
1 Funk Software Preside Radius 1

2 Main Menu
- Introduction and Overview
- Installation and Configuration
- Monitoring and Logging
- External Data Storage
  - LDAP
  - SQL Authentication
  - Accounting
- Proxy RADIUS
- Troubleshooting and Logging
- Other Features
- LCI

3 Introduction and Overview

4 Funk Software
- Software Developer & Publisher
- Founded 1982
- Headquarters: Cambridge, MA
- European Operations: Paris, France
- Product focus: Access Security Communications

5 ...the short version
- 100% fully IETF compliant RADIUS server
- Easy administration GUI
- Powerful, flexible accounting
- Leverages existing SQL/LDAP databases
- SecurID authentication
- LDAP configuration interface
- Load balancing
- Concurrent access limits

6 RADIUS RFCs
- Internet Engineering Task Force web site
- Began as “Request For Comments”
- Status now “Standards Track”
  - /rfc/rfc2865.txt - RADIUS Authentication
  - /rfc/rfc2866.txt - RADIUS Accounting
- All standard attributes defined here
  - Both RFCs are dated June 2000
  - Previous RFCs (2138, 2139) are dated April 1997

7 Basic RADIUS Authentication Transaction
- Access request
- RADIUS client
- RADIUS server
[Diagram: User, NAS Device, RADIUS Server]

8 RADIUS Clients
- PPP servers
- Nortel/Ascend
- Cisco Access Servers
- VPN
- Nortel Extranet Switch
- Firewalls
- Firewall-1, NetScreen
- Back Office Software
- Oracle 8i
- Wireless: PDSN GCSN GSM SGSM

9 RADIUS AAA Services
- Authentication
  - Are the credentials correct?
  - Match username/password to profile
- Authorization
  - Which services may be provided?
  - Use profile to validate user’s request
- Accounting
  - Track usage during connection’s lifetime
  - Sort, filter, organize attributes
  - Send attributes anywhere (logfile, Proxy, SQL)

10 RADIUS Messages
- A device that “supports RADIUS” can receive and send RADIUS messages.
- RADIUS messages contain RADIUS attributes.
- Attributes = how information is exchanged
- Message types:
  - Access-Request
  - Access-Reject
  - Access-Accept
  - Access-Challenge
  - Accounting-Start
  - Accounting-Stop
  - Accounting-Interim
  - Accounting-On
  - Accounting-Off

11 Standard Radius Authentication Attributes
- Standard RADIUS authentication attributes are listed in RFC 2865
  User-Name, User-Password, CHAP-Password, NAS-IP-Address, NAS-Port, Service-Type, Framed-Protocol, Framed-IP-Address, Framed-IP-Netmask, Framed-Routing, Filter-Id, Framed-MTU, Framed-Compression, Login-IP-Host, Login-Service, Login-TCP-Port, Reply-Message, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, State, Class, Vendor-Specific, Session-Timeout, Idle-Timeout, Termination-Action, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, CHAP-Challenge, NAS-Port-Type, Port-Limit, Login-LAT-Port

12 Standard RADIUS Accounting Attributes
- Standard accounting attributes are defined in RFC 2866
  User-Name, User-Password, CHAP-Password, NAS-IP-Address, NAS-Port, Service-Type, Framed-Protocol, Framed-IP-Address, Framed-IP-Netmask, Framed-Routing, Filter-Id, Framed-MTU, Framed-Compression, Login-IP-Host, Login-Service, Login-TCP-Port, Reply-Message, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, Acct-Status-Type, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id, Acct-Authentic, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Terminate-Cause, Acct-Multi-Session-Id, Acct-Link-Count, CHAP-Challenge, NAS-Port-Type, Port-Limit, Login-LAT-Port, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, State, Class, Vendor-Specific, Session-Timeout, Idle-Timeout, Termination-Action, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link

13 Vendor Specific Attributes
- Vendors can create their own attributes that allow their devices to perform authorization functions and provide information relevant to the type of device (ppp, vpn, firewall, etc.)
  - Ascend-Disconnect-Cause
  - Cisco-AVPAIR
  - RB-Context_Name
  - PW_Tunnel_Authentication
- All VSAs are defined in configurable text files (.dct files)
- VSAs are non-standard (vendor-specific) information packaged into a format that is standard RADIUS
- Preside Radius includes comprehensive dictionary lists for most devices on the market today

14 The Role of Attributes
- Checklist attributes are present in the access-request message
  “Once the [nas] client has obtained such information, it may choose to authenticate using RADIUS. To do so, the client creates an "Access-Request" containing such Attributes as the user's name, the user's password, the ID of the client and the Port ID which the user is accessing. When a password is present, it is hidden using a method based on the RSA Message Digest Algorithm MD5” – RFC 2865 page 4.
- Returnlist attributes are present in the access-response message
  “If all [checklist] conditions are met, the list of configuration values for the user are placed into an "Access-Accept" response. These values include the type of service (for example: SLIP, PPP, Login User) and all necessary values to deliver the desired service.” – RFC 2865 page 6.
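
The hiding method the first RFC quote refers to, written out as an added example (not code from the presentation or from Preside Radius). Following RFC 2865 section 5.2, each 16-octet block of the NUL-padded password is XORed with MD5(shared secret + previous block), starting from the Request Authenticator; the secret, authenticator and password values below are constructed.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Build the User-Password attribute value as a RADIUS client (NAS) does."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    # Pad with NUL octets up to the next multiple of 16.
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    previous = request_authenticator
    for offset in range(0, len(padded), 16):
        mask = hashlib.md5(secret + previous).digest()
        block = _xor(padded[offset:offset + 16], mask)
        hidden += block
        previous = block  # the next mask chains on the hidden block just produced
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Recover the password as the RADIUS server does, using the same shared secret."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    clear = b""
    previous = request_authenticator
    for offset in range(0, len(hidden), 16):
        block = hidden[offset:offset + 16]
        clear += _xor(block, hashlib.md5(secret + previous).digest())
        previous = block
    # Padding is stripped here, so trailing NULs in a password are not preserved.
    return clear.rstrip(b"\x00")


if __name__ == "__main__":
    secret = b"shared-secret"              # constructed; configured on both client and server
    authenticator = bytes(range(16))       # constructed; a real client uses an unpredictable value
    hidden = hide_password(b"correct horse battery", secret, authenticator)
    print(hidden.hex())
    print(reveal_password(hidden, secret, authenticator))
    # A server configured with a different secret recovers garbage and rejects the user.
    print(reveal_password(hidden, b"other-secret", authenticator))
```

Because the mask depends only on the shared secret and on values carried in the packet, the password in transit is exactly as well protected as the shared secret configured on the RADIUS client and server.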

15 Access Services...
[Diagram labels: Local, SQL, NT, LDAP, TACACS+; Enterprise or Service Provider; Remote Users; RAS Server, VPN, Router, Firewall; Preside Radius]

16 Managed Services
[Diagram labels: Preside Radius; Link to ISP (T1); NetWare Bindery, Local, NetWare NDS, NT Domain, NT Host, ACE/Server; CPE router, firewall, and/or VPN; Private Network / Internet; Enterprise LAN; Enterprise or Service Provider; RAS; Firewall; Service Provider; Remote Users; RAS “A”, RAS “B”, RAS “C”]

17 And … Wholesale Data Services
[Diagram labels: Preside Radius; Outsourced Modem Pools (UUNET); Remote Users; RAS “A”, RAS “B”, RAS “C”; PROXY; Native, SQL, LDAP, TACACS+, NT Domain; Virtual ISPs; ISP “A”, ISP “B”, ISP “C”; Private Network / Internet]

18 BSAC
- Fully compliant RADIUS server
- Easy administration GUI
- Powerful, flexible accounting log
- Accounting to SQL databases
- Authentication against SQL databases
- Authentication against LDAP directories
- Authentication against token systems (SecurID, TACACS+)
- SecurID token caching
- Authentication against local O/S
- Concurrent connection limits
- Expired NT domain passwords
- LDAP Configuration Interface available
- Basic Proxy RADIUS functionality

19 Preside Radius
- Built on the scale required by ISPs
- Advanced Proxy RADIUS features
- Directed authentication, accounting
- Advanced accounting log features
- SNMP support (Solaris)
- perfmon counters and events (Windows NT)
- SQL, LDAP load balancing
- Authorization based on time of day
- Request routing by attribute values
- Administrative access levels
- Auto-restart of the server
- LDAP Configuration Interface built-in
- Concurrency Server available

20 Preside Radius ISP Features
Preside Radius provides many features that help ISPs (and others) deliver and bill for services.
- Time of day
- Acct-Status-Types
- Attribute aliasing
- Configurable accounting log
- Activity log levels
- Auto-detect make/model
- Auto-restart server
- User-Name validation
- Administrative access levels
- Event configuration (NT only)

21 Data Storage Options

22 Preside Radius’s Authentication Options
- Preside Radius Native Database
- SQL Databases
  - Oracle
  - Informix
  - ODBC-compliant (NT only)
- Authentication Servers
  - TACACS+
  - SecurID
  - Other token systems
- LDAP Directories
  - Netscape
  - MS Active Directory
  - Merit
- Host O/S Databases
  - NT Domain
  - NT Host
  - Solaris

23 SQL Authentication
- Any RADIUS attribute can be retrieved from an SQL column
- Any SQL column can be mapped to a RADIUS attribute and returned in the response
*All data remains in SQL database
[Diagram: User, NAS, SQL Server, RADIUS Server]

24 LDAP Summary
- Any RADIUS attribute can be part of the LDAP query
- Any LDAP object can be mapped to a RADIUS attribute and returned in the response
- Lightweight Directory Access Protocol standard
- An example of an “off-line” directory is the phone book or mail-order catalogue.
- Suited to reference data (“read from” much more often than it is “written to”).
- Very flexible, both in looking up data and in changing the types of information stored.
- All data remains in LDAP database

25 SecurID Summary
- Token card system
- Generates new credentials each login
- ACE/Server authenticates credentials
- Preside Radius can pass-through to ACE/Server
- Detailed configuration necessary
- New Pin/Next Token
- Support of other token systems

26 Host O/S Databases
- NT Domain & Host
- Solaris Password File & NIS
- Netware NDS & Bindery

27 Accounting
A billing system requires these fundamental attributes:
- Acct-Session-ID
  - Connection’s unique identifier
  - Matches STARTs and STOPs
- Acct-Status-Type
  - Start, Stop, Interim, On, Off
- Framed-IP-Address
  - IP address of user’s connection
  - Authentication, accounting attribute
- User-Name
  - The account using the network
  - Authentication, accounting attribute
- Acct-Session-Time
  - For how many seconds did the user receive service?
  - TIME = $ MONEY $
- Acct-Input-Packets, Acct-Output-Packets, Acct-Input-Octets, Acct-Output-Octets
  - What was the volume of network traffic generated by the user?
  - TRAFFIC = $ MONEY $
Other attributes (including VSAs) provide additional detail

28 SQL Accounting
- Preside Radius lets you write to an SQL database the specific accounting information that you want to maintain
- INSERT is the query used to write to the database
- Any RADIUS accounting attribute listed in Preside Radius’s account.ini file can be used in the INSERT statement
- Preside Radius can write the transaction time, full username, NAS name, session time, and record type to the database

29 LCI LDAP Command Interface
- LDAP Schema mapped onto native database
- Using LCI commands:
  - Change passwords, authentication methods
  - Add clients, users, tunnels, IP pools
  - Search current user list
- Find and modify any aspect of Preside Radius that the administrative program provides
- ldapsearch.exe
    ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -s sub -T -b "o=radius" objectclass=*
- ldapmodify.exe
    ldapmodify -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f
- ldapadd.exe
    ldapadd -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f

30 Installation and Configuration

31 Installation Files
- CD is cross-platform
- Unix: expand tar file, run install.sh script
  - No compiling. Install script will unpack all directories and files, guide you through the configuration, and start the radius process.
  - Open web browser to the /radadmin/java/index.html to launch admin application.
- NT: Run the setup.exe file.
  - Setup.exe installs Radius directory, expands files, starts the Preside Radius process, and launches admin application.

32 Servers Dialog

33 RAS Clients Dialog
- name
- IP address
- …on both sides, client and server!
- shared secret
- UDP port

34 Make/Model
- Determining make/model of RADIUS client:
  - NAS-IP-Address matches a RAS Client entry
  - OR Auto-detect matches any attribute to make/model
- Benefits of make/model
  - Identifies correct attribute dictionary
  - Enables vendor-specific configuration help
- Make/model field in Administrator GUI
- Profiles and make/model
  - Profiles can reference various VSAs
  - Only the current device’s VSAs are used
  - “Other” VSAs filtered out at request time
- "- Standard Radius -": safe choice, all clients

35 Make/Model Examples
- list box
- help file
- dictionary (.dct) files
- vendor.ini file

36 Attribute Dictionaries
- dictiona.dcm
  - Inventory of all available attributes
  - Includes all *.dct files
- radius.dct
  - Standard RADIUS attributes AND Funk Radius VSAs
- *.dct
  - Vendor-specific attributes: Name, ID, length, type, valid values, usage
  - One file per vendor
  - Each file can be edited
  - New *.dct files can be added

37 Users Dialog
- User type (native vs external)
- Password
- Attributes vs Profile
- Concurrency

38 Types of User
- Native
- NT Domain
- NT Host
- UNIX User
- UNIX Group
- SecurID
- TACACS+

39 RADIUS Attributes
- Check List (Access-Request)
  A list of criteria that a user must satisfy, in addition to providing a password, before Preside Radius will authenticate them
- Return List (Access-Accept)
  A list of information that Preside Radius passes back to the NAS once the user has been authenticated. Return List Attribute requirements are defined by the NAS.
- Accounting (Acct-Request)
  Additional information sent from the NAS to the Preside Radius server for accounting purposes.

40 Profiles Dialog
- Design a Template for each class of user.

41 Profile Examples
- Basic Dial-In
- Advanced Dial-In
- Free Access
- Basic Tunnel

42 Proxy Dialog
- name
- IP address
- …on both sides, target and proxy!
- shared secret
- UDP port

43 Tunnel Dialog
- Tunnel attribute storage
- DNIS recognition
- Tunnel support for specific vendor equipment handled through Users Dialog

44 IP/IPX Pools Dialog
- Configure Multiple Pools
- Create multiple ranges per pool
- Associate with users, profiles, or NAS

45 Access Dialog
- Configure Preside Radius administrators based on domain authentication

46 Configuration Dialog
- Authentication Methods List
- Activate, Deactivate, Sort
- Reject Messages
- Log File Storage
- Tunnel Name Parsing

47 Statistics Dialog

48 Current Users Dialog

49 Preside Radius Data Portability
- Import/Export
- Database Files
- LDAP Configuration Interface

50 Import/Export
- In Preside Radius Admin
- Stores all data configured in Admin GUI
- Creates RIF File
- Import ASCII files
- Cross Platform

51 Database Files
- Preside Radius NT & Netware
  - radads.dat
  - radclnt.dat
- Preside Radius Solaris
  - radiusdata.d01
  - radiusdata.d02
  - radiusdata.d03
  - radiusdata.dbd
  - radiusdata.k01
  - radiusdata.k02

52 LCI LDAP Command Interface
- Change Passwords
- Add clients, users
- Add tunnels, IP pools
- Search current user list
- Find and modify any aspect of Preside Radius that the administrative program provides
- ldapsearch.exe
    ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -s sub -T -b "o=radius" objectclass=*
- ldapmodify.exe
    ldapmodify -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f
- ldapadd.exe
    ldapadd -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f

53 Monitoring and Logging

54 Tools
- Activity Logs
- Accounting Logs
- Statistics Dialog
- Current Users
- Reporting
- Windows NT Performance Monitor
- Windows NT Events
- SNMP Support
- Using The LCI For Reporting

55 Activity Log
- yyyymmdd.log
- typical entries
- Sent accept response for user X to client Y
- Unable to find user X with matching password
- Sent reject response
- Shutting down RADIUS Authentication Server
- Starting RADIUS Authentication Server

56 Activity Log Details
- All Preside Radius information is in a daily log file (yyyymmdd.log)
- radius.ini controls the level of logging detail in its [Configuration] section
  - LogLevel =
    - 0 = production (sparse)
    - 1 = informational (medium)
    - 2 = debug (verbose)
  - TraceLevel =
    - 0 = no packet tracing
    - 1 = parsed contents of packets are logged
    - 2 = raw contents of packets are logged
- Kept for a number of days set in [Configuration] section of radius.ini

57 Accounting Log Details
- All Preside Radius accounting information is in a daily log file (yyyymmdd.act)
- Accounting transactions are also logged to the authentication log file, since accounting start and stop messages impact users’ active sessions
- account.ini controls the attributes logged
- Kept for a number of days set in [Configuration] section of radius.ini
- Comma-separated format for easy importing into other databases or spreadsheet applications
  - Date, Time, RAS-Client, Record-Type, Full-Name, Auth-Type are built in to native accounting
  - All standard RADIUS attributes are listed next by default
  - Depending on the device configured, any VSAs are listed after that
  - Edit account.ini to add/remove any accounting information logged

58 Log File Errors
- Errors can be looked at from two perspectives
  - Information contained within a packet may be a source of error
  - Information relative to Preside Radius itself and its connections may be a source of error
- Use TraceLevel=1 or 2 for logging to decode packet errors
- Use LogLevel=1 or 2 for explanatory Preside Radius application errors

59 Statistics Dialog

60 Statistics
- Authentication Requests
- Accounting Requests
- Proxy Requests
- Transactions, Details, Silent Discards

61 Current Users Dialog

62 Current Users
- Quick View
  - Username
  - RAS Client
  - Port
  - Time
  - Session-ID
  - IP Address
- Preside Radius receives an authentication request
  - Generates a phantom record
  - When an accounting message comes in that matches the authentication record, the phantom record is deleted
  - Match is based on NAS IP address and NAS port

63 Reporting
- Create an RTF report file composed of the selected items.
- Information is polled from all aspects of Preside Radius

64 Performance Monitor
- Run perfmon.exe on the administrative workstation
- Add Preside Radius service as an object to the chart items
- Add any of the Preside Radius counters needed
- Acct-Starts, Auth-Requests, Sessions Online, etc.

65 Windows NT Events
- Event Service types:
  - Core event relating to the functioning of Preside Radius itself: RADCAT_CORE ID=1
  - Events relating to the authentication service: RADCAT_AUTH ID=2
  - Events relating to the accounting service: RADCAT_ACCT ID=3

66 Severity of Preside Radius Events
- Informational Events
  - Service has started
  - Service has stopped
- Warning Events
  - Count of available threads has dropped below nnnn.
  - Amount of free file system space has dropped below minimum threshold
- Error Events
  - Unable to create thread
  - The connection to Accounting Server has failed

67 SNMP Support
- Requires Solstice Enterprise Agent (SEA)
- Preside Radius acts as a subagent
- Three MIB files that get copied to the SNMP Manager
  - rauths.mib, raccs.mib, and fnkradtr.mib
- Queries are defined in the rauths and raccs mib files
- Traps and alarms are defined in the fnkradtr mib file
  - Informational, Warning, and Error messages
  - Similar to Windows NT Events
- Events.ini configures the reporting options.
  - Can dilute (reduce the frequency) reporting of common events

68 LCI Reporting Options
- Use the LCI to report current users by client, IP address, Session ID, full name:
    ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions,o=radius" client=*
    ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions,o=radius" ipaddressfrompool=*
    ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions,o=radius" acct-session-id=*
    ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions_by_user,o=radius" fullname=*

69 LDAP

70 LDAP Summary
- Lightweight Directory Access Protocol
- A “directory” is a specialized database
- An example of an “off-line” directory is the phone book or mail-order catalogue.
- Suited to reference data (“read from” much more often than it is “written to”).
- Very flexible, both in looking up data and in changing the types of information stored.

71 LDAP Authentication
- RADIUS client
- Preside Radius
- LDAP database server
[Diagram: User, NAS, LDAP Server, RADIUS Server]

72 LDAP Authentication
- You have user data in an LDAP database.
- Create an .aut file that (1) BINDs Preside Radius to an LDAP database and (2) issues a SEARCH query to retrieve the password, based on the username.
- Name the authentication method ( InitializationString = )
- Stop and restart the Preside Radius server.
- Enable, disable, and re-order the method in the Preside Radius Administrator, Configuration Dialog, Authentication Methods list.
- Reference the method from a directed realm.

73 Secondary LDAP Searches
- Issue an additional search based on whether a search did or did not find the user in the initial search base
- An OnFound section executes a secondary search after the first returns found
  - Execute second search based on parameters from original search and parameters from original access-request message
  - Execute a search for additional parameters in another branch of the LDAP directory based on the found user
- An OnNotFound section executes a secondary search after the first returns not found
  - Execute a search on a separate branch of the LDAP directory in a secondary attempt to validate the user

74 Decision Tree Processing
- Based on OnFound and OnNotFound portions of an LDAP authentication method
- Develop a process as complex as necessary to suit organization’s needs
[Flowchart labels: Execute initial search; Found? (Yes/No); DSL subscriber? (Yes/No); Dial-up subscriber? (Yes/No); Return DSL Profile; Search an alternate branch; Found? (Yes/No); $ACCEPT; $REJECT]

75 Bind vs. BindName
- Bind
  - Connect to directory as the dial-in user
  - The connection has this user’s rights
- BindName
  - Connect to directory as the same user for all filters; for example an administrative account
  - Directory view does not change from transaction to transaction

76 LDAP Bind Example
- LDAP Bind
- Standard Netscape schema
- Same profile (TheUserProfile) for all Accepts
- [Response] section could be empty
  - Return no attributes in an Accept

77 LDAP BindName Example
- BindName using an administrative account
- LDAP Search for user’s stored credentials
- Standard Netscape schema
- RAS Client is Ascend device
- DNIS callback number returned with Accept

78 LDAP References
- Understanding and Deploying LDAP Directory Services
  Timothy A. Howes, Mark C. Smith, Gordon S. Good
  - Comprehensive
  - Easy to read
  - Defines key terms
- Openldap.org
- Netscape: http://developer.netscape.com/software/tools/index.html?content=ldap.html

79 SQL Authentication

80 SQL Authentication
- RADIUS client
- Preside Radius
- SQL database server
- Any RADIUS attribute can be retrieved from SQL
- Any SQL column can be returned in the response
[Diagram: User, NAS, SQL Server, RADIUS Server]

81 SQL Summary
- Structured Query Language
- A way to read from/write to databases
- Tried and trusted, it’s everywhere
- Suited to fast-changing data (frequent r/w)
- Inflexible format (rows and columns only)
- Map SQL columns to any RADIUS attribute

82 SQL Configuration
- You have user data in a SQL database.
- Create an .aut file that (1) connects to the SQL database and (2) issues a SELECT query to retrieve the password, based on the username.
- Username, password, profile, as well as any desired attribute stored in database
- Execute stored procedures in MSSql, stored functions in Oracle
- Name the authentication method ( InitializationString = )
- Enable .aut file (Enable = 1)
- Stop and restart the Preside Radius server.
- Activate, deactivate, and re-order the method in the Preside Radius Administrator, Configuration Dialog, Authentication Methods list.

83 SQL SELECT
- SELECT is used in the authentication process to retrieve information from the database.
- Preside Radius uses the SELECT statement to return the user’s password, stored in the external database.
- If the password returned from the external database matches the password received in the Access-Request for the user, Preside Radius will accept the connection.
- Sample syntax:

84 SELECT Examples
- SQL Table
- Retrieve only the password from the database:
- Retrieve password and profile from the database:
- Authenticate user only if user’s account is paid:
- In each case:
  - What if the Access-Request contains the credentials Kevin/Test ?
  - What if the Access-Request contains the credentials Mel/Test3 ?
  - What if the Access-Request contains the credentials Nicole/Test4 ?
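
The three lookups listed on this slide, as an added example in Python with SQLite (not from the presentation and not Preside Radius configuration syntax). The table rows, the paid column and the authenticate helper are constructed for illustration; usertable and userprofile follow the names used in the stored procedure slides, and the username is passed as a bound parameter so that whatever arrives in User-Name is compared as a value.

```python
import hmac
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed table: one matching user, one unpaid user, one with a different password."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE usertable ("
        " username TEXT PRIMARY KEY,"
        " password TEXT NOT NULL,"
        " userprofile TEXT,"
        " paid INTEGER NOT NULL)"  # hypothetical column for the 'account is paid' case
    )
    db.executemany(
        "INSERT INTO usertable VALUES (?, ?, ?, ?)",
        [
            ("Kevin", "Test", "BasicDialIn", 1),
            ("Mel", "Test3", "AdvancedDialIn", 0),
            ("Nicole", "Other", "BasicDialIn", 1),
        ],
    )
    return db


def authenticate(db, username, password, want_profile=False, require_paid=False):
    """Return ("accept", profile_or_None) or ("reject", None).

    The SELECT retrieves the stored password by username; the comparison with the
    password from the Access-Request happens outside the database, as slide 83 describes.
    """
    sql = "SELECT password, userprofile FROM usertable WHERE username = ?"
    if require_paid:
        sql += " AND paid = 1"  # an unpaid account returns no row at all
    row = db.execute(sql, (username,)).fetchone()
    if row is None:
        return ("reject", None)
    stored, profile = row
    # Constant-time comparison of the stored and presented passwords.
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return ("reject", None)
    return ("accept", profile if want_profile else None)


if __name__ == "__main__":
    db = build_sample_db()
    for user, pw in [("Kevin", "Test"), ("Mel", "Test3"), ("Nicole", "Test4")]:
        print(user,
              authenticate(db, user, pw),
              authenticate(db, user, pw, want_profile=True),
              authenticate(db, user, pw, require_paid=True))
    # A username containing a quote character is looked up literally and finds no row.
    print(authenticate(db, "Kev'in", "Test"))
```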

85 Stored Procedures: Authentication
- Support of execution of stored procedures in MSSql 7
- Authentication Example:
    SQL= EXECUTE authenticate_user %name/20s, %password/20s
- Returns a profile with the following stored procedure:
    -- Parameter names @un and @pw are assumptions (the originals are missing
    -- from this transcript); they mirror un/pw in the Oracle stored function.
    CREATE PROCEDURE authenticate_user
        @un varchar(20),
        @pw varchar(20)
    AS
        SELECT userprofile FROM usertable
        WHERE username = @un AND password = @pw

86 Stored Procedures: Accounting
- Support of execution of stored procedures in MSSql 7
- Inserts accounting data into accounting table:
    SQL=EXECUTE add_account %transactiontime/20s, \ %TYPE/4s,

87 Stored Functions in Oracle: Authentication
- Support of execution of stored functions in Oracle
- Authentication Example:
    SQL= SELECT authenticate_user (%name/20s, %password/20s) FROM DUAL
- Returns a profile with the following stored function:
    CREATE OR REPLACE FUNCTION authenticate_user (un IN VARCHAR2, pw IN VARCHAR2)
    RETURN VARCHAR2 IS
        profile LONG;
    BEGIN
        SELECT userprofile INTO profile FROM usertable
        WHERE username = un AND password = pw;
        RETURN profile;
    END authenticate_user;
    /

88 Stored Functions in Oracle: Accounting
- Support of execution of stored functions in Oracle
- Inserts accounting data into accounting table:
    SQL=SELECT add_account (%transactiontime/20s, \ %TYPE/4s, FROM DUAL

89 Common SQL Tech Notes
- RD260: Setting up Steel-Belted Radius-NT ODBC to a MS-SQL Server database (http:// /technote.nsf/93d5a611e8cf6ccf f0066e926/104 dab75b858c53f852566b80054d15a?OpenDocument)
- RD212: Oracle SQL setup for Steel-Belted Radius-UNIX (http:// /technote.nsf/93d5a611e8cf6ccf f0066e926/b5ef 55bf97feb5d f2251?OpenDocument)
- RD211: Informix SQL setup for Steel-Belted Radius-UNIX 2.10 (http:// /technote.nsf/93d5a611e8cf6ccf f0066e926/7fcd 8f3a44905a ed591?OpenDocument)
- RD272: Steel-Belted Radius rejects SQL users when the password field is defined as 'char' type (http:// /technote.nsf/93d5a611e8cf6ccf f0066e926/5ba 7f5d40c0981db852566c1001cbb17?OpenDocument)
- RD298: SQL configuration files: database connectivity options (http:// /technote.nsf/93d5a611e8cf6ccf f0066e926/afe3 aad0b7908f ?OpenDocument)

90 SQL References
- The Practical SQL Handbook: Using Structured Query Language 3rd ed
  Judith S. Bowman, Sandra L. Emerson, Marcy Darnovsky
  - Includes sample software on CD-ROM
  - Cross-references different SQL products:
- Oracle
- Microsoft
- Generic Introduction to SQL:

91 Accounting

92 SQL Accounting
- You have billing records in a SQL database.
- Create an .acc file that (1) connects to the SQL database and (2) issues an INSERT query that writes accounting data to it.
- Name the accounting method ( InitializationString = ).
- Enable the accounting method ( Enable = 1 ).
- Stop and restart the Preside Radius server.
- Optionally, you may reference from a directed realm.

93 RADIUS Accounting Attributes
What do they tell us? How are they used?
- On, Off
  These messages tell us about the NAS device. They provide information about the startup or shutdown of a RADIUS client. They enable Preside Radius to notify devices and management tools on the network about the status of the RADIUS client.
- Start, Stop, Interim
  These messages tell us about the user. When a user starts to receive service on the network, these messages provide type-of-connection and other activity information. They give “notice” when the user has stopped using the network. These messages enable us to account for network usage and bill for “consumptive” use. (Flat-rate, monthly billing does not require accounting.)

94 SQL INSERT
- Preside Radius lets you write to an SQL database the specific accounting information that you want to maintain.
- INSERT is the query used to write to the database.
- Any RADIUS accounting attribute listed in Preside Radius’s account.ini file can be used in the INSERT
- Preside Radius also can write the transaction time, full username, NAS name and record type to the database.
  %Value
- Sample syntax:

95 Accounting and Billing
A rudimentary billing system requires only these attributes:
- Acct-Session-ID
  - Connection’s unique identifier
  - Matches STARTs and STOPs
- Acct-Status-Type
  - Start, Stop, Interim, On, Off
- Framed-IP-Address
  - IP address of user’s connection
  - Authentication, accounting attribute
- User-Name
  - The account using the network
  - Authentication, accounting attribute
- Acct-Session-Time
  - For how many seconds did the user receive service?
  - TIME = $ MONEY $
- Acct-Input-Packets, Acct-Output-Packets, Acct-Input-Octets, Acct-Output-Octets
  - What was the volume of network traffic generated by the user?
  - TRAFFIC = $ MONEY $
- Other attributes (including VSAs) provide additional detail.

96 Funk Software Preside Radius 96 INSERT Examples w SQL Table  w A simple INSERT statement might capture: The time of the transaction The username The NAS to which the user connected The type of accounting message The total connect time w Expect to create complex INSERT statements like these:

97 Funk Software Preside Radius 97 Native Accounting Log File
- yyyymmdd.ACT
- comma-delimited
- typical entry (a single line)

98 Funk Software Preside Radius 98 Proxy Radius

99 Funk Software Preside Radius 99 Why Proxy RADIUS?
- Enables outsourcing
- Customer info realm
  - The larger carrier does not get it
  - Customer keeps control of its own data
- Users of Proxy RADIUS
  - AOL, MSN, Compuserve
  - iPass
  - Any organization looking to sell wholesale network access

100 Funk Software Preside Radius 100 Proxy RADIUS BSAC
- BSAC Radius receives request (User-Name =
- BSAC Radius forwards request to server Funk
- Target server authenticates request (User-Name = Carol)
- All realms are treated the same way

101 Funk Software Preside Radius 101 Proxy RADIUS Preside
- Options, options, options...

102 Funk Software Preside Radius 102 Proxy RADIUS Preside
- Preside Radius receives request
  - User-Name =
- Preside Radius checks if it’s hosting the realm
  - If so, Preside Radius authenticates the request
  - If not, the request is forwarded to realm Funk (realm Funk must exist)
- Various options are applied to request
- Request is authenticated
  - User-Name = Carol OR User-Name =

103 Funk Software Preside Radius 103 Preside Proxy Features
- Customer requirements not all the same
- “Sense of self”
  - Support for wholesaling
  - Hosting RADIUS services
- Different ways of routing
  - Username prefix and suffix support
  - DNIS routing
  - Routing by any attribute
  - Multiple hops
- Realm-specific configuration options

104 Funk Software Preside Radius 104 Preside Proxy Features
- Customer requirements not all the same
- Multiple targets
  - Redundancy
  - Load balancing
  - Failure options
- Username handling
  - First Proxy might not be the final stop
  - Outsourcing by the outsourcer
- Attribute filters

105 Funk Software Preside Radius 105 Directed Authentication and Accounting Methods
- Simplify hosting of RADIUS services
- Permit prefix, suffix, or DNIS routing
- Enable individual accounting files for each customer
- Remove requirement for additional RADIUS servers (permit a unique RADIUS configuration for each customer on the same server)
- Leverage investment in SQL or LDAP
- Promote savings on hardware, software, support/maintenance, training, and facilities

106 Funk Software Preside Radius 106 Why Directed Methods?
- Directed Authentication
  - Carriers can host AAA servers for their customers
  - Each realm:
    - Points to a specific auth method only
    - May have specific auth order
  - attempted against Ford’s database only!
- Directed Accounting
  - Customer records handled separately in logfiles or SQL db
  - Simplifies delivery of accounting information to the customer (no Proxy RADIUS needed at customer site)

107 Funk Software Preside Radius 107 Directed Methods Licensing
- 10 licenses with Preside Radius
- Each directed method consumes 1 license
- Authentication, accounting methods are counted individually:
  - 6 authentication plus 4 accounting = 10
  - 1 accounting plus 9 authentication = 10
- Additional 5-packs available
- Add licenses without re-installing Preside Radius

108 Funk Software Preside Radius 108 Filters
- When directing messages to and from Preside Radius realms, filters can be applied that add attribute information to the message or remove it from the message
  - filter.ini defines all filter names and filter rules
  - Filter names are referenced from realm configuration files: .pro and .dir

109 Funk Software Preside Radius 109 Filter Options
- Create Allow, Exclude, or Add attribute rules in filter.ini

      [filtername]
      Allow
      Exclude NAS-Identifier
      Add Idle-Timeout 60

- Reference filternames in realm .pro/.dir files

      [Auth]
      FilterIn=filtername1
      FilterOut=filtername2
      [Acct]
      FilterIn=filtername3
      FilterOut=filtername4

110 Funk Software Preside Radius 110 Troubleshooting and Logging

111 Funk Software Preside Radius 111 Process
- Find out what happened (logs)
- Remove Preside Radius from the picture
- Use configuration checklists
- Use system tools (perfmon, top, event viewer, etc...)

112 Funk Software Preside Radius 112 Activity Log
- yyyymmdd.log
- typical entries
- Sent accept response for user X to client Y
- Unable to find user X with matching password
- Sent reject response
- Shutting down RADIUS Authentication Server
- Starting RADIUS Authentication Server

113 Funk Software Preside Radius 113 Activity Log Details
- All Preside Radius information is in a daily log file (yyyymmdd.log)
- radius.ini controls the level of logging detail in its [Configuration] section
  - LogLevel =
    - 0 = production (sparse)
    - 1 = informational (medium)
    - 2 = debug (verbose)
  - TraceLevel =
    - 0 = no packet tracing
    - 1 = parsed contents of packets are logged
    - 2 = raw contents of packets are logged
- Kept for a number of days set in [Configuration] section of radius.ini

114 Funk Software Preside Radius 114 Accounting Log Details
- All Preside Radius accounting information is in a daily log file (yyyymmdd.act)
- Accounting transactions are also logged to the authentication log file, since accounting start and stop messages impact users’ active sessions
- account.ini controls the attributes logged
- Kept for a number of days set in [Configuration] section of radius.ini
- Comma-separated format for easy importing into other databases or spreadsheet applications
  - Date, Time, RAS-Client, Record-Type, Full-Name, Auth-Type are built in to native accounting
  - All standard RADIUS attributes are listed next by default
  - Depending on the device configured, any VSAs are listed after that
  - Edit account.ini to add/remove any accounting information logged

115 Funk Software Preside Radius 115 Log File Errors
- Errors can be looked at from two perspectives
  - Information contained within a packet may be a source of error
  - Information relative to Preside Radius itself and its connections may be a source of error
- Use TraceLevel=1 or 2 for logging to decode packet errors
- Use LogLevel=1 or 2 for explanatory Preside Radius application errors

116 Funk Software Preside Radius 116 Packet Specific Errors
- Trace packets to decode information that is contained within RADIUS messages
  - Determine whether appropriate attributes are present in packet
  - Determine whether appropriate attribute values are present in packet
  - Determine whether a device is sending valid RADIUS packets

117 Funk Software Preside Radius 117 RADIUS Attributes
- Standard RADIUS: ID, Length, Data
- Vendor-specific: ID, Length, VendorID, then ID, Length, Data (example bytes on the slide: 1a 0e ad)
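An added example, not from the original presentation: a Python walk over the attribute layout on the slide above (ID, Length, Data, plus the type-26 vendor-specific nesting) that reports malformed lengths instead of guessing. The sample bytes are constructed; vendor ID 9 and the sub-attribute contents are assumptions for illustration, and the nested layout is the one RFC 2865 recommends.

```python
import struct

VENDOR_SPECIFIC = 26  # 0x1a, the type byte that opens a vendor-specific attribute

# Constructed attribute bytes (what follows the 20-byte RADIUS header):
#   01 07 "carol"                     User-Name
#   1a 0e 00000009 01 08 "role=1"     VSA: vendor ID 9, sub-attribute type 1
SAMPLE = bytes.fromhex("01076361726f6c" "1a0e00000009" "0108726f6c653d31")
# Same packet, but the inner length byte claims 12 bytes where only 8 remain.
BAD_SUB_LENGTH = bytes.fromhex("01076361726f6c" "1a0e00000009" "010c726f6c653d31")


def read_tlvs(buf, where, errors):
    """Yield (type, data) pairs from ID/Length/Data triples, stopping at damage."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            errors.append(f"{where}: truncated header at offset {pos}")
            return
        kind, length = buf[pos], buf[pos + 1]
        # Length covers the ID and Length bytes too, so anything under 2 is invalid.
        if length < 2 or pos + length > len(buf):
            errors.append(f"{where}: type {kind} at offset {pos} has bad length {length}")
            return
        yield kind, buf[pos + 2:pos + length]
        pos += length


def parse_attributes(buf):
    """Return (attributes, errors) for the attribute section of one packet."""
    attrs, errors = [], []
    for kind, data in read_tlvs(buf, "packet", errors):
        attr = {"type": kind, "data": data}
        if kind == VENDOR_SPECIFIC:
            attr = {"type": kind, "vendor_id": None, "sub": []}
            if len(data) < 4:
                errors.append("packet: VSA too short to hold a vendor ID")
            else:
                (attr["vendor_id"],) = struct.unpack("!I", data[:4])
                where = f"vendor {attr['vendor_id']}"
                # Assumes the RFC 2865 recommended nesting: ID, Length, Data again.
                attr["sub"] = [{"type": t, "data": d}
                               for t, d in read_tlvs(data[4:], where, errors)]
        attrs.append(attr)
    return attrs, errors


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE), ("bad sub-length", BAD_SUB_LENGTH)):
        parsed, problems = parse_attributes(raw)
        print(name, parsed, problems)
```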

118 Funk Software Preside Radius 118 Preside Radius Logging Error Messages
- Preside Radius will log connection attempts to any external databases (SQL, LDAP)
- Log file will record messages transmitted to and from other RADIUS devices
  - Read these to determine if packets are being sent to and from other RADIUS clients, servers
- Configuration issues can be seen here
  - Invalid license strings
  - Failure to load configuration files
  - Failure to execute SQL SELECT and INSERT statements
- Accept and Rejection messages are logged from upstream clients and downstream servers

119 Funk Software Preside Radius 119 Refer to Manual Index
- Example: “Which password protocols does Preside Radius support?”

120 Funk Software Preside Radius 120 Common Tech Notes
- Steel-Belted Radius tech notes found in the support section of
- RD124: Realm name appended to username causes Steel-Belted Radius reject
- RD143: NT RAS Dial-in clients failing authentication while other dial-in clients are authenticated
- RD162: Setting up a SecurID/ACE Server
- RD168: How to Disable CHAP Password on a NT RAS
- RD175: User rights problems when installing on NT PC that is NOT Domain Controller
- RD207: Simple Cisco set up
- RD208: Native Users works, but pass-through authentication doesn’t
- RD219: Need to test Steel-Belted Radius in stand alone mode (testrig)
- RD231: Forgot admin password on Preside Radius UNIX
- RD254: Requirements for persistence mode functionality w/ Steel-Belted Radius v 1.5 and later
- RD259: MS-CHAP authentication supports Preside Radius
- RD260: Setting up Steel-Belted Radius NT ODBC to a MS SQL server database
- RD269: How to decode Radius packets
- RD279: Logging additional attributes to Steel-Belted Radius “*.ACT” files
- RD285: “Matching request found in auth. Cache and cached response being re-sent” log msg

121 Funk Software Preside Radius 121 Common Tech Notes
- RD296: NT Trust Issues across multiple domains; authentication against remote domains
- RD306: Steel-Belted Radius Database Files
- RD311: Limiting NAS access for specific users
- RD334: Definitions for checklist and returnlist attributes
- RD336: Default Ports for Preside Radius
- RD367: License issue for upgrades, etc. (“no valid primary license found”)
- RD369: Radius authentication via PAP or CHAP
- RD371: SQL authentication and accounting for NT 4.0 using MS Access 97
- RD376: Importing flat text users/passwords into Preside Radius
- RD407: Sample “LDAPSEARCH” strings for use with LCI
- RD411: System Requirements for Preside Radius
- RD414: Windows 2000 Set Up considerations – install crashes 79% and get –115 error
- RD417: Recommend Steps for Upgrading Steel-Belted Radius
- RD436: Sample file for authorization against LDAP using Bind
- RD437: Using Bind Name
- RD447: LDAP EXE Files
- RD463: NT Expired Password – Setting up Profiles
- RD291: “Pipe” messages in the Steel-Belted Radius daily activity log

122 Other Features

123 Funk Software Preside Radius 123 Tunnels
- Preside Radius supports the authentication and accounting needs of existing tunnels
- Can store and pass back information the NAS device needs to establish a tunnel connection
- Track number of tunnels in use and compare to maximum number of tunnels allowed

124 Funk Software Preside Radius 124 Tunnel Process
- Preside Radius looks for the Called-Station-ID in the access-request message and looks for a tunnel entry matching this attribute
- Alternately, Preside Radius looks for a tunnel entry matching the username decoration:
  - Username tunnelname
  - Tunnelname username
- Preside Radius can place tunnel-specific attributes into the access-accept message that will enable the NAS device to establish a tunnel connection:
  - Ascend-Tunneling-Protocol
  - Tunnel-Assignment-ID
  - Tunnel-Medium-Type
- Authentication occurs after this point. Successful authentication at the enterprise site will complete the connection

125 Funk Software Preside Radius 125 Auto Restart
- Enables Preside Radius to restart itself whenever it experiences a shutdown
- Disabled by default
  - Stop radius process
  - Edit /etc/rc2.d/S90radius script
  - Uncomment this line:

        # RADIUS="$RADIUSDIR/radiusd --server $RADIUSDIR/radius"

- Runs the radius process as a child of radiusd

126 Funk Software Preside Radius 126 Auto Restart Options
- The child process is polled based on configuration options defined in the radiusd Perl script

      # config
      $ping_interval = 5;
      $max_pong = 17;
      $max_startup = 60;
      $max_shutdown = 60;
      $debug_mode = 0;

- If syslog is available to Perl, all informational, warning and debugging messages are recorded in syslog
  - Optionally, a specific log file can be specified
  - If not specified, and syslog is not available, messages are written to radiusd.log in the radius directory

127 Funk Software Preside Radius 127 Time Of Day Restrictions
- Using the “Allowed-Access-Hours” Funk standard attribute, time-of-day restrictions can be enforced
- Apply this attribute to a native user, a profile, a host OS user/group, or token system user
- Store this attribute/value in LDAP or SQL, apply it to externally authenticated users
  - Time ranges are 24 hour represents 8 AM to 10 PM
  - Day ranges: M, Tu, W, Th, F, Sa, Su
  - M-Th represents Monday through Thursday inclusively
  - Day and time ranges can intermix, but there must be at least one time range for any day that is used
  - Allowed-Access-Hours M-W
  - Allowed-Access-Hours Tu,Th-F
  - Allowed-Access-Hours Sa-Su

128 Funk Software Preside Radius 128 IP Resource Management

129 Funk Software Preside Radius 129 Managing IP Data
- IP Resources can be managed by:
  - Preside Radius
    - Static IP addresses assigned to native users
    - Named Pools of IP addresses that can be associated with a user, a profile, or a NAS device
  - External Databases
    - Store and return specific IP addresses or names of address pools in LDAP or SQL. Preside Radius will then return that IP address (or an IP address in one of its named IP Pools) in the authentication response
    - Enable external applications to manage these data stores
  - Existing DHCP Servers
    - Preside Radius can request IP information from a DHCP server and pass that information back to the NAS device and dial-in client. From then on, the client, NAS, and DHCP server negotiate the IP lease

130 Funk Software Preside Radius 130 IP / IPX Pools Dialog
- Configure Multiple Pools
- Create multiple ranges per pool
- Associate with users, profiles, or NAS

131 Funk Software Preside Radius 131 Static IP Assignment
- Store static IP addresses in your SQL or LDAP database
- Store static IP addresses with native users in Preside Radius
- Return an IP Address from SQL:
  - In [Settings] section of sqlauth.aut:

        SELECT password, ipaddress FROM usertable WHERE username=%name/40

- Return IP Address from LDAP Directory:
  - In [Response] section of ldap.aut:

        [Response]
        Framed-IP-Address = ipaddress

132 Funk Software Preside Radius 132 IP Pool Assignment
- Store IP Pool names in your SQL or LDAP database. Value in database must match existing Preside Radius IP Pool name.
- Return an IP Address Pool Name from SQL:
  - In [Settings] section of sqlauth.aut:

        SELECT password, ipaddresspool FROM usertable WHERE username=%name/40

  - In [Results] section:

        Password=1/48
        Framed-IP-Address=2/48

- Return IP Address Pool name from LDAP Directory:
  - In [Response] section of ldap.aut:

        [Response]
        Framed-IP-Address = ipaddresspool

- IP Pools can also be associated with a Preside Radius-defined profile or a specific NAS device
- If an IP Pool runs out of addresses, users will get rejected

133 Funk Software Preside Radius 133 DHCP Support
- Leverage existing DHCP servers to maintain IP Address management
- Configure dhcp.ini and .dhc files
- Return IP Pool name from external source that corresponds to a DHCP defined pool name.
- RADIUS attributes can be mapped to and from DHCP options in the .dhc file:

      [Request]
      12s = Calling-Station-ID
      60s = "\x01\x02\x03\x04\x05"
      [Reply]
      Framed-IP-Netmask = 1ip
      Framed-MTU = 26n16

134 Funk Software Preside Radius 134 IP Address Leakage
- Addresses assigned through Preside Radius may ‘leak’, or become unavailable for use when:
  - An accounting-stop message is not sent from the NAS
  - A NAS device shuts down unexpectedly
  - Packet loss occurs
  - Device is not configured correctly: i.e. sending accounting packets to a secondary RADIUS server when primary server is available
  - Mis-matched authentication, accounting messages: when phantom and start messages fail to match, phantom sessions may not be removed properly
  - When start and stop messages fail to match, start sessions may not be removed properly

135 Funk Software Preside Radius 135 Solutions
- Leaked addresses will remain so until manually deleted from Current Users list or…
- Preside Radius will automatically release address when another request comes in from the same NAS on the same port:
  - Preside Radius assumes that the previous user can no longer be using the same NAS/port combination
  - Preside Radius clears out all current users associated with a NAS when it receives an accounting-on message from that NAS
- Manually delete remaining sessions
- Use DHCP leasing to lessen the impact of leaked addresses
  - Leased addresses are released back into the pool after configurable time periods
- Stopping Preside Radius, deleting the radads.hst file, and restarting Preside Radius will also delete all current users.
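An added example, not from the original presentation: the release rules on the two slides above (a Start with no Stop, port reuse on the same NAS, accounting-on clearing a NAS) applied to comma-delimited accounting records. The rows are constructed; the four columns after the built-in fields, the date format, and treating a Start record as the "new request" on a port are assumptions for this example.

```python
import csv
import io

# First six columns are the built-in fields the slides name for native
# accounting; the last four and their order are assumed for this example.
COLUMNS = ["Date", "Time", "RAS-Client", "Record-Type", "Full-Name", "Auth-Type",
           "Acct-Session-Id", "NAS-Port", "Framed-IP-Address", "Acct-Session-Time"]

# Constructed records in the style of a yyyymmdd.act file.
SAMPLE_ACT = """\
2001-05-01,08:00:01,nas1,Start,carol,0,A001,3,10.0.0.11,
2001-05-01,08:05:10,nas1,Start,dave,0,A002,4,10.0.0.12,
2001-05-01,08:30:00,nas1,Stop,carol,0,A001,3,10.0.0.11,1799
2001-05-01,09:00:00,nas1,Start,erin,0,A003,4,10.0.0.13,
2001-05-01,09:10:00,nas2,Start,frank,0,B001,1,10.0.1.20,
2001-05-01,09:20:00,nas2,Stop,gina,0,B999,2,10.0.1.21,60
2001-05-01,09:45:00,nas2,On,,0,,,,
2001-05-01,10:00:00,nas1,Start,heidi,0,A004,7,10.0.0.14,
"""


def release(active, key, reason, report):
    """Drop a session that never sent a Stop and record why its address is free."""
    old = active.pop(key)
    report["released"].append((old["Full-Name"], old["Framed-IP-Address"], reason))


def reconcile(act_text):
    """Match Starts to Stops by (NAS, Acct-Session-Id) and apply the release rules."""
    active = {}  # (nas, session id) -> Start row with no Stop seen yet
    report = {"billed": [], "released": [], "unmatched_stops": []}
    for row in csv.DictReader(io.StringIO(act_text), fieldnames=COLUMNS):
        nas, kind = row["RAS-Client"], row["Record-Type"]
        key = (nas, row["Acct-Session-Id"])
        if kind == "Start":
            # A new session on the same NAS/port means the previous user is gone.
            for old_key, old in list(active.items()):
                if old_key[0] == nas and old["NAS-Port"] == row["NAS-Port"]:
                    release(active, old_key, "port-reused", report)
            active[key] = row
        elif kind == "Stop":
            if active.pop(key, None) is None:
                report["unmatched_stops"].append(key)
            else:
                seconds = int(row["Acct-Session-Time"])
                report["billed"].append((row["Full-Name"], seconds))
        elif kind == "On":
            # The NAS restarted, so none of its earlier sessions can still exist.
            for old_key in [k for k in active if k[0] == nas]:
                release(active, old_key, "accounting-on", report)
    # Whatever is left still holds an address; old entries are leak candidates.
    report["open"] = sorted(active)
    return report


if __name__ == "__main__":
    for section, entries in reconcile(SAMPLE_ACT).items():
        print(section, entries)
```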

136 Funk Software Preside Radius 136 Statistics Dialog

137 Funk Software Preside Radius 137 Current Users Dialog

138 Funk Software Preside Radius 138 LCI Reporting Options
- Use the LCI to report current users by client, IP address, Session ID, full name:

      ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions,o=radius" client=*
      ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions,o=radius" ipaddressfrompool=*
      ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions,o=radius" acct-session-id=*
      ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions_by_user,o=radius" fullname=*

- See LCI Schema for more options

139 Funk Software Preside Radius 139 Wildcards – Strings
- Use wildcard values in checklist attributes, extended proxy, and attribute mapping
- The expression for any number of variable characters in a string is the * character.
- For any single character, use the ?
- Precede all strings with ^ to indicate that the string be treated for wildcard values
- Example using a checklist attribute:
  - Calling-Station-Id ^508*
  - Allows user dialing in from anywhere within the 508 area code
  - Set multiple Calling-Station-Id checklist attributes to enable more area codes

140 Funk Software Preside Radius 140 Wildcards – IP Numbers
- Use IP wildcards to filter checklist attributes by network
- IP Numbers are wildcarded by class notation: represents through represents through represents through

141 Funk Software Preside Radius 141 Blacklisting
- Automatically reject any user that fits a defined profile
- Create the profile to be blacklisted
- Add that profile name to blacklist.ini
- From that point on, an administrator can automatically reject an authentication request based on any standard RADIUS, Funk-standard, or vendor-specific attribute

142 Funk Software Preside Radius 142 Account Lockout
- User accounts can be configured to lock after a configurable number of failed attempts
- Lock is released after either:
  - Configurable time period has elapsed
  - Administrator manually unlocks account
- All options administered in lockout.ini

143 LCI LDAP Command Interface

144 Funk Software Preside Radius 144 LCI LDAP Summary
- Change Passwords
- Add clients, users
- Add tunnels, IP pools
- Search current user list
- Find and modify any aspect of Preside Radius that the administrative program provides
  - ldapsearch.exe

        ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -s sub -T -b "o=radius" objectclass=*

  - ldapmodify.exe

        ldapmodify -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f

  - ldapadd.exe

        ldapadd -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f

145 Funk Software Preside Radius 145 LCI Schema (1)

146 Funk Software Preside Radius 146 LCI Schema (2)

147 Funk Software Preside Radius 147 LCI Schema (3)

148 Funk Software Preside Radius 148 ldapsearch Options
- -V 2
  - The version 2 dialect of LDAP is to be used to communicate with the server
- -p 354
  - TCP port 354 is to be used to communicate with the LDAP interface of the server. The -p value must match the TCPPort setting in the [LDAP] section of radius.ini. If the -p option is not specified, the default port number for the server and the LDAP utilities is used (port 389)
- -D "cn=oper,o=radius"
  - The command will be authenticated using an administrative account called oper
- -w radadmin
  - The command is providing an authentication password of radadmin
- -h
  - To search a remote host, insert the host’s IP address after the -h option
- -s sub
  - Recursion is to be used starting at the base
- -T
  - To make the output more readable, long output lines are not to be continued on the next line
- -b "radiusclass=Client,o=radius"
  - This is the base at which the search operation is to begin
- radiusname=*
  - This is the criteria which matched objects must satisfy

149 Funk Software Preside Radius 149 ldapmodify, ldapadd Options
- -c
  - The command is to run in continuous mode; it will not stop on errors
- -V 2
  - The version 2 dialect of LDAP is to be used to communicate with the server
- -p 354
  - TCP port 354 is to be used to communicate with the LDAP interface of the server. The -p value must match the TCPPort setting in the [LDAP] section of radius.ini. If the -p option is not specified, the default port number for the Preside Radius server and the LDAP utilities is used (port 389)
- -D "cn=oper,o=radius"
  - The command will be authenticated using an administrative account called oper
- -w radadmin
  - The command is providing an authentication password of radadmin
- -h
  - To search a remote host, insert the host’s IP address after the -h option
- -f
  - This is the input LDIF file to process

150 Funk Software Preside Radius 150 LCI Reporting Options
- Use the LCI to report on current users by client, IP address, Session ID, full name:

      ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions_by_user,o=radius" client=*
      ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions_by_ipaddress,o=radius" framed-ip-address=*
      ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions_by_user,o=radius" acct-session-id=*
      ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions_by_user,o=radius" fullname=*

151 Funk Software Preside Radius 151 LDIF Example
- This file will add a proxy target to Preside Radius
- Store this text as addproxy.ldif
- ldapmodify -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f addproxy.ldif

      dn: radiusname=PROXYTARGET,radiusclass=Proxy,o=radius
      changetype: add
      ip-address:
      accounting: both
      retry-count: 3
      retry-timeout: 5000
      shared-secret: testing123
      include-in-auth-list: no

152 Funk Software Preside Radius 152 LDIF Example
- This file will add a user to Preside Radius
- Store this text as adduser.ldif
- ldapadd -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f adduser.ldif

      dn: radiusname=PASSERVER,radiusclass=Proxy,o=radius
      changetype: add
      ip-address:
      accounting: both
      retry-count: 3
      retry-timeout: 5000
      shared-secret: testing123
      include-in-auth-list: no

153 End

