__FORCETOC__
=== RADIUS > Attributes ===
Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which are stored on the RADIUS program.

RADIUS Internet Engineering Task Force (IETF) attributes are the original set of 255 standard attributes that are used to communicate AAA information between a client and a server. The IETF attributes are standard and the attribute data is predefined. All clients and servers that exchange AAA information using IETF attributes must agree on attribute data such as the exact meaning of the attributes and the general bounds of the values for each attribute.<ref>https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radatt/configuration/xe-16/sec-usr-radatt-xe-16-book/sec-rad-ov-ietf-attr.html</ref>

You can search for one or more attributes in this menu.

==== Useful User and Group Authentication Attributes ====
{| class="wikitable"
! width="200" | attribute !! Operator !! width="100" | Value !! Description
|-
| PAP-Auth-Allow || := || 1 || When not using [[RADIUS Settings - General|Phase 2 Authentication Using PAP]], use this attribute to allow 2-Step PAP authentication for specific users or groups.
|-
| PAP-Auth-Deny || := || 1 || When using [[RADIUS Settings - General|Phase 2 Authentication Using PAP]], use this attribute to deny 2-Step PAP authentication for specific users or groups.
|-
| Login-Time || += || text || The Login-Time attribute defines the time span during which a user may login to the system and can deny the authentication on specified days/times. It also allows for automatic termination of wireless LAN connections if they are already established after the specified end time. However, adding this attribute later to a device already connected to the wireless LAN may not result in automatic disconnection.
{{note| Wireless equipment needs to support Session-Timeout attribute for automatic disconnection.}}
You should define time strings using the "Day%H%M-Day%H%M" format. Days can be Mo, Tu, We, Th, Fr, Sa, or Su, with "Wk" for weekdays and "Any" for all days. <ref>https://networkradius.com/doc/current/raddb/mods-available/logintime.html</ref> 
"%H" represents the hours in the range from 00 to 23, and "%M" represents the minutes in the range from 00 to 59. 
If you omit "%H" and "%M" in a time string format, it indicates "any time", allowing for any hour and any minute.

{{note|Multiple time strings may be a list of simple time strings separated by <nowiki>"|"</nowiki>}}
For examples)
* Wk0900-1800 // Authentication is possible from Monday to Friday, between 9:00 AM and 6:00 PM.
* Wk0900-1800, Sa0900-1200 // Authentication is possible from Monday to Friday between 9:00 AM and 6:00 PM and on Saturday only between 9:00 AM and 12:00 PM.
* Any0900-1800 // Authentication is possible everyday between 9:00 AM and 6:00 PM
* Any0900-1800, We2000-2100 //Authentication is possible everyday between 9:00 AM and 6:00 PM, and on Wednesday only between 8:00 PM and 9:00 PM.
* Sa // Authentication is possible every Saturday at any time.
* Any // Always(Default)

|-
| User-Login-Time || := || text || It is similar to the Login-Time attribute. however, it is an exclusive attribute that does not affect users if they are part of a specific group with its own Login-Time attribute. '''This attribute applies only to users.'''
|-
| Group-Login-Time || := || text || It is also similar to the Login-Time attribute but acts as an exclusive attribute that takes precedence over Login-Time attributes for users who are part of a group, even if they have their own Login-Time attribute. However, if a user has a User-Login-Time attribute, Group-Login-Time will not be applied (User-Login-Time takes the highest priority). '''This attribute applies only to groups.'''
|-
| Login-Time-Nas-Identifier || ''':=''' || ssid || The attribute implies that time-based authentication is applied only when the user is connected through a specific SSID, and it can be defined as Login-Time, User-Login-Time, or Group-Login-Time. To define multiple SSIDs, use <nowiki>"|"</nowiki>. 
For examples)
* my-ssid-A 
* my-ssid-A <nowiki>|</nowiki> my-ssid-B
|-
| Calling-Station-Id || =~ || mac address1 <nowiki>|</nowiki> mac address2 ... || It is used to include the user's device MAC address for user identification during authentication. If this attribute is included, user authentication requires a match in Username, User-Password, and MAC address. You can use the <nowiki>"|"</nowiki> symbol to define multiple MAC addresses. When entering MAC addresses, use lowercase letters without separators.
For examples)
* 0000aaaa2222
* 0000aaaa2222 <nowiki>|</nowiki> 0000aaaa3333 // 2 MAC addresses
* ^bbbb22 // MAC address begins with "bbbb22" 
* 0000bbbb2222 <nowiki>|</nowiki> 0000bbbb3333 <nowiki>|</nowiki> ^bbbb22 <nowiki>|</nowiki> 0000bbbb3333 // Multiple MAC addresses

