... 27
Uninstalling the RSA RADIUS Server Software .............................................. 27
Migration Log File................................................................................................. 28
Installing on Linux ........................................................................................................ 29
System Requirements ............................................................................................ 29
Installer Syntax....................................................................................................... 29
Installing the RSA RADIUS Server Software ................................................... 31
Stopping and Starting the RADIUS Daemon................................................... 33
Uninstalling the RSA RADIUS Server Software .............................................. 34
Chapter 3 Using RSA RADIUS Administrator
Running RSA RADIUS Administrator...................................................................... 35
Navigating in RSA RADIUS Administrator............................................................. 36
RSA RADIUS Administrator Menus ................................................................. 36
RSA RADIUS Administrator Toolbar............................................................... 38
RSA RADIUS Administrator Windows ............................................................ 39
Using Context Menus ........................................................................................... 42
Accessing Online Help................................................................................................. 43
Displaying Version Information................................................................................. 43
Adding a License Key................................................................................................... 43
Exiting the RSA RADIUS Administrator ................................................................. 44
Chapter 4 Administering RADIUS Clients
RADIUS Clients Panel................................................................................................. 45
Adding a RADIUS Client ............................................................................................ 46
Verifying a Shared Secret ............................................................................................. 48
Deleting a RADIUS Client .......................................................................................... 49
vi Contents September 2005
Chapter 5 Administering Profiles
About Profiles ................................................................................................................51
Adding a Checklist or Return List Attribute for a Profile ............................... 51
Resolving Profile and User Attributes ................................................................ 52
Default Profile ........................................................................................................52
Setting Up Profiles.........................................................................................................53
Adding a Profile......................................................................................................53
Removing a Profile ................................................................................................55
Chapter 6 Displaying Statistics
Displaying Server Authentication Statistics...............................................................57
Displaying Server Accounting Statistics..................................................................... 60
Resetting Server Statistics.............................................................................................62
Displaying RADIUS Client Statistics.......................................................................... 62
Chapter 7 Administering RADIUS Servers
Replication Panel ...........................................................................................................66
Adding a RADIUS Server Manually........................................................................... 66
Enabling a RADIUS Server .........................................................................................68
Deleting a RADIUS Server .......................................................................................... 68
Publishing Server Configuration Information ..........................................................69
Notifying Replica RADIUS Servers ...........................................................................69
Designating a New Primary RADIUS Server ...........................................................70
Recovering a Replica After a Failed Download........................................................ 70
Changing the Name or IP Address of a Server ........................................................71
Regenerating a Node Secret.........................................................................................72
Resetting the RADIUS Database................................................................................73
Chapter 8 Logging
Logging Files ..................................................................................................................75
Using the RADIUS System Log..................................................................................75
Level of Logging Detail.........................................................................................76
Controlling Log File Size ......................................................................................76
Using the Accounting Log ...........................................................................................77
Accounting Log File Format................................................................................77
First Line Headings................................................................................................ 78
Comma Placeholders.............................................................................................78
Standard RADIUS Accounting Attributes.........................................................79
RSA RADIUS Server 6.1 Administrator’s Guide Contents vii
Appendix A Using the LDAP Configuration Interface
LDAP Configuration Interface File ........................................................................... 81
About the LDAP Configuration Interface................................................................ 82
LDAP Utilities........................................................................................................ 82
LDAP Requests ..................................................................................................... 83
Downloading the LDAP Utilities........................................................................ 83
LDAP Version Compliance................................................................................. 84
Configuring the LDAP TCP Port....................................................................... 84
LDAP Virtual Schema.................................................................................................. 85
LDAP Command Examples ....................................................................................... 90
Searching for Records........................................................................................... 90
Modifying Records ................................................................................................ 91
Adding Records ..................................................................................................... 93
Deleting Records ................................................................................................... 94
Statistics Variables......................................................................................................... 95
Counter Statistics ................................................................................................... 95
Rate Statistics.......................................................................................................... 97
Glossary
Index
viii Contents September 2005
Audience
About This Guide
The RSA RADIUS Server 6.1 Administrator’s Guide describes how to install,
configure, and administer the RSA RADIUS Server software on a server running
the Solaris operating system, the Linux operating system, or the Windows 2000 or
Windows Server 2003 operating systems.
This manual is intended for network administrators responsible for implementing
and maintaining authentication, authorization, and accounting services. This
manual assumes that you are familiar with general RADIUS and networking
concepts and the specific environment in which you are installing
RSA RADIUS Server.
What’s In This Manual
This manual contains the following chapters and appendix:
X Chapter 1, “About RSA RADIUS Server,” presents an overview of
RSA RADIUS Server and summarizes important concepts relating to the
operation of RSA RADIUS Server.
