netserver_appendix_2_6.0.0 [2014/06/19 20:03]
ybarajas [Third-Party RADIUS Configurations]
netserver_appendix_2_6.0.0 [2014/06/19 20:05] (current)
ybarajas [Third-Party RADIUS Configurations]
====== Third-Party RADIUS Configurations ======

This section provides configuration instructions for several different third-party RADIUS products. These configurations allow the RADIUS server to route iPass traffic to the NetServer, which in turn routes it to the iPass Transaction Centers for authentication. Use these instructions only when configuring RADIUS in environments where the NetServer is installed behind the RADIUS server.

If your network configuration requires the NetServer to be in any other location relative to your NAS and RADIUS servers, you will need to change your configuration accordingly. For further information on this, please consult the documentation provided with your server software.

This help page includes information on the following:

  * **[[netserver_appendix_2_6.0.0#radiator|RADIATOR]]**
  * **[[netserver_appendix_2_6.0.0#freeradius|FreeRADIUS]]**
  * **[[netserver_appendix_2_6.0.0#dtc_radius|DTC RADIUS]]**
  * **[[netserver_appendix_2_6.0.0#cistron_radius|Cistron RADIUS]]**

<note important>NetServer supports many varieties of RADIUS server. The instructions found here do not imply that iPass endorses a particular RADIUS solution; they are provided only as a helpful reference as it relates to NetServer operation. Always consult your RADIUS server's documentation for the most current and complete information on configuring your RADIUS server.</note>
===== RADIATOR =====

iPass providers who use RADIATOR can choose between two different methods of configuration.

==== Configuring RADIATOR Using the IPASS/ Prefix ====

To configure RADIATOR to route iPass traffic based on the IPASS/ prefix, you will need to alter your RADIATOR configuration file, radius.cfg.

**1.** Add entries to the clients list in the radius.cfg file.

In the radius.cfg file (/etc/raddb/radius.cfg), there will be a section containing your clients list. For each client, this file will have a section that looks similar to the example below. To allow RADIATOR to route iPass traffic to the NetServer, add the RewriteUsername line shown below to the very bottom of every distinct client entry in this file:

<code>
<Client 123.456.789.0>
    Secret the-secret-we-share-with-NAS's
    RewriteUsername s/^IPASS\/([^@]+)\@([^@]+)$/IPASS\/$1#$2\@myipass/
</Client>
</code>

This entry causes RADIATOR to append @myipass to the username of all iPass users. In addition, the first @ in the username is changed to a # sign, so the user's original domain is carried along inside the username while RADIATOR selects the realm on the trailing @myipass.

**2.** Add entries to the Realm list in the radius.cfg file.

In the radius.cfg file (/etc/raddb/radius.cfg), there will also be a section containing your realm list. This section lists all of the realms known to RADIATOR, and defines how they are handled. Add the following entry to the realm list section. It can be placed anywhere within the section, provided it is placed above the DEFAULT realm entry.

<code>
<Realm myipass>
    AcctLogFileName %L/ipass/detail
    RewriteUsername s/^IPASS\/([^#]+)\#([^@]+)\@myipass$/IPASS\/$1\@$2/
    <AuthBy RADIUS>
        Host 123.456.789.0
        AuthPort 11812
        AcctPort 11813
        Secret mysecret
    </AuthBy>
</Realm>
</code>

This entry instructs RADIATOR to handle the @myipass realm by stripping @myipass off the username and rewriting it in its original format (IPASS/user@domain) before proxying it to the NetServer. This means that we do not need the DEFAULT realm, and our proxy will be handled before any Handler clauses.

The shared secret listed in the entry above must be the same value as the secret of the NetServer found in the ipassNS.properties file of your NetServer.

When you have finished editing radius.cfg, save and exit the file. Then restart RADIATOR to allow these changes to take effect.
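To check what the two RewriteUsername substitutions above do to an iPass username end to end, here is an added Python model of the flow (example code written for this page, not part of the original page or of RADIATOR). It applies the Client-clause rewrite, picks the realm the way RADIATOR does (from the text after the last @), and then applies the Realm myipass rewrite; the sample usernames are constructed.

```python
import re

# The two substitutions from the radius.cfg examples above, written as Python
# regexes (the page's Perl-style s/.../.../ rules with the escaping removed).
CLIENT_REWRITE = (re.compile(r"^IPASS/([^@]+)@([^@]+)$"), r"IPASS/\1#\2@myipass")
REALM_REWRITE = (re.compile(r"^IPASS/([^#]+)#([^@]+)@myipass$"), r"IPASS/\1@\2")


def rewrite(username, rule):
    """Apply one RewriteUsername rule. A name the pattern does not match is
    returned unchanged, just as Radiator leaves it when s/// does not match."""
    pattern, replacement = rule
    return pattern.sub(replacement, username)


def realm_of(username):
    """Radiator takes the realm from the text after the last '@'. A username
    without '@' has no realm and would fall through to a DEFAULT realm, if any."""
    return username.rsplit("@", 1)[1] if "@" in username else None


def route(username):
    """Simulate one request through the configuration on this page:
    <Client> rewrite -> realm selection -> <Realm myipass> rewrite.
    Returns (realm that handles the request, username as it is proxied)."""
    after_client = rewrite(username, CLIENT_REWRITE)
    realm = realm_of(after_client)
    if realm == "myipass":
        # Inside <Realm myipass> the temporary @myipass suffix is removed and the
        # '#' becomes '@' again, so the NetServer receives the original name.
        return realm, rewrite(after_client, REALM_REWRITE)
    # Any other name is untouched by the iPass rules and handled by its own realm.
    return realm, after_client


if __name__ == "__main__":
    # Constructed samples: an iPass roaming user, a local user, an iPass name
    # with no '@' (not matched by the Client rule), and a name that already
    # ends in @myipass without the IPASS/ prefix.
    for name in ("IPASS/alice@example.com", "bob@example.com",
                 "IPASS/carol", "dave@myipass"):
        print(f"{name!r:28} -> {route(name)}")
```

Two things the model makes visible: the Realm rewrite only undoes what the Client rewrite produced (it requires the IPASS/ prefix and the # separator), and the realm is chosen purely on the trailing @myipass, so a name that arrives already ending in @myipass is also sent to the myipass realm, unchanged.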

----

==== Configuring RADIATOR Using the DEFAULT Realm ====

If it is not possible to configure RADIATOR to recognize the IPASS/ prefix (for example, if you are using an older version of the software), you may opt to route iPass traffic based on a DEFAULT realm. You may only use this option if you are not already using the DEFAULT realm, and you have defined all other realms for which traffic is received by RADIATOR.

If not all other realms are defined, all users with undefined domains will be routed to the NetServer. To use this configuration, add the following entry as the final realm in the Realm section of the radius.cfg file (/etc/raddb/radius.cfg):

<code>
<Realm DEFAULT>
    <AuthBy RADIUS>
        Host 123.456.789.0
        AuthPort 11812
        AcctPort 11813
        Secret mysecret
    </AuthBy>
</Realm>
</code>

The shared secret listed in the entry must be the same value as the secret of the NetServer found in the ipassNS.properties file of your NetServer.

When you have finished, restart RADIATOR to allow these changes to take effect.

===== FreeRADIUS =====

iPass providers using FreeRADIUS will need to edit the <path to radius>/raddb/sites-enabled/default, <path to radius>/raddb/modules/realm, and <path to radius>/raddb/proxy.conf configuration files to allow iPass traffic to travel through their network.

**1.** Edit the realm section of your **<path to radius>/raddb/modules/realm** file.

Within the <path to radius>/raddb/modules/realm file, there will be a section containing your realm list. This section lists all of the realms known to FreeRADIUS, and defines how they are handled. To enable FreeRADIUS to recognize the IPASS/ prefix, make sure the following is uncommented in the realm file (and please add it if it is not present):

<code>
realm IPASS {
    format = prefix
    delimiter = "/"
}
</code>

**2.** Edit the authorization section of your **<path to radius>/raddb/sites-enabled/default** file.

Within the <path to radius>/raddb/sites-enabled/default file, there will also be an authorization section. This section defines how FreeRADIUS authorizes users. You will want to ensure that the listings in this section are in the order shown below to allow FreeRADIUS to perform authorization properly. The entry below allows FreeRADIUS to preprocess all users against the hints or huntgroups files, then to process all realms, and finally to look in the users file. The order of the realm modules determines the order in which FreeRADIUS tries to find a matching realm. You will need to add an entry for the IPASS/ prefix above the line for the suffix module to allow these users to be processed first (otherwise the suffix module would match on the domain after the @ in the username and route the request to that realm instead). When complete, this section should look similar to the example below:

<code>
authorize {
    preprocess
    IPASS
    suffix
    files
}
</code>

**3.** Edit the pre-accounting section of your **<path to radius>/raddb/sites-enabled/default** file.

Another section you will need to edit in the <path to radius>/raddb/sites-enabled/default file is the pre-accounting section. The following entry allows FreeRADIUS to look for a proxy realm in the order in which each realm module is listed, then to look at the acct_users file, and finally to preprocess users using the hints file. You will need to add an entry for the IPASS/ prefix above the line for the suffix module to allow these users to be processed first. When complete, this section should look similar to the example below:

<code>
preacct {
    IPASS
    suffix
    files
    preprocess
}
</code>
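The module-ordering point in steps 2 and 3, the effect of the nostrip keyword in step 5, and the DEFAULT-realm caveat from the RADIATOR section can all be exercised with the added Python model below. It is example code written for this page and a deliberately simplified picture of the FreeRADIUS realm module, not FreeRADIUS's own logic: a prefix realm splits on the first delimiter, a suffix realm on the last, modules are tried in authorize order, a realm that is missing from proxy.conf falls back to DEFAULT when one is defined, and nostrip forwards the full username. The proxy.conf map, the 192.0.2.10 server, and the usernames are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RealmModule:
    """One realm-module instance as it is listed in authorize {} or preacct {}."""
    name: str
    format: str      # "prefix" or "suffix"
    delimiter: str


# The module instances from this page: the IPASS prefix realm and the stock suffix realm.
IPASS = RealmModule("IPASS", "prefix", "/")
SUFFIX = RealmModule("suffix", "suffix", "@")

# Constructed proxy.conf: the page's IPASS entry (nostrip) plus one ordinary
# domain realm served by another host (192.0.2.10 is a documentation address).
PROXY_CONF = {
    "IPASS": {"authhost": "IP.Address.of.NetServer:11812", "nostrip": True},
    "example.com": {"authhost": "192.0.2.10:1812", "nostrip": False},
}

# The same map with a DEFAULT realm pointing at the NetServer, to show what the
# "all users with undefined domains will be routed to the NetServer" caveat means.
PROXY_CONF_WITH_DEFAULT = dict(PROXY_CONF)
PROXY_CONF_WITH_DEFAULT["DEFAULT"] = {"authhost": "IP.Address.of.NetServer:11812", "nostrip": True}


def split_realm(username, module):
    """Return (realm, remainder) if the module's delimiter is present, else None."""
    if module.delimiter not in username:
        return None
    if module.format == "prefix":
        realm, rest = username.split(module.delimiter, 1)
    else:
        rest, realm = username.rsplit(module.delimiter, 1)
    return realm, rest


def select_realm(username, modules, proxy_conf=PROXY_CONF):
    """Walk the realm modules in the configured order and return
    (realm name, authhost, username as forwarded to that host), or None when
    no module claims the request and it is handled locally (the users file)."""
    for module in modules:
        parsed = split_realm(username, module)
        if parsed is None:
            continue                                  # delimiter absent: module is a no-op
        realm, rest = parsed
        entry = proxy_conf.get(realm)
        if entry is None:
            entry = proxy_conf.get("DEFAULT")         # undefined realm: DEFAULT catches it
            if entry is None:
                continue
        forwarded = username if entry["nostrip"] else rest
        return realm, entry["authhost"], forwarded
    return None


if __name__ == "__main__":
    user = "IPASS/alice@example.com"
    print("IPASS above suffix:", select_realm(user, [IPASS, SUFFIX]))
    print("suffix above IPASS:", select_realm(user, [SUFFIX, IPASS]))
    print("no DEFAULT realm:  ", select_realm("carol@unknown.example", [IPASS, SUFFIX]))
    print("with DEFAULT realm:", select_realm("carol@unknown.example", [IPASS, SUFFIX],
                                              PROXY_CONF_WITH_DEFAULT))
```

With IPASS listed first, the roaming user is forwarded to the NetServer with the full IPASS/ name intact; with suffix first, the same request is claimed by the example.com realm and forwarded there as a stripped IPASS/alice, which is the misrouting the ordering rule prevents. The last two calls show that a DEFAULT realm silently absorbs every domain you have not defined.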

When you have finished editing the sites-enabled/default file, save and exit the file.

**4.** Edit the users file.

The users file (/etc/raddb/users) dictates how FreeRADIUS authenticates users. You will need to ensure that there is a DEFAULT entry in the users file similar to the one shown below. Please note that this is only an example of the type of entry needed. If you already have a default entry, please let your iPass technician know what it is before modification:

<code>
DEFAULT Auth-Type = Local
</code>

When you have finished editing the users file, save and exit the file.

**5.** Add the IPASS/ realm entry to your proxy.conf file.

To complete this configuration and allow FreeRADIUS to proxy iPass traffic to your NetServer, you must add an entry for the IPASS/ prefix realm to your proxy.conf file (/etc/raddb/proxy.conf). The following entry can be added to this file anywhere within the list of realm entries, provided it is placed above the DEFAULT realm entry.

<code>
realm IPASS {
    type = RADIUS
    authhost = IP.Address.of.NetServer:11812
    accthost = IP.Address.of.NetServer:11813
    secret = mysecret
    nostrip
}
</code>

The shared secret listed in the entry must be the same value as the secret of the NetServer found in the ipassNS.properties file of your NetServer. The nostrip keyword tells FreeRADIUS to forward the full username, including the IPASS/ prefix, to the NetServer instead of stripping the realm off first.

When you have finished editing proxy.conf, save and exit the file.

**6.** When complete, restart your FreeRADIUS to allow these changes to take effect.

===== DTC RADIUS =====

iPass providers using the DTC RADIUS software will need to add an entry to their users file (/etc/raddb/users) to allow iPass traffic to travel through their network. In addition, the DTC RADIUS and the NetServer must be installed on different hosts, and they must use the same port number for routing requests (that is, if the DTC is sending requests on port 1812, the NetServer must run on port 1812 on another host).

**1.** To allow the DTC RADIUS to recognize iPass users based on the IPASS/ prefix, and proxy these requests to the NetServer, add the following entry to your users file (/etc/raddb/users):

<code>
DEFAULT Password = "PROXY", Prefix = "IPASS/", DTC-Trunc-PreSuffix = Trunc-No,
    DTC-Limit-Login = Limit-No,
    DTC-Auth-Server = IP.Address.of.NetServer,
    DTC-Acct-Server = IP.Address.of.NetServer,
    DTC-Auth-Secret = "sharedsecret",
    DTC-Acct-Port = 1813,
    DTC-Acct-Secret = "sharedsecret"
</code>

The shared secret listed must be the same value as the secret of the NetServer found in the ipassNS.properties file of your NetServer.

When you have finished editing the users file, save and exit the file.

**2.** When complete, restart your DTC RADIUS to allow these changes to take effect.

===== Cistron RADIUS =====

iPass providers using Cistron RADIUS will need to edit the clients, realms, and users configuration files to allow iPass traffic to travel through their network.

**1.** Edit the clients file.

The clients file (/etc/raddb/clients) contains a separate entry for each software application that acts as a client of Cistron RADIUS. To add the NetServer as a client of your RADIUS, add this entry to this file:

<code>
<IP.Address.of.NetServer> <SharedSecret>
</code>

The shared secret must be the same value as the secret of the NetServer found in the ipassNS.properties file of your NetServer.

When you have finished editing, save and exit the file.

**2.** Edit the realms file.

The realms file (/etc/raddb/realms) lists all of the realms known to Cistron RADIUS, and defines how they are handled. To enable the Cistron RADIUS to route iPass traffic using the DEFAULT realm, add these two lines anywhere in this file. The NULL line keeps users who supply no realm authenticated locally; the DEFAULT line proxies every realm not otherwise listed in this file to the NetServer without stripping the realm from the username. As with the RADIATOR DEFAULT realm, make sure all of your other realms are defined in this file, or their users will also be routed to the NetServer.

<code>
NULL LOCAL
DEFAULT <IP.Address.of.NetServer>:11812 NOSTRIP
</code>

When you have finished editing, save and exit the file.

**3.** Edit the users file.

The users file (/etc/raddb/users) dictates how Cistron RADIUS authenticates users. You will need to ensure that there is a DEFAULT entry in the users file similar to the one shown below. Please note that this is only an example of the type of entry needed. If you already have a default entry, please let your iPass technician know what it is before modification:

<code>
DEFAULT Auth-Type = Local
</code>

When you have finished editing, save and exit the file.

**4.** Restart your Cistron RADIUS to allow these changes to take effect.

©2015 iPass Inc. All rights reserved.