{{note|MAC addresses are in hexadecimal, and you should enter them in lowercase without any separators. When including multiple MAC addresses, be sure to separate them using <nowiki>"|"</nowiki> within a single Calling-Station-Id attribute. If multiple MAC addresses are defined, authentication will succeed if any one of them matches.}}
|-
| Nas-Identifier || =~ || ssid || You can specify the SSID when authenticating individual users and users included in a group. In other words, authentication will only proceed if the user connects through a specific SSID. To define multiple SSIDs, use <nowiki>"|"</nowiki>. 
For examples)
* my-ssid-A
* my-ssid-A <nowiki>|</nowiki> my-ssid-B
|-
| Expiration || := || datetime || This can be set in user or group attributes and refers to the authentication expiration time. When the time for this attribute expires, authentication for the user with this attribute or users belonging to groups that include this attribute will be denied.

The expiration time should be defined in the format "%b %d %Y %H:%M:%S %Z." 
For example: Oct 20 2023 14:00:00 KST

{{note | To set the expiration time for individual users, specify "Expiration" in the detailed information of the [[RADIUS Users]] page, and then this attribute will be automatically added, so use that interface.}}
|-
|}

==== Useful User and Group Reply Attributes ====
{| class="wikitable"
! width="200" | attribute !! Operator !! width="100" | Value !! Description
|-
| Session-Timeout || := || 3600~86400(second) || It refers to the Session-Timeout of a user connected to the wireless LAN, and when this time elapses, a new wireless LAN encryption key is generated to maintain a secure wireless LAN connection. In a typical WPA-Enterprise environment through a wireless LAN authentication server, keys are generated securely to maintain an encrypted channel. However, to ensure an even more secure encrypted channel, you can use this attribute.
|-
| Tunnel-Medium-Type || := || 6 || 802 (includes all 802 media plus Ethernet “canonical format”)
|-
| Tunnel-Private-Group-Id || := || VLAN ID || It includes the VLAN ID or name and accommodates a string length of up
to 253 characters.
|-
| Tunnel-Type|| := || 13 || Virtual LANs (VLAN)
|-
|}
To assign a specific VLAN to a user or users in a group, include Tunnel-Medium-Type, Tunnel-Private-Group-Id, and Tunnel-Type in the repply attributes.

=== References ===

2023-10-28T05:01:14Z

Shin: /* Create New User */

__FORCETOC__
=== RADIUS > Users ===
You can add, update, or delete the usernames for the RADIUS authentication.

==== Create New User ====
You can add a new user at the top right of the page and can create a user as either a Username authentication or a [[MAC Address]] authentication.
The Username authentication stores a User-Name and User-Password and the credentials are validated with the two attributes to authenticate an ACCESS-REQUEST. 
The MAC address authentication store a MAC address of a user machine and the credentials are validated with the address. The MAC address type is applied usually in the environment of an open wireless network. 

{| class="wikitable"
|+ Username / MAC Authentication
|-
! style='width:150px' !! Item !! Required !! Description
|-
| Username|| Yes || The multibyte characters(e.g, korean, japaneses) are not allowed.
|-
| Status || Yes || Select "authorized"
|-
| Password Type || Yes || It is the encryption method of a password. If a user machine is windows 10, the type must be either the Windows NT hashed passwords or clear-text passwords.
|-
| Password Confirm Password|| Yes || Input the password of a username.
|-
| Expiration || No || Set the user authentication expiration date.
|-
| User Information || Optional || You can fill out the general user informations. The requirement of this field depends on "Environment > [[Environment | Custom Fields]]".
|-
| Group || No || A group to which the user.
|-
| Additional Attributes || No || You can add more attributes for authentication or reply. You don't need to add additional attributes at this step because they can be added after creating a user.
|-
|}