X Chapter 2, “Installing the RSA RADIUS Server,” describes how to install and
uninstall the RSA RADIUS Server software on a Solaris, Linux, or Windows
computer.
X Chapter 3, “Using RSA RADIUS Administrator,” describes how to use the
RSA RADIUS Server Administrator to configure RSA RADIUS Server.
RSA RADIUS Server 6.1 Administrator’s Guide About This Guide ix
X Chapter 4, “Administering RADIUS Clients,” describes how to set up remote
access server (RAS) devices as RSA RADIUS Server clients.
X Chapter 5, “Administering Profiles,” describes how to set up user profiles to
simplify user administration.
X Chapter 7, “Administering RADIUS Servers,” describes how to manage
RADIUS server replication.
X Chapter 6, “Displaying Statistics,” describes how to use the monitoring
capabilities in RSA RADIUS Server.
X Chapter 8, “Logging,” describes how to set up and use logging functions in
RSA RADIUS Server.
X Appendix A, “Using the LDAP Configuration Interface,” describes how to
use the optional LDAP Configuration Interface (LCI) add-on to
RSA RADIUS Server.
X The Glossary provides brief explanations for RADIUS terminology used in
this and other RSA RADIUS Server manuals.
Syntax Conventions
This manual uses the following conventions to present file and command line
syntax.
X radiusdir represents the directory into which RSA RADIUS Server has
been installed. By default, this is
RSA RADIUS
for Windows systems and /opt/rsa/radius on Linux and
C:\Program Files\RSA Security\
Solaris systems.
X Brackets [ ] enclose optional items in format and syntax descriptions. In the
following example, the first
include an optional second
Attribute argument is required; you can
Attribute argument by entering a comma and
the second argument (but not the square brackets) on the same line.
<add | replace> = Attribute [,Attribute]
In configuration files, brackets identify section headers:
the [Configuration] section of
radius.ini
In screen prompts, brackets indicate the default value. For example, if you
press E
uses the indicated default value (
x About This Guide September 2005
NTER without entering anything at the following prompt, the system
/opt).
Enter install path [/opt]:
X Angle brackets < > enclose a list from which you must choose an item in
format and syntax descriptions.
X A vertical bar ( | ) separates items in a list of choices. In the following
example, you must specify
[AttributeName]
<add | replace> = Attribute [,Attribute]
add or replace (but not both):
Related Documentation
The following documents supplement the information in this manual.
RSA RADIUS Server Documentation
The RSA RADIUS Server 6.1 Reference Guide describes configuration options for
the RSA RADIUS Server software.
Vendor Information
You can consult the online Vendor Information file for information about using
RSA RADIUS Server with different remote access servers and firewalls. To
access this file:
1 Start the RSA RADIUS Administrator application.
2 Choose
You can access the same information by clicking the
Web > NAS Vendor Information.
Web Info button on the
Add RADIUS Client or Edit RADIUS Client window.
Requests for Comments (RFCs)
The Internet Engineering Task Force (IETF) maintains an online repository of
Request for Comments (RFC)s online at
X RFC 2865, Remote Authentication Dial In User Service (RADIUS). C. Rigney, S.
Willens, A. Rubens, W. Simpson. June 2000.
X RFC 2866, RADIUS Accounting. C. Rigney. June 2000.
X RFC 2869, RADIUS Extensions. C. Rigney, W. Willats, P. Calhoun. June 2000.
X RFC 2882, Network Access Servers Requirements: Extended RADIUS Practices. D.
Mitton. July 2000.
RSA RADIUS Server 6.1 Administrator’s Guide About This Guide xi
http://www.ietf.org/rfc.html.
X Internet-Draft, “The Protected One-Time Password Protocol
(EAP-POTP)”, M. Nystrom, June 2005.
ftp://ftp.rsasecurity.com/pub/otps/eap/
draft-nystrom-eap-potp-02.html
Third-Party Products
For more information about configuring your access servers and firewalls, consult
the manufacturer’s documentation provided with each device.
Getting Support and Service
RSA SecurCare Online https://knowledge.rsasecurity.com
Customer Support Information www.rsasecurity.com/support
Before You Call for Customer Support
Make sure you have direct access to the computer running the
RSA Authentication Manager software. Have the following information available
when you call:
X Your RSA Security Customer/License ID. You can find this number on the
license distribution medium or by running the Configuration Management
application on Windows servers, or by issuing an
sdinfo command on
Linux or Solaris servers.
X RSA Authentication Manager software version number.
X The make and model of the machine on which the problem occurs.
X The name and version of the operating system under which the problem
occurs.
xii About This Guide September 2005
Chapter 1
About RSA RADIUS Server
RSA RADIUS Server is a complete implementation of the industry-standard
RADIUS (Remote Authentication Dial-In User Service) protocols.
