Creating a RADIUS configuration file
To use a RADIUS server for authentication, create a UTF-8 encoded configuration file that describes the authentication server, as shown in the following example. Any file name and extension are allowed; lines beginning with # are comments. If an authorization (LDAP) server is not used, you do not need to define the items for it. Note that the file holds the RADIUS shared secret and the LDAP search password in clear text, so restrict read access to the administrators who prepare and upload it.
#Comment
auth.server.type=radius
auth.server.name=<server_name>
auth.group.mapping=<value>
auth.radius.<server_name>.<attribute>=<value>
auth.group.<domain_name>.<attribute>=<value>
A full example is shown below (xxx.xxx.xxx.xxx and xxxxxxxx are placeholders for the real addresses and NAS-Identifier). The authorization-server keys follow the auth.group.<domain_name>.<attribute> form, where <domain_name> is the value given in auth.radius.<server_name>.domain.name:
auth.server.type=radius
auth.server.name=PrimaryServer
auth.group.mapping=true
auth.radius.PrimaryServer.protocol=pap
auth.radius.PrimaryServer.host=xxx.xxx.xxx.xxx
auth.radius.PrimaryServer.port=1812
auth.radius.PrimaryServer.timeout=3
auth.radius.PrimaryServer.secret=secretword
auth.radius.PrimaryServer.retry.times=3
auth.radius.PrimaryServer.attr.NAS-Identifier=xxxxxxxx
auth.radius.PrimaryServer.domain.name=radius.example.com
auth.group.radius.example.com.protocol=ldap
auth.group.radius.example.com.host=xxx.xxx.xxx.xxx
auth.group.radius.example.com.port=389
auth.group.radius.example.com.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.radius.example.com.searchpw=password
auth.group.radius.example.com.basedn=CN=Users,DC=domain,DC=local
The attributes are defined in the following tables.
RADIUS definition (for authentication server)

| Attribute | Description | Required/Optional | Default value |
|---|---|---|---|
| auth.server.type | Type of authentication server. Specify radius. | Required | None |
| auth.server.name | Name of the authentication server. When registering a primary and a secondary server, separate the two names with a comma (,). The whole value (primary name, secondary name and the 1-byte comma) must be 64 bytes or less. Names may use any ASCII characters except the following: \ / : , ; * ? " < > \| $ % & ' ~ In this manual the value specified here is referred to as <server_name>. | Required | None |
| auth.group.mapping | Whether to work together with an authorization server (true or false). | Optional | false |
| auth.radius.<server_name>.protocol | RADIUS authentication protocol to use (pap or chap). | Required | None |
| auth.radius.<server_name>.host | Host name, IPv4 address or IPv6 address of the RADIUS server. An IPv6 address must be enclosed in square brackets []. | Required | None |
| auth.radius.<server_name>.port | Port number of the RADIUS server. Must be between 1 and 65535. (Note 1) | Optional | 1812 |
| auth.radius.<server_name>.timeout | Number of seconds before the connection to the RADIUS server times out. Must be between 1 and 30. (Note 1) | Optional | 10 |
| auth.radius.<server_name>.secret | RADIUS shared secret used for PAP or CHAP authentication. It must match the secret configured for this SVP (the RADIUS client) on the RADIUS server. | Required | None |
| auth.radius.<server_name>.retry.times | Number of retries when the connection to the RADIUS server fails. Must be between 0 and 3; 0 means no retry. (Note 1) | Optional | 3 |
| auth.radius.<server_name>.attr.NAS-Identifier | Identifier by which the RADIUS server recognizes the SVP, sent as the NAS-Identifier attribute. Specify this value if the NAS-Identifier attribute is used in your RADIUS environment. Up to 253 bytes of ASCII characters. | Optional (Note 2) | None |
| auth.radius.<server_name>.attr.NAS-IP-Address | IPv4 address of the SVP, sent as the NAS-IP-Address attribute in the authentication request. | Optional (Note 2) | None |
| auth.radius.<server_name>.attr.NAS-IPv6-Address | IPv6 address of the SVP, sent as the NAS-IPv6-Address attribute in the authentication request. | Optional (Note 2) | None |

Notes:
1. If the specified value is not valid, the default value is used.
2. Set one of NAS-Identifier, NAS-IP-Address or NAS-IPv6-Address.
RADIUS definition (for authorization server)

| Attribute | Description | Required/Optional | Default value |
|---|---|---|---|
| auth.radius.<server_name>.domain.name | Domain name that the LDAP server manages. In this manual the value specified here is referred to as <domain_name>. | Required | None |
| auth.radius.<server_name>.dns_lookup | Whether to locate the LDAP server from the SRV records registered in the DNS server. If host and port are specified, the SRV records are not consulted even when this is set to true. | Optional | false |
| auth.group.<domain_name>.protocol | LDAP protocol to use. | Required | None |
| auth.group.<domain_name>.host | Host name, IPv4 address or IPv6 address of the LDAP server. An IPv6 address must be enclosed in square brackets []. | Optional (Note 1) | None |
| auth.group.<domain_name>.port | Port number of the LDAP server. Must be between 1 and 65535. (Note 2) | Optional | 389 |
| auth.group.<domain_name>.searchdn | DN of the user account used to search the directory. (Note 3) | Required | None |
| auth.group.<domain_name>.searchpw | Password of the search user. Specify the same password that is registered in the LDAP server. | Required | None |
| auth.group.<domain_name>.basedn | Base DN for searching for the users to authenticate. Specify the DN of a hierarchy that contains all the users to be searched, because only entries below the specified DN are searched. (Note 3) | Optional | None |
| auth.group.<domain_name>.timeout | Number of seconds before the connection to the LDAP server times out. Must be between 1 and 30. (Note 2) | Optional | 10 |
| auth.group.<domain_name>.retry.interval | Retry interval in seconds when the connection to the LDAP server fails. Must be between 1 and 5. (Note 2) | Optional | 1 |
| auth.group.<domain_name>.retry.times | Number of retries when the connection to the LDAP server fails. Must be between 0 and 3; 0 means no retry. (Note 2) | Optional | 3 |

Notes:
1. If host is omitted, the LDAP server must be located through the DNS SRV records (dns_lookup=true).
2. If the specified value is not valid, the default value is used.
3. To enter \, / or " in a DN, enter a backslash followed by the hexadecimal ASCII code of the character. For example, to enter abc\ in the searchdn field, enter abc\5c.
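The following example, added for this page and not code from the product or its documentation, parses a file in this format and checks it against the rules in the two tables above: the required keys, the numeric ranges, the server-name length and character rules, the "set one of NAS-Identifier / NAS-IP-Address / NAS-IPv6-Address" note, the bracket rule for IPv6 hosts, the authorization keys that become mandatory when auth.group.mapping=true, and the backslash-hex escape for DN values. The sample file, the addresses 192.0.2.10 and 2001:db8::10 and the identifier svp01 are constructed for the example; treating host as required unless dns_lookup=true is the reading of the dns_lookup description above, not a rule the page states verbatim.

```python
"""Parser/validator for the SVP-style RADIUS configuration file (added example, not the
product's code); the rules come from the two attribute tables above. SAMPLE is constructed."""
import ipaddress

FORBIDDEN_NAME_CHARS = set('\\/:,;*?"<>|$%&\'~')
NAS_ATTRS = ("attr.NAS-Identifier", "attr.NAS-IP-Address", "attr.NAS-IPv6-Address")
RADIUS_RANGES = {"port": (1, 65535), "timeout": (1, 30), "retry.times": (0, 3)}
LDAP_RANGES = {**RADIUS_RANGES, "retry.interval": (1, 5)}

def parse(text):
    """Return {key: value}; '#' lines are comments; the value is all text after the first '='."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            if "=" not in line:
                raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def escape_dn(value):
    """Table note: write \\, / and \" as a backslash plus the hex ASCII code (abc\\ -> abc\\5c)."""
    return "".join(f"\\{ord(c):02x}" if c in '\\/"' else c for c in value)

def host_ok(value):
    """Host names and IPv4 addresses pass; an IPv6 literal is accepted only inside []."""
    bracketed = value.startswith("[") and value.endswith("]")
    try:
        ipaddress.IPv6Address(value[1:-1] if bracketed else value)
        return bracketed
    except ValueError:
        return bool(value) and not bracketed

def validate(conf):
    """Return a list of problems; an empty list means the file satisfies the documented rules."""
    problems = []
    def need(key):
        if not conf.get(key):
            problems.append(f"{key}: required")
    def check_common(prefix, ranges):
        host = conf.get(prefix + "host")
        if host is not None and not host_ok(host):
            problems.append(f"{prefix}host: IPv6 address must be enclosed in []")
        for k, (lo, hi) in ranges.items():
            v = conf.get(prefix + k)
            if v is not None and not (v.isdigit() and lo <= int(v) <= hi):
                problems.append(f"{prefix}{k}: must be an integer in {lo}..{hi} (else the default is used)")
    if conf.get("auth.server.type") != "radius":
        problems.append("auth.server.type: must be radius")
    name_field = conf.get("auth.server.name", "")
    names = [n for n in name_field.split(",") if n]
    if not names:
        problems.append("auth.server.name: required")
    if len(name_field.encode()) > 64:
        problems.append("auth.server.name: longer than 64 bytes including the comma")
    for n in names:
        if not n.isascii() or set(n) & FORBIDDEN_NAME_CHARS:
            problems.append(f"auth.server.name: {n!r} contains a non-ASCII or forbidden character")
    mapping = conf.get("auth.group.mapping", "false") == "true"
    for n in names:
        p = f"auth.radius.{n}."
        for k in ("protocol", "host", "secret"):
            need(p + k)
        check_common(p, RADIUS_RANGES)
        if not any(p + a in conf for a in NAS_ATTRS):
            problems.append(f"{p}attr.*: set one of {', '.join(NAS_ATTRS)}")
        if not mapping:
            continue
        domain = conf.get(p + "domain.name")
        if not domain:
            problems.append(f"{p}domain.name: required when auth.group.mapping=true")
            continue
        g = f"auth.group.{domain}."
        for k in ("protocol", "searchdn", "searchpw"):
            need(g + k)
        if g + "host" not in conf and conf.get(p + "dns_lookup") != "true":
            problems.append(f"{g}host: required unless {p}dns_lookup=true")
        check_common(g, LDAP_RANGES)
    return problems

SAMPLE = """\
# constructed sample based on the page's full example; addresses are documentation ranges
auth.server.type=radius
auth.server.name=PrimaryServer
auth.group.mapping=true
auth.radius.PrimaryServer.protocol=pap
auth.radius.PrimaryServer.host=192.0.2.10
auth.radius.PrimaryServer.port=1812
auth.radius.PrimaryServer.timeout=3
auth.radius.PrimaryServer.secret=secretword
auth.radius.PrimaryServer.attr.NAS-Identifier=svp01
auth.radius.PrimaryServer.domain.name=radius.example.com
auth.group.radius.example.com.protocol=ldap
auth.group.radius.example.com.host=[2001:db8::10]
auth.group.radius.example.com.port=389
auth.group.radius.example.com.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.radius.example.com.searchpw=password
"""
```

Run validate(parse(open(path, encoding="utf-8").read())) on a file before uploading it; an empty list means every documented constraint holds, while out-of-range numbers are reported even though the product would silently fall back to the default, since a silently ignored timeout or retry count is usually a mistake. escape_dn("abc\\") returns abc\5c, the form the table note asks for in searchdn.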