{| class="wikitable"
|+ MAC Address Authentication
|-
! style='width:150px' | Item !! Required !! Description
|-
| MAC Address || Yes || The [[MAC Address]] of a user machine. The address is case-sensitive and also may include delimiters and you can find the format of the MAC address from the [[Accounting]].
|-
| Expiration || No || Set the user authentication expiration date.
|-
| colspan=3 | Others are same as the Username Authentication.
|-
|}

==== User Authorization, Updating, and Deleting ====
A username that was registered from the captive portal page will be added as an un-authorized one. You can authorize it by click the [[File:popup.png|23x]] icon in front of each row.
Within the same interface, you can also change other information and delete a user.

==== Additional Attributes ====
===== Authentication Attributes =====
Authentication attributes are pieces of information used in RADIUS authentication in addition to the basic information (User-Name, User-Password). For useful authentication attributes, refer to the [[Attributes]] section.

===== Reply Attributes =====
Reply attributes refer to the attributes provided to the user after RADIUS authentication. For useful reply attributes, refer to the [[Attributes]] section.

==== Password Reset ====
You can reset the password of registered users.

When a user's password is reset, the previous password becomes unusable, and a temporary password is issued. The use of such temporary passwords and the password reset feature can be configured in RADIUS > Settings > General > [[RADIUS Settings - General | Password Complexity Requirements for RADIUS User-Password]]. If the password reset feature is inactive (default state), users cannot use the password reset function.

When a password is reset, the user must create a new password using the temporary password on the password change page. For more details, refer to RADIUS > Settings > General > [[RADIUS Settings - General | Password Complexity Requirements for RADIUS User-Password]].

{{note|Passwords for users authenticated based on MAC address or stored in an external database as "[[RADIUS Settings - General | cached user]]" cannot be reset.}}

==== Expiration ====
Users with a specified expiration time that has passed will not be granted authentication (Access-Reject), and this information will not be automatically deleted."

RADIUS Users

2023-10-28T04:58:20Z

Shin: /* Create New User */

2023-10-24T06:57:46Z

Shin:

__FORCETOC__
=== RADIUS > Attributes ===
Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which are stored on the RADIUS program.

RADIUS Internet Engineering Task Force (IETF) attributes are the original set of 255 standard attributes that are used to communicate AAA information between a client and a server. The IETF attributes are standard and the attribute data is predefined. All clients and servers that exchange AAA information using IETF attributes must agree on attribute data such as the exact meaning of the attributes and the general bounds of the values for each attribute.<ref>https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radatt/configuration/xe-16/sec-usr-radatt-xe-16-book/sec-rad-ov-ietf-attr.html</ref>

You can search for one or more attributes in this menu.

==== Useful User and Group Authentication Attributes ====
{| class="wikitable"
! width="200" | attribute !! Operator !! width="100" | Value !! Description
|-
| PAP-Auth-Allow || := || 1 || When not using [[RADIUS Settings - General|Phase 2 Authentication Using PAP]], use this attribute to allow 2-Step PAP authentication for specific users or groups.
|-
| PAP-Auth-Deny || := || 1 || When using [[RADIUS Settings - General|Phase 2 Authentication Using PAP]], use this attribute to deny 2-Step PAP authentication for specific users or groups.
|-
| Login-Time || += || text || The Login-Time attribute defines the time span during which a user may login to the system and can deny the authentication on specified days/times. It also allows for automatic termination of wireless LAN connections if they are already established after the specified end time. However, adding this attribute later to a device already connected to the wireless LAN may not result in automatic disconnection.
{{note| Wireless equipment needs to support Session-Timeout attribute for automatic disconnection.}}
You should define time strings using the "Day%H%M-Day%H%M" format. Days can be Mo, Tu, We, Th, Fr, Sa, or Su, with "Wk" for weekdays and "Any" for all days. <ref>https://networkradius.com/doc/current/raddb/mods-available/logintime.html</ref> 
"%H" represents the hours in the range from 00 to 23, and "%M" represents the minutes in the range from 00 to 59. 
If you omit "%H" and "%M" in a time string format, it indicates "any time", allowing for any hour and any minute.