RSA RADIUS Server is designed to meet the access control and policy
management requirements of enterprises. It interfaces with a wide variety of
network access servers—including virtual private networks (VPNs), dial-in
servers, and wireless LAN (WLAN) access points (APs)—and authenticates
remote and WLAN users against your existing security infrastructure. This lets
you control who can access your network and what resources are available to
them, and requires little administration beyond your current management of LAN
users. RSA RADIUS Server then logs all access usage, so you can track and
document usage statistics.
RSA RADIUS Server Features
X Centralized management of user access control and security.
X Support for a wide variety of 802.1X-compliant access points and other
network access servers ensures compatibility in your network environment.
X Support for a variety of authentication methods, including Tunneled
Transport Layer Security (TTLS), Protected Extensible Authentication
Protocol (PEAP), Generic Token Card, RSA Security EAP (EAP-15), and
Protected One-Time Password (EAP-32).
X Use of encryption keys eliminates the possibility of spoofing or masquerading
as an “imposter agent.”
RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 1
X Centralized configuration management (CCM) provides simplified
configuration management and automatic data distribution for multi-server
environments.
X Authentication logs provide a complete audit trail of user authentication
activity and administrative transactions.
X Encryption of communication between the RSA RADIUS Server and the
RSA Authentication Manager prevents electronic eavesdropping.
RSA RADIUS Server Overview
RADIUS is an industry-standard protocol for providing authentication,
authorization, and accounting services.
X Authentication is the process of verifying a user’s identity and determining
whether the user is allowed on the network.
X Authorization is the process of controlling the network resources that the
user can access on the protected network, such as privileges and time limits.
X Accounting is the process of generating log files that record statistics
describing each connection session, used for billing, system diagnosis, and
usage planning.
Figure 1 illustrates a simple RSA RADIUS authentication and authorization
sequence using a TTLS/PAP tunnel to facilitate communication between the
access client and the RSA RADIUS server.
Note that some access clients may be configured to use RSA Security EAP or
Protected One-Time Password (POTP) instead of a TTLS/PAP tunnel. In such
cases, the sequence of transactions is similar, though the communication
mechanics are different.
Note also that the RSA RADIUS server and the RSA Authentication Manager
can reside on the same network host or on different network hosts.
2 About RSA RADIUS Server September 2005
Access
Client
Remote
Access
Server
RSA
RADIUS
Server
RSA
Authentication
Manager
1. Connection Request
2. TTLS/PAP Tunnel Negotiation
TTLS/PAP Tunnel
4. User ID/Passcode
8a. Connection Accepted
8b. Connection Refused
Connection Notification
3. User ID/Passcode?
7a. Access-Accept (Attributes)
7b. Access-Reject
5. User ID/Passcode
6a. Passcode Accepted (Profile Name)
6b. Passcode Rejected
Figure 1 RSA RADIUS Authentication
1A RADIUS access client, who could be a dial-in user, a mobile user with
wireless network access, or someone working at a remote office, sends an
authentication request to a remote access server (RAS), which might be a wireless
Access Point, an ISDN bridge, or a modem pool.
NOTE: The terms “remote access server” (RAS) and “network access server”
(NAS) are interchangeable. This manual uses RAS, though some attribute
names and parameters retain the older ‘NAS’ in their names.
2 When the RAS receives a user’s connection request, it performs an initial
access negotiation with the user to establish connection information. It
forwards this information to the RSA RADIUS server, which uses the
information to create a tunnel between itself and the access client.
3 The RSA RADIUS server sends a request for the user’s credentials through
the TTLS tunnel.
4 The access client sends a user ID and passcode (tokencode and personal
identification number) to the RSA RADIUS server.
5 The RSA RADIUS server forwards the user’s user ID and passcode to the
RSA Authentication Manager, which verifies that the user ID exists and that
the passcode is correct for that user at that specific time.
6 If the user’s information is accepted, the RSA Authentication Manager
returns a message indicating that the passcode is accepted (6a). The
RSA Authentication Manager may also return the name of the profile
associated with this user in the Access-Accept message.
RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 3
If the user ID is not found or if the passcode is not appropriate for the
specified user, the RSA Authentication Manager returns a message indicating
the passcode is not accepted (6b).
7 If the RSA RADIUS server receives a message indicating the passcode is
accepted, it forwards a RADIUS Access-Accept message to the RAS (7a).
Z If the RSA Authentication Manager specified a profile name with the
accept message, the RSA RADIUS server sends the return list attributes
associated with that profile to the RAS.
Z If the RSA Authentication Manager did not specify a profile name with
the accept message, the RSA RADIUS server sends the return list
attributes associated with the default profile to the RAS.
