RSA Security 6.1 User's Manual
Contents
1. Figure 11: RADIUS Clients panel. (RSA RADIUS Server 6.1 Administrator's Guide, "Administering RADIUS Clients", September 2005)

Adding a RADIUS Client

To add a RADIUS client:

1. Open the RADIUS Clients panel.
2. Click the Add button. The Add RADIUS Client window (Figure 12) opens.

[Figure 12: Add RADIUS Client window. Fields: Name, Description, IP Address, Shared secret (with Unmask checkbox), Make/model (default "Standard Radius"), Web Info; Advanced options "Use different shared secret for Accounting" and "Assume down if no keepalive packets after ... seconds".]

3. Enter the name of the RADIUS client in the Name field. Although you can assign any name to a RADIUS client entry, you should use the device's hostname to avoid confusion.

You can create a special RADIUS client entry called <ANY> by clicking the Any RADIUS Client checkbox (Figure 13). The <ANY> RADIUS client enables RSA RADIUS Server to accept requests from any RAS, as long as the shared secret is correct.

[Figure 13: Creating an <ANY> RADIUS client.]

Note that the IP Address field for an <ANY> RADIUS client cannot be edited: <ANY> implies that the server accepts requests from any IP address, provided that the shared secret is correct. With an <ANY> entry the shared secret is the only thing that identifies a client, so it must be strong and must not be given to devices that should not be RADIUS clients. See "Shared Secrets" on page 6.

4. Enter the IP address or DNS name of the RADIUS
2. This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation, either version 2 of the License or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY, without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. For a copy of the GNU Lesser General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.

StrutLayout, Java AWT layout manager, copyright 1998 Matthew Phillips (mpp@ozemail.com.au). This library is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation, either version 2 of the License or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY, without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details. For a copy of the GNU Lesser General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.

Trademarks: ACE/Agent, ACE/Server, Because Knowledge is Security, BSAFE, ClearTrust, Confide
3. Running RSA RADIUS Administrator

NOTE: The RSA RADIUS Administrator will not start unless the Administrator user in the RSA Authentication Manager application has been configured with a token or password. For information on how to configure the Administrator user with a token or password, refer to the RSA Authentication Manager 6.1 Administrator's Guide.

To run the RSA RADIUS Administrator:

1. Choose Start > All Programs > RSA Security > RSA Authentication Manager Host Mode.
2. When the RSA Authentication Manager 6.1 Administration window opens, choose RADIUS > Manage RADIUS Server.

[Figure: the RADIUS menu, with the items Edit Profile, List Profiles, Delete Profiles and Manage RADIUS Server.]

Navigating in RSA RADIUS Administrator

Figure 4 illustrates the RSA RADIUS Administrator user interface: menu bar, toolbar, navigation frame and content frame. This section describes how to use the RSA RADIUS Administrator menus and toolbar.

[Figure 4: RSA RADIUS Administrator user interface ("RSA RADIUS, Powered by Steel-Belted Radius"). Menus: File, Panel, Web, Help. Navigation frame: RADIUS Clients, Profiles, Replication, Statistics (server "rsamecoy"). Content frame: Authentication Transactions (Accepts and Rejects, with Current, Average, Peak and Total columns) and Server up time 0 Days 00:35:26.]
4. (Continuation of the authentication statistics table.)

[row label not on this page]: The number of requests that were authenticated but failed to meet the checklist requirements.
[row label not on this page]: The number of rejects due to a server resource problem.
Retries Received, Transactions Retried: The number of requests for which one or more duplicates was received.
Retries Received, Total Retry Packets: The number of duplicate packets received.
Challenges: The number of challenges received.

Displaying Server Accounting Statistics

Accounting statistics provide information such as the number of transaction starts and stops and the reasons for rejecting attempted transactions. The transaction start and stop numbers rarely match, as many transactions can be in progress at any given time.

To display accounting statistics for the RSA RADIUS server:

1. Open the Statistics panel.
2. Select the server for which you want to display statistics in the Server list.
3. Click the System tab.
4. Click the View list and choose Accounting.

[Figure 19: Statistics panel, System tab, Accounting view (server "rsamecoy", primary). Shows Transactions: Starts and Stops, each with Current, Average, Peak and Total columns.]
5. -dir: Specifies the top-level directory for installation of the RSA RADIUS Server files. Default value is /opt.

Table 5: Command Options for the install_rsa.sh Command (continued)

-identity: Specifies whether you are installing a Primary or Replica RADIUS Server. Valid values are PRIMARY and REPLICA. Default value is PRIMARY.
-migrate: Indicates you want to run the RSA RADIUS Server migration utility (rsainstalltool), which transfers RADIUS settings from an older version of RSA Authentication Manager and registers the RSA RADIUS Server as a host agent. For information on the migration utility, refer to "Data Migration/Registration" on page 19.
-overwrite: Specifies that the torsMigReg.log installation log file from a previous installation of RSA RADIUS Server can be overwritten.
-path: Specifies the path to the radius.cer, server.cer, radius.key and sdconf.rec files. Default value is /opt.
-port: Specifies the TCP port used for administration of the RSA RADIUS Server. Default value is 1813.
-primary: Specifies the name of the Primary RADIUS Server. Use only when installing a Replica RADIUS Server. Do not use the -primary option if you are specifying the -reppkg option.
-primary_ips: Specifies the IPv4 address or addresses of the Primary RADIUS Server. If your Primary RADIU
6. (End of the Accounting-Stop entry.) One message contains the final value of every statistic that this RAS is capable of recording about this type of connection.

Interim-Acct: At intervals of approximately every six minutes, the RAS sends an Interim-Acct message to the server. Server action: record a snapshot of statistics regarding the connection. One message contains the current value of every statistic that this RAS is capable of recording about this type of connection.

Accounting-On: Every time a client device comes online, whether after a failure or after an orderly shutdown, it sends an Accounting-On message to the server. Server action: identify the device that is going online and clear all session information.

Accounting-Off: Every time a client device experiences an orderly shutdown, it sends an Accounting-Off message to the server before completing its shutdown sequence. Server action: identify the device that is going offline and clear all session information.

Accounting-Response: Upon receipt of an Accounting-Request message, the server sends an Accounting-Response. Server action: complete the request/response cycle.

Accounting Sequence

A RAS can issue an Accounting-Request whenever it chooses, for example upon establishing a successful connection. Each time an Accounting-Request message arrives at the RSA RADIUS Server, an accounting transaction begins. During this transaction the server handles the message by examining the Acct-Status-Type and other attributes within the message and taking the appropriate action.

Comma-Delimited Log Files

Whe
7. LogReject 76
make of RAS 5
Make/model field 12
model of RAS 5
multi-valued attributes 14
N
network access server (NAS), see RAS
O
orderable attributes 15
P
passcode 3
personal identification number 3
POTP profiles 51
Protected Extensible Authentication Protocol (PEAP) 1
Protected One-Time Password (POTP) 1
Protected One-Time Password, see POTP
R
RADIUS daemon, starting and stopping 27, 33
radius.dct 12
radiusdir x
RAS 3
remote access server, see RAS
Replication panel 66
return list attributes 14
RSA Authentication Manager 2, 3, 4, 21, 22, 35, 53
RSA Security EAP 1, 2
rsaconfiguretool 18, 70, 71, 72
rsainstalltool 18, 28, 30, 70, 71, 72
S
shared secret 5, 7
Silent Discards 59
Statistics panel 57
system-assigned values 15
T
tokencode 3
Total Retry Packets 59
TraceLevel 76
Transactions Retried 59
TTLS/PAP 2
tunnel 2
Tunneled Transport Layer Security (TTLS) 1
V
vendor-specific attributes 12
8. This section describes how to install the RSA RADIUS Server software on a Windows server.

System Requirements

Table 3 lists the hardware and software requirements of the RSA RADIUS Server software.

Table 3: Windows Server System Requirements
Operating system: Windows 2000 with Service Pack 4, or Windows Server 2003 STD edition with Service Pack 1.
Networking: TCP/IP must be configured on the Windows host for the RSA RADIUS Server to function properly.
Memory: The RSA RADIUS Server software requires a host with at least 256 megabytes of working memory (512 megabytes for servers with more than 10,000 RADIUS users).
Disk space: Installing the RSA RADIUS Server software requires 26 megabytes of space on the hard disk; hard disk requirements for running RSA RADIUS Server depend on your system's product configuration.

Installing the RSA RADIUS Server

To install the RSA RADIUS Server software on a Windows host:

1. Log on to the Windows server.
2. Run the RSA RADIUS Server software installation from a CD or from a network server.
> Using the CD-ROM installer: If you want to install the RSA RADIUS Server software from a CD, insert the RSA RADIUS Server installation CD-ROM, choose Start > Run, and enter the drive letter and setup command, for example D:\setup.
> Using the .msi file: Run the RSA RADIUS Server .msi file from the network server or CD-ROM, or copy the file
9. ... open the appropriate panel and double-click the item you want to change, or choose the item and click the Edit button on the RSA RADIUS Administrator toolbar. The RSA RADIUS Administrator displays the settings for the item you selected in an Edit window. A sample Edit window appears in Figure 7. The Save button is disabled until the contents of a field in the Edit window change.

NOTE: You cannot change the name associated with an item in the Edit window. To change an item's name, you must cut and paste the item and assign the cut/copied item its new name.

[Figure 7: Sample Edit window (Edit Profile). Name: GROTON_ENG. Return list tab showing the attributes Funk-Full-User-Name (value "Echo received or default value") and Login-IP-Host (192.168.112.145).]

Cutting, Copying and Pasting Records

Panels displaying tables of items have Cut, Copy and Paste buttons in the toolbar. You can choose an item from the display and cut or copy it to the Clipboard, and then add a new record to the display by pasting it from the Clipboard. The Clipboard can contain one item of each type, such as one RADIUS client or one user. If you copy an item to the Clipboard and then copy another item of the same type, the information for the second item overwrites the information for the first item. Clipboard contents are preserved until you exit the RSA RADIUS Administra
10. radiusstatus=sessions_by_ipaddress
  calling-station-id=<dialing number>
  called-station-id=<dialed number>
  username=<user name>
  framed-ip-address=<aaa.bbb.ccc.ddd>

Figure 27: LDAP Schema (slide 2 of 4)

client=NASCLIENT
  acct-session-id=<sessionid>
Available attributes: client <string>, acct-session-id <number>, nas-ip-address <string>, nas-port <string>, nas-port-type <string>, acct-multi-session-id <number>, framed-ip-address <string>, session-start-time <time>, fullname <string>, username <string>, called-station-id <string>, calling-station-id <string>, elapsed <number>

radiusstatus=statistics
  stattype=server
  stattype=authentication
  stattype=accounting
  stattype=rate
Available attributes: start-time <yyyy-mm-dd hh:mm:ss>, up-time <seconds>, ip-address <aaa.bbb.ccc.ddd>, version <major.minor.rev>, authentication-threads <number>, accounting-threads <number>, total-threads <number>, max-acct-threads <number>, max-auth-threads <number>, max-total-threads <number>, high-acct-threads <number>, high-auth-threads <number
11. ...'s credentials through the TTLS tunnel. The access client sends a user ID and passcode (tokencode and personal identification number) to the RSA RADIUS server.

The RSA RADIUS server forwards the user's user ID and passcode to the RSA Authentication Manager, which verifies that the user ID exists and that the passcode is correct for that user at that specific time.

If the user's information is accepted, the RSA Authentication Manager returns a message indicating that the passcode is accepted (6a). The RSA Authentication Manager may also return the name of the profile associated with this user in the Access-Accept message. If the user ID is not found, or if the passcode is not appropriate for the specified user, the RSA Authentication Manager returns a message indicating the passcode is not accepted (6b).

7. If the RSA RADIUS server receives a message indicating the passcode is accepted, it forwards a RADIUS Access-Accept message to the RAS (7a).
> If the RSA Authentication Manager specified a profile name with the accept message, the RSA RADIUS server sends the return list attributes associated with that profile to the RAS.
> If the RSA Authentication Manager did not specify a profile name with the accept message, the RSA RADIUS server sends the return list attributes associated with the default profile to the RAS.
For example, the Access-Accept message might sp
12. About RSA RADIUS Server

RSA RADIUS Server is a complete implementation of the industry-standard RADIUS (Remote Authentication Dial-In User Service) protocols. RSA RADIUS Server is designed to meet the access control and policy management requirements of enterprises. It interfaces with a wide variety of network access servers, including virtual private networks (VPNs), dial-in servers and wireless LAN (WLAN) access points (APs), and authenticates remote and WLAN users against your existing security infrastructure. This lets you control who can access your network and what resources are available to them, and requires little administration beyond your current management of LAN users. RSA RADIUS Server then logs all access usage so you can track and document usage statistics.

RSA RADIUS Server Features

> Centralized management of user access control and security.
> Support for a wide variety of 802.1X-compliant access points and other network access servers ensures compatibility in your network environment.
> Support for a variety of authentication methods, including Tunneled Transport Layer Security (TTLS), Protected Extensible Authentication Protocol (PEAP), Generic Token Card, RSA Security EAP (EAP-15) and Protected One-Time Password (EAP-32).
> Use of encryption keys protects against spoofing or masquerading by an impostor agent.
13. [Figure: Accounting Shared Secret window.] For privacy, asterisks are echoed as you type. You can click the Unmask checkbox to display the characters in the shared secret.

d. Click OK. You must enter the same accounting shared secret when you configure the RADIUS client.

Optionally, indicate whether you want to enable keepalive processing, and specify how long the server waits for RADIUS packets from the client before assuming connectivity has been lost. If you click the "Assume down if no keepalive packets after" checkbox, you can enter a value in the seconds field. If the server does not receive any RADIUS packets from this client after the specified number of seconds, the server assumes that the connection to the client is lost or that the client device has failed. When this happens, RSA RADIUS Server gracefully closes any user session it has authenticated for the client and adjusts the counts of concurrent user connections appropriately.

NOTE: If the value you enter in the seconds field is too low, valid user or tunnel connections can be lost. For example, during low-usage periods a RAS device might not send any RADIUS packets to the RSA RADIUS Server even though the device is still functioning.

Verifying a Shared Secret

To verify a shared secret on the RSA RADIUS Server:

1. Open the RADIUS Clients panel.
2. Select the RADIUS client whose share
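The <ANY> client (snippet 1) and the separate accounting shared secret above both come down to one check: for every Accounting-Request the server recomputes the Request Authenticator under the secret configured for the sending client and silently discards the packet when it does not match. The following added example (not RSA RADIUS Server code; the client table, addresses and secrets are constructed for illustration) implements that check with the formulas from RFC 2866 and RFC 2865, a per-client secret lookup with an <ANY> fallback and an optional accounting secret, and the Response Authenticator the server puts on its reply so the RAS can verify it in turn. Note that an Access-Request carries a random Request Authenticator, so a wrong secret there cannot be detected this way (without a Message-Authenticator attribute) and only shows up as an undecipherable User-Password.

```python
"""Shared-secret verification of RADIUS accounting traffic. Added example,
not product code; packets and the client table below are constructed."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5


def attr(type_code: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, length (including these two bytes), value."""
    return struct.pack("!BB", type_code, len(value) + 2) + value


def build_accounting_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """RFC 2866: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attributes))
    auth = hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()
    return header + auth + attributes


def accounting_request_secret_ok(packet: bytes, secret) -> bool:
    """The check made before acting on an Accounting-Request. A mismatch is what
    the 'messages with invalid secrets' statistic counts; the packet is then
    dropped without a response."""
    if secret is None or len(packet) < 20:
        return False
    header, received, attributes = packet[:4], packet[4:20], packet[20:]
    code, _ident, length = struct.unpack("!BBH", header)
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()
    return hmac.compare_digest(expected, received)   # constant-time compare


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    The RAS recomputes this to confirm the reply came from a server holding the secret."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def lookup_secret(clients: dict, src_ip: str, for_accounting: bool):
    """Client table shaped like the Add RADIUS Client window: one entry per IP
    address, an optional separate accounting secret, and an optional <ANY>
    entry consulted when the source address matches no configured client."""
    entry = clients.get(src_ip) or clients.get("<ANY>")
    if entry is None:
        return None
    if for_accounting and entry.get("acct_secret"):
        return entry["acct_secret"]
    return entry["secret"]


def demo() -> dict:
    clients = {   # constructed client table
        "192.0.2.10": {"secret": b"nas-secret", "acct_secret": b"nas-acct-secret"},
        "<ANY>": {"secret": b"shared-by-everyone"},
    }
    # Acct-Status-Type=Start (type 40), Acct-Session-Id (44), User-Name (1)
    attrs = attr(40, struct.pack("!I", 1)) + attr(44, b"0001") + attr(1, b"alice")
    known = build_accounting_request(7, attrs, b"nas-acct-secret")
    from_unknown = build_accounting_request(8, attrs, b"shared-by-everyone")
    forged = build_accounting_request(9, attrs, b"guess")
    any_secret = lookup_secret(clients, "198.51.100.9", True)
    results = {
        # configured client: its separate accounting secret is used
        "known_client": accounting_request_secret_ok(known, lookup_secret(clients, "192.0.2.10", True)),
        # unknown source address admitted by <ANY> purely on the strength of its secret
        "any_client": accounting_request_secret_ok(from_unknown, any_secret),
        # same unknown address, wrong secret: counted as an invalid secret and dropped
        "wrong_secret": accounting_request_secret_ok(forged, any_secret),
        # the Accounting-Response for the accepted request, for the RAS to verify
        "response_auth_len": len(response_authenticator(ACCOUNTING_RESPONSE, 7, known[4:20], b"", b"nas-acct-secret")),
    }
    return results
```

With an <ANY> entry, "any_client" is exactly the property the manual describes: source address plays no part, so whoever learns that secret can inject accounting (and authentication) traffic from anywhere that can reach the server.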
14. Installing the RSA RADIUS Server Software

The following procedure describes how to install the RSA RADIUS Server software on a Linux server. Some of the steps in the procedure are omitted if you specify the -silent option for the install_rsa.sh command.

1. Log into the Linux server as root.
2. Copy the RSA RADIUS Server installation files, sbr-rsa-1.0-1.i386.rpm and install_rsa.sh, to the Linux server. The sbr-rsa-1.0-1.i386.rpm and install_rsa.sh files must reside in the same directory on the server.
3. Change your current working directory to the location of the installation files you copied in Step 2.
4. Execute the following command to run the installation script:
   install_rsa.sh [options]
   See Table 7 on page 29 for an explanation of the install_rsa.sh command options.
5. Specify the directory where you want to install the RSA RADIUS Server files. By default, the installation script puts the rsa/radius directory files in the /opt directory, that is, /opt/rsa/radius.
   Enter install path: /opt
6. If you are installing the RSA RADIUS Server software on a host that is not running the RSA Authentication Manager software (remote installation), specify the location of the radius.cer, server.cer, radius.key and sdconf.rec files.
   Enter path to RSA files: /export/home/opt/rsa
   If you are installing the RSA RADIUS Server software on a host th
15. Publishing Server Configuration Information

If you change the configuration of your Primary RADIUS Server, you must publish the modified configuration so that your Replica RADIUS Servers can download the modified settings.

To publish server configuration information:

1. Open the Replication panel.
2. Click the Publish button on the toolbar.

This creates a file called rsa/radius/packages/timestamp_RSA.ccmpkg (Solaris/Linux) or RSA Radius\Service\packages\timestamp_RSA.ccmpkg (Windows), where timestamp reflects the date and time the package was created.

Notifying Replica RADIUS Servers

A network administrator can manually notify a Replica RADIUS Server to download and install the current configuration package from the Primary RADIUS Server. Manual notification is useful when network issues prevent the automatic download and installation of a configuration package when it is first published, and the configuration on the Replica no longer matches the configuration on the Primary RADIUS Server.

To notify Replica RADIUS Servers that new configuration information has been published:

1. Open the Replication panel.
2. Select the Replica RADIUS Server you want to notify.
3. Click the Notify button on the toolbar.

The Replica RADIUS Server downloads and installs its configuration package from the Primary RADIUS Server. After the package is installed, the Replica RADIUS Server is resynchronized with the Primary RADIUS Server.
16. Chapter 8: Logging

This chapter describes how to set up and use logging functions in RSA RADIUS Server.

Logging Files

The following files establish settings for logging and reporting.

Table 15: Logging and Reporting Files
radius.ini: Controls the types of messages RSA RADIUS Server records in the RADIUS system log file and the location of the log directory.

Using the RADIUS System Log

The RADIUS system log records RADIUS events, such as server startup or shutdown or user authentication or rejection, as a series of messages in an ASCII text file. Each line of the system log file identifies the date and time of the RADIUS event, followed by event details. You can open the current RADIUS system log file while RSA RADIUS Server is running.

Level of Logging Detail

You can control the level of detail recorded in the system log files with the LogLevel, LogAccept and LogReject settings.

> The LogLevel setting determines the level of detail given in the RADIUS system log file. LogLevel can be 0, 1 or 2, where 0 is the least amount of information, 1 is intermediate and 2 is the most verbose. It is specified in the [Configuration] section of the radius.ini file.
> The LogAccept and LogReject flags allow you to turn on or off the logging
17. ... RADIUS Server software from a Windows host, run the Add or Remove Programs Control Panel, choose RSA RADIUS Server and click Remove.

Installing on Solaris

This section describes how to install and uninstall the RSA RADIUS Server on a Solaris server.

System Requirements

The RSA RADIUS Server software package includes the server daemon and various dictionary and database files to support user authentication.

Table 4: Solaris Server System Requirements
Hardware: Sun UltraSPARC workstation.
Operating system: Solaris 9.
Memory: At least 256 megabytes of working memory.
Disk space: Installing the RSA RADIUS Server software requires at least 234 megabytes of space on the hard disk; hard disk requirements for running RSA RADIUS Server depend on your system's product configuration.
Networking: TCP/IP must be configured on the Solaris host for the RSA RADIUS Server to function properly.

Installer Syntax

To run the Solaris version of the RSA RADIUS Server installer, you execute the following command:

install_rsa.sh [-dir directory] [-identity PRIMARY|REPLICA] [-port port_num] [-path path] [-reppkg path] [-primary hostname] [-primary_ips ips] [-primary_secret secret] [-overwrite] [-migrate] [-silent] [-start_sbr] [-usage | -help | -h]

Table 5 explains the function of each command option.

Table 5: Command Options for the install_rsa.sh Command
18. ... Server list.
3. Click the System tab.
4. Click the View list and choose the type of statistics you want to display:
> Accounting Request Diagnostics: Displays the number of duplicate messages, messages with invalid secrets, malformed messages, messages with incorrect types, ignored messages and dropped requests for each RADIUS client.
> Accounting Request Types: Displays the number of accounting start messages, accounting stop messages, interim messages, Accounting-On messages, Accounting-Off messages and acknowledgement messages sent for each RADIUS client.
> Authentication Request Details: Displays the number of duplicate messages, challenges, messages containing invalid authentication information, bad authentication requests, bad types and dropped requests for each RADIUS client.
> Summary: Displays the number of authentication requests, accepts and reject messages, and the total number of accounting requests, starts and stops for each RADIUS client.
5. Optionally, sort the messages by clicking a column header.

NOTE: The RADIUS client statistics are not displayed dynamically. To see the most recent statistics for a RADIUS client, click the Refresh button in the toolbar.

[Figure: Statistics panel, RADIUS Clients tab (server "rsamecoy").]
19. ... Solaris, Linux and Windows.
6. When the download is completed, extract the following files from the compressed image to a directory on your computer:
> ldapsearch.exe
> ldapmodify.exe
> ldapdelete.exe
> nsldapssl32v30.dll, if you are on a Windows host
> libldap30.so, if you are on a Solaris host

To run the LDAP utilities, execute them from this directory. If you set the path environment variable to point to this directory, you can run them from any location on the system.

NOTE: The examples that follow assume you are using the LDAP utilities provided as part of the Sun ONE Directory SDK. If you are using LDAP utilities from another source, the command options you use may be different. Consult the documentation for your LDAP utilities for more information.

LDAP Version Compliance

The LDAP server software that has been incorporated into RSA RADIUS Server is compliant with version 2 of the LDAP specification. Therefore we suggest using the -V 2 command-line option to direct the utilities to use version 2 features. For example:

ldapmodify -c -V 2 -p 354 -D "cn=admin,o=radius" -w radius -f filename

Configuring the LDAP TCP Port

To avoid conflicts with LDAP services that may already be installed, the default TCP port number for communication between RSA RADIUS Server and the LDAP client is 667. If you are certain that there will not be a
20. [Figure residue: accounting statistics view showing Total, Ons, Offs, Total Transactions; Failure Details (Dropped Packet, Invalid Request, Failed Accounting, Insufficient Resources); Retries Sent (Transactions Retried, Total Retry Packets); Interim Requests; Server up time 0 Days 08:05:03.]

Table 14 describes the accounting statistics and suggested actions (in italics, if appropriate).

Table 14: Accounting Statistics
Transactions
  Starts: The current, average and peak number of transactions in which a connection was started following a successful authentication, since the last time accounting statistics were reset.
  Stops: The current, average and peak number of transactions in which a connection was terminated, since the last time accounting statistics were reset.
  Ons: The number of Accounting-On messages received, indicating that a RADIUS client has started, since the last time accounting statistics were reset.
  Offs: The number of Accounting-Off messages received, indicating that a RADIUS client has shut down gracefully, since the last time accounting statistics were reset.
  Total: The sum of the start, stop, on and off totals since the last time accounting statistics were reset.
Failure Details
  Dropped Packet: The number of RADIUS accounting packets dropped by RSA RADIUS Server because the server was flooded with
21. ... a substring, it can be escaped by placing a backslash character before it.
> Hexadecimal values: Hexadecimal numbers for attributes of syntax type hex1, hex2 or hex4 require a 0x prefix in front of the hexadecimal digits, for example 0x0000149a.
> Profiles, checklists and return lists: Checklists associated with profiles can include default attributes, which allows you to mark a checklist attribute as optional. To signal that a checklist attribute is a default attribute, preface the attribute value with the string $default$. Return lists associated with profiles can include attributes whose contents are the value of a received attribute. This feature is referred to as echoing the attribute. To signal that a return list attribute must be treated as an echo attribute, specify the attribute value as the string $echo.
> Unspecified or 0.0.0.0 RAS IP address: When you display acct_stats_by_nasipaddr information, any RAS entries with an unspecified IP address or an IP address of 0.0.0.0 are omitted. Similarly, when you display acct_stats_by_nas information, RAS entries with an unspecified IP address or an IP address of 0.0.0.0 have the nasipaddr attribute omitted.
> Duplicate RAS IP addresses: When displaying acct_stats_by_nasipaddr information, two RAS entries that contain the same non-zero IP address cause information about one of the entries to be displayed twice. This is the result of the ambiguity of the query
22. ... .cer to communicate with RSA Authentication Manager. If you install the RSA RADIUS Server software on the host running RSA Authentication Manager (local installation), the installer obtains the path to these files automatically. If you install the RSA RADIUS Server software on a different host (remote installation), the installer asks you for the path to these files.

Data Migration/Registration

When you install a Primary RADIUS Server on a host that previously ran an older version of RSA Authentication Manager configured to use RSA RADIUS Server, the installer provides an option to migrate your RADIUS data to the new RSA RADIUS Server. Information transferred during data migration includes RADIUS client names, IP addresses and shared secrets; profile names, checklist attributes and return list attributes; and RSA SecurID prompts used to format messages to users. Data migration also registers the RSA RADIUS Server as an agent host with RSA Authentication Manager. Registration information includes the server type (Primary or Replica), fully qualified name, administrative port number and IP address.

NOTE: If aliases are required to support network address translation (NAT), they must be configured manually on the RSA Authentication Manager host.

Data migration is not available for new RSA Authentication Manager installations on Windows
23. Installing on Linux

This section describes how to install and uninstall the RSA RADIUS Server software on a Linux server.

System Requirements

The RSA RADIUS Server software package includes the server daemon and various dictionary and database files to support authentication.

Table 6: Linux Server System Requirements
Hardware: x86 workstation.
Operating system: RedHat Enterprise 3.0.
Memory: At least 256 megabytes of working memory (512 megabytes for servers with more than 10,000 RADIUS users).
Disk space: Installing the RSA RADIUS Server software requires at least 234 megabytes of space on the hard disk; hard disk requirements for running RSA RADIUS Server depend on your system's product configuration.
Networking: TCP/IP must be configured on the Linux host for the RSA RADIUS Server to function properly.

Installer Syntax

To run the Linux version of the RSA RADIUS Server installer, you execute the following command:

install_rsa.sh [-dir directory] [-identity PRIMARY|REPLICA] [-port port_num] [-path path] [-reppkg path] [-primary hostname] [-primary_ips ips] [-primary_secret secret] [-overwrite] [-migrate] [-silent] [-start_sbr] [-usage | -help | -h]

A secret passed on the command line with -primary_secret is visible to other users of the host in the process list while the script runs and may be recorded in the shell history.

Table 7 explains the function of each command option.

Table 7: Command Options for the install_rsa.sh Command
-dir: Specifies the top-level directory for installation of
24. > Centralized configuration management (CCM) provides simplified configuration management and automatic data distribution for multi-server environments.
> Authentication logs provide a complete audit trail of user authentication activity and administrative transactions.
> Encryption of communication between the RSA RADIUS Server and the RSA Authentication Manager prevents electronic eavesdropping.

RSA RADIUS Server Overview

RADIUS is an industry-standard protocol for providing authentication, authorization and accounting services.

> Authentication is the process of verifying a user's identity and determining whether the user is allowed on the network.
> Authorization is the process of controlling the network resources that the user can access on the protected network, such as privileges and time limits.
> Accounting is the process of generating log files that record statistics describing each connection session, used for billing, system diagnosis and usage planning.

Figure 1 illustrates a simple RSA RADIUS authentication and authorization sequence using a TTLS/PAP tunnel to facilitate communication between the access client and the RSA RADIUS server. Note that some access clients may be configured to use RSA Security EAP or Protected One-Time Password (POTP) instead of a TTLS/PAP tunnel; in such cases the sequence of transactions is similar, though the communication mechanics are different. Note also that the
25. indicates whether the configuration of each server is current.

[Figure 21: Replication Panel. The RSA RADIUS Administrator window (menus File, Panel, Web, Help; buttons Refresh, Print, Publish, Add, Notify, Edit, Delete) showing the Replication panel with the Primary server listed and its status marked Modified.]

Adding a RADIUS Server Manually

Under most circumstances, Replica RADIUS Servers register themselves automatically after you install the RSA RADIUS Server software and configuration package file (replica.ccmpkg) and restart the server. Thereafter, each Replica RADIUS Server automatically connects to its Primary RADIUS Server once an hour to check whether an updated configuration package is available. In some circumstances, however, you may want to add a Replica RADIUS Server to the server list so that it shows up immediately.

To add a RADIUS server manually:
1. Open the Replication panel.
2. Click the Add button. The Add Server window (Figure 22) opens.

[Figure 22: Add Server window, with Name, Secret, and Address fields.]

3. Enter the name of the RADIUS server in the Name field. Although you can assign any name to a RADIUS server, you should use the device's hostname to avoid confusion.
4. Enter the replication secret for the RADIUS server in the Secret field. For privacy, asterisks are echoed as you type. You can c
26. it improves the performance of the transaction.
-h hostname: The name of the host to which this command applies. If none is given, the command is applied to the local database.
-p 354: TCP port 354 is to be used to communicate with the LDAP interface of the server. The -p value must match the TCPPort setting in the [LDAP] section of radius.ini. If the -p option is not specified, the default port number for the RSA RADIUS Server and the LDAP utilities is used (port 389).
-D cn=oper,o=radius: The command is authenticated using an administrative account called oper. NOTE: Any administrative account name may be used in place of oper in the preceding example; o=radius may not be changed.

Table 18: Modifying Records Using the ldapmodify Command (continued)
ldapmodify option: Meaning
-w radadmin: The command is providing an authentication password of radadmin. NOTE: The -w parameter value (in this case radadmin) must match the password of the account named by the -D parameter.
-f filename: This is the input LDIF file to process.

NOTE: You can also use the -h option with ldapmodify to specify the name of a remote host on which the LDAP interface is available. Run the LDAP utilities remotely only if you are convinced that unauthorized snooping on the network between the LDAP client and server is not an issue. The difference in syntax bet
27. not be provided or otherwise made available to any other person. Neither this software nor any copies thereof may be provided to or otherwise made available to any third party. No title to or ownership of the software or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by RSA Security.

Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when exporting this product.

Distribution
Limit distribution of this document to trusted personnel.

RSA notice
The RC5 Block Encryption Algorithm With Data-Dependent Rotations is protected by U.S. Patent 5,724,428 and 5,835,600.

First Printing: September 2005
Part Number: M05917ADM

Contents
About This Guide
  What's In This Manual ... ix
  Related Documentation ... xi
Chapter 1: About RSA RADIUS Server
  RSA RADIUS Server Features ...
28. Optionally enter a description for the profile in the Description field.
5. Add checklist and return list attributes to the profile:
   a. Click the Checklist tab or the Return list tab.
   b. Click Add. The Add Checklist Attribute window or the Add Return List Attribute window (Figure 17) opens.

[Figure 17: Add Checklist Attribute and Add Return List Attribute windows. Each shows an Attributes list (for example IP-Address, 3GPP-CG-Address, 3GPP-CG-IPv6-Address, 3GPP-Charging-Characteristics, 3GPP-Charging-Id, 3GPP-GGSN-Address; Framed-Routing, Funk-Full-User-Name, Funk-Reject-Reason-Code, Funk-Round-Robin-Group) and a Value field; the checklist window also has a Default value checkbox.]

   c. Select the attribute you want to add from the Attributes list.
   d. Select or enter a value for the attribute. The window changes according to the attribute you choose. Some attributes require that you enter a value, string, or IP address. Other attributes require that you choose from a predefined list of values. If the Multivalued indicator is dimmed, an attribute can have only one value. If the Multivalued indicator is not dimmed, you can add multiple values for the attribute.
   Checklist attributes only: To set this value to the default value for the attribute, which is useful in situations where the attribute is not included in the RADIUS request, click the Default value checkbox.
   Ret
29. to your computer and run it locally.
3. When the installer wizard window opens, click Next to continue.
4. When the Welcome window opens, click Next to continue.
5. When the Place of Purchase window opens, click the appropriate radio button and click Next to continue.
6. When the License Agreement window opens, click the "I accept the terms in the license agreement" radio button. Click Next to continue.
7. When the Setup Type window opens, click the Complete radio button if you want to install the RSA RADIUS Server files in the C:\Program Files\RSA Security\RSA RADIUS directory. If you want to install RSA RADIUS Server software in a directory other than the default C:\Program Files\RSA Security\RSA RADIUS directory, click the Custom radio button, then click the Change button. Select the directory in which you want to install the RSA RADIUS Server software. Click OK. Click Next to continue.
8. If you are installing a Primary RADIUS Server, click the Install as Primary RSA RADIUS Server button. If you are installing a Replica RSA RADIUS Server, click the Install as Replica RSA RADIUS Server button. If the RSA Authentication Manager application is not running on the server, you are prompted to specify the location of the Primary RSA RADIUS Server. You can specify the name, IP address(es), and replication secret of the Primary RADIUS Server, or you can click the Brows
30. ADIUS authentication message is issued and the purpose of any RADIUS attributes the message contains.

Table 1: RADIUS Authentication Messages and Attributes

Message conditions: When a RAS receives a connection request from a user, the RAS authenticates the request by sending an Access-Request to its RADIUS server.
Purpose of message attributes: Identify the user. Describe the type of connection the user is trying to establish.

Message conditions: When a RADIUS server authenticates a connection request, it returns a RADIUS Access-Accept to the RAS.
Purpose of message attributes: Allow the RAS to complete access negotiations. Configure connection details, such as providing the RAS with an IP address it can assign to the user. Enforce time limits and other class-of-service restrictions on the connection.

Message conditions: When a RADIUS server is unable to authenticate a connection request, it returns an Access-Reject to the RAS.
Purpose of message attributes: Terminate access negotiations. Identify the reason for the authorization failure.

Message conditions: If initial authentication conditions are met but additional input is needed from the user, the RADIUS server returns an Access-Challenge to the RAS.
Purpose of message attributes: Enable the RAS to prompt the user for more authentication data. Complete the current Access-Request so the RAS can issue a new one.

Accounting
To un
31. ADIUS Server and Replica RADIUS Servers.
   Enter primary host secret:
13. If you are installing a Primary RADIUS Server on a host running an earlier version of the RSA Authentication Manager software, specify whether you want to migrate data to the current installation.
   Do you want to migrate data from RSA Server? (y/n) [n]
If the installation succeeds, the installer displays the following message:
   Configuring for use with generic database
   RSA RADIUS installation succeeded
If the installation fails, the installer displays the following message and asks you whether you want to roll back the installation:
   Installation failed. Please see /opt/rsa/radius/tprsMigReg.log for details.
   Configuration of RSA Radius failed.
   The installation has failed, would you like it cleaned up? (y/n) [y] y
   Cleaning up installation
   Removing /etc/init.d/sbrd script

Stopping and Starting the RADIUS Daemon

After the RADIUS daemon is installed on the server, it stops and starts automatically each time you shut down or restart the server. You can stop the RADIUS daemon on a Linux server at any time by issuing the following command:
   /etc/init.d/sbrd stop
When you execute the sbrd stop command, RSA RADIUS Server allows its subsystems to complete outstanding work and release resources, and then stops the mkded (Btrieve) daemon and the radius service gracefully. If the RADIUS daemon fails to stop after you issue an sbrd stop command, you can use the
32. ADIUS Server and Replica RADIUS Servers.
   Enter primary host secret:
13. If you are installing a Primary RADIUS Server on a host running an earlier version of the RSA Authentication Manager software, specify whether you want to migrate data to the current installation.
   Do you want to migrate data from RSA Server? (y/n) [n]
If the installation succeeds, the installer displays the following message:
   Configuring for use with generic database
   RSA RADIUS installation succeeded
If the installation fails, the installer displays the following message and asks you whether you want to roll back the files that were installed:
   Installation failed. Please see /opt/rsa/radius/tprsMigReg.log for details.
   Configuration of RSA Radius failed.
   The installation has failed, would you like it cleaned up? (y/n) [y] y
   Cleaning up installation
   Removing /etc/rc2.d/S90radius script
   Removing /etc/rc2.d/K90radius script

Stopping and Starting the RADIUS Daemon

After the RADIUS daemon is installed on the server, it stops and starts automatically each time you shut down or restart the server. You can stop the RADIUS daemon at any time by issuing the following command:
   /etc/rc2.d/S90radius stop
Use the following command to start the RADIUS daemon:
   /etc/rc2.d/S90radius start

Uninstalling the RSA RADIUS Server Software

To uninstall the RSA RADIUS Server software:
1. Stop the RADIUS daemon c
33. DIUS request to be echoed in the RADIUS response. For example, you might add Callback-Number to the return list and click the echo checkbox. RSA RADIUS Server takes the value of the Callback-Number it receives in the RADIUS request and echoes it back to the client in the RADIUS response; if it receives no Callback-Number, it echoes nothing. You enter Callback-Number one or more times into the checklist. This indicates that one of the callback numbers you supplied must be present in the RADIUS request, and that number should be echoed in the RADIUS response.

Default Values

Choosing default for a checklist attribute specifies that if the RADIUS request does not include this attribute, the request should not be rejected. Instead, the value supplied as the default should be used as if it were received as part of the request. One use for default values is to require that an attribute in a RADIUS request must have one of several values or must not be present at all. Another use is to provide a default value for an attribute in conjunction with the echo property in the return list.

If an attribute appears once in the checklist marked as default, and the same attribute appears in the return list marked as echo, the server echoes the actual value of the attribute in the RADIUS response if the attribute appears in the RADIUS request. If the attribute does not appear in the RADIUS re
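The checklist and return-list rules above (allowed values, the default property, and the echo property) can be read as a small decision procedure. The following is an added illustration written for this page; it is not code from RSA RADIUS Server or Steel-Belted Radius, and the attribute names, the single-valued request dictionary, and the ChecklistItem/ReturnItem/evaluate names are constructed for the example.

```python
"""Checklist and return-list evaluation with the default and echo properties.

Added illustration, not code from RSA RADIUS Server or Steel-Belted Radius.
It models the rules the guide states: a checklist attribute entered one or
more times means the request must carry one of those values; marking it
"default" means a request that omits the attribute is not rejected and the
default value is treated as if it had been received; a return-list attribute
marked "echo" copies the received (or defaulted) value into the response and
echoes nothing when there is no value. Attribute names and the dictionary
shape of the request are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ChecklistItem:
    name: str
    values: List[str]              # one of these must appear in the request
    default: Optional[str] = None  # if set, a missing attribute is accepted with this value


@dataclass
class ReturnItem:
    name: str
    value: Optional[str] = None    # fixed value to return when echo is False
    echo: bool = False             # copy the request's value instead of a fixed one


def evaluate(request: Dict[str, str],
             checklist: List[ChecklistItem],
             return_list: List[ReturnItem]) -> Tuple[bool, Dict[str, str]]:
    """Return (accepted, response_attributes) for one Access-Request.

    `request` maps attribute name to a single value; multivalued request
    attributes are out of scope for this example.
    """
    effective = dict(request)  # request plus applied defaults, used for echo
    for item in checklist:
        if item.name in request:
            if request[item.name] not in item.values:
                return False, {}   # present, but not one of the allowed values
        elif item.default is not None:
            effective[item.name] = item.default  # absent: use the default as if received
        else:
            return False, {}       # absent and no default: reject

    response: Dict[str, str] = {}
    for ret in return_list:
        if ret.echo:
            if ret.name in effective:           # no value at all: echo nothing
                response[ret.name] = effective[ret.name]
        elif ret.value is not None:
            response[ret.name] = ret.value
    return True, response
```

With Callback-Number listed twice in the checklist and marked default, a request carrying one of the two numbers is accepted and that number is echoed; a request carrying neither is rejected; a request with no Callback-Number at all is accepted and the default is echoed, which is the combination of default and echo the text describes.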
34. E DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Portions of this software are copyright 2001-2002 Cambridge Broadband Ltd. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
• Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
• The name of Cambridge Broadband Ltd. may not be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE A
35. ES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU OR THE REGENTS OF THE UNIVERSITY OF CALIFORNIA BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM THE LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Portions of this software copyright 2001-2002 Networks Associates Technology, Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
• Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
• Neither the name of the Networks Associates Technology, Inc. nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AR
36. F update statements, ldapmodify can do everything ldapdelete can do.
> ldapdelete: The ldapdelete utility deletes entries from an existing LDAP directory. ldapdelete opens a connection to the specified server using the distinguished name and password you provide, binds, and deletes the entry or entries.

LDAP Requests

LDAP requests are submitted in two ways:
> By specifying options on the LDAP command line.
> By placing instructions and data into an LDAP Data Interchange Format (LDIF) file, which you then invoke on the command line by using the -f option.
Because communication between the LDAP client and server must occur in the clear (unencrypted), run the LDAP utilities on the same computer as RSA RADIUS Server.

Downloading the LDAP Utilities

To use the LCI, you need the freeware ldapsearch, ldapmodify, and ldapdelete utilities. You can download the free LDAP utilities as follows:
1. Use a browser to navigate to http://www.sun.com/download/products.xml?id=3ec28dbd
2. When the Sun ONE Directory SDK (software development kit) download page appears, click the Download link at the bottom of the page.
3. If you are prompted to register yourself, complete the registration form.
4. When you are prompted to accept the license agreement, click the Accept button and then click Continue.
5. Download the SDK by clicking the link for the version of the SDK that is appropriate for your computer. Versions of the SDK are available for
37. P Bind request that authenticates the administrator to the RSA RADIUS Server. The Bind request must reference an RSA RADIUS Server administrative account and must provide the password that authenticates that account. This translates into the following command line options for each invocation of the LDAP utilities:
   -D cn=username,o=radius -w passcode cachedPW
where username is the user account name, passcode is the RSA passcode associated with the user, and cachedPW is the user's cached password.
> Uppercase and lowercase: The uppercase/lowercase rules for object names are the same as in the RSA RADIUS Administrator application; almost all object names are stored in the database in uppercase format.
> Attributes: The LDAP virtual schema diagram does not explicitly list all the dictionary attributes that are available in the latest version of RSA RADIUS Server. The rules for entering dictionary attributes are that the attribute name must match the name found in the dictionary, and the syntax type determines what is allowed for the attribute's value.
> Substrings: There are several places where a list of strings is the value of an attribute. The rule for specifying the data portion for these lists is that semicolons must delimit the substrings. For example, a DNIS list for a tunnel entry might be specified as 555-1212;5551212. If a semicolon needs to appear inside
38. Primary RADIUS Server.

Designating a New Primary RADIUS Server

You can change which server within a realm is designated as the Primary RADIUS Server for that realm. For more information, see "Designating a New Primary RADIUS Server" on page 70.

Recovering a Replica After a Failed Download

If a Replica RADIUS Server fails during the download of a configuration package, its configuration may be corrupted or it may have a stale secret. For information on how to recover a Replica after a failed download, refer to "Recovering a Replica After a Failed Download" on page 70.

Changing the Name or IP Address of a Server

To change the DNS name or IP address of a Primary or Replica RADIUS Server, you run the rsainstalltool (Windows) or the rsaconfiguretool (Solaris/Linux) utility. For more information, refer to "Changing the Name or IP Address of a Server" on page 71.

Chapter 2: Installing the RSA RADIUS Server

The RSA RADIUS Server software package includes the server software and various dictionary and configuration files to support authentication and accounting. This chapter describes how to install the RSA RADIUS Server software on a Windows, Solaris, or Linux host.

Before You Begin

Required Files

The RSA RADIUS Server software requires the path to four files: sdconf.rec, radius.cer, radius.key, and server
39. RADIUS Accounting, C. Rigney, June 2000.
> RFC 2869, RADIUS Extensions, C. Rigney, W. Willats, P. Calhoun, June 2000.
> RFC 2882, Network Access Servers Requirements: Extended RADIUS Practices, D. Mitton, July 2000.
> Internet Draft, The Protected One-Time Password Protocol (EAP-POTP), M. Nystrom, June 2005. ftp://ftp.rsasecurity.com/pub/otps/eap/draft-nystrom-eap-potp-02.html

Third-Party Products

For more information about configuring your access servers and firewalls, consult the manufacturer's documentation provided with each device.

Getting Support and Service

RSA SecurCare Online: https://knowledge.rsasecurity.com
Customer Support Information: www.rsasecurity.com/support

Before You Call for Customer Support

Make sure you have direct access to the computer running the RSA Authentication Manager software. Have the following information available when you call:
> Your RSA Security Customer License ID. You can find this number on the license distribution medium, by running the Configuration Management application on Windows servers, or by issuing an sdinfo command on Linux or Solaris servers.
> RSA Authentication Manager software version number.
> The make and model of the machine on which the problem occurs.
> The name and version of the operating system under which the problem occurs.

Chapter 1
40. RE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Portions of this software copyright 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
• The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
• Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
• This notice may not be removed or altered from any source distribution.

HTTPClient package copyright 1996-2001 Ronald Tschalar (ronald@innovation.ch).
41. RSA RADIUS Server 6.1 Administrator's Guide
Powered by Steel-Belted Radius
RSA SECURITY

Contact Information

See our web site for regional Customer Support telephone and fax numbers.
RSA Security Inc.: www.rsasecurity.com
RSA Security Ireland Limited: www.rsasecurity.ie

Copyright

Copyright 2005 RSA Security Inc. All rights reserved. No part of this document may be reproduced, modified, distributed, sold, leased, transferred, or transmitted in any form or by any means without the written permission of RSA Security Inc. Information in this document is subject to change without notice.

Portions of this software copyright 1995-2005 Funk Software, Inc. All rights reserved.

Portions of this software copyright 1989, 1991, 1992 by Carnegie Mellon University. Derivative Work 1996, 1998-2000. Copyright 1996, 1998-2000 The Regents of the University of California. All Rights Reserved. Permission to use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU and The Regents of the University of California not be used in advertising or publicity pertaining to distribution of the software without specific written permission. CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTI
42. RSA RADIUS Server and an LDAP virtual schema. The LDAP virtual schema enables the LDAP interface to translate LDAP requests into a format that can be understood by the RSA RADIUS Server database. Figure 25 illustrates the relationship between LDAP components.

[Figure 25: LDAP Components. Labels in the diagram: RADIUS Server Core, RADIUS Modules, LDAP Interface, LDAP Command Line Utility, Embedded RADIUS Database, Java Administration Program, Proprietary HTTPS.]

LDAP Utilities

Freeware LDAP utilities such as ldapsearch, ldapmodify, and ldapdelete act as clients of the LDAP interface. LDAP utilities let you read and modify an LDAP database.
> ldapsearch: The ldapsearch utility locates and retrieves LDAP directory entries. The ldapsearch utility opens a connection to an LDAP interface using the specified distinguished name and password, binds, and locates entries based on the specified search filter. A search can return a single entry, an entry's immediate subentries, or an entire tree or subtree. Search results are returned in LDIF format.
> ldapmodify: The ldapmodify utility adds or modifies entries in an existing LDAP directory. ldapmodify opens a connection to an LDAP interface using the distinguished name and password you supply, binds, and adds or modifies the entries based on the LDIF update statements contained in a specified file. Because ldapmodify uses LDI
43. RSA RADIUS Server writes accounting events to the accounting log file. If an event recorded in the accounting log file does not have data for every attribute, a comma placeholder marks the empty entry so that all entries remain correctly aligned with their headings. For example, based on the first line of headings described above, the following is a valid accounting log entry in which the value of the Acct-Status-Type attribute is 7:

   12/23/1997,12:11:55,RRAS,Accounting-On,,,,,,,,,,,,

(The fields after Accounting-On are all empty comma placeholders.)

Standard RADIUS Accounting Attributes

Table 16 lists the standard RADIUS accounting attributes defined in RFC 2866, RADIUS Accounting.

Table 16: Standard RADIUS Accounting Attributes
User-Name: The name of the user, as received by the client.
NAS-Port: The port number on the client device.
Acct-Status-Type: A number that indicates the beginning or ending of the user service: 1 Start, 2 Stop, 3 Interim-Acct, 7 Accounting-On, 8 Accounting-Off.
Acct-Delay-Time: Indicates how many seconds the client has been trying to send this record, which can be subtracted from the time of arrival on the server to find the approximate time of the event generating this request.
Acct-Input-Octets: Number of octets (bytes) received by the port over the connection; presen
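The log layout described above (one heading line, one field per heading, an empty field where the event carried no value, and Acct-Delay-Time to be subtracted from the arrival time) is enough to write a parser that keeps fields aligned and refuses rows that would misalign. The code below is an added example for this page, not the product's own code or log format specification: the heading order, the attribute subset, and the three sample entries are constructed for illustration; only the Acct-Status-Type codes and the Acct-Delay-Time arithmetic come from the text and RFC 2866.

```python
"""Parser for comma-separated RADIUS accounting log entries.

Added example, not the product's own code. The guide describes the layout: a
heading line names the attribute columns and every entry has one field per
heading, with an empty field (comma placeholder) where the event carried no
value. The heading order and the sample lines below are constructed for the
example; the Acct-Status-Type codes are those of RFC 2866.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List, Optional

ACCT_STATUS_TYPE = {1: "Start", 2: "Stop", 3: "Interim-Acct",
                    7: "Accounting-On", 8: "Accounting-Off"}

# Constructed sample log: heading line first, then three entries. The first
# entry is an Accounting-On with every other field left as a placeholder.
SAMPLE_LOG = """\
Date,Time,RAS-Client,Acct-Status-Type,User-Name,NAS-Port,Acct-Delay-Time,Acct-Input-Octets,Acct-Output-Octets,Acct-Session-Id
12/23/1997,12:11:55,RRAS,Accounting-On,,,,,,
12/23/1997,12:12:10,RRAS,1,alice,3,0,,,0000A1B2
12/23/1997,12:42:10,RRAS,2,alice,3,5,1048576,20480,0000A1B2
"""

Record = Dict[str, Optional[str]]


def parse_accounting_log(text: str) -> List[Record]:
    """Map each entry onto the heading line; empty placeholders become None.

    A row whose field count differs from the heading is reported rather than
    silently realigned, since realignment would attribute values to the wrong
    attribute.
    """
    reader = csv.reader(StringIO(text))
    headings = next(reader)
    records: List[Record] = []
    for lineno, row in enumerate(reader, start=2):
        if not row:
            continue
        if len(row) != len(headings):
            raise ValueError(f"line {lineno}: {len(row)} fields, expected {len(headings)}")
        records.append({h: (v if v != "" else None) for h, v in zip(headings, row)})
    return records


def status_type_name(value: Optional[str]) -> Optional[str]:
    """Accept the numeric Acct-Status-Type code or the name the server may write."""
    if value is None:
        return None
    if value.isdigit():
        return ACCT_STATUS_TYPE.get(int(value), f"Unknown({value})")
    return value


def event_time(record: Record) -> datetime:
    """Approximate event time: arrival time minus Acct-Delay-Time seconds."""
    arrived = datetime.strptime(f"{record['Date']} {record['Time']}", "%m/%d/%Y %H:%M:%S")
    delay = int(record.get("Acct-Delay-Time") or 0)
    return arrived - timedelta(seconds=delay)


def session_totals(records: List[Record]) -> Dict[str, Dict[str, int]]:
    """Input/output octets per Acct-Session-Id, taken from Stop records only."""
    totals: Dict[str, Dict[str, int]] = {}
    for r in records:
        if status_type_name(r["Acct-Status-Type"]) != "Stop":
            continue
        totals[r["Acct-Session-Id"]] = {
            "in": int(r["Acct-Input-Octets"] or 0),
            "out": int(r["Acct-Output-Octets"] or 0),
        }
    return totals
```

Rejecting rows with the wrong field count matters more than it looks: an extra or missing comma shifts every later value under the wrong heading, and the shifted fields still parse as plausible strings.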
44. RSA RADIUS server and the RSA Authentication Manager can reside on the same network host or on different network hosts.

[Figure 1: RSA RADIUS Authentication. Participants: access client, RAS, RSA RADIUS Server, RSA Authentication Manager. Steps: 1 Connection Request / Connection Notification; 2 TTLS/PAP Tunnel Negotiation, then TTLS/PAP Tunnel; 3, 4, 5 User ID and Passcode forwarded hop by hop; 6a Passcode Accepted (Profile Name), 7a Access-Accept (Attributes), 8a Connection Accepted; 6b Passcode Rejected, 7b Access-Reject, 8b Connection Refused.]

1. A RADIUS access client, who could be a dial-in user, a mobile user with wireless network access, or someone working at a remote office, sends an authentication request to a remote access server (RAS), which might be a wireless Access Point, an ISDN bridge, or a modem pool.
   NOTE: The terms remote access server (RAS) and network access server (NAS) are interchangeable. This manual uses RAS, though some attribute names and parameters retain the older NAS in their names.
2. When the RAS receives a user's connection request, it performs an initial access negotiation with the user to establish connection information. It forwards this information to the RSA RADIUS server, which uses the information to create a tunnel between itself and the access client. The RSA RADIUS server sends a request for the user
45. S Server has more than one network interface, you can enter as many as four IP addresses separated by commas. Use only when installing a Replica RADIUS Server. Do not use the -primary_ips option if you are specifying the -reppkg option.
-primary_secret: Specifies the CCM shared secret used to authenticate communications between the Primary RADIUS Server and Replica RADIUS Servers. Do not use the -primary_secret option if you are specifying the -reppkg option.

Table 5: Command Options for the install_rsa.sh Command (continued)
Option: Function
-reppkg: Specifies the path to the replica.ccmpkg configuration file. Use only when installing a Replica RADIUS Server. Do not use the -reppkg option if you are specifying the -primary, -primary_ips, and -primary_secret options. Default value is /opt.
-silent: Specifies that, if all required information is supplied through command options, the installer does not display user prompts. If you use the -silent option and a required setting is missing, the installer prompts you for the missing setting. If you specify other command options and values and you do not specify the -silent option, the installer uses the values you specified as defaults and prompts you to confirm or override them.
-start_sbr: Specifies that the installer should start the RADIUS daemon at the conclusion of the installation process.
usa
46. Server ... 18

Contents
Chapter 2: Installing the RSA RADIUS Server
  Before You Begin ... 19
    Required Files ... 19
    Data Migration Registration ... 19
  Installing on Windows ... 20
    System Requirements ... 20
    Installing the RSA RADIUS Server ... 21
    Uninstalling the RSA RADIUS Server Software ... 22
  Installing on Solaris ... 23
    System Requirements ... 23
    Installer Syntax ... 23
    Installing the RSA RADIUS Server Software ... 25
    Stopping and Starting the RADIUS Daemon ... 27
    Uninstalling the RSA RADIUS Server Software ... 27
    Migration Log File ... 28
  Installing on Linux ...
47. TER without entering anything at the following prompt, the system uses the indicated default value (/opt):
   Enter install path [/opt]:
Angle brackets (< >) enclose a list from which you must choose an item in format and syntax descriptions. A vertical bar (|) separates items in a list of choices. In the following example, you must specify add or replace, but not both:
   AttributeName <add|replace> Attribute Attribute

Related Documentation

The following documents supplement the information in this manual.

RSA RADIUS Server Documentation: The RSA RADIUS Server 6.1 Reference Guide describes configuration options for the RSA RADIUS Server software.

Vendor Information: You can consult the online Vendor Information file for information about using RSA RADIUS Server with different remote access servers and firewalls. To access this file:
1. Start the RSA RADIUS Administrator application.
2. Choose Web > NAS Vendor Information.
You can access the same information by clicking the Web Info button on the Add RADIUS Client or Edit RADIUS Client window.

Requests for Comments (RFCs): The Internet Engineering Task Force (IETF) maintains an online repository of Requests for Comments (RFCs) at http://www.ietf.org/rfc.html
> RFC 2865, Remote Authentication Dial In User Service (RADIUS), C. Rigney, S. Willens, A. Rubens, W. Simpson, June 2000.
> RFC 2866
48. ...and is not a bug.
- RADIUS client information displayed after deletion: If you define a RADIUS client entry, send some accounting traffic to it, and then delete the entry, the output of ldapsearch queries continues to list the deleted RADIUS client, so that the per-RAS statistics add up to the total RAS statistics.

LDAP Command Examples
This section explains how to use the LDAP commands ldapdelete, ldapmodify, and ldapsearch to configure the server. Each example describes the LDAP command-line options in detail. Note that a space must appear between each LDAP command option (for example, -p) and its value (for example, 354). Command syntax is case-sensitive.

Searching for Records
You can use the ldapsearch command to dump information out of the LDAP tree. The following ldapsearch command dumps out information about all RADIUS clients:

ldapsearch -V 2 -p 354 -D cn=oper,o=radius -w radadmin -s sub -T -b radiusclass=Client,o=radius radiusname

Table 17 Searching for Records Using the ldapsearch Command
ldapsearch Option: Meaning
-V 2: LDAP Version 2 is used to communicate with the server. NOTE: This option is not required, but specifying it improves the performance of the transaction.
-p 354: TCP port 354 is used to communicate with the LDAP interface of the server. NOTE: This option is not required, but specifying it i...
49. ...ansport Layer Security.
IEEE: Institute of Electrical and Electronics Engineers, Inc.
IETF: Internet Engineering Task Force. Technical subdivision of the Internet Architecture Board that coordinates the development of Internet standards.
MIB: Management Information Base.
NAS: Network Access Server. Network device that accepts connection requests from remote users, authenticates users through RADIUS, and routes users onto the network. Identical in meaning to RAS.
New PIN mode: Status assigned to a user's token when its PIN has been compromised or when the authorized user has forgotten the PIN. If the administrator clears the PIN, the old PIN can no longer be used for authentication, and the next authentication attempt with the token initiates the New PIN procedure. If the administrator does not clear the PIN, the old PIN can be used one more time.
Next Tokencode mode: Status assigned to a user's token if the token has drifted out of sync with the RSA Authentication Manager's system clock or if there has been a series of unsuccessful authentication attempts. Requiring that the user enter two consecutive tokencodes ensures that the user has possession of the token.
node secret: Symmetric key used to encrypt communication between RSA RADIUS Server and RSA Authentication Manager.
PAP: Password A...
Further glossary terms: passcode, PEAP, PIN, Primary RADIUS Server, profile, RADIUS.
50. ...that is running the RSA Authentication Manager software (local installation), the installer copies the radius.cer, server.cer, radius.key, and sdconf.rec files automatically.
7. Specify the number of the TCP port used to administer RSA RADIUS Server. The default port number is 1813.
   Enter RSA administration port [1813]:
8. Specify whether you are installing a Primary or Replica RADIUS Server.
   Enter RADIUS identity (REPLICA or PRIMARY) [PRIMARY]:
9. If you are installing a Replica RADIUS Server, specify whether a configuration package generated by the Primary RADIUS Server is available.
   Is replica.ccmpkg file present (y/n)? [n]
   If you enter y, you are prompted to specify the path to the replica.ccmpkg file.
   Enter path to replica.ccmpkg [/opt/rsa]:
10. If you are installing a Replica RADIUS Server and a configuration package is not available, specify the name of the Primary RADIUS Server.
   Enter primary host name:
11. If you are installing a Replica RADIUS Server and a configuration package is not available, specify the IP address or addresses of the Primary RADIUS Server. If the Primary RADIUS Server has more than one network interface (multi-homed), you can enter as many as four IP addresses, separating addresses with commas.
   Enter primary host IP address list (max 4, comma separated):
12. Specify the host secret used to authenticate communication between the Primary R...
51. ...client in the IP Address field. If you enter a DNS name, the RSA RADIUS Administrator resolves the name you enter to its corresponding IP address and displays the result in the IP Address field.
Enter the RADIUS authentication shared secret for the RADIUS client in the Shared secret field. For privacy, asterisks are echoed as you type. You can choose Unmask shared secret to display the characters in the shared secret. After you complete configuration of the RADIUS authentication secret on the server side, you must enter the same RADIUS authentication secret when you configure the RADIUS client.
Use the Make/model list to choose the make and model of your RADIUS client device. The Make/model selection tells RSA RADIUS Server which dictionary of RADIUS attributes to use when communicating with this client. If you are not sure which make and model you are using, or if your device is not in the list, choose Standard Radius.
NOTE: For information about the various brands of RAS device supported by RSA RADIUS Server, click the Web Info button.
If you want the RADIUS client to use different RADIUS secrets for authentication and accounting:
a. Click the Use different shared secret for accounting checkbox.
b. Click the Edit button.
c. When the Accounting Shared Secret window (Figure 14) opens, enter the RADIUS secret you want the RADIUS client to use for accounting.
[Figure 14: Accounting Shared Secret window, with a Shared Secret field and an Unmask checkbox]
52. ...culated for each of these counter statistics:
- Current rate statistics identify the rate measured over the most recent rate interval. The seconds-per-interval value identifies the number of seconds in the interval over which the rate statistics are gathered.
- Average rate statistics identify the rate measured since startup or the most recent statistics reset command.
- Peak rate statistics identify the highest rate observed since startup or the most recent statistics reset command.
To read rate statistics from the LCI, you must set stattype=rate. This results in output such as the following:

rate statistics
seconds per interval: 1
auth request current rate: 0
auth request average rate: 0
auth request peak rate: 7
auth accept current rate: 0
auth accept average rate: 0
auth accept peak rate: 1
auth reject current rate: 0
auth reject average rate: 0
auth reject peak rate: 0
acct start current rate: 0
acct start average rate: 0
acct start peak rate: 0
acct stop current rate: 0
acct stop average rate: 0
acct stop peak rate: 0

Glossary
Terms: 802.1X, AAA, accounting, AP, attribute, authentication, authentication server, authorization, AVP.
802.1X: The IEEE 802.1X standard defines a mechanism that allows a supplicant (client) to connect to a w...
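Rate statistics of this kind can be reproduced from periodic samples of the cumulative counters. The Python below is an added example, not part of this guide or of the RSA RADIUS Server software; it tracks the current, average and peak rate of a counter the way the three definitions above describe, including the effect of a statistics reset, and flags counters whose current rate reaches a threshold. The counter series and threshold values are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class RateStats:
    """One row of rate statistics for a counter, in events per second."""
    seconds_per_interval: float
    current: float   # rate over the most recent interval
    average: float   # rate since startup or the last reset
    peak: float      # highest interval rate seen since startup or the last reset


class CounterRateTracker:
    """Derive current / average / peak rates from a monotonically increasing counter."""

    def __init__(self, seconds_per_interval=1.0):
        self.interval = float(seconds_per_interval)
        self._base_time = self._last_time = None
        self._base_count = self._last_count = 0
        self._current = self._peak = 0.0

    def sample(self, now, count):
        """Record the counter value 'count' observed at time 'now' (one call per interval)."""
        if self._last_time is None:
            self._base_time = self._last_time = now
            self._base_count = self._last_count = count
            return
        if now <= self._last_time or count < self._last_count:
            raise ValueError("samples must increase in time and the counter must not go backwards")
        self._current = (count - self._last_count) / (now - self._last_time)
        self._peak = max(self._peak, self._current)
        self._last_time, self._last_count = now, count

    def reset(self):
        """Statistics reset: average and peak restart from the most recent sample."""
        self._base_time, self._base_count = self._last_time, self._last_count
        self._current = self._peak = 0.0

    def stats(self):
        elapsed = 0.0 if self._last_time is None else self._last_time - self._base_time
        average = (self._last_count - self._base_count) / elapsed if elapsed > 0 else 0.0
        return RateStats(self.interval, self._current, average, self._peak)


# Constructed samples: (seconds since startup, cumulative counter value), one per second.
SAMPLES = {
    "auth request": [(0, 0), (1, 2), (2, 5), (3, 12), (4, 12), (5, 14)],
    "auth reject":  [(0, 0), (1, 0), (2, 1), (3, 1), (4, 1), (5, 1)],
}


def rate_report(samples=SAMPLES, seconds_per_interval=1.0):
    """Build a RateStats row for every counter series."""
    report = {}
    for name, series in samples.items():
        tracker = CounterRateTracker(seconds_per_interval)
        for now, count in series:
            tracker.sample(now, count)
        report[name] = tracker.stats()
    return report


def counters_over_threshold(report, thresholds):
    """Names of counters whose current rate is at or above the constructed per-counter limit."""
    return sorted(name for name, limit in thresholds.items()
                  if name in report and report[name].current >= limit)


if __name__ == "__main__":
    for name, row in rate_report().items():
        print(f"{name}: current {row.current:.1f}, average {row.average:.1f}, peak {row.peak:.1f}")
```

A reject counter whose current rate jumps while the request rate stays flat is the pattern worth alerting on; the peak value survives a quiet interval, so it is the one to compare against a baseline after the fact.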
53. ...d by RSA Authentication Manager identifies a profile configured on RSA RADIUS Server, that profile specifies the return list attributes to send back to the RADIUS client as part of the Access-Accept message for that user. If RSA Authentication Manager does not return a profile name for a user, RSA RADIUS Server returns the attributes specified in the Default profile. You can use the Default profile to create a default set of return list attributes for users.

Setting Up Profiles
The Profiles panel (Figure 15) lets you define standard sets of checklist and return list attributes. You can then associate these profiles with users in the RSA Authentication Manager to simplify user administration.
[Figure 15: Profiles panel of RSA RADIUS Administrator (RSA RADIUS, powered by Steel-Belted Radius), showing the File, Panel, Web, and Help menus; the Refresh, Print, Add, Edit, Cut, Copy, Paste, and Delete toolbar buttons; the RADIUS Clients, Replication, and Statistics panels; and a Name column listing the profiles ADMINISTRATORS and HR]

Adding a Profile
To add a profile:
1. Open the Profiles panel.
2. Click the Add button on the RSA RADIUS Administrator toolbar. The Add Profile window (Figure 16) opens.
[Figure 16: Add Profile window, with Name and Description fields and an Attributes area with Checklist and Return list tabs, an Attribute column, and a Delete button]
3. Enter a name for the new profile in the Name field.
54. ...d secret you want to verify, and click the Edit button (or double-click the RADIUS client entry). The Edit RADIUS Client window opens. Enter the shared secret you think is assigned to the RADIUS client in the Shared secret field. Click the Validate button. If you entered the correct shared secret, the Validation Successful window opens. Click OK.

Deleting a RADIUS Client
To delete a RADIUS client:
1. Open the RADIUS Clients panel.
2. Select the RADIUS client entry you want to delete.
3. Click the Delete button on the RSA RADIUS Administrator toolbar.
4. When you are prompted to confirm the deletion request, click Yes.

Chapter 5 Administering Profiles
This chapter describes how to set up and administer user profiles.

About Profiles
RSA RADIUS Server lets you define default templates of checklist and return list attributes, called profiles. A profile provides specific attributes for one or both lists. You can define as many profiles as you require. Profiles provide a powerful means of managing and configuring accounts: to change attribute settings across many users immediately, edit the profile that you have assigned to these users.

Adding a Checklist or Return List Attribute for a Profile
A checklist attribute is an item of information that must acco...
55. ...derstand the RSA RADIUS Server accounting sequence, you need an overview of RADIUS accounting messages. Table 2 describes the conditions under which each type of message is issued and the purpose of any RADIUS attributes that a message contains.

Table 2 Message Conditions and Attributes
Message: Accounting-Request
  Conditions: Accounting data is sent from client to server using an Accounting-Request message. The client manufacturer decides which types of accounting requests are sent and under which conditions; this table describes the most typical conditions. The client ensures that the server receives accounting requests: most clients retry periodically until the server responds.
  Purpose of message attributes: Depending on the value of the Acct-Status-Type attribute, the message type is considered to be Start, Stop, Interim-Acct, Accounting-On, or Accounting-Off.
Message: Start
  Conditions: After receiving an Access-Accept from the server, the RAS completes its access negotiation with the user. The RAS then sends a Start message to the server.
  Purpose of message attributes: Record connection data such as user ID, RAS identifier, RAS port identifier, port type, and connection start time.
Message: Stop
  Conditions: After a connection is terminated, the RAS sends a Stop message to the server.
  Purpose of message attributes: Record statistics regarding the connection...
56. ...dius
objectclass: top
objectclass: radiusstatus
radiusstatus: statistics
stattype: server
start time: 2002-05-08 13:29:08
up time: 26188
ip address: 192.168.21.142
version: v2.20.33
authentication threads: 0
accounting threads: 0
total threads: 0
max auth threads: 100
max acct threads: 100
max total threads: 200
high auth threads: 2
high acct threads: 0
high total threads: 2

stattype authentication
dn: stattype=authentication,radiusstatus=statistics,o=radius
objectclass: top
objectclass: radiusstatus
radiusstatus: statistics
stattype: authentication
accept: 1
reject: 0
silent discard: 0
total transactions: 8
invalid request: 0
failed authentication: 0
failed on check list: 0
insufficient resources: 0
transactions retried: 0
total retry packets: 0

stattype accounting
dn: stattype=accounting,radiusstatus=statistics,o=radius
objectclass: top
objectclass: radiusstatus
radiusstatus: statistics
stattype: accounting
start: 0
stop: 0
on: 0
off: 0
total transactions: 0
invalid request: 0
invalid client: 0
invalid shared secret: 0
insufficient resources: 0
transactions retried: 0
total retry packets: 0

Rate Statistics
Rate statistics are derived from other statistics by taking time into consideration. Three types of rate values are cal...
57. ...e button to locate the directory containing the sdconf.rec, radius.cer, server.cer, and radius.key files on your network.
9. When the Primary RSA RADIUS Server window opens, specify the replication secret used to authenticate communications between the Primary RADIUS Server and Replica RADIUS Servers in the Primary Shared Secret field. If you are upgrading from a previous release of the RSA Authentication Manager software and you want to import your profile information into RSA RADIUS Server, click the Migrate RSA RADIUS database checkbox.
10. When the Start Service window opens, click the Yes, start the RSA RADIUS service checkbox if you want your computer to run the RADIUS service at the end of the installation sequence. Click Next to continue.
11. When the Ready to Install the Program window opens, click Install to begin the installation of the RSA RADIUS Server software.
12. When installation is completed, the InstallShield Wizard Completed window opens. Click Finish.
After you finish installing the RSA RADIUS Server software, run the RSA Authentication Manager application and launch the RSA RADIUS Administrator application to verify that it can communicate with the RADIUS server.
NOTE: After you install the RSA RADIUS Server software, you may need to modify the server configuration files. For more information, refer to the RSA RADIUS Server 6.1 Reference Guide.

Uninstalling the RSA RADIUS Server Software
To uninstall the RSA...
58. ...e of a first line shows required headings in bold italic, standard RADIUS headings in bold, and vendor-specific headings in regular text:

Date, Time, RAS-Client, Record-Type, Full-Name, Auth-Type, User-Name, NAS-Port, Acct-Status-Type, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id, Acct-Authentic, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Termination-Cause, Acct-Multi-Session-Id, Acct-Link-Count, Acc-Err-Message, Nautica-Acct-SessionId, Nautica-Acct-Direction, Nautica-Acct-CauseProtocol, Nautica-Acct-CauseSource, Telebit-Accounting-Info, Last-Number-Dialed-Out, Last-Number-Dialed-In-DNIS, Last-Callers-Number-ANI, Channel, Event-Id, Event-Date-Time, Call-Start-Date-Time, Call-End-Date-Time, Default-DTE-Data-Rate, Initial-Rx-Link-Data-Rate, Final-Rx-Link-Data-Rate, Initial-Tx-Link-Data-Rate, Final-Tx-Link-Data-Rate, Sync-Async-Mode, Originate-Answer-Mode, Modulation-Type, Equalization-Type, Fallback-Enabled, Characters-Sent, Characters-Received, Blocks-Sent, Blocks-Received, Blocks-Resent, Retrains-Requested, Retrains-Granted, Line-Reversals, Number-Of-Characters-Lost, Number-of-Blers, Number-of-Link-Timeouts, Number-of-Fallbacks, Number-of-Upshifts, Number-of-Link-NAKs, Back-Channel-Data-Rate, Simplified-MNP-Levels, Simplified-V42bis-Usage, PW_VPN_ID

Comma Placeholders
59. ...ecify that the access client must use a specific IP address or be connected to a specific VLAN on the network. If the RSA RADIUS server receives a message indicating the passcode is rejected, it forwards a RADIUS Access-Reject message to the RAS.
7b. NOTE: If the user requesting the network connection is in New PIN mode or New Token mode (not shown), the RSA Authentication Manager sends a message asking for more information, which the RSA RADIUS server forwards to the user. When the user responds with values the RSA RADIUS server can accept, the authentication sequence continues.
8. Depending on what information the RAS receives from the RSA RADIUS server, the RAS accepts and configures the user connection or rejects the user connection.
9. Based on the information it receives from the RSA RADIUS server, the RAS grants or denies the connection request. After the user is authenticated and the connection established, the RAS might forward accounting data to the RSA RADIUS server to document the transaction; the RSA RADIUS server can store or forward this data to support billing for services provided during the network connection.

RADIUS Packets
A RADIUS client and a RADIUS server communicate by means of RADIUS packets. RADIUS packets carry messages between the RADIUS client and RADIUS server in a series of request and response transactions: the client sends a request and expects a response from the server. If the response does not arrive, t...
60. ...ed between a Primary RADIUS server and one or more Replica RADIUS servers in a multi-server environment.
certificate: A digital file, signed by a CA, that guarantees the binding between an identity and the contents of the certificate.
CHAP: Challenge Handshake Authentication Protocol.
checklist attribute: An attribute that must be sent from a RAS to a RADIUS server as part of an authentication request. If a required checklist attribute is not present, the RADIUS server returns an Access-Reject message to the RAS.
Data that is verified when presented to an authenticator, such as a password or a digital certificate.
CRL: Certificate Revocation List. A data structure that identifies the digital certificates that have been invalidated by the certificates' issuing CA prior to their expiration date.
dictionary: Text file that stores the lists of RADIUS attributes used to parse authentication and accounting requests and generate responses.
DHCP: Dynamic Host Configuration Protocol. Protocol by which a server automatically assigns (leases) a network address to a client, temporarily or permanently.
DNIS: Dialed number identification service. A telephone service that identifies what number was dialed by a caller.
DNS: Domain Name Service.
EAP: Extensible Authentication Protocol. An IETF standard authentication protocol for network access that acts as a transport for multiple authentication methods or types. Defined by RFC 2284.
Authentication method that uses EAP (Extensible Authentication Protocol) and TTLS (Tunneled Tr...
61. ...ed in an Access-Reject response since the last time authentication statistics were reset. These are detailed in the Reject Details fields.

Table 13 Authentication Statistics (continued)
Silent Discards: The number of requests in which the client could not be identified since the last time authentication statistics were reset. This might occur if a RADIUS client entry cannot be found for a device with the name and/or IP address of a device requesting authentication services.
Total Transactions: The sum of the accept, reject, and silent discard totals since the last time authentication statistics were reset.
Reject Details
Dropped Packet: The number of RADIUS authentication packets dropped by RSA RADIUS Server because the server was flooded with more packets than it could handle.
Invalid Request: The number of invalid RADIUS requests made. A RADIUS client is sending incorrectly formed packets to RSA RADIUS Server; either the RADIUS client is misconfigured or the RADIUS client does not conform to the RADIUS standard.
Failed Authentication: The number of failed authentication requests where the failure is due to an invalid user ID or password. If all transactions are failing authentication, the shared secret configured on the RSA RADIUS Server does not match the shared secret configured on the RADIUS client.
Failed on Checklist
Insufficient Resources
62. ...erver service as a host agent. Communication between RSA RADIUS Server and RSA Authentication Manager uses specific UDP ports, which are configured during installation. To prevent masquerading by unauthorized hosts, you configure RSA Authentication Manager with the IP addresses of each RSA RADIUS Server host. Before RSA Authentication Manager accepts an authentication request, it verifies that the source address contained in the request matches an authorized host agent.

RADIUS Ports
The RADIUS standard initially used UDP ports 1645 and 1646 for RADIUS authentication and accounting packets. The RADIUS standards group later changed the port assignments to 1812 and 1813, but many organizations continue using the old 1645 and 1646 port numbers for RADIUS. Any two devices that exchange RADIUS packets must use compatible UDP port numbers. If you are configuring a RAS to exchange authentication packets with a RADIUS server, you must find out which port the server uses to receive authentication packets from its clients (1812, for example). You must then configure the RAS to send authentication packets on the same port (1812). The same is true for RADIUS accounting.
RSA RADIUS Server can listen on multiple ports. For compatibility, the server listens to the old and new default RADIUS ports: ports 1645 and 1812 for authentication and ports 1646 and 1813 for accounting.

Authentication
Table 1 describes the conditions under which each type of R...
63. ...erver 6.1 Administrator's Guide, Administering RADIUS Servers

Designating a New Primary RADIUS Server
You can change which server within a realm is designated as the Primary RADIUS Server for that realm. To designate a new Primary RADIUS Server:
1. Stop the RADIUS service/daemon on the Replica RADIUS Server.
2. Log into the Replica RADIUS Server as root (Solaris/Linux) or administrator (Windows).
3. Navigate to the RSA Radius Service (Windows) or /opt/rsa/radius (Solaris/Linux) directory.
4. Run the rsainstalltool (Windows) or rsaconfiguretool (Solaris/Linux) utility with the promote option:
   rsaconfiguretool promote
   The utility creates a configuration package to change this server to the Primary server.
5. Restart the updated Replica RADIUS Server to make it the new Primary RADIUS Server.
6. Publish a new configuration package administratively to configure all Replica RADIUS Servers to use the new Primary RADIUS Server.
After you designate a new Primary RADIUS Server for a realm, you can configure the old Primary RADIUS Server as a Replica RADIUS Server by downloading a configuration package published by the new Primary RADIUS Server.
NOTE: If your old Primary RADIUS Server used aliases to handle authentication requests, you must configure aliases on the new Primary RADIUS Server after you promote it, and you must define an alias on the corresponding Agent Host record in the RSA Authentication Manager (Agent Host > Edit A...
64. ... 1
RSA RADIUS Server Overview 2
RADIUS Packets 4
RADIUS Configuration 5
Shared Secrets 6
RADIUS Ports 8
Authentication 8
Accounting 9
Accounting Sequence 10
Attributes 12
... 12
... 13
Attribute Values 14
Default Values 15
Centralized Configuration Management 16
Replacing a Replica RADIUS Server 17
Designating a New Primary RADIUS Server 17
Recovering a Replica After a Failed Download 18
Changing the Name or IP Address of a
65. ...ess of the client device.
- The authentication shared secret used by RSA RADIUS Server and the client device. For information on RADIUS shared secrets, see Shared Secrets on page 6.
- The make and model of the client device, selected from a list of devices that RSA RADIUS Server supports. If a specific make and model is not listed, choose Standard Radius.

RADIUS Client Configuration
You must configure each RADIUS client to contact its RADIUS server. To configure a client to work with an RSA RADIUS Server, log on to the client device, run its administration program, and enter the following information:
- The IP address of the RSA RADIUS Server.
- The RADIUS shared secret to be used by the RSA RADIUS Server and the client device. For information on RADIUS shared secrets, see Shared Secrets on page 6.
- The UDP ports on which to send and receive RADIUS authentication and accounting packets. RSA RADIUS Server uses UDP ports 1645 and 1812 for authentication and UDP ports 1646 and 1813 for accounting. For more information, see RADIUS Ports on page 8.

Shared Secrets
A shared secret is a text string that serves as a password between hosts. RSA RADIUS Server uses three types of shared secrets:
- RADIUS secret: Used to authenticate communication between a RADIUS server and a RADIUS client.
- Replication secret: Used to aut...
66. ...eturn to the RAS after authentication succeeds. The return list usually provides additional parameters that the RAS needs to complete the connection, typically as part of PPP negotiations. Return list attributes can be authorization configuration parameters. By including appropriate attributes in the return list, you can create a variety of connection policies: specific users can be assigned particular IP addresses or IPX network numbers, IP header compression can be turned on or off, or a time limit can be assigned to the connection.
You create a return list by choosing attributes from a list of all RADIUS attributes known to the RSA RADIUS Server. This list can include a variety of vendor-specific attributes. During authentication, RSA RADIUS Server filters the return list based on the dictionary for the specific RADIUS client that sent the authentication request. The server omits any return list attribute that is not valid for this device.

Attribute Values
The value of each RADIUS attribute has a well-defined data type: numeric, string, IP or IPX address, time, or hexadecimal. For example, Callback-Number is of type string and contains a telephone number. RAS-Port-Type is an item from a list and can be Sync, Async, and so forth.

Multi-Valued Attributes
Attributes can be single- or multi-valued. Single-valued attributes appear at most once in the checklist or return list; multi-valued attributes might appear several times. If a...
67. ...face.

RSA RADIUS Administrator Menus
The main RSA RADIUS Administrator window has four menus: File, Panel, Web, and Help.

File Menu
Table 8 describes the functions of each entry in the File menu in the RSA RADIUS Administrator.
Table 8 File Menu Options
License: Opens the Add a License for Server window, which lets you add a license string for your RSA RADIUS Server software. For more information, see Adding a License Key on page 43.
Page Setup: Opens the Page Setup window, which lets you configure your printer settings.
Print: Prints the information in the active window. When you print the information in a panel, RSA RADIUS Administrator preserves the column spacing used on screen. If a table is wider than the printed page, pages are printed in a matrix, with pages numbered to indicate columns and rows (1-1, 1-2, 2-1, 2-2) in the matrix.
Exit: Exits the RSA RADIUS Server application.

Panel Menu
Table 9 describes the functions of each entry in the Panel menu in the RSA RADIUS Administrator.
Table 9 Panel Menu Options
RADIUS Clients: Displays the RADIUS Clients panel in the RSA RADIUS Administrator window. For more information, see Chapter 4, Administering RADIUS Clients.
68. ...ge.
help (h): Displays help for the install_rsa.sh command.

Installing the RSA RADIUS Server Software
The following procedure describes how to install the RSA RADIUS Server software on a Solaris server. Some of the steps in the procedure are omitted if you specify the silent option for the install_rsa.sh command.
1. Log into the Solaris server as root.
2. Copy the RSA RADIUS Server installation files (RSARadius.pkg and install_rsa.sh) to the Solaris server. The RSARadius.pkg and install_rsa.sh files must reside in the same directory on the server.
3. Change your current working directory to the location of the installation files you copied in Step 2.
4. Execute the following command to run the installation script:
   install_rsa.sh [options]
   See Table 5 on page 23 for an explanation of the install_rsa.sh command options.
5. Specify the directory where you want to install the RSA RADIUS Server files. By default, the installation script puts the rsa/radius directory files in the /opt directory, that is, /opt/rsa/radius.
   Enter install path [/opt]:
6. If you are installing the RSA RADIUS Server software on a host that is not running the RSA Authentication Manager software (remote installation), specify the location of the radius.cer, server.cer, radius.key, and sdconf.rec files.
   Enter path to RSA files [/export/home/opt/rsa]:
   If you are insta...
69. ...gent Host > RADIUS Configuration).

Recovering a Replica After a Failed Download
If a Replica RADIUS Server fails during the download of a configuration package, its configuration may be corrupted or it may have a stale secret. To recover after a failed download:
1. Stop the RSA RADIUS service/daemon on the Replica RADIUS Server.
2. Log into the Replica RADIUS Server as root (Solaris/Linux) or administrator (Windows).
3. Navigate to the RSA Radius Service (Windows) or /opt/rsa/radius (Solaris/Linux) directory.
4. Run the rsainstalltool (Windows) or rsaconfiguretool (Solaris/Linux) utility with the identity option and information on where to download configuration information.
   To obtain configuration from a configuration package, issue the following command:
   rsaconfiguretool identity REPLICA reppkg pathname
   where pathname specifies the path to a replica.ccmpkg package.
   To obtain configuration from the Primary RADIUS Server for the realm, issue the following command:
   rsaconfiguretool identity REPLICA primary name address secret
   where name specifies the DNS name of the Primary RADIUS Server, address specifies the IP address of the Primary RADIUS Server, and secret specifies the shared secret used to authenticate configuration downloads.
5. Restart the updated Replica RADIUS Server so that it can load its new configuration. After the Replica RADIUS Server is restarted, it...
70. ...> high total threads <number>
high acct threads since reset <number>
high auth threads since reset <number>
high total threads since reset <number>

Available Attributes (stattype=accounting)
start <number>
stop <number>
interim <number>
on <number>
off <number>
total transactions <number>
invalid request <number>
invalid client <number>
invalid shared secret <number>
insufficient resources <number>
transactions retried <number>
total retry packets <number>

Available Attributes (stattype=rate)
rate statistics
seconds per interval <number>
auth request current rate <number>
auth request average rate <number>
auth request peak rate <number>
auth accept current rate <number>
auth accept average rate <number>
auth accept peak rate <number>
auth reject current rate <number>
auth reject average rate <number>
auth reject peak rate <number>
acct start current rate <number>
acct start average rate <number>
acct start peak rate <number>
acct stop current rate <number>
acct stop average rate <number>
acct stop peak rate <number>

Available Attributes (stattype=authentication)
accept <number>
reject <number>
silent discard <number>
total transactions <number>
invalid request <number>
failed authentication <number>
failed on check list
71. he client can retry the request periodically.

Each RADIUS packet supports a specific purpose: authentication or accounting. A packet can contain values called attributes. The attributes found in each packet depend upon the type of packet (authentication or accounting) and the device that sent it, for example the specific make and model of the RAS device acting as a RADIUS client. For information on RADIUS authentication packet structures and attributes, see RFC 2865, Remote Authentication Dial In User Service (RADIUS). For information on RADIUS accounting packet structures and attributes, see RFC 2866, RADIUS Accounting.

RADIUS Configuration

You must configure a RADIUS client and a RADIUS server before they can communicate. If the client and server are on the same network, one administrator might be able to configure both sides of the RADIUS communication. If the client and server are on different networks, you might have to coordinate RADIUS configuration details with the administrators of other networks.

RADIUS Server Configuration

You must configure how a RADIUS server responds to each of its clients. To configure the RSA RADIUS Server, run the RSA RADIUS Administrator (described in Running RSA RADIUS Administrator on page 35), open the RADIUS Clients panel (described in RADIUS Clients Panel on page 45) and enter the following information for each RADIUS client:

> The IP addr
72. henticate communication between a primary RADIUS server and a replica RADIUS server.

> Node secret: Used to authenticate communication between a RADIUS server and an RSA Authentication Manager server.

Figure 2 Shared Secrets (diagram: an Access Point, a Remote Access Server (RAS), an 802.1X-compatible switch and a Virtual Private Network each share a RADIUS secret with the Primary RADIUS Server; the Primary RADIUS Server shares a replication secret with each Replica RADIUS Server and a node secret with the RSA Authentication Manager server)

RADIUS Secret

A RADIUS shared secret is a case-sensitive password used to validate communications between a RADIUS server, such as RSA RADIUS Server, and a RADIUS client, such as an Access Point (AP) or Remote Access Server (RAS). RSA RADIUS Server supports shared secrets of up to 127 alphanumeric characters, including spaces and special characters such as < and >. Identical shared secrets must be configured on both sides of the RADIUS communication link.

NOTE: Not all RAS devices support shared secrets of up to 127 alphanumeric or special characters. You should select shared secrets that are fully supported by the RADIUS devices in your network. Within that limit, prefer long random secrets: the secret is the only thing that authenticates a RADIUS client to the server and it keys the hiding of User-Password attributes, so a short or guessable secret exposes every exchange with that client.

Most RADIUS clients allow you to configure different secrets for authentication and accounting. On the server side, the configuration interface allows you to create a list of known RADIUS clients (RAS devices). You
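The following is an added example, not code from the RSA RADIUS Server product or this guide. It shows concretely what the shared secret does on the wire, as defined in RFC 2865: the client hides User-Password with MD5(secret, authenticator) chains, and the server proves knowledge of the secret through the Response Authenticator of its Access-Accept, which the client verifies before trusting the response. The secret, Request Authenticator and attribute values are constructed for the example; the 127-character limit is the one stated above.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
USER_NAME = 1
USER_PASSWORD = 2


def check_secret(secret):
    """Enforce the documented server-side limit (1..127 octets); returns the secret unchanged."""
    if not 1 <= len(secret) <= 127:
        raise ValueError("shared secret must be 1..127 characters")
    return secret


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS attributes: 1-byte type, 1-byte length, value."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return bytes(out)


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret || previous hidden block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    prev = request_auth
    out = bytearray()
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(check_secret(secret) + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden, secret, request_auth):
    """Server side inverse of hide_password; a wrong secret yields garbage, not an error."""
    prev = request_auth
    out = bytearray()
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(check_secret(secret) + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(secret, ident, request_auth, username, password):
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + check_secret(secret)).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Server side: an Access-Accept/Reject whose authenticator proves knowledge of the secret."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret):
    """Client side: accept the response only if its authenticator matches this secret and the
    Request Authenticator of the outstanding request; a forged or replayed reply fails here."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

The Request Authenticator must be fresh and unpredictable for every request; reusing it lets an observer recover password blocks by XOR, which is why the secret's quality matters more than its length alone.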
73. icense key to an RSA RADIUS Server installation:

1. Start the RSA RADIUS Administrator application.
2. Choose File > License.
3. When the Add a License for Server window (Figure 10) opens, enter the license key and click OK. When the server displays a confirmation message, click OK.

Figure 10 Add a License for Server Window (field: License string; button: OK)

4. Restart your RSA RADIUS Server.

Exiting the RSA RADIUS Administrator

To close the RSA RADIUS Administrator, choose File > Exit. Closing the RSA RADIUS Administrator has no impact on the RSA RADIUS Server service or daemon.

Chapter 4 Administering RADIUS Clients

A RADIUS client is a network device or software application that interfaces with the RSA RADIUS Server when it needs to authenticate a user or to record accounting information about a network connection. This chapter describes how to set up RADIUS clients.

RADIUS Clients Panel

The RADIUS Clients panel (Figure 11) lets you identify the devices that you want to define as clients of the RSA RADIUS Server.

Figure 11 RADIUS Clients Panel (RSA RADIUS, Powered by Steel-Belted Radius; menus File, Panel, Web, Help; toolbar Refresh, Print, Add, Edit, Cut, Copy, Paste, Delete; panels RSA RADIUS Server Administration, Profiles, Replication, Statistics; sample entry WALPOLE, 192.168.25.32, Standard Radius)
74. iguration on the Primary RADIUS Server, and the Primary RADIUS Server propagates the new configuration to its Replica RADIUS Servers. For example, after a network administrator configures a new RADIUS client or profile on the Primary RADIUS Server, the network administrator tells the Primary RADIUS Server to publish a configuration package file (replica.ccmpkg) that contains the updated configuration information. After publication, the Primary RADIUS Server notifies each Replica RADIUS Server that a new configuration package is ready. Each Replica then downloads and installs the configuration package to update its settings.

The Primary RADIUS Server maintains a list of the Replica RADIUS Servers that have registered with it. The Primary RADIUS Server uses this list to track which servers to notify after it publishes an updated configuration package to resynchronize the configuration of Replica RADIUS Servers.

Figure 3 Primary and Replica RADIUS Servers (diagram: one Primary RADIUS Server distributing its configuration to RADIUS Replica 1, RADIUS Replica 2, ... RADIUS Replica 10)

Replacing a Replica RADIUS Server

To replace a failed Replica RADIUS Server, a network administrator shuts down the failed server, installs the RSA RADIUS Server software on a replacement server and enables the Replica RADIUS Server. The Replica RADIUS Server then downloads and installs its configuration package from the
75. in PDF format.

About: Displays the About RSA RADIUS Administrator window, which lists version information for the RSA RADIUS Administrator. For more information, see Displaying Version Information on page 43.

RSA RADIUS Administrator Toolbar

After you log on to the RSA RADIUS Server, you can use the toolbar (Figure 5) to manipulate RSA RADIUS Administrator objects. The buttons on the RSA RADIUS Administrator toolbar change when you change panels, to provide buttons appropriate for the current context.

Figure 5 RSA RADIUS Administrator Toolbar (RSA RADIUS, Powered by Steel-Belted Radius; menus File, Panel, Web, Help; buttons Refresh, Print, Add, Edit, Cut, Copy, Paste, Delete)

Table 12 RSA RADIUS Administrator Toolbar

Toolbar Button: Function
Refresh: Refreshes the displayed list of items in the RSA RADIUS Administrator window.
Print: Prints the contents of the active panel.
Add: Adds an object to the RSA RADIUS Server database.
Edit: Edits an existing object in the RSA RADIUS Server database. Active only when an object is selected in the active panel.
Cut: Deletes an existing object from the RSA RADIUS Server database and copies its information to the Clipboard. Active only when an object is selected in the active panel.
Copy: Copies settings for the selected object from the RSA RADIUS Server database to the Clipboard. Active only whe
76. in the server directory and use the filename extension .dct.

Make/Model Field

During RSA RADIUS Server configuration, when you make a selection in the RADIUS client Make/model field, you are telling the server which dictionary file contains the VSAs for this client device. Thereafter, whenever the server receives a RADIUS packet from this client device, it can consult this dictionary file for any nonstandard attributes that it encounters in the packet. Standard RADIUS attributes are always defined by the radius.dct file.

If you do not know the make/model for a RADIUS client, choose the default option, Standard Radius.

For the most part, the selections currently available in the Make/model field are devices whose vendors have provided up-to-date attribute dictionaries. Documentation for these vendors and their products is available online by clicking the Web info button on the RADIUS Clients panel (described on page 45).

Updating Attribute Information

If your RAS vendor announces a new product, a new attribute or a new value for an attribute, you can add this information to your RSA RADIUS Server configuration. You can edit the dictionary file for that vendor to add new attributes or attribute values, or you can create a new vendor-specific dictionary file that contains new attributes and values. For information on modifying vendor dictionary files, refer to the RSA RADIUS Server 6.1 Refe
77. information to accounting processes without exposing user identities to a RAS or AP that should not see them.

When tunneled accounting is enabled, RADIUS attributes are encrypted and encapsulated in a Class attribute. If the information for a Class attribute exceeds the attribute payload size (253 octets), RSA RADIUS Server returns more than one Class attribute for a user.

Tunneled accounting works as follows:

1. The RSA RADIUS Server, acting as the tunnel endpoint for EAP-TTLS or EAP-PEAP, encrypts a user's inner User-Name and Class attributes when it authenticates the user.
2. The server returns the encrypted information to the RAS or AP, encapsulated in a Class attribute in the outer Access-Accept message. The RAS or AP associates this encapsulated identity attribute with the user and echoes the encapsulated identity attribute whenever it generates an accounting request for the user.
3. When the RSA RADIUS Server receives an accounting request from a RAS or Access Point, the server scans the request for an encapsulated identity attribute.
4. If the server finds an encapsulated identity attribute, it decapsulates and decrypts the attributes to reconstitute the original inner User-Name and Class attributes.
5. The server substitutes the decrypted attributes for the ones returned from the RAS or AP.
6. The server processes the accounting request locally.

To implement tu
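The following is an added example illustrating the six steps above and the Tunneled Accounting introduction; it is not RSA RADIUS Server code, and the actual cipher and key handling that spi.ini configures are not described on this page. It uses an encrypt-then-MAC construction built from the Python standard library (an HMAC-SHA256 keystream plus an HMAC tag) as a stand-in for the product's encryption, splits the protected blob across as many Class attributes as the 253-octet limit requires, and on the accounting side reassembles, verifies and decrypts it before substituting the inner User-Name and Class for the outer ones. Keys, nonce and attribute values are constructed for the example.

```python
import hashlib
import hmac
import struct

USER_NAME = 1
CLASS = 25
MAX_VALUE = 253  # a RADIUS attribute length octet is at most 255, minus the 2-octet header


def encode_avps(avps):
    out = bytearray()
    for t, v in avps:
        if len(v) > MAX_VALUE:
            raise ValueError("attribute value exceeds 253 octets")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return bytes(out)


def decode_avps(buf):
    avps, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("malformed attribute length")
        avps.append((t, bytes(buf[i + 2:i + length])))
        i += length
    return avps


def _keystream(key, nonce, n):
    """Stand-in PRF stream: HMAC-SHA256(key, nonce || counter) blocks, truncated to n octets."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC; output is nonce || ciphertext || 16-octet tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unseal(enc_key, mac_key, blob):
    if len(blob) < 12 + 16:
        raise ValueError("identity blob too short")
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("identity blob failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encapsulate_identity(enc_key, mac_key, nonce, inner_user, inner_class):
    """Steps 1-2: protect the inner User-Name and Class, then split the blob so that no single
    Class attribute exceeds 253 octets. Returns the Class AVPs for the outer Access-Accept."""
    inner = encode_avps([(USER_NAME, inner_user), (CLASS, inner_class)])
    blob = seal(enc_key, mac_key, nonce, inner)
    return [(CLASS, blob[i:i + MAX_VALUE]) for i in range(0, len(blob), MAX_VALUE)]


def restore_identity(enc_key, mac_key, acct_avps):
    """Steps 3-5: reassemble the Class attributes the RAS echoed (in order), verify and decrypt
    them, and substitute the inner attributes for the outer User-Name and Class."""
    blob = b"".join(v for t, v in acct_avps if t == CLASS)
    inner = decode_avps(unseal(enc_key, mac_key, blob))
    kept = [(t, v) for t, v in acct_avps if t not in (USER_NAME, CLASS)]
    return inner + kept
```

Because the RAS only echoes the Class attributes, the integrity tag is what stops a client from substituting another user's identity blob into its accounting requests; a blob that fails verification is rejected rather than logged under the outer User-Name.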
78. 
   changetype: add

Once your editing is complete, run an ldapmodify -f command that references the new LDIF file. When the ldapmodify command finishes processing, your new database is populated with the records you extracted from the old database.

Deleting Records

You can use the ldapdelete command to remove records from the LDAP database. For example, to delete the entries named PROFILE1 through PROFILE5, you would create a file called deletexample.ldf:

   radiusname=PROFILE1,radiusclass=Profile,o=radius
   radiusname=PROFILE2,radiusclass=Profile,o=radius
   radiusname=PROFILE3,radiusclass=Profile,o=radius
   radiusname=PROFILE4,radiusclass=Profile,o=radius
   radiusname=PROFILE5,radiusclass=Profile,o=radius

You would then pass this file to the command as follows:

   ldapdelete -V2 -h hostname -p 667 -D "cn=admin,o=radius" -w password -f deletexample.ldf

Warning: Verify that the "dn:" prefixes that usually appear in LDIF entries are not part of the entries in this file. ldapdelete expects one bare distinguished name per line, and a "dn:" prefix causes the command to fail.

You can use ldapdelete to remove records from the LDAP database without supplying a file. For example, to delete the profile record identified as PROFILE1, you would enter the following:

   ldapdelete -V2 -h hostname -p 667 -D "cn=admin,o=radius" -w password "radiusname=PROFILE1,radiusclass=profile,o=radius"

You can delete records w
79. ireless access point or wired switch (authenticator) so that the supplicant can provide authentication credentials that can be verified by an authentication server.

AAA: Authentication, authorization and accounting.

Accounting: The process of recording and aggregating resource use statistics and log files for a user, connection session or function, for billing, system diagnosis and usage planning.

Access Point: A device that serves as a communication hub to connect 802.1X wireless clients to a wired network.

Attribute: RADIUS attributes carry the specific authentication, authorization and accounting

Authentication: The process of verifying the identity of a person or file system and whether the person is allowed on a protected network.

Authentication server: A back-end database server that verifies, from the credentials provided by an access client, whether the access client is authorized to use network resources.

Authorization: The process of controlling the network access, such as privileges or time limits, that the user can exercise on the protected network.

Attribute-value pair: An attribute and its corresponding value, for example User-Name=admin.

Certificate authority: A trusted entity that registers the digital identity of a site or individual and issues a digital certificate that guarantees the binding between the identity and the data items in a certificate.

Centralized configuration management: The process by which information is shar
80. irst six fields in every accounting log entry are provided by RSA RADIUS Server for your convenience in reading and sorting the file:

> Date: the date when the event occurred
> Time: the time when the event occurred
> RAS-Client: the name or IP address of the RADIUS client sending the accounting record
> Record-Type: START, STOP, INTERIM, ON or OFF, the standard RADIUS accounting packet types
> Full-Name: the fully distinguished name of the user, based on the authentication performed by the RADIUS server
> Auth-Type: a number that indicates the class of authentication performed

By default, the standard RADIUS attributes follow the Auth-Type identifier. See Standard RADIUS Accounting Attributes on page 79. You can include vendor-specific attributes if the device sending the accounting packet supports them. For more information on using vendor-specific attributes, refer to the RSA RADIUS Server 6.1 Reference Guide.

You can edit the account.ini initialization file to add, remove or reorder the standard RADIUS or vendor-specific attributes that are logged. For more information on the account.ini file, refer to the RSA RADIUS Server 6.1 Reference Guide.

First Line Headings

The first line of the accounting log file is a file header that lists the attributes that have been enabled for logging, in the order in which they are logged. The following exampl
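The following is an added example, not part of this guide, of reading the accounting log described above. The sample log is constructed: it uses the six server-supplied fields in the documented order, followed by three attributes assumed to have been enabled in account.ini (User-Name, Acct-Session-Id, NAS-Port-Type), with empty comma placeholders where a packet did not carry an attribute. The parser validates the header and record types, and the two queries show the kind of check an operator would run on the file: request counts per RAS client, and STOP records for sessions that never logged a START.

```python
import csv
import io
from collections import Counter

# Constructed sample of an RSA RADIUS accounting log. The header line names the six
# server-supplied fields, then the attributes assumed enabled in account.ini.
SAMPLE_LOG = """\
"Date","Time","RAS-Client","Record-Type","Full-Name","Auth-Type","User-Name","Acct-Session-Id","NAS-Port-Type"
"09/20/2005","08:15:02","WALPOLE","START","alice","1","alice","0000A1F2","Async"
"09/20/2005","08:15:40","WALPOLE","INTERIM","alice","1","alice","0000A1F2","Async"
"09/20/2005","08:47:11","WALPOLE","STOP","alice","1","alice","0000A1F2","Async"
"09/20/2005","09:02:33","192.168.25.40","STOP","","","","0000B7C9",""
"09/20/2005","09:10:00","WALPOLE","ON","","","","",""
"""

SERVER_FIELDS = ["Date", "Time", "RAS-Client", "Record-Type", "Full-Name", "Auth-Type"]
RECORD_TYPES = {"START", "STOP", "INTERIM", "ON", "OFF"}


def parse_accounting_log(text):
    """Return one dict per log line keyed by the header names; rejects a file whose leading
    fields are not the six documented ones or whose rows do not match the header width."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    if header[:6] != SERVER_FIELDS:
        raise ValueError("unexpected header: %r" % header[:6])
    records = []
    for row in reader:
        if not row:
            continue
        if len(row) != len(header):
            raise ValueError("field count %d does not match header %d" % (len(row), len(header)))
        rec = dict(zip(header, row))
        if rec["Record-Type"] not in RECORD_TYPES:
            raise ValueError("unknown record type %r" % rec["Record-Type"])
        records.append(rec)
    return records


def requests_by_client(records):
    """Accounting records per RAS client, the per-client view the Statistics panel also gives."""
    return Counter(r["RAS-Client"] for r in records)


def stops_without_start(records):
    """Session IDs that report STOP but never logged a START: either the log was rotated
    mid-session, or a client is sending accounting for sessions this server never saw start."""
    started = {r["Acct-Session-Id"] for r in records if r["Record-Type"] == "START"}
    return sorted(r["Acct-Session-Id"] for r in records
                  if r["Record-Type"] == "STOP" and r["Acct-Session-Id"] not in started)
```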
81. ith the ldapmodify command if the entries in the text file contain the line changetype: delete. Consider the following sample LDIF file, named deletemodify.ldf:

   dn: radiusname=PROFILE2,radiusclass=Profile,o=radius
   changetype: delete

   dn: radiusname=PROFILE3,radiusclass=Profile,o=radius
   changetype: delete

   dn: radiusname=PROFILE4,radiusclass=Profile,o=radius
   changetype: delete

This file can be passed to the ldapmodify command as follows:

   ldapmodify -V2 -h hostname -p 667 -D "cn=admin,o=radius" -w password -f deletemodify.ldf

Warning: Use caution when deleting items. An error could delete an entire container in some directory servers without any prompting for confirmation. If that happens, the directory server can fail.

Statistics Variables

Server statistics record the number of certain types of events. The LCI allows you to read these statistics to monitor the performance of your RSA RADIUS Server.

Counter Statistics

The statistics counters can be accessed through the LCI by executing the following one-line command:

   ldapsearch -V 2 -h 127.0.0.1 -p 667 -D "cn=admin,o=radius" -w radius -s sub -T -b "radiusstatus=statistics,o=radius" "stattype=typeofstatus"

The following sections illustrate the variables displayed for each setting of the stattype parameter.

stattype=server

   dn: stattype=server,radiusstatus=statistics,o=ra
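The following is an added example, not code from this guide or the LCI add-on, of preparing input for the deletion commands above and of reading the counters the ldapsearch query returns. It generates both deletion formats (bare DNs for ldapdelete -f, LDIF records with changetype: delete for ldapmodify -f) and enforces the warning that a "dn:" prefix breaks ldapdelete; it escapes DN special characters so that a profile name cannot inject extra RDNs; and it parses a constructed excerpt of ldapsearch output into counters so that a rise in "invalid shared secret" between two polls can be flagged. The stattype value in the sample, the counter values and the bind credentials are assumed.

```python
def ldapdelete_input(dns):
    """Input for 'ldapdelete -f': one bare DN per line. Refuses LDIF-style 'dn:' entries,
    which the guide warns make ldapdelete fail."""
    lines = []
    for dn in dns:
        if dn.lower().startswith("dn:"):
            raise ValueError("ldapdelete input must be bare DNs, got %r" % dn)
        lines.append(dn)
    return "\n".join(lines) + "\n"


def ldapmodify_delete_ldif(dns):
    """Equivalent input for 'ldapmodify -f': one LDIF record per DN with changetype: delete."""
    return "".join("dn: %s\nchangetype: delete\n\n" % dn for dn in dns)


def profile_dn(name):
    """DN of a profile record; DN special characters are hex-escaped (RFC 4514 style) so a
    name such as 'A,radiusclass=Client' cannot turn into a different object."""
    escaped = "".join("\\%02x" % ord(c) if c in ',+"\\<>;=#' else c for c in name)
    return "radiusname=%s,radiusclass=Profile,o=radius" % escaped


def stats_search_command(host, port, bind_dn, password, stattype):
    """Argument vector for the one-line counter query above, built without shell quoting."""
    return ["ldapsearch", "-V", "2", "-h", host, "-p", str(port), "-D", bind_dn,
            "-w", password, "-s", "sub", "-T", "-b", "radiusstatus=statistics,o=radius",
            "stattype=%s" % stattype]


# Constructed excerpt of what the counter query prints for one statistics entry; the
# attribute names follow the schema figures, the stattype value and counts are assumed.
SAMPLE_STATS_BEFORE = """\
dn: stattype=server,radiusstatus=statistics,o=radius
stattype: server
invalid request: 2
invalid client: 0
invalid shared secret: 1
insufficient resources: 0
"""
SAMPLE_STATS_AFTER = SAMPLE_STATS_BEFORE.replace("invalid shared secret: 1",
                                                 "invalid shared secret: 14")


def parse_stats(ldif_text):
    """Parse the 'name: value' lines of one statistics entry into {name: int}; non-numeric
    attributes such as the dn and stattype lines are skipped."""
    stats = {}
    for line in ldif_text.splitlines():
        if ": " not in line or line.startswith("dn:"):
            continue
        name, value = line.split(": ", 1)
        if value.strip().lstrip("-").isdigit():
            stats[name.strip()] = int(value)
    return stats


def secret_failures(previous, current):
    """Growth of 'invalid shared secret' between two polls. A positive value means some
    device is sending RADIUS to this server with a secret that does not match its entry:
    a misconfigured client, or a host that is not a configured client at all."""
    return (current.get("invalid shared secret", 0)
            - previous.get("invalid shared secret", 0))
```

Poll the counters on a fixed interval and alert on secret_failures rather than on the absolute value, since the counter only falls when statistics are reset.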
82. lick the Unmask checkbox to display the characters in the shared secret.

5. Enter one or more IP addresses for your server:
   a. Click the Add button.
   b. When the Add IP Address window (Figure 23) opens, enter an IP address you want to associate with the server in the Address field and click Add.

   Figure 23 Add IP Address Window (field: Address)

   c. Repeat Step 5b until you have finished adding IP addresses for the server.
   d. Click Close.
6. Click OK.

Enabling a RADIUS Server

To enable a RADIUS server:

1. Open the Replication panel.
2. Select the RADIUS server you want to enable and click the Edit button, or double-click the RADIUS server entry. The Edit Server window (Figure 24) opens.

Figure 24 Edit Server Window (fields: Name Tripod; Secret, with Unmask checkbox; Enabled checkbox; Status Replica disabled; Publication path packages/1115234943_RSA.ccmpkg; Last published 05/4/2005 15:29:03; Current publication; Address 192.168.1.1)

3. Click the Enabled checkbox.
4. Click the Save button.

Deleting a RADIUS Server

To delete a RADIUS server:

1. Open the Replication panel.
2. Select the RADIUS server entry you want to delete.
3. Click the Delete button on the RSA RADIUS Administrator toolbar.
4. When you are prompted to confirm the deletion request, click Yes.
83. lify user administration.

Chapter 7, Administering RADIUS Servers, describes how to manage RADIUS server replication.

Chapter 6, Displaying Statistics, describes how to use the monitoring capabilities in RSA RADIUS Server.

Chapter 8, Logging, describes how to set up and use logging functions in RSA RADIUS Server.

Appendix A, Using the LDAP Configuration Interface, describes how to use the optional LDAP Configuration Interface (LCI) add-on to RSA RADIUS Server.

The Glossary provides brief explanations for RADIUS terminology used in this and other RSA RADIUS Server manuals.

Syntax Conventions

This manual uses the following conventions to present file and command line syntax:

> radiusdir represents the directory into which RSA RADIUS Server has been installed. By default, this is C:\Program Files\RSA Security\RSA RADIUS for Windows systems and /opt/rsa/radius on Linux and Solaris systems.

> Brackets enclose optional items in format and syntax descriptions. In the following example, the first Attribute argument is required; you can include an optional second Attribute argument by entering a comma and the second argument (but not the square brackets) on the same line:

   <add|replace> Attribute [,Attribute]

> In configuration files, brackets identify section headers: the [Configuration] section of radius.ini.

> In screen prompts, brackets indicate the default value. For example, if you press EN
84. lling the RSA RADIUS Server software on a host that is running the RSA Authentication Manager software (local installation), the installer copies the radius.cer, server.cer, radius.key and sdconf.rec files automatically.

7. Specify the number of the TCP port used to administer RSA RADIUS Server. The default port number is 1813.

   Enter RSA administration port [1813]:

8. Specify whether you are installing a Primary or Replica RADIUS Server.

   Enter RADIUS identity (REPLICA or PRIMARY) [PRIMARY]:

9. If you are installing a Replica RADIUS Server, specify whether a configuration package generated by the Primary RADIUS Server is available.

   Is replica.ccmpkg file present? (y/n) [n]:

   If you enter y, you are prompted to specify the path to the replica.ccmpkg file.

   Enter path to replica.ccmpkg [/opt/rsa]:

10. If you are installing a Replica RADIUS Server and a configuration package is not available, specify the name of the Primary RADIUS Server.

   Enter primary host name:

11. If you are installing a Replica RADIUS Server and a configuration package is not available, specify the IP address or addresses of the Primary RADIUS Server. If the Primary RADIUS Server has more than one network interface (multi-homed), you can enter as many as four IP addresses, separating addresses with commas.

   Enter primary host IP address list (max 4, comma separated):

12. Specify the host secret used to authenticate communication between the Primary R
85. <number>, insufficient resources <number>, transactions retried <number>, total retry packets <number>

Figure 28 LDAP Schema Slide 3 of 4

radiusstatus=<monitor> (cn=monitor)
Available Attributes:
  dn <string>
  version <string>
  threads <number>
  connection <string>
  currentconnections <number>
  totalconnections <number>
  dtablesize <number>
  writewaiters <number>
  readwaiters <number>
  opsinitiated <number>
  opscompleted <number>
  entriessent <number>
  bytessent <number>
  currenttime <time>
  starttime <time>
  nbackends <number>

radiusstatus=acct_stats_by_nas (nasname=<nas name>) and radiusstatus=acct_stats_by_nasipaddr (nasipaddr=<nas ip addr>)
Available Attributes:
  nasname <name>
  nasipaddr <name>
  start <number>
  stop <number>
  interim <number>
  on <number>
  off <number>
  invalid shared secret <number>

Figure 29 LDAP Schema Slide 4 of 4

While the LDAP virtual schema diagram shows as much of the detail of the LDAP virtual schema as possible, the following rules and limitations should be considered:

> Bind request: All attempts to perform operations on the virtual schema must be preceded by an LDA
86. meaning to NAS.

Realm: A logical grouping of authentication servers (Primary RADIUS Server and Replica RADIUS Servers).

Replica RADIUS Server: A server that participates in balancing the load of user authentication requests within a realm. A Replica RADIUS Server's database is periodically synchronized with the database on the Primary RADIUS Server. Compare Primary RADIUS Server.

Return list attribute: An attribute that RSA RADIUS Server returns to a RAS in an Access-Accept message when a user is authenticated. Return list attributes provide additional parameters, such as VLAN assignment or IP address assignment, that the RAS needs to connect the user.

RSA Authentication Manager: A host running RSA Security proprietary RSA SecurID software, which identifies and authenticates users by validating their RSA SecurID passcodes.

RSA SecurID: Security token system that allows remote access users to generate a pseudo-random value they can forward as part of an authentication sequence.

Session Identifier: A string of characters uniquely identifying the session.

Shared secret: An encryption key known only to the sender and receiver of data.

SNMP: Simple Network Management Protocol.

Software token: A software utility running on a computer or digital assistant that generates a tokencode. Compare token.

Supplicant: The client in an 802.1X authenticated network.

Time drift: The process by which two clocks that are initially synchronized gradually display different times.

Token: A physical device, such as an RSA SecurID card or key fob, that displays a tokencode. A user's token is one of the factors in
87. more packets than it could handle.

Invalid Requests: The number of invalid RADIUS requests received by the RSA RADIUS Server. A device is sending incorrectly formed packets to RSA RADIUS Server: either there is a configuration error, or the device does not conform to the RADIUS standard.

The number of RADIUS accounting requests that RSA RADIUS Server was unable to process.

Insufficient Resources: The number of rejects due to a server resource problem.

Retries Received / Transactions Retried: The number of requests for which one or more duplicates was received.

Total Retry Packets: The number of duplicate packets received.

Interim Requests: The number of interim accounting packets received.

Resetting Server Statistics

To reset authentication and accounting statistics for an RSA RADIUS server to zero:

1. Open the Statistics panel.
2. Select the server for which you want to reset statistics in the Server list.
3. Click the System tab.
4. Click the View list and choose Accounting or Authentication.
5. Click the Reset button in the toolbar.

Displaying RADIUS Client Statistics

RADIUS client statistics (Figure 20) provide information about the number of authentication and accounting requests by client. To display RADIUS client statistics for the RSA RADIUS server:

1. Open the Statistics panel.
2. Select the server for which you want to display statistics in the
88. mpany a RADIUS Access-Request for a connection before the connection can be authenticated. A return list attribute is an item of information that the RSA RADIUS Server includes in the RADIUS Access-Accept message when a user is authenticated and a connection request is approved.

Resolving Profile and User Attributes

If user-specific attributes are stored in the RSA Authentication Manager database, RSA RADIUS Server determines the final set of attributes for a user by merging the attributes stored in the user's profile with the user-specific attributes from the RSA Authentication Manager database. This calculation is performed as follows:

1. The attributes from the profile assigned to the user are retrieved.
2. These attributes are then merged with the user-specific attributes in the following manner:
   > If an attribute is multi-valued, the user-specific attribute is added to the overall list of attributes.
   > If an attribute is single-valued, the user-specific attribute replaces the attribute of the same name that was provided by the profile.
   > If the attribute is orderable, the user-specific attribute replaces the attribute of the same name that was provided by the profile.

Default Profile

After RSA Authentication Manager authenticates a user, it can return the profile name associated with that user to RSA RADIUS Server. The profile name specifie
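The following is an added example, not RSA RADIUS Server code, that implements the three merge rules above so their effect can be checked on concrete inputs. The multi-valued and orderable flags for the four attributes are assumed for the example (in the product they come from the dictionary files); the profile and user-specific values are constructed. Note the consequence of the third rule: a user-specific Reply-Message does not add a line to the profile's message, it replaces the whole ordered message.

```python
from collections import namedtuple

AttrDef = namedtuple("AttrDef", "multi_valued orderable")

# Attribute flags assumed for the example; the real flags come from the server's dictionaries.
DICTIONARY = {
    "Framed-IP-Address": AttrDef(multi_valued=False, orderable=False),
    "Session-Timeout": AttrDef(multi_valued=False, orderable=False),
    "Framed-Compression": AttrDef(multi_valued=True, orderable=False),
    "Reply-Message": AttrDef(multi_valued=True, orderable=True),
}


def resolve_attributes(profile_attrs, user_attrs, dictionary=DICTIONARY):
    """Merge a profile's attributes with user-specific ones. Both inputs are ordered
    (name, value) lists. Rules: multi-valued -> user values are added to the list;
    single-valued or orderable -> user values replace every profile value of that name."""
    for name, _ in profile_attrs + user_attrs:
        if name not in dictionary:
            raise KeyError("attribute %s not in dictionary" % name)
    # names whose profile values are dropped because the user side supplies them
    replaced = {name for name, _ in user_attrs
                if dictionary[name].orderable or not dictionary[name].multi_valued}
    # a single-valued attribute supplied twice on the user side is a data error, not a merge
    single = [name for name, _ in user_attrs if not dictionary[name].multi_valued]
    dupes = sorted({n for n in single if single.count(n) > 1})
    if dupes:
        raise ValueError("single-valued attribute given more than once: %s" % dupes)
    merged = [(n, v) for n, v in profile_attrs if n not in replaced]
    merged.extend(user_attrs)   # user values keep their own order (matters for orderable ones)
    return merged
```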
89. mproves the performance of the transaction.

-D "cn=oper,o=radius": The command is authenticated using an administrative account called oper. NOTE: Any administrative account name may be used in place of oper in this example; o=radius may not be changed.

-w radadmin: The command is providing an authentication password of radadmin. NOTE: The -w parameter value (in this case radadmin) must match the passcode or cached password of the account named by the -D parameter. Because -w places the password on the command line, where other local users can read it from the process list, run these commands only from a trusted administrative host.

Table 17 Searching for Records Using the ldapsearch Command (continued)

ldapsearch Option: Meaning
-s sub: Recursion is to be used, starting at the base.
-T: To make the output more readable, long output lines are not continued on the next line.
-b "radiusclass=Client,o=radius": This is the base at which the search operation is to begin.
radiusname=*: This is the criterion which matched objects must satisfy.

Modifying Records

You can use the ldapmodify command to modify the RSA RADIUS Server configuration:

   ldapmodify -c -V2 -h hostname -p 354 -D "cn=oper,o=radius" -w radadmin -f filename

Table 18 Modifying Records Using the ldapmodify Command

ldapmodify Option: Meaning
-c: The command is to run in continuous mode (do not stop on errors).
-V2: The version 2 dialect of LDAP is to be used to communicate with the server. NOTE: This option is not required, but specifying
90. n an object is selected in the active panel.
Paste: Pastes an object from the Clipboard to the RSA RADIUS Server database. Active only after a C
ut or Copy command has been used.
Delete: Deletes an existing object from the RSA RADIUS Server database.
Publish (Replication panel only): Initiates creation of a replication package on the Primary RADIUS Server.
Notify (Replication panel only): Initiates download of the replication package by Replica RADIUS Servers.
Reset (Statistics panel only): In the Statistics panel, resets statistics to zero.

RSA RADIUS Administrator Windows

This section summarizes how to use RSA RADIUS Administrator windows and controls.

Adding an Entry

To add an entry to the RSA RADIUS Server database, open the appropriate panel and click the Add button on the RSA RADIUS Administrator toolbar. The RSA RADIUS Administrator displays an Add window. A sample Add window appears in Figure 6.

Figure 6 Sample Add Window (Add Profile: Name, Description; Attributes tabs Checklist and Return list; Attribute)

Every object of the same type must have a unique name. If the name you assign to an item is already being used by another item of the same type, the RSA RADIUS Administrator displays a warning.

Editing an Entry

To edit an existing entry in the RSA RADIUS Server database,
91. n attribute appears more than once in the checklist, this means that any one of the values is valid. For example, you can set up a checklist to include both Sync and Async values for the attribute NAS-Port-Type. This means that the user can dial into a Sync port or an Async port, but not one of the ISDN ports.

If an attribute appears more than once in the return list, each value of the attribute is sent as part of the response packet. For example, to enable both IP and IPX header compression for a user, you would configure the Framed-Compression attribute to appear twice in the return list: once with the value VJ TCP/IP header compression and once with the value IPX header compression.

Orderable Attributes

Certain multi-valued return list attributes are also orderable; that is, the attribute can appear more than once in a RADIUS response, and the order in which the attributes appear is important. For example, the Reply-Message attribute allows text messages to be sent back to the user for display. A multi-line message is sent by including this attribute multiple times in the return list, with each line of the message in its proper sequence.

System Assigned Values

Some attributes do not allow the administrator to set a value. RSA RADIUS Server retrieves the appropriate values for these attributes when they are needed.

Echo Property

Using the echo property, you can force an attribute from the RA
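The following is an added example, not RSA RADIUS Server code, of the checklist semantics described above: every attribute named in the checklist must be present in the Access-Request, and where the checklist lists several values for one attribute, any one of them satisfies it. The decision function then pairs a passing request with the profile's return list, in which repeated attributes (Framed-Compression twice, Reply-Message in order) are all sent. The checklist, return list and requests are constructed for the example, using the NAS-Port-Type case from the text.

```python
from collections import defaultdict


def checklist_passes(checklist, request):
    """Evaluate an ordered (name, value) checklist against the (name, value) attributes of an
    Access-Request. Several checklist entries for one name mean 'any one of these values'.
    Returns (ok, reason); the reason names the first failing attribute for the log."""
    wanted = defaultdict(list)
    for name, value in checklist:
        wanted[name].append(value)
    present = defaultdict(list)
    for name, value in request:
        present[name].append(value)
    for name, allowed in wanted.items():
        if name not in present:
            return False, "request lacks %s" % name
        if not any(v in allowed for v in present[name]):
            return False, "%s=%s not among %s" % (name, present[name], allowed)
    return True, "ok"


def decide(checklist, return_list, request):
    """Accept only when the checklist passes; the full return list (repeated values and all,
    in the configured order) goes back in the Access-Accept, nothing goes back on reject."""
    ok, reason = checklist_passes(checklist, request)
    if not ok:
        return "Access-Reject", [], reason
    return "Access-Accept", list(return_list), reason


# Constructed profile: dial-in on Sync or Async ports only, from one known RAS.
CHECKLIST = [("NAS-Port-Type", "Sync"), ("NAS-Port-Type", "Async"),
             ("NAS-IP-Address", "192.168.25.32")]
RETURN_LIST = [("Framed-Compression", "Van-Jacobson-TCP-IP"),
               ("Framed-Compression", "IPX-Header-Compression"),
               ("Reply-Message", "Welcome to the corporate network."),
               ("Reply-Message", "Sessions are logged.")]
```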
92. n the RSA RADIUS Server accounting log is enabled, all of the RADIUS accounting attributes that the server receives are reformatted and logged to a Comma Separated Value (CSV) text file, which is easily imported into spreadsheets and database programs for report generation and billing.

Tunneled Accounting

During authentication, a user is typically identified by attributes such as User-Name in the authentication request and Class in the authentication accept response. Standard RADIUS accounting requests typically include these attributes in messages flagging Start, Interim and Stop events, so that the user's identity can be recorded for accounting and auditing purposes.

When an organization uses a tunneled authentication protocol such as EAP-TTLS or EAP-PEAP, the identity of a user requesting authentication might be concealed from the RAS: the User-Name attribute carried by the outer authentication protocol is typically a nonunique value such as anonymous. As a result, the outer User-Name value included in accounting requests might not be sufficient to determine a user's identity. Class attributes provided by an authentication server cannot be included in cleartext in an outer Access-Accept message because they might contain clues about the user's identity, thereby defeating the identity-hiding feature of the tunneled protocol.

Tunneled accounting enables RSA RADIUS Server to pass user identity
93. nce Inspired, e-Titlement, IntelliAccess, Keon, RC2, RC4, RC5, RSA, the RSA logo, RSA Secured, the RSA Secured logo, RSA Security, SecurCare, SecurID, SecurWorld, Smart Rules, The Most Trusted Name in e-Security, Transaction Authority and Virtual Business Units are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. All other goods and/or services mentioned are trademarks of their respective companies.

Microsoft, Windows, Windows 2000, Internet Explorer and other Microsoft products referenced herein are either trademarks or registered trademarks of the Microsoft Corporation in the United States and other countries. Solaris is a registered trademark in the U.S. and other countries, licensed exclusively through X/Open Company Limited. Sun, Sun Microsystems, Solaris and all Sun-based trademarks and logos, Java, HotJava, JavaScript, the Java Coffee Cup Logo and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Raima, Raima Database Manager and Raima Object Manager are trademarks of Birdstep Technology.

License agreement

This software and the associated documentation are proprietary and confidential to RSA Security, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright below. This software and any copies thereof may
94. ng Log File Format
First Line Headings
Comma Placeholders
Standard RADIUS Accounting Attributes

Appendix A Using the LDAP Configuration Interface
LDAP Configuration Interface File
About the LDAP Configuration Interface
LDAP Monitoring
LDAP Requests
Downloading the LDAP Utilities
LDAP Version Compliance
Configuring the LDAP TCP Port
LDAP Virtual Schema
LDAP Command Examples
Searching for Records
Modifying Records
Adding Records
Deleting Records
Statistics Variables
Counter Statistics
Rate Statistics

Glossary

Index

September 2005

About Thi
95. nneled accounting, you must configure the classmap.ini file to specify how attributes should be presented, and you must configure the spi.ini file to specify the keys that are used to encrypt and decrypt users' identity information.

Attributes: Dictionaries. You work with RADIUS attributes while setting up users, profiles, and RADIUS clients on the RSA RADIUS Server. The RSA RADIUS Server Administrator program allows you to choose RADIUS attributes by name from a predefined list. For each attribute, the RSA RADIUS Administrator prompts you to enter values using familiar data types such as string, integer, telephone number, or network address. RSA RADIUS Server uses dictionary files to store lists of RADIUS attributes. RSA RADIUS Server uses these dictionaries to parse authentication and accounting requests and generate responses. The main RSA RADIUS Server dictionary file, radius.dct, lists attributes defined by the RADIUS standard. The radius.dct file resides in the same directory as the RSA RADIUS Server service, usually C:\Program Files\RSA Security\RSA RADIUS\Service on Windows computers and /opt/rsa/radius on Solaris and Linux computers.

Vendor-Specific Attributes. In addition to the standard attributes, many RAS devices use vendor-specific attributes (VSAs) to complete a connection. RSA RADIUS Server supports a large number of specific RAS devices by providing vendor-specific, proprietary dictionary files. These files also reside
96. nt. [Figure 26: LDAP Schema (Slide 1 of 4). The figure shows the objects under o=radius with their attributes: entries radiusname=MYPROFILE, radiusname=MYPROFILE, and radiusname=MYRASCLIENT; Available Attributes: Login-Limit <number>, Profile <string>; child lists radiuslist=reply and radiuslist=check; Available Child Objects: radiusclass=server, radiusclass=rsa_cached_passwords (read only); Available Attributes: Shared-Secret <string>, Acct-Shared-Secret <string>, IP-Address nnn.nnn.nnn.nnn, Product <string>, Inactivity-Timeout <seconds>; Available Reply Attributes: all reply-list attributes from dictionaries; Available Check Attributes: all check-list attributes from dictionaries; Available Attributes: Server-Password <string>, Server-Password-Enabled 0|1, Default-Reject-Msg <string>, Unknown-User-Msg <string>, Lists-Mismatch-Msg <string>, Invalid-Lists-Msg <string>, Auth-Methods <meth1>,<meth2>, Log-Max-Days <number>; Available Attribute: cached-password.] Root: o=radius; cn=admin; radiusstatus=sessions_by_calling_station; radiusstatus=sessions_by_called_station; radiusstatus=sessions_by_user; radiusstatus=sessions
97. ntication Manager database. 7. Publish the modified configuration to propagate the name change to the Replica RADIUS Servers.

Regenerating a Node Secret. You can regenerate the node secret used to authenticate communication between the RSA Authentication Manager and RSA RADIUS Server at any time. To regenerate a node secret: 1. Stop the RSA RADIUS service (daemon) on the RADIUS server. 2. Log into the RADIUS server as root (Solaris/Linux) or administrator (Windows). 3. Navigate to the RSA RADIUS\Service (Windows) or /opt/rsa/radius (Solaris/Linux) directory. 4. Run the rsainstalltool (Windows) or rsaconfiguretool (Solaris/Linux) utility with the -identity option. To regenerate the node secret for a Primary RADIUS Server, enter the following command: rsaconfiguretool -identity PRIMARY. To regenerate the node secret for a Replica RADIUS Server, enter the following command: rsaconfiguretool -identity REPLICA. 5. Restart the RSA RADIUS service.

Resetting the RADIUS Database. If the RSA RADIUS Server fails, the RADIUS database may remain running. If this happens, the RSA RADIUS Server may refuse to run. To resolve this problem, execute the following command to stop the mkded (Btrieve) daemon: /etc/init.d/sbrd stop force. After the mkded (Btrieve) daemon is stopped, you can start the RADIUS service and the database by executing the following command: /etc/init.d/sbrd start. RSA
98. ntry. If there are no subkeyword/attribute entries in the transaction, the change applies to the entire entry. For example, it is faster to delete an entire entry:

dn: radiusname=TINYCO.COM,radiusclass=client,o=radius
changetype: delete

but if you want to delete only a few attributes from the entry, you may do so (the changetype for an attribute-level change is modify):

dn: radiusname=TINYCO.COM,radiusclass=client,o=radius
changetype: modify
delete: acct-shared-secret

If the subkeyword is add or replace, an attribute value entry must appear immediately following the subkeyword/attribute entry. If the subkeyword is delete, the attribute value entry does not apply and should be omitted.

Adding Records. You can populate an LDAP database by creating an LDIF file that imports entries from one LDAP database into another. You can search the first database for the entries you want, then add them to the second database. You can even use the search operation to filter out attributes from the first database that you do not want in the second database. You can search the first database using ldapsearch. This creates an LDIF file, which you can then input to ldapmodify. To import entries from one LDAP database into another, run the ldapsearch command on the first database. Request only the attributes you want for the new database. When ldapsearch completes processing, edit the output LDIF file. After each line that begins with dn:, add a single line containing the text
99. ny conflicts, you can change this port number to 389, the standard LDAP TCP port. You can configure RSA RADIUS Server to use a different TCP port to communicate with the LDAP client. In the following example, port 354 is assigned. 1. In the radius.ini configuration file, create an [LDAP] section if one does not exist, and set the TCPPort field to the port number you want to use. For example:

[LDAP]
Enable = 1
TCPPort = 354

2. If you want to specify the interfaces on which you want RSA RADIUS Server to listen for LCI requests, add an [LDAPAddresses] section to the radius.ini file. This section should contain a list of IP addresses, one per line (the address digits in the original example are garbled and are reproduced as they appear):

[LDAPAddresses]
199 198 1 196 197 1 97 196 98 199

If the [LDAPAddresses] section is omitted or empty, RSA RADIUS Server listens for LCI requests on all bound IP interfaces. 3. Specify the same port number using the -p option on the LDAP command line. For example:

ldapsearch -V 2 -p 354 -D "cn=admin,o=radius" -w radius -s sub -T -b "radiusclass=Client,o=radius" radiusname=*

LDAP Virtual Schema. The LDAP server uses the virtual schema illustrated in Figures 26 through 29 to format configuration data so that this data can be understood by the RSA RADIUS Server database. NOTE: radiusstatus items can be read, but they cannot be modified. [Figure residue: radiusclass=securid user, radiusclass=profile, radiusclass=clie
100. object. The contents of the context menu depend on the type of item; for example, if you right-click a RADIUS client entry, the context menu provides options for copying, cutting, pasting, and deleting items. If you right-click a blank area in an RSA RADIUS Administrator window, the context menu displays a different set of options. For example, if you right-click a blank space in the RADIUS Client panel, the context menu provides options for refreshing the display and for adding, pasting, or printing information.

Accessing Online Help. To access help with the RSA RADIUS Server Administrator, click the Help button on an RSA RADIUS Administrator window, press F1, or choose Help > Contents. To view the PDF version of the RSA RADIUS Server manuals, choose Help > Manuals and choose the manual you want to open.

Displaying Version Information. To identify the current version of the RSA RADIUS Administrator, choose Help > About to open the About RSA RADIUS Server window (Figure 9). [Figure 9: About RSA RADIUS Server Window, showing "RSA RADIUS Server 6.1 5 20 1365, Powered by Steel-Belted Radius, 1994-2005 RSA Security Inc. All rights reserved."]

Adding a License Key. You must add a license key if you want to use the LDAP Configuration Interface (LCI), which is described in Appendix A, Using the LDAP Configuration Interface. To add a l
101. of Access-Accept and Access-Reject messages in the log file. These flags are set in the [Configuration] section of radius.ini; a value of 1 (the default) causes these messages to be logged, and a value of 0 causes the messages to be omitted. An Accept or Reject is logged only if LogAccept or LogReject, respectively, is enabled and the LogLevel is verbose enough for the message to be recorded. The TraceLevel setting specifies whether packets should be logged when they are received and being processed, and what level of detail should be recorded in the log.

Controlling Log File Size. Optionally, you can specify a maximum size for a RADIUS system log file by entering a non-zero value for the LogfileMaxMBytes setting in the [Configuration] section of the radius.ini file.
> If a maximum file size is set, the name of the RADIUS system log file identifies the date and time it was opened: YYYYMMDD_HHMM.log. When the current RADIUS system log file approaches the specified number of megabytes (1024 x 1024 bytes), the current log file is closed and a new one is opened. The closed file will be slightly smaller than the specified maximum file size.
> If the maximum file size is set to 0, or if the LogfileMaxMBytes setting is absent, the RADIUS system log file size is ignored and log file names are datestamped to identify when they were opened: YYYYMMDD.log.
NOTE: If LogFileMaxMBytes is configured for a small non-zero number,
102. on page 45. Profiles: Displays the Profiles panel in the RSA RADIUS Administrator window. For more information, see Chapter 5, Administering Profiles, on page 51. Replication: Displays the Replication panel in the RSA RADIUS Administrator window. For more information, see Chapter 7, Administering RADIUS Servers, on page 65. Statistics: Displays the Statistics panel in the RSA RADIUS Administrator window. For more information, see Chapter 6, Displaying Statistics, on page 57.

Web Menu. Table 10 describes the functions of each entry in the Web menu in the RSA RADIUS Administrator.
Table 10: Web Menu Options (Menu Entry: Function)
More about RSA RADIUS Server: Opens the Funk Software webpage.
NAS Vendor Information: Opens the Funk RADIUS/AAA Compatibility Guide webpage, which lets you review information about remote access devices and wireless LAN devices made by third-party vendors.

Help Menu. Table 11 describes the functions of each entry in the Help menu in the RSA RADIUS Administrator.
Table 11: Help Menu Options (Menu Entry: Function)
Contents: Opens the online help for the RSA RADIUS Administrator application.
Manuals: Displays the RSA RADIUS Server 6.1 Administrator's Guide or RSA RADIUS Server 6.1 Reference Guide
103. optional force argument to terminate all subsystems immediately: /etc/init.d/sbrd stop force. Use the following command to start the RADIUS daemon: /etc/init.d/sbrd start.

Uninstalling the RSA RADIUS Server Software. To uninstall the RSA RADIUS Server software: 1. Stop the RADIUS daemon currently running on your server. 2. Back up your RSA RADIUS Server directory. 3. Log into the Linux server as root. 4. Type the following command to uninstall the RSA RADIUS Server software: uninstall_rsa.sh. 5. Type y when you are asked to confirm that you want to uninstall the RSA RADIUS Server software: "Confirm deletion of RSA RADIUS Server [y/n]: y". The uninstall script displays a confirmation message ("RSA RADIUS Server removed") when it finishes running. NOTE: If you delete the RSA RADIUS Server directory before you execute the uninstall_rsa.sh command, the uninstall script cannot find the files it is supposed to delete, causing it to fail. If this occurs, execute the following command to clear the package database: rpm -e --noscripts sbr-rsa-1.0.1-138.rpm

Chapter 3: Using RSA RADIUS Administrator. The RSA RADIUS Administrator is a Java-based application that enables you to configure settings for the RSA RADIUS Server. This chapter presents an overview of how to use the RSA RADIUS Administrator
104. ount: The count of links that are known to have been in a given multi-link session at the time the accounting record is generated.

Appendix A: Using the LDAP Configuration Interface. The LDAP Configuration Interface (LCI) is an optional add-on to RSA RADIUS Server. You must enter a separate license number and restart RSA RADIUS Server to activate LCI functions. After the license key is registered, you can edit the settings in the configuration files. For information on adding license numbers, see Adding a License Key on page 43. This appendix provides:
> The file used to enable and configure the LDAP configuration interface (LCI)
> An overview of the LCI and LDAP utilities
> A description of the LDAP virtual schema
> Information about how to use LDAP utilities to configure the RSA RADIUS Server database
> Sample LDIF files that control the execution of LDAP utilities
> Information about how to view rate statistics variables with LCI utilities

LDAP Configuration Interface File. The radius.ini file specifies, among other things, the interfaces on which RSA RADIUS Server listens for LCI requests. If a specification is not present, RSA RADIUS Server listens for LCI requests on all bound IP ports.

About the LDAP Configuration Interface. The LDAP Configuration Interface (LCI) consists of an LDAP interface in the
105. quest, the server echoes the default value from the checklist in the response. If you add multiple values of the same attribute to the checklist, only one of them can be marked as default. For example, an administrator adds several Callback-Number values to the checklist and marks one of them as default. The administrator adds Callback-Number to the return list and specifies it as echo.
> If a Callback-Number value is present in the RADIUS request, it must match one of the checklist values or the user is rejected.
> If it does match, the user is accepted and the value supplied is echoed in the RADIUS response.
> If no Callback-Number is supplied in the request, the user is accepted and the default value is echoed in the response.
Other checklist attributes provide configuration for the user, such as time-of-day and concurrent login limit information.

Centralized Configuration Management. The RSA RADIUS Server supports the replication of RADIUS configuration data from a Primary RADIUS Server to a maximum of 10 Replica RADIUS Servers within a realm on a customer network. Replica servers help balance the load of authentication requests coming in from RADIUS clients and ensure that authentication services are not interrupted if the Primary or other Replica RADIUS servers stop working. All the servers within a realm reflect the current configuration specified by the network administrator: the network administrator modifies the conf
106. r: 1. Open the Statistics panel. 2. Select the server for which you want to display statistics in the Server list. 3. Click the System tab. 4. Click the View list and choose Authentication. [Figure 18: Statistics Panel, System Authentication Statistics. The screenshot shows the System tab with View set to Authentication: Transactions (Accepts and Rejects, each with Current, Average, Peak, and Total; Silent Discards; Total Transactions), Reject Details (Dropped Packet, Invalid Request, Failed Authentication, Failed on Check List, Insufficient Resources), Retries (Sent Transactions Retried, Total Retry Packets), Challenges, and Server uptime 0 Days 08:02:53.] Table 13 explains the fields on the Authentication tab and describes possible causes for authentication rejections.
Table 13: Authentication Statistics (Authentication Statistic: Meaning)
Transactions, Accepts: The current, average, and peak number of RADIUS transactions that resulted in an Access-Accept response since the last time authentication statistics were reset.
Transactions, Rejects: The current, average, and peak number of RADIUS transactions that result
107. r as many as four IP addresses separated by commas. Use only when installing a Replica RADIUS Server. Do not use the -primary-ips option if you are specifying the -reppkg option.
-primary-secret: Specifies the CCM shared secret used to authenticate communications between the Primary RADIUS Server and Replica RADIUS Servers. Do not use the -primary-secret option if you are specifying the -reppkg option.
Table 7: Command Options for the install_rsa.sh Command (Continued) (Option: Function)
-reppkg: Specifies the path to the replica.ccmpkg configuration file. Use only when installing a Replica RADIUS Server. Do not use the -reppkg option if you are specifying the -primary, -primary-ips, and -primary-secret options. Default value is /opt.
-silent: Specifies that, if all required information is supplied through command options, the installer does not display user prompts. If you use the -silent option and a required setting is missing, the installer prompts you for the missing setting. If you specify other command options and values and you do not specify the -silent option, the installer uses the values you specified as defaults and prompts you to confirm or override them.
-start_sbr: Specifies that the installer should start the RADIUS daemon at the conclusion of the installation process.
-usage, -help, -h: Displays help for the install_rsa.sh command.
108. rence Guide.

Attribute Lists. You can use profiles to control authentication at finer levels of detail than simple user ID and password checking allow. Checklists and return lists provide powerful tools for the authentication and authorization of users.

Checklist Attributes. A checklist is a list of attributes that must accompany the request for connection before the connection request can be authenticated. The RAS must send attributes that match the checklist associated with a user entry; otherwise, RSA RADIUS Server rejects the user even if the user's name and password are valid. By including appropriate attributes in the checklist, a variety of rules can be enforced. For example, only specific users might be permitted to use ISDN or dial-in connections to a particular RAS, or Caller ID might be used to validate a user against a list of acceptable originating telephone numbers. A checklist is created by choosing attributes from a list of all RADIUS attributes known to the RSA RADIUS Server. This list can include a variety of vendor-specific attributes. During authentication, RSA RADIUS Server filters the checklist based on the dictionary for the RADIUS client that sent the authentication request. The server ignores any checklist attribute that is not valid for this device.

Return List Attributes. A return list is a list of attributes that RSA RADIUS Server must r
109. s. [Figure 20: Statistics Panel, RADIUS Client Statistics. The screenshot shows the Summary view with the columns Auth Reqs, Accepts, Rejects, Acct Reqs, Starts, and Stops (all 0) and Server up time 0 Days 08:06:22.]

Chapter 7: Administering RADIUS Servers. RSA RADIUS Server supports the replication of RADIUS configuration data from a Primary RADIUS Server to a maximum of 10 Replica RADIUS Servers within a realm on a customer network. All the servers within a realm reflect the current configuration specified by the network administrator: the network administrator modifies the configuration on the Primary RADIUS Server, and the Primary RADIUS Server propagates the new configuration to its Replica RADIUS Servers. This chapter describes how to manage your Primary and Replica RADIUS servers. NOTE: Settings in RSA RADIUS Server configuration (.ini) files are not copied as part of the replication process. If you change a setting in an RSA RADIUS Server configuration file, you must copy the file manually to each server (Primary and Replica) in a realm to keep them synchronized. Refer to the RSA RADIUS Server 6.1 Reference Guide for information on the configuration files.

Replication Panel. The Replication panel (Figure 21) lists your Primary and Replica RADIUS Servers and
110. s Guide. The RSA RADIUS Server 6.1 Administrator's Guide describes how to install, configure, and administer the RSA RADIUS Server software on a server running the Solaris operating system, the Linux operating system, or the Windows 2000 or Windows Server 2003 operating systems.

Audience. This manual is intended for network administrators responsible for implementing and maintaining authentication, authorization, and accounting services. This manual assumes that you are familiar with general RADIUS and networking concepts and the specific environment in which you are installing RSA RADIUS Server.

What's In This Manual. This manual contains the following chapters and appendix:
> Chapter 1, About RSA RADIUS Server, presents an overview of RSA RADIUS Server and summarizes important concepts relating to the operation of RSA RADIUS Server.
> Chapter 2, Installing the RSA RADIUS Server, describes how to install and uninstall the RSA RADIUS Server software on a Solaris, Linux, or Windows computer.
> Chapter 3, Using RSA RADIUS Administrator, describes how to use the RSA RADIUS Server Administrator to configure RSA RADIUS Server.
> Chapter 4, Administering RADIUS Clients, describes how to set up remote access server (RAS) devices as RSA RADIUS Server clients.
> Chapter 5, Administering Profiles, describes how to set up user profiles to simp
111. should be able to identify the authentication shared secret and accounting shared secret that a server uses to communicate with each of the clients on this list. During an authentication transaction, password information must be transmitted securely between the RADIUS client (RAS or AP) and the RSA RADIUS Server. RSA RADIUS Server uses the authentication shared secret to encrypt and decrypt password information. No encryption is involved in transmitting accounting data between a RADIUS client and RADIUS server. However, the accounting shared secret is used by each device to verify that it can trust any RADIUS communications it receives from the other device.

Replication Secret. A replication secret is a text string used to authenticate communications between a Primary RADIUS Server and a Replica RADIUS Server. You do not need to configure the replication secret for a realm; the Primary RADIUS Server generates it automatically, and each Replica RADIUS Server in a realm receives the replication secret as part of its configuration package.

Node Secret. A node secret is a pseudorandom string known only to the RSA RADIUS Server and RSA Authentication Manager. Before the RSA RADIUS Server sends an authentication request to the RSA Authentication Manager, it encrypts the data using a symmetric node secret key. The RSA Authentication Manager software views the RSA RADIUS S
112. Chapter 7: Administering RADIUS Servers: Replication Panel; Adding a RADIUS Server Manually; Enabling a RADIUS Server; Deleting a RADIUS Server; Publishing Server Configuration Information; Notifying Replica RADIUS Servers; Designating a New Primary RADIUS Server; Recovering a Replica After a Failed Download; Changing the Name or IP Address of a Server; Regenerating a Node Secret; Resetting the RADIUS Database. Chapter 8: Logging: Using the RADIUS System Log; Level of Logging Detail; Controlling Log File Size; Using the Accounting Log; Accounti
113. 44. Chapter 4: Administering RADIUS Clients: RADIUS Clients Panel, 45; Adding a RADIUS Client, 46; Verifying a Shared Secret, 48; Deleting a RADIUS Client, 49. Chapter 5: Administering Profiles: About Profiles; Adding a Checklist or Return List Attribute for a Profile; Resolving Profile and User Attributes; Default Profile; Setting Up Profiles; Adding a Profile; Removing a Profile. Chapter 6: Displaying Statistics: Displaying Server Authentication Statistics; Displaying Server Accounting Statistics; Resetting Server Statistics; Displaying RADIUS Client Statistics
114. t; present only in STOP records.
Acct-Output-Octets: Number of octets (bytes) sent by the port over the connection; present only in STOP records.
Acct-Session-Id: Identifier used to match START and STOP records in a log file.
Acct-Authentic: Indicates how the user was authenticated: by RADIUS, the RAS itself, or another remote authentication protocol. 1 = RADIUS, 2 = Local, 3 = Remote.
Acct-Session-Time: Elapsed time of connection, in seconds; present only in STOP records.
Table 16: Standard RADIUS Accounting Attributes (Continued)
Acct-Input-Packets: Number of packets received by the port over the connection; present only in STOP records.
Acct-Output-Packets: Number of packets sent by the port over the connection; present only in STOP records.
Acct-Termination-Cause: Number that indicates how the session was terminated; present only in STOP records. 1 = User Request, 2 = Lost Carrier, 3 = Lost Service, 4 = Idle Timeout, 5 = Session Timeout, 6 = Admin Reset, 7 = Admin Reboot, 8 = Port Error, 9 = NAS Error, 10 = NAS Request, 11 = NAS Reboot, 12 = Port Unneeded, 13 = Port Preempted, 14 = Port Suspended, 15 = Service Unavailable, 16 = Callback, 17 = User Error, 18 = Host Request.
Acct-Multi-Session-Id: Unique accounting identifier to make it easy to link together multiple related sessions in a log file.
Acct-Link-C
115. the RSA RADIUS Server files. Default value is /opt.
Table 7: Command Options for the install_rsa.sh Command (Continued) (Option: Function)
-identity: Specifies whether you are installing a Primary or Replica RADIUS Server. Valid values are PRIMARY and REPLICA. Default value is PRIMARY.
-migrate: Indicates you want to run the RSA RADIUS Server migration utility (rsainstalltool), which transfers RADIUS settings from an older version of RSA Authentication Manager and registers the RSA RADIUS Server as a host agent. For information on the migration utility, refer to Data Migration/Registration on page 19.
-overwrite: Specifies that the tprsMigReg.log installation log file from a previous installation of RSA RADIUS Server should be overwritten.
-path: Specifies the path to the radius.cer, server.cer, radius.key, and sdconf.rec files. Default value is /opt.
-port: Specifies the TCP port used for administration of the RSA RADIUS Server. Default value is 1813.
-primary: Specifies the name of the Primary RADIUS Server. Use only when installing a Replica RADIUS Server. Do not use the -primary option if you are specifying the -reppkg option.
-primary-ips: Specifies the IPv4 address or addresses of the Primary RADIUS Server. If your Primary RADIUS Server has more than one network interface, you can ente
116. the log file may exceed the specified maximum file size in less than a minute. To avoid file name collisions (two log files created during the same minute interval), the log info does not roll over more than once per minute. Instead, the log file size is ignored until the minute-precision clock changes, to ensure that log files have unique file names. No log data is lost. By default, RADIUS system log files are located in the RADIUS database directory. You can specify an alternate destination directory in the [Configuration] section of the radius.ini file.

Using the Accounting Log. RADIUS accounting events are recorded in the accounting log file. Accounting events include START messages, which indicate the beginning of a connection; STOP messages, which indicate the termination of a connection; and INTERIM messages, which indicate a connection is ongoing. Accounting log files use comma-delimited ASCII format and are intended for import into a spreadsheet or database program. Accounting log files are located in the RADIUS database directory area by default, although you can specify an alternate destination directory in the [Configuration] section of the account.ini file. Accounting log files are named yyyymmdd.act, where yyyy is the four-digit year, mm is the month, and dd is the day on which the log file was created. The current log file can be opened while RSA RADIUS Server is running.

Accounting Log File Format. The f
117. the RSA SecurID authentication system. See PIN.
tokencode: The pseudorandom number that is displayed on the LCD of a hardware token or generated by a software token during logon.
TLS: Transport Layer Security.
TTLS: Tunneled Transport Layer Security.
UTC: Universal Time Coordinated. Also known as Greenwich Mean Time (GMT) or Zulu time. RSA SecurID tokens are synchronized to UTC to provide a standard time basis for tokencode calculation.
VSA: Vendor-Specific Attribute. VSAs allow vendors to support proprietary RADIUS attributes that are not defined in RFCs 2865 and 2866.
WLAN: Wireless Local Area Network.

Index. Numerics: 802.1X, 1. A: access client, 3; accounting, 2; Acct-Authentic, 79; Acct-Delay-Time, 79; Acct-Status-Type, 79; Acct-Termination-Cause, 80; angle brackets in syntax, xi; attributes, 5; authentication, 2; authorization, 2. B: brackets in syntax, x. C: centralized configuration management, see CCM; Challenges, 59; checklist attributes, 13. D: Dropped Packet, 59, 61. E: EAP, 15, see RSA Security EAP; EAP-32, see Protected One-Time Password (POTP), 1; echo property, 15. F: Failed Authentication, 59; Failed on Checklist, 59; Framed-Compression, 15. G: Generic Token Card, 1. H: host agent, 8. I: Insufficient Resources, 59; Invalid Request, 59. L: log files, 10; LogAccept, 76; LogLevel, 76
118. tor. When you paste an item, the RSA RADIUS Administrator displays a window similar to the Add window with the pasted record's contents. The Name field is cleared; you must enter a unique name to save the pasted information as a new record. Canceling from a Paste operation does not change the contents of the Clipboard. [Figure 8: Sample Paste Window. The Paste Profile dialog shows Name and Description fields and an Attributes section with Check list and Return list tabs; the list has Attribute, Value, and Echo columns and contains Funk-Full-User-Name (Echo received or default value) and Login-IP-Host (192.168.12.145).]

Resizing Columns. You can resize columns in an RSA RADIUS Administrator table by dragging the column header boundary to the left or right.

Changing Column Sequence. You can change the sequence of columns in an RSA RADIUS Administrator table by dragging the column headers left or right.

Sorting Information. By default, items in RSA RADIUS Administrator tables are sorted by name. You can sort items in any order by clicking a column header. Previously sorted tables retain their order when the table is sorted on another column. If you want to sort a table by more than one column, click the less significant column and then click the more significant column.

Using Context Menus. You can right-click an object in RSA RADIUS Administrator windows to display a context menu for that
119. urn list (single-valued attributes only). If you do not want to specify a particular value, but want to make sure that whatever value of the attribute appears in the RADIUS request is echoed to the client in the RADIUS response, click the Echo checkbox. The echoed value comes from the request sent by the RAS, not from the profile.
e. Click Add to add this attribute-value pair to the list.
f. When you are finished adding attribute-value pairs, click Close to return to the Add Profile window.
6. Click OK to save the profile.
Removing a Profile
To remove a profile:
1. Open the Profiles panel.
2. Select the entry for the profile you want to remove.
3. Click the Delete button on the RSA RADIUS Administrator toolbar, or right-click the profile entry and choose Delete from the context menu.
4. When you are prompted to confirm the deletion, click Yes.
Chapter 6: Displaying Statistics
The Statistics panel lets you display statistics for authentication and accounting transactions by a RADIUS server or RADIUS client. You can also use the Statistics panel to see how long RSA RADIUS Server has been running.
Displaying Server Authentication Statistics
Authentication statistics (Figure 18) summarize the number of authentication acceptances and rejections, with summary totals for each type of rejection or retry. To display authentication statistics for the RSA RADIUS serve
120. urrently running on your server.
2. Back up your RSA RADIUS Server directory.
3. Log into the Solaris server as root.
4. Type the following command to uninstall the RSA RADIUS Server software:
    /opt/rsa/radius/install/uninstall_rsa.sh
5. Type y when you are asked to confirm that you want to uninstall the RSA RADIUS Server software:
    Confirm removal of sbr-rsa_1.0.1 [y/n]: y
    Removing /etc/rc2.d/S90radius script
    Removing /etc/rc2.d/K90radius script
    Removal of <RSARadius> was successful
    RSARadius removed
Migration Log File
If the RSA RADIUS Server migration utility (rsainstalltool) encounters a problem while it is running, it records the problem in the tprsMigReg.log file, which is stored in the RSA RADIUS Server directory (/opt/rsa/radius by default). Example log:
    Log for RSA to SBR Install Utility
    Install Date: 07/15/2005  Install Time: 12:52:55
    INFO: SBR Radius services directory is /opt/rsa/radius
    INFO: Host Name: phobos  DNS Name: phobos.mars.com
    Replacing Host Name
    INFO: SBR Radius server name is phobos.mars.com
    INFO: SBR Radius server IP Address is 192.168.21.137
    SBR Radius server port is 1813
    Attempting to Locate RSA Server
    RSA Server is Remote
    Attempting to Locate Key and Certificate Files
    INFO: Copying RSA files from /export/home/ecarter/RSA to /opt/rsa/radius
    ERROR: server.cer not found
121. ... 29
System Requirements 29
Installer Syntax 29
Installing the RSA RADIUS Server Software 31
Stopping and Starting the RADIUS Daemon 33
Uninstalling the RSA RADIUS Server Software 34
Using RSA RADIUS Administrator
Running RSA RADIUS Administrator 35
Navigating in RSA RADIUS Administrator 36
RSA RADIUS Administrator Menus 36
RSA RADIUS Administrator Toolbar 38
RSA RADIUS Administrator Windows 39
Using Context Menus 42
Accessing Online Help 43
Displaying Version Information 43
Adding a License Key 43
Exiting the RSA RADIUS Administrator
122. uthentication Protocol.
(term truncated): A one-time authentication string consisting of a user's PIN followed by the user's tokencode.
Protected Extensible Authentication Protocol (PEAP): A two-phase authentication protocol where (1) an authentication server is authenticated to a supplicant using a digital certificate and a secure channel is established, and (2) the supplicant is authenticated to the authentication server through the secure channel.
Personal Identification Number (PIN): The numeric or alphanumeric string that identifies a user as being authorized for a specific RSA SecurID token.
Primary RADIUS Server: A RADIUS server that acts as the hub for database replication. Compare Replica RADIUS Server.
profile: A record in the RADIUS database describing the checklist attributes and return-list attributes that should be associated with a user or group of users.
Remote Authentication Dial-In User Service (RADIUS): A security administration standard that functions as an information clearinghouse, storing authentication information about users and administering multiple security systems across complex networks.
Glossary, pages 101-102. Other terms listed on these pages: realm, Replica RADIUS Server, return list attribute, RSA Authentication Manager, SecurID, session ID, shared secret, SNMP, software token, supplicant, time drift, token.
Remote Access Server (RAS): Network device that accepts connection requests from remote users, authenticates users through RADIUS, and routes users onto the network.
Identical in
123. ween the LDIF files generated by ldapsearch and those required for input to ldapmodify is that the ldapmodify input files must contain a changetype entry immediately following each dn entry in the file. The changetype entry specifies how to use the data to change the LDAP database. The full syntax for changetype within each transaction is as follows:
    dn: distinguished name of entry
    changetype: keyword
    subkeyword: attribute
    attribute: value
    changetype: keyword
    subkeyword: attribute
    attribute: value
    changetype: keyword
    subkeyword: attribute
    attribute: value
where keyword can be add, modify, or delete; subkeyword can be, respectively, add, replace, or delete; attribute can be any LDAP attribute in the entry; and value is the value to assign to the attribute.
Repeated changetype keyword entries are not required within a transaction unless you change the keyword. From top to bottom within the transaction, the latest keyword applies until another changetype keyword entry is provided.
The following syntax is valid if the same keyword applies throughout the transaction:
    dn: distinguished name of entry
    changetype: keyword
    subkeyword: attribute
    attribute: value
    subkeyword: attribute
    attribute: value
    subkeyword: attribute
    attribute: value
The subkeyword attribute entries are optional and indicate that you want to apply the change to a specific attribute within the e
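The transaction rules above can be checked mechanically before a file is fed to ldapmodify. The following is an added example written for this page, not code from RSA RADIUS Server or its documentation: a small Python checker that enforces exactly the rules just stated (dn first, changetype immediately after it, a subkeyword paired with the keyword currently in force, and the latest changetype applying until the next one). The DN and attribute names in the constructed samples are hypothetical placeholders rather than the server's LDAP schema, and the checker implements only the guide's transaction syntax, not general LDIF.

```python
# Added example (not from the RSA RADIUS Server guide): a checker for the
# ldapmodify transaction syntax described above. The DN and attribute names in
# the constructed samples are hypothetical placeholders, not the product schema.

# keyword -> the one subkeyword the guide pairs with it ("respectively").
PAIRING = {"add": "add", "modify": "replace", "delete": "delete"}
SUBKEYWORDS = frozenset(PAIRING.values())


def parse_transaction(text):
    """Parse one transaction into (dn, ops).

    ops is a list of (keyword, subkeyword_or_None, attribute, value).
    Raises ValueError, naming the offending line, when a rule is broken.
    """
    dn = None
    keyword = None            # changetype keyword currently in force
    expect_changetype = False # True right after the dn line
    pending = None            # attribute named by a subkeyword line, awaiting its value
    ops = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name or not value:
            raise ValueError(f"line {lineno}: expected 'name: value'")
        if name == "dn":
            if dn is not None:
                raise ValueError(f"line {lineno}: only one dn per transaction")
            dn, expect_changetype = value, True
            continue
        if dn is None:
            raise ValueError(f"line {lineno}: dn must be the first entry")
        if expect_changetype and name != "changetype":
            raise ValueError(f"line {lineno}: changetype must immediately follow dn")
        if name == "changetype":
            if value not in PAIRING:
                raise ValueError(f"line {lineno}: unknown changetype {value!r}")
            if pending is not None:
                raise ValueError(f"line {lineno}: subkeyword {pending!r} has no attribute line")
            keyword, expect_changetype = value, False
        elif name in SUBKEYWORDS:
            if pending is not None:
                raise ValueError(f"line {lineno}: subkeyword {pending!r} has no attribute line")
            if name != PAIRING[keyword]:
                raise ValueError(
                    f"line {lineno}: subkeyword {name!r} is not valid under changetype {keyword!r}")
            pending = value
        else:
            # Plain "attribute: value" line; the latest changetype keyword applies.
            if pending is not None and pending.lower() != name:
                raise ValueError(f"line {lineno}: expected attribute {pending!r}, got {name!r}")
            ops.append((keyword, PAIRING[keyword] if pending is not None else None, name, value))
            pending = None
    if dn is None:
        raise ValueError("transaction has no dn entry")
    if expect_changetype:
        raise ValueError("dn entry is not followed by a changetype entry")
    if pending is not None:
        raise ValueError(f"subkeyword {pending!r} has no attribute line")
    return dn, ops


def is_valid(text):
    """True if the transaction parses under the guide's rules."""
    try:
        parse_transaction(text)
        return True
    except ValueError:
        return False


# Constructed sample (hypothetical DN and attributes). "changetype: modify" is
# stated once and stays in force for both replace blocks until "changetype: add".
SAMPLE = """\
dn: name=sales-nas,class=RadiusClient,o=example
changetype: modify
replace: description
description: Sales office NAS
replace: ipaddress
ipaddress: 192.168.12.145
changetype: add
add: hostname
hostname: sales-nas.example.com
"""

# Constructed sample that breaks the pairing rule: "replace" under "add".
BAD_SAMPLE = """\
dn: name=sales-nas,class=RadiusClient,o=example
changetype: add
replace: description
description: Sales office NAS
"""

if __name__ == "__main__":
    dn, ops = parse_transaction(SAMPLE)
    print(dn)
    for op in ops:
        print(op)
    print("bad sample valid?", is_valid(BAD_SAMPLE))
```

Run as a script, it prints the three parsed operations for the first sample and reports the second as invalid, because replace is only valid under changetype: modify.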
124. will be re-synchronized with the current Primary RADIUS Server.
Changing the Name or IP Address of a Server
You may need to change the DNS name or IP address assigned to a Primary or backup RADIUS server if your network changes.
To change the DNS name or IP address of a Primary or Replica RADIUS Server:
1. Stop the RSA RADIUS service (daemon) on the RADIUS server you want to change.
2. Log into the RADIUS server as root (Solaris, Linux) or administrator (Windows).
3. Navigate to the RSA Radius Service (Windows) or /opt/rsa/radius (Solaris, Linux) directory.
4. Run the rsainstalltool (Windows) or rsaconfiguretool (Solaris, Linux) utility with the identity option. To rename a Primary RADIUS Server, enter: rsaconfiguretool identity PRIMARY. To rename a Replica RADIUS Server, enter: rsaconfiguretool identity REPLICA.
5. Restart the updated server so that it can load its new configuration.
6. Run the RSA RADIUS Administrator and modify the DNS name or IP address for the server you want to rename.
7. Verify that the secret on the renamed server is correct.
8. You may need to use the Replication panel to delete the old server name from the list of servers in the realm.
NOTE: After you change the name or IP address of a Primary or Replica RADIUS Server, use RSA Authentication Manager to change the Agent Host record in the Authe
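Two behaviours this guide describes, the Echo setting on a return-list attribute (Administering Profiles) and the check that a renamed server's secret is correct (step 7 above), are easier to see in a model of the protocol exchange. The following is an added example written for this page, not code from RSA RADIUS Server, RSA Authentication Manager or their documentation. It builds a constructed Access-Request, applies a profile return list in which Login-IP-Host is marked Echo, and computes the Access-Accept's Response Authenticator as RFC 2865 specifies (MD5 over the header, the Request Authenticator, the attributes and the shared secret), so a client that verifies the reply with a different secret, or a reply altered in transit, is rejected. The user name, address, return-list entries and the secret are constructed for the demonstration; the attribute type numbers are the standard ones from RFC 2865.

```python
# Added example (not from the RSA RADIUS Server guide, and not its implementation):
# a minimal RADIUS model showing how an Echo return-list attribute takes its
# value from the request, and how the shared secret binds the server's reply
# through the Response Authenticator of RFC 2865 section 3.
# User name, address, return list and secret below are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
# Standard attribute type numbers from RFC 2865.
USER_NAME, LOGIN_IP_HOST, REPLY_MESSAGE = 1, 14, 18


def encode_attrs(attrs):
    """Pack (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length, value."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return bytes(out)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def apply_return_list(request_attrs, return_list):
    """Build response attributes from a profile's return list.

    Entries are (type, default_value_or_None, echo). With echo set, the value is
    copied from the request; if the request lacks the attribute, the default is
    used when one is given, otherwise the attribute is omitted from the reply.
    """
    received = {t: v for t, v in request_attrs}
    out = []
    for t, default, echo in return_list:
        if not echo:
            out.append((t, default))
        elif t in received:
            out.append((t, received[t]))
        elif default is not None:
            out.append((t, default))
    return out


def build_accept(request, return_list, secret):
    """Server side: answer an Access-Request with an Access-Accept."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = apply_return_list(decode_attrs(request[20:length]), return_list)
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, attrs)


def verify_response(response, request_auth, secret):
    """Client side: accept the reply only if it was built with our secret and nonce."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    attrs = decode_attrs(response[20:length])
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(expected, response[4:20])


def demo(secret=b"constructed-shared-secret"):
    """Run one exchange; returns (request, accept, request_authenticator)."""
    request_auth = os.urandom(16)  # the client's random 16-byte Request Authenticator
    request = build_packet(ACCESS_REQUEST, 7, request_auth, [
        (USER_NAME, b"jdoe"),                            # constructed
        (LOGIN_IP_HOST, bytes([192, 168, 12, 145])),     # the address shown in Figure 8
    ])
    return_list = [
        (LOGIN_IP_HOST, None, True),          # Echo: reflect whatever the RAS sent
        (REPLY_MESSAGE, b"welcome", False),   # fixed value from the profile
    ]
    return request, build_accept(request, return_list, secret), request_auth
```

demo() returns the request, the reply, and the Request Authenticator the client must keep in order to verify the reply. The Request Authenticator is only a random nonce: nothing in the request itself proves the RAS knows the secret (the secret is used to hide User-Password and to compute the reply), so a mismatched secret shows up on the client as replies that fail verification rather than as an explicit error, which is why step 7 above is a check worth doing deliberately after a rename.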