{{note|Multiple time strings may be a list of simple time strings separated by <nowiki>"|"</nowiki>}}
For examples)
* Wk0900-1800 // Authentication is possible from Monday to Friday, between 9:00 AM and 6:00 PM.
* Wk0900-1800, Sa0900-1200 // Authentication is possible from Monday to Friday between 9:00 AM and 6:00 PM and on Saturday only between 9:00 AM and 12:00 PM.
* Any0900-1800 // Authentication is possible everyday between 9:00 AM and 6:00 PM
* Any0900-1800, We2000-2100 //Authentication is possible everyday between 9:00 AM and 6:00 PM, and on Wednesday only between 8:00 PM and 9:00 PM.
* Sa // Authentication is possible every Saturday at any time.
* Any // Always(Default)

|-
| User-Login-Time || := || text || It is similar to the Login-Time attribute. however, it is an exclusive attribute that does not affect users if they are part of a specific group with its own Login-Time attribute. '''This attribute applies only to users.'''
|-
| Group-Login-Time || := || text || It is also similar to the Login-Time attribute but acts as an exclusive attribute that takes precedence over Login-Time attributes for users who are part of a group, even if they have their own Login-Time attribute. However, if a user has a User-Login-Time attribute, Group-Login-Time will not be applied (User-Login-Time takes the highest priority). '''This attribute applies only to groups.'''
|-
| Calling-Station-Id || =~ || mac address1 <nowiki>|</nowiki> mac address2 ... || It is used to include the user's device MAC address for user identification during authentication. If this attribute is included, user authentication requires a match in Username, User-Password, and MAC address. You can use the <nowiki>"|"</nowiki> symbol to define multiple MAC addresses. When entering MAC addresses, use lowercase letters without separators.
For examples)
* 0000aaaa2222
* 0000aaaa2222 <nowiki>|</nowiki> 0000aaaa3333 // 2 MAC addresses
* ^bbbb22 // MAC address begins with "bbbb22" 
* 0000bbbb2222 <nowiki>|</nowiki> 0000bbbb3333 <nowiki>|</nowiki> ^bbbb22 <nowiki>|</nowiki> 0000bbbb3333 // Multiple MAC addresses

{{note|MAC addresses are in hexadecimal, and you should enter them in lowercase without any separators. When including multiple MAC addresses, be sure to separate them using <nowiki>"|"</nowiki> within a single Calling-Station-Id attribute. If multiple MAC addresses are defined, authentication will succeed if any one of them matches.}}
|-
| Nas-Identifier || =~ || ssid || You can specify the SSID when authenticating individual users and users included in a group. In other words, authentication will only proceed if the user connects through a specific SSID. To define multiple SSIDs, use <nowiki>"|"</nowiki>. 
For examples)
* my-ssid-A
* my-ssid-A <nowiki>|</nowiki> myssid-B
|-
| Expiration || := || time || This can be set in user or group attributes and refers to the authentication expiration time. When the time for this attribute expires, authentication for the user with this attribute or users belonging to groups that include this attribute will be denied.

The expiration time should be defined in the format "%b %d %Y %H:%M:%S %Z." 
For example: Oct 20 2023 14:00:00 KST

{{note | To set the expiration time for individual users, specify "Expiration" in the detailed information of the [[RADIUS Users]] page, and then this attribute will be automatically added, so use that interface.}}
|-
|}

==== Useful User and Group Reply Attributes ====
{| class="wikitable"
! width="200" | attribute !! Operator !! width="100" | Value !! Description
|-
| Session-Timeout || := || 3600~86400(second) || It refers to the Session-Timeout of a user connected to the wireless LAN, and when this time elapses, a new wireless LAN encryption key is generated to maintain a secure wireless LAN connection. In a typical WPA-Enterprise environment through a wireless LAN authentication server, keys are generated securely to maintain an encrypted channel. However, to ensure an even more secure encrypted channel, you can use this attribute.
|-
|}

=== References ===

2023-10-17T07:20:09Z

Shin:

=== RADIUS > Settings > General ===
==== Data Maintenance ====
{| class="wikitable"
! Items !! Description
|-
| style='width:200px' | Cached User || If you set this, the imRAD saves a username and its password into the imRAD local database. The password is encrypted with a hash function and can't be decrypted to a plaintext.
After that, the imRAD can authenticate a user not from a customer database but from the imRAD local database. This can reduce traffics to a customer database.
The imRAD will delete after a specified number of days after being saved.
|-
| Local User || It will delete local users that are inactive for more than the specified day. Local user is a user that was created by an administrator.
|-
| NAS-ID || It automatically saves [[NAS Identifier | NAS-IDs ]] from the ACCESS-REQUEST and deletes the inactive NAS IDs for more than the specified day.
|-
|}

==== Password Complexity Requirements for Local User-Password ====
For security reasons, a minimum length of 8 characters is recommended, and it's advisable to mix all password combinations.

===== Password Reset =====
Password reset involves resetting the password of users stored in the local database and comes in both PASSWORD and OTP (One-Time Password) methods.

When a password is reset, a temporary password is issued, and the wireless LAN authentication for that user is temporarily denied. Wireless LAN users must connect the 'Password Change' page and sets a new password using the temporary password generated during the reset to regain wireless LAN access. The page that allows wireless LAN users to change their passwords can be configured in the [[Guest Page]] menu.

PASSWORD: After a password reset, the temporary password is set to a designated password (the same for all users).
OTP: After a password reset, the temporary password is randomly generated as a 6-digit number (unique for each user).

Here is the basic flow of the password reset process:

# A wireless LAN user requests a password reset(directly via phone or other methods)
# The administrator informs the user of the temporary password generated after the password reset.
# The wireless LAN user accesses the password change page through the Captive Portal or another method.
# The user enters the temporary password and creates a new password, then saves it.
# The user connects to the wireless LAN using the new password after changing the SSID.

==== EAP(Extensible Authentication Protocol) ====
The basic EAP types include TTLS (Tunneled Transport Layer Security) and PEAP (Protected Extensible Authentication Protocol), and you can choose either one.<ref>https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol</ref>

If the phase 2 authentication PAP (Password Authentication Protocol) is not used, authentication may fail on Windows 10 or 11. To allow the use of PAP at the user or group level in such environments, you can use the PAP-Auth-Allow := 1 attribute in the user or group authentication properties. Conversely, if you want to restrict the use of PAP for specific users or groups while allowing phase 2 PAP authentication, you can add the PAP-Auth-Deny := 1 attribute.

* Timer: A list is maintained to correlate EAP-Response packets with EAP-Request packets. After a configurable length of time, entries in the list expire, and are deleted.
* Advanced
** TLS Cipher Suite: Set this option to specify the allowed TLS cipher suites. The format is listed in https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
** TLS version: Set min / max TLS version. Some operating systems still use TLS 1.0

==== RADIUS configuration ====
The thread pool is a long-lived group of threads that take turns (round-robin) handling any incoming requests.
You probably want to have a few spare threads around, so that high-load situations can be handled immediately. If you don't have any spare threads, then the request handling will be delayed while a new thread is created, and added to the pool.
You probably don't want too many spare threads around, otherwise, they'll be sitting there taking up resources, and not doing anything productive.
{{note|We recommend having you use the default thread values.}}

===== Reject delay =====
When sending an Access-Reject, it can be delayed for a few seconds.
This may help slow down a DoS attack. It also helps to slow down people trying to brute-force crack a user's password.
Setting this number to 0 means "send rejects immediately".
You can set the value between 0 and 5.

===== Advanced =====
The port values of 1812 for authentication and 1813 for accounting are RADIUS standard ports defined by the Internet Engineering Task Force (IETF) in RFCs 2865 and 2866.

The wildcard (i.e. *) in the address field indicates "any". The 0 in the port field indicates "default". 
You can only change the port to another.

==== Reject2ban ====
Please refer to [[Reject2ban]].

=== References ===

RADIUS Users

2023-10-17T07:11:27Z

Shin: /* Password Reset */

RADIUS Users

2023-10-17T07:09:21Z

Shin:

RADIUS Settings - General

2023-10-17T07:03:01Z

Shin: /* Password Complexity Requirements for Local User-Password */

=== RADIUS > Settings > General ===
==== Data Maintenance ====
{| class="wikitable"
! Items !! Description
|-
| style='width