For example, the Access-Accept message might specify that the access client
must use a specific IP address or be connected to a specific VLAN on the
network.
If the RSA RADIUS server receives a message indicating the passcode is
rejected, it forwards a RADIUS Access-Reject message to the RAS (7b).
NOTE: If the user requesting the network connection is in New Pin mode
or New Token mode (not shown), the RSA Authentication Manager sends
a message asking for more information, which the RSA RADIUS server
forwards to the user. When the user responds with values the
RSA RADIUS server can accept, the authentication sequence continues.
8 Depending on what information the RAS receives from the RSA RADIUS
server, the RAS accepts and configures the user connection or rejects the
user connection.
9 Based on the information it receives from the RSA RADIUS server, the RAS
grants or denies the connection request.
After the user is authenticated and the connection established, the RAS might
forward accounting data to the RSA RADIUS server to document the
transaction; the RSA RADIUS server can store or forward this data to support
billing for services provided during the network connection.
RADIUS Packets
A RADIUS client and a RADIUS server communicate by means of RADIUS
packets. RADIUS packets carry messages between the RADIUS client and
RADIUS server in a series of request and response transactions: the client sends a
request and expects a response from the server. If the response does not arrive,
the client can retry the request periodically.
4 About RSA RADIUS Server September 2005
Each RADIUS packet supports a specific purpose: authentication or accounting.
A packet can contain values called attributes. The attributes found in each packet
depend upon the type of packet (authentication or accounting) and the device
that sent it (for example, the specific make and model of the RAS device acting as
a RADIUS client).
For information on RADIUS authentication packet structures and attributes, see
RFC 2865, Remote Authentication Dial In User Service (RADIUS). For information
on RADIUS accounting packet structures and attributes, see RFC 2866, RADIUS
Accounting.
RADIUS Configuration
You must configure a RADIUS client and a RADIUS server before they can
communicate. If the client and server are on the same network, one administrator
might be able to configure both sides of the RADIUS communication. If the
client and server are on different networks, you might have to coordinate
RADIUS configuration details with the administrators of other networks.
RADIUS Server Configuration
You must configure how a RADIUS server responds to each of its clients. To
configure the RSA RADIUS Server, run the RSA RADIUS Administrator,
(described in “Running RSA RADIUS Administrator” on page 35), open the
RADIUS Clients panel (described in “RADIUS Clients Panel” on page 45), and
enter the following information for each RADIUS client:
X The IP address of the client device.
X The authentication shared secret used by RSA RADIUS Server and the client
device. For information on RADIUS shared secrets, see “Shared Secrets” on
page 6.
X The make and model of the client device, selected from a list of devices that
RSA RADIUS Server supports. If a specific make and model is not listed,
choose
- Standard Radius -.
RADIUS Client Configuration
You must configure each RADIUS client to contact its RADIUS server. To
configure a client to work with an RSA RADIUS Server, log on to the client
device, run its administration program, and enter the following information:
X The IP address of the RSA RADIUS Server.
RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 5
X The RADIUS shared secret to be used by the RSA RADIUS Server and the
X The UDP ports on which to send and receive RADIUS authentication and
Shared Secrets
A shared secret is a text string that serves as a password between hosts.
RSA RADIUS Server uses three types of shared secrets:
X RADIUS secret – Used to authenticate communication between a RADIUS
X Replication secret – Used to authenticate communication between a primary
X Node secret – Used to authenticate communication between a RADIUS
client device. For information on RADIUS shared secrets, see “Shared
Secrets” on page 6.
accounting packets. RSA RADIUS Server uses UDP ports 1645 and 1812 for
authentication and UDP ports 1646 and 1813 for accounting. For more
information, see “RADIUS Ports” on page 8.
server and a RADIUS client
RADIUS server and a replica RADIUS server
server and an RSA Authentication Manager server.
Replica
RADIUS
Access
Point
Server
Replication
Secret
Remote Access
Server (RAS)
802.1X-Compatible
Switch
Virtual Private
Network
RADIUS
Secret
Replication
Secret
Node
Secret
Primary
RADIUS
Server
Replica
RADIUS
Server
RSA
Authentication
Manager Server
Figure 2 Shared Secrets
6 About RSA RADIUS Server September 2005
RADIUS Secret
A RADIUS shared secret is a case-sensitive password used to validate
communications between a RADIUS server, such as RSA RADIUS Server, and a
RADIUS client, such as an Access Point (AP) or Remote Access Server (RAS).
RSA RADIUS Server supports shared secrets of up to 127 alphanumeric
characters, including spaces and the following special characters:
~!@#$%^&*()_+|\=-‘{}[]:”’;<>?/.,
Identical shared secrets must be configured on both sides of the RADIUS
communication link.
