Creating a RADIUS configuration file

To use a RADIUS server for authentication, create a configuration file in UTF-8 encoding. Include information about the authentication server as shown in the following example. Any file name and extension is allowed. If an authorization server is not used, you do not need to define the items for it.

Caution If you save the configuration file when using the Windows standard Notepad application, specify ANSI for the letter code. If you use an editor other than the memo pad and have the YTF-8 BOM setting, specify No BOM then save. 
auth.server.type=radius 
auth.server.name=server-name
auth.group.mapping=value
auth.radius.server-name.attribute=value
auth.group.domain-name.attribute=value

A full example is shown below: 

auth.server.type=radius 
auth.server.name=PrimaryServer 
auth.group.mapping=true 
auth.radius.PrimaryServer.protocol=pap 
auth.radius.PrimaryServer.host=xxx.xxx.xxx.xxx 
auth.radius.PrimaryServer.port=1812 
auth.radius.PrimaryServer.timeout=3 
auth.radius.PrimaryServer.secret=secretword 
auth.radius.PrimaryServer.retry.times=3 
auth.radius.PrimaryServer.attr.NAS-Identifier=xxxxxxxx 
auth.group.auth.radius.PrimaryServer.domain.name=radius.example.com 
auth.group.auth.radius.PrimaryServer.domain.name.protocol=ldap 
auth.group.auth.radius.PrimaryServer.domain.name.host=xxx.xxx.xxx.xxx 
auth.group.auth.radius.PrimaryServer.domain.name.port=386 
auth.group.auth.radius.PrimaryServer.domain.name.searchdn=CN=sample1,CN=Users,DC=domain,DC=local 
auth.group.auth.radius.PrimaryServer.domain.name.searchpw=password 
auth.ldap.PrimaryServer.basedn=CN=Users,DC=domain,DC=local

The attributes are defined in the following tables.

Table 1: RADIUS definition (for authentication server)
Attribute Description Required / Optional Default value
auth.server.type Type of an authentication server. Specify radius. Required None
auth.server.name The name of an authentication server.

When registering a primary and secondary server, use a comma to separate the names. The name of the server, including the primary name, secondary name, and the comma (1 byte) must be 64 bytes or less.

The names can use all ASCII code characters except for the following:

\ / : , ; * ? " < > | $ % & ' ˜

In this manual, the value specified here is called server-name hereafter.

Required None
auth.group.mapping Information about whether to work together with an authorization server
  • true: Works together
  • false: Does not work together
Optional False
auth.radius.server-name.protocol RADIUS protocol to use.
  • PAP: Password authentication protocol that transmits plaintext user ID and password
  • CHAP: Challenge-handshake authentication protocol that transmits encrypted password
Required None
auth.radius.server-name.host A host name, an IPv4 address or an IPv6 address of the RADIUS server. An IPv6 address must be enclosed in square brackets. Required None
auth.radius.server-name.port A port number of the RADIUS server.

Must be between 1 and 65,535.1

Optional 1,812
auth.radius.server-name.timeout

The number of seconds before the connection to the RADIUS server times out.

Must be between 1 and 30.2

Optional 10
auth.radius.server-name.secret RADIUS secret key used for PAP or CHAP authentication Required None
auth.radius.server-name.retry.times

Retry times when the connection to the RADIUS server fails.

Must be between 0 and 3. 0 means no retry.1

Optional 3
auth.radius.server-name.attr.NASIdentifier Identifier for the RADIUS server to find SVP. Specify this value if the attr.NAS-Identifier attribute is used in your RADIUS environment. ASCII codes up to 253 bytes long are accepted. Optional2 None
auth.radius.server-name.attr.NAS-IPv4-Address IPv4 address of the SVP. Specify the value of the NAS-IP-Address attribute. This value is transmitted to the RADIUS server when the authentication is requested. Optional2 None
auth.radius.server-name.attr.NAS-IPv6-Address IPv6 address of the SVP. Specify the value of the NAS-IPv6-Address attribute. This value is transmitted to the RADIUS server when the authentication is requested. Optional2 None

Notes:

  1. If the specified value is not applicable, the default value will be used.
  2. When NAS modules are installed, set NAS-Identifier, NAS-IP-Address, or NAS-IPv6-Address.

Table 2: RADIUS definition (for authorization server)
Attribute Description Required / Optional Default value
auth.radius.server-name.domain.name A domain name that the LDAP server manages. In this manual, the value specified here is called domain-name hereafter. Required None

auth.radius.server-name.dns_lookup

Information about whether to search the LDAP server with the information registered in the SRV records in the DNS server.
  • true: Searches with the information registered in the SRV records in the DNS server
  • false: Searches with the host name and port number.
When "host" and "port" are specified, the LDAP server is not searched with the information registered in the SRV records by specifying "true". 		Optional false

auth.radius.domain-name.protocol

LDAP protocol to use.
  • ldaps: Uses LDAP over SSL/TLS.
  • starttls: Uses StartTLS.
When you choose ldap, specify "true" to "auth.radius.domain-name.dns_lookup" 		Required None

auth.radius.domain-name.host

A host name, an IPv4 address or an IPv6 address of the LDAP server. An IPv6 address must be enclosed in square brackets ([ ]). Optional1 None

auth.radius.domain-name.port

A port number of the LDAP server.

Must be between 1 and 65535.2

Optional 389

auth.radius.domain-name.searchdn

DN of the user for searching. Required None
auth.radius.domain-name.searchpw User password for searching. Specify the same password that is registered in the LDAP server. Required None
auth.radius.domain-name.basedn Base DN for searching for users to authenticate. Specify DN of the hierarchy, including all the users for searching because the targeted users for searching are in lower hierarchy than the specified DN.3 Optional abbr
auth.radius.domain-name.timeout The number of seconds before the connection to the LDAP server times out. Must be between 1 and 302. Optional 10
auth.radius.domain-name.retry.interval Retry interval in seconds when the connection to the LDAP server fails. Must be between 1 and 5.2 Optional 1
auth.radius.domain-name.retry.times Retry times when the connection to the LDAP server fails. Must be between 0 and 3. 0 means no retry.2 Optional 3

Notes:

  1. The item can be omitted if true is specified for "auth.ldap.server-name.dns_lookup".
  2. If the specified value is not valid, the default value will be used.
  3. To use symbols such as + ; , < = and >, enter a backslash (\) before each symbol. When using multiple symbols, each symbol must have a backslash before it. For example, to enter abc++ in the searchdn field, use \+ instead of + as shown here: abc\+\+

    To enter \ , /, or ", enter a backslash and then the ASCII code in hex for these symbols.

    • Enter \5c for \.
    • Enter \2f for /.
    • Enter \22 for "

    For example, to enter abc\ in the searchdn field, enter abc\5c.

Parent Topic
  • Creating configuration files

    Authentication servers and authorization servers must be configured using configuration files. Configuration files can be created for LDAP, RADIUS, and Kerberos authentication protocols.