NOTE: Not all RAS devices support shared secrets of up to 127
alphanumeric/special characters. You should select shared secrets that are
fully supported by RADIUS devices in your network.
Most RADIUS clients allow you to configure different secrets for authentication
and accounting. On the server side, the configuration interface allows you to
create a list of known RADIUS clients (RAS devices). You should be able to
identify the authentication shared secret and accounting shared secret that a
server uses to communicate with each of the clients on this list.
During an authentication transaction, password information must be transmitted
securely between the RADIUS client (RAS or AP) and the RSA RADIUS Server.
RSA RADIUS Server uses the authentication shared secret to encrypt and
decrypt password information.
No encryption is involved in transmitting accounting data between a RADIUS
client and RADIUS server. However, the accounting shared secret is used by each
device to verify that it can “trust” any RADIUS communications it receives from
the other device.
Replication Secret
A replication secret is a text string used to authenticate communications between
a Primary RADIUS Server and a Replica RADIUS Server. You do not need to
configure the replication secret for a realm: the Primary RADIUS Server
generates it automatically, and each Replica RADIUS Server in a realm receives
the replication secret as part of its configuration package.
Node Secret
A node secret is a pseudorandom string known only to the RSA RADIUS Server
and RSA Authentication Manager. Before the RSA RADIUS Server sends an
authentication request to the RSA Authentication Manager, it encrypts the data
using a symmetric node secret key.
RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 7
RADIUS Ports
The RSA Authentication Manager software views the RSA RADIUS Server
service as a host agent. Communication between RSA RADIUS Server and
RSA Authentication Manager uses specific UDP ports, which are configured
during installation. To prevent “masquerading” by unauthorized hosts, you
configure RSA Authentication Manager with the IP addresses of each
RSA RADIUS Server host. Before RSA Authentication Manager accepts an
authentication request, it verifies that the source address contained in the request
matches an authorized host agent.
The RADIUS standard initially used UDP ports 1645 and 1646 for RADIUS
authentication and accounting packets. The RADIUS standards group later
changed the port assignments to 1812 and 1813, but many organizations continue
using the old 1645 and 1646 port numbers for RADIUS.
Any two devices that exchange RADIUS packets must use compatible UDP port
numbers. If you are configuring a RAS to exchange authentication packets with a
RADIUS server, you must find out which port the server uses to receive
authentication packets from its clients (1812, for example). You must then
configure the RAS to send authentication packets on the same port (1812). The
same is true for RADIUS accounting.
RSA RADIUS Server can listen on multiple ports. For compatibility, the server
listens to the old and new default RADIUS ports: ports 1645 and 1812 for
authentication, and ports 1646 and 1813 for accounting.
Authentication
Table 1 describes the conditions under which each type of RADIUS
authentication message is issued, and the purpose of any RADIUS attributes the
message contains.
Table 1. RADIUS Authentication Messages and Attributes
Message Conditions Purpose of Message Attributes
When a RAS receives a connection
request from a user, the RAS
authenticates the request by sending an
Access-Request to its RADIUS server.
8 About RSA RADIUS Server September 2005
Identify the user.
Describe the type of connection the user is
trying to establish.
Table 1. RADIUS Authentication Messages and Attributes (Continued)
Message Conditions Purpose of Message Attributes
When a RADIUS server authenticates a
connection request, it returns a RADIUS
Access-Accept to the RAS.
When a RADIUS server is unable to
authenticate a connection request, it
returns an Access-Reject to the RAS.
If initial authentication conditions are
met, but additional input is needed from
the user, the RADIUS server returns an
Access-Challenge to the RAS.
Accounting
To understand the RSA RADIUS Server accounting sequence, you need an
overview of RADIUS accounting messages. Table 2 describes the conditions
under which each type of message is issued, and the purpose of any RADIUS
attributes that a message contains.
Allow the RAS to complete access
negotiations.
Configure connection details such as
providing the RAS with an IP address it
can assign to the user.
Enforce time limits and other “class of
service” restrictions on the connection.
Terminate access negotiations.
Identify the reason for the authorization
failure.
Enable the RAS to prompt the user for
more authentication data.
Complete the current Access-Request, so
the RAS can issue a new one.
Table 2. Message Conditions and Attributes
Message Conditions Purpose of Message Attributes
Accounting data is sent from client to
server using an Accounting-Request
message. The client manufacturer
decides which types of accounting
requests are sent, and under which
conditions. This table describes the
most typical conditions.
The client ensures that the server
receives accounting requests. Most
clients retry periodically until the server
responds.
Depending on the value of the
Acct-Status-Type attribute, the message
type is considered to be Start, Stop,
Interim-Acct, Accounting-On, or
Accounting-Off.
RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 9
Table 2. Message Conditions and Attributes (Continued)
Message Conditions Purpose of Message Attributes
After receiving an Access-Accept from
the server, the RAS completes its
access negotiation with the user. The
RAS then sends a Start message to the
server.
After a connection is terminated, the
RAS sends a Stop message to the
server.
At intervals of approximately every six
minutes, the RAS sends an Interim-Acct
message to the server.
Every time a client device comes online,
whether after a failure or after an orderly
shutdown, it sends an Accounting-On
message to the server.
Every time a client device experiences
an orderly shutdown, before completing
its shutdown sequence it sends an
Accounting-Off message to the server.
Upon receipt of an Accounting-Request
message, the server sends an
Accounting-Response.
Record connection data such as user ID,
RAS identifier, RAS port identifier, port
type, and connection start time.
Record statistics regarding the connection.
One message contains the final value of
every statistic that this RAS is capable of
recording about this type of connection.
Record a “snapshot” of statistics regarding
the connection. One message contains the
current value of every statistic that this
RAS is capable of recording about this
type of connection.
Identify the device that is going online and
clear all session information.
Identify the device that is going offline and
clear all session information.
Complete the request/response cycle.
Accounting Sequence
A RAS can issue an Accounting-Request whenever it chooses, for example upon
establishing a successful connection. Each time an Accounting-Request message
arrives at the RSA RADIUS Server, an accounting transaction begins. During this
transaction, the server handles the message by examining the Acct-Status-Type
and other attributes within the message, and taking the appropriate action.
Comma-Delimited Log Files
When the RSA RADIUS Server accounting log is enabled, all of the RADIUS
accounting attributes that the server receives are reformatted and logged to a
Comma Separated Value (CSV) text file, which is easily imported into
spreadsheets and database programs for report generation and billing.
10 About RSA RADIUS Server September 2005
Tunneled Accounting
During authentication, a user is typically identified by attributes such as
User-Name (in the authentication request) and Class (in the authentication accept
response). Standard RADIUS accounting requests typically include these
attributes in messages flagging Start, Interim, and Stop events so that the user’s
identity can be recorded for accounting and auditing purposes.
When an organization uses a tunneled authentication protocol such as
EAP/TTLS or EAP/PEAP, the identity of a user requesting authentication might
be concealed from the RAS; the User-Name attribute carried by the outer
authentication protocol is typically a nonunique value such as anonymous. As a
result, the outer User-Name value included in accounting requests might not be
sufficient to determine a user’s identity. Class attributes provided by an
authentication server cannot be included in cleartext in an outer Access-Accept
message because they might contain clues about the user’s identity, thereby
defeating the identity-hiding feature of the tunneled protocol.
Tunneled accounting enables RSA RADIUS Server to pass user identity
information to accounting processes without exposing user identities to a RAS or
AP that should not see them. When tunneled accounting is enabled, RADIUS
attributes are encrypted and encapsulated in a Class attribute. If the information
for a Class attribute exceeds the attribute payload size (253 octets),
RSA RADIUS Server returns more than one Class attribute for a user.
Tunneled accounting works as follows:
1 The RSA RADIUS Server acting as the tunnel endpoint for EAP/TTLS or
EAP/PEAP encrypts a user’s inner User-Name and Class attributes when it
authenticates the user.
2 The server returns the encrypted information to the RAS or AP encapsulated
in a Class attribute in the outer Access-Accept message. The RAS or AP
associates this encapsulated identity attribute with the user, and echoes the
encapsulated identity attribute whenever it generates an accounting request
for the user.
3 When the RSA RADIUS Server receives an accounting request from a RAS
or Access Point, the server scans the request for an encapsulated identity
attribute.
4 If the server finds an encapsulated identity attribute, it decapsulates and
decrypts the attributes to reconstitute the original inner User-Name and Class
attributes.
5 The server substitutes the decrypted attributes for the ones returned from
the RAS or AP.
RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 11
6 The server processes the accounting request locally.
Attributes
Dictionaries
To implement tunneled accounting, you must configure the
to specify how attributes should be presented, and you must configure the
spi.ini file to specify the keys that are used to encrypt and decrypt users’
identity information.
You work with RADIUS attributes while setting up users, profiles, and RADIUS
clients on the RSA RADIUS Server. The RSA RADIUS Server Administrator
program allows you to choose RADIUS attributes by name from a predefined list.
For each attribute, the RSA RADIUS Administrator prompts you to enter values
using familiar data types such as string, integer, telephone number, or network
address.
RSA RADIUS Server uses dictionary files to store lists of RADIUS attributes.
RSA RADIUS Server uses these dictionaries to parse authentication and
accounting requests and generate responses.
The main RSA RADIUS Server dictionary file (
defined by the RADIUS standard. The
directory as the RSA RADIUS Server service (usually
\RSA Security\RSA RADIUS\Service
/opt/rsa/radius on Solaris and Linux computers).
radius.dct file resides in the same
radius.dct) lists attributes
on Windows computers and
classmap.ini file
C:\Program Files
Vendor-Specific Attributes
In addition to the standard attributes, many RAS devices use vendor-specific
attributes (VSAs) to complete a connection. RSA RADIUS Server supports a
large number of specific RAS devices by providing vendor-specific, proprietary
dictionary files. These files also reside in the server directory and use the filename
extension
.dct.
Make/Model Field
During RSA RADIUS Server configuration, when you make a selection in the
RADIUS client
contains the VSAs for this client device. Thereafter, whenever the server receives
a RADIUS packet from this client device, it can consult this dictionary file for any
12 About RSA RADIUS Server September 2005
Make/model field, you are telling the server which dictionary file
nonstandard attributes that it encounters in the packet. Standard RADIUS
attributes are always defined by the
make/model for a RADIUS client, choose the default option:
Radius -
.
radius.dct file. If you do not know the
- Standard
Attribute Lists
For the most part, the selections currently available in the
Make/model field are
devices whose vendors have provided up-to-date attribute dictionaries.
Documentation for these vendors and their products is available online by
clicking the
Web info button on the RADIUS Clients panel (described on
page 45).
Updating Attribute Information
If your RAS vendor announces a new product, a new attribute, or a new value for
an attribute, you can add this information to your RSA RADIUS Server
configuration. You can edit the dictionary file for that vendor to add new
attributes or attribute values, or you can create a new vendor-specific dictionary
file that contains new attributes and values.
For information on modifying vendor dictionary files, refer to the
RSA RADIUS Server 6.1 Reference Guide.
You can use profiles to control authentication at finer levels of detail than simple
user ID and password checking allow. Checklists and return lists provide powerful
tools for the authentication and authorization of users.
Checklist Attributes
A checklist is a list of attributes that must accompany the request for connection
before the connection request can be authenticated. The RAS must send
attributes that match the checklist associated with a user entry; otherwise,
RSA RADIUS Server rejects the user even if the user’s name and password are
valid.
By including appropriate attributes in the checklist, a variety of rules can be
enforced. For example, only specific users might be permitted to use ISDN or
dial-in connections to a particular RAS, or Caller ID might be used to validate a
user against a list of acceptable originating telephone numbers.
A checklist is created by choosing attributes from a list of all RADIUS attributes
known to the RSA RADIUS Server. This list can include a variety of
vendor-specific attributes.
RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 13
During authentication, RSA RADIUS Server filters the checklist based on the
dictionary for the RADIUS client that sent the authentication request. The server
ignores any checklist attribute that is not valid for this device.
Return List Attributes
A return list is a list of attributes that RSA RADIUS Server must return to the RAS
after authentication succeeds. The return list usually provides additional
parameters that the RAS needs to complete the connection, typically as part of
PPP negotiations. Return list attributes can be “authorization configuration
parameters.”
By including appropriate attributes in the return list, you can create a variety of
connection policies. Specific users can be assigned particular IP addresses or IPX
network numbers; IP header compression can be turned on or off; or a time limit
can be assigned to the connection.
You create a return list by choosing attributes from a list of all RADIUS attributes
known to the RSA RADIUS Server. This list can include a variety of
vendor-specific attributes.
During authentication, RSA RADIUS Server filters the return list based on the
dictionary for the specific RADIUS client that sent the authentication request.
The server omits any return list attribute that is not valid for this device.
Attribute Values
The value of each RADIUS attribute has a well-defined data type: numeric, string,
IP or IPX address, time, or hexadecimal. For example,
string and contains a telephone number. RAS-Port-Type is an item
type
from a list, and can be
Sync, Async, and so forth.
Multi-Valued Attributes
Attributes can be single- or multi-valued. Single-valued attributes appear at most
once in the checklist or return list; multi-valued attributes might appear several
times.
If an attribute appears more than once in the checklist, this means that any one of
the values is valid. For example, you can set up a checklist to include both
and
Async values for attribute RAS-Port-Type. This means that the user can
dial into a Sync port or an Async port, but not one of the ISDN ports.
If an attribute appears more than once in the return list, each value of the
attribute is sent as part of the response packet. For example, to enable both IP
and IPX header compression for a user, you would configure the
14 About RSA RADIUS Server September 2005
Callback-Number is of
Sync
Framed-Compression
VJ-TCP-IP-header-compression and once with the value
value
IPX-header-compression.
attribute to appear twice in the return list: once with the
Orderable Attributes
Certain multi-valued return list attributes are also orderable; that is, the attribute
can appear more than once in a RADIUS response, and the order in which the
attributes appear is important.
For example, the
to the user for display. A multi-line message is sent by including this attribute
multiple times in the return list, with each line of the message in its proper
sequence.
Reply-Message attribute allows text messages to be sent back
System Assigned Values
Some attributes do not allow the administrator to set a value.
RSA RADIUS Server retrieves the appropriate values for these attributes when
they are needed.
Echo Property
Using the echo property, you can force an attribute from the RADIUS request to
be echoed in the RADIUS response. For example, you might add
Callback-Number to the return list and click the echo checkbox.
RSA RADIUS Server takes the value of the Callback-Number it receives in the
RADIUS request and echoes it back to the client in the RADIUS response; if it
receives no Callback-Number, it echoes nothing.
You enter
indicates that one of the callback numbers you supplied must be present in the
RADIUS request, and that number should be echoed in the RADIUS response.
Callback-Number one or more times into the checklist. This
Default Values
Choosing default for a checklist attribute specifies that, if the RADIUS request
does not include this attribute, the request should not be rejected. Instead, the
value supplied as the default should be used as if it were received as part of the
request. One use for default values is to require that an attribute in a RADIUS
request must have one of several values, or must not be present at all. Another use
is to provide a default value for an attribute in conjunction with the echo property
in the return list.
RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 15
If an attribute appears once in the checklist marked as default, and the same
attribute appears in the return list marked as
echo, the server echoes the actual
value of the attribute in the RADIUS response if the attribute appears in the
RADIUS request. If the attribute does not appear in the RADIUS request, the
server echoes the default value (from the checklist) in the response.
If you add multiple values of the same attribute to the checklist, only one of them
can be marked as default.
For example, an administrator adds several Callback-Number values to the
checklist and marks one of them as default. The administrator adds
Callback-Number to the return list and specifies it as echo.
X If a Callback-Number value is present in the RADIUS request, it must match
one of the checklist values or the user is rejected.
X If it does match, the user is accepted and the value supplied is echoed in the
RADIUS response.
X If no Callback-Number is supplied in the request, the user is accepted and
the default value is echoed in the response.
Other checklist attributes provide configuration for the user, such as time-of-day
and concurrent-login-limit information.
Centralized Configuration Management
The RSA RADIUS Server supports the replication of RADIUS configuration
data from a Primary RADIUS Server to a maximum of 10 Replica RADIUS Servers
within a realm on a customer network. Replica servers help balance the load of
authentication requests coming in from RADIUS clients, and ensure that
authentication services are not interrupted if the Primary or other Replica
RADIUS servers stops working.
All the servers within a realm reflect the current configuration specified by the
network administrator: the network administrator modifies the configuration on
the Primary RADIUS Server, and the Primary RADIUS Server propagates the
new configuration to its Replica RADIUS Servers. For example, after a network
administrator configures a new RADIUS client or profile on the Primary
RADIUS Server, the network administrator tells the Primary RADIUS Server to
publish a configuration package file (
updated configuration information. After publication, the Primary RADIUS
Server notifies each Replica RADIUS Server that a new configuration package is
ready. Each Replica then downloads and installs the configuration package to
update its settings.
16 About RSA RADIUS Server September 2005
replica.ccmpkg) that contains the
The Primary RADIUS Server maintains a list of the Replica RADIUS Servers
that have registered with it. The Primary RADIUS Server uses this list to track
which servers to notify after it publishes an updated configuration package to
resynchronize the configuration of Replica RADIUS Servers.
RADIUS
Replica 1
RADIUS
Replica 2
Primary
RADIUS
Server
RADIUS
Replica 10
Figure 3 Primary and Replica RADIUS Servers
Replacing a Replica RADIUS Server
To replace a failed Replica RADIUS Server, a network administrator shuts down
the failed server, installs the RSA RADIUS Server software on a replacement
server, and enables the Replica RADIUS Server. The Replica RADIUS Server
then downloads and installs its configuration package from the Primary RADIUS
Server.
Designating a New Primary RADIUS Server
You can change which server within a realm is designated as the Primary
RADIUS Server for that realm. For more information, see “Designating a New
Primary RADIUS Server” on page 70.
RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 17
Recovering a Replica After a Failed Download
If a Replica RADIUS Server fails during the download of a configuration
package, its configuration may be corrupted or it may have a stale secret. For
information on how to recover a Replica after a failed download, refer to
“Recovering a Replica After a Failed Download” on page 70.
Changing the Name or IP Address of a Server
To change the DNS name or IP address of a Primary or Replica RADIUS Server,
you run the
(Solaris/Linux) utility. For more information, refer to “Changing the Name or IP
Address of a Server” on page 71.
rsainstalltool (Windows) or the rsaconfiguretool
18 About RSA RADIUS Server September 2005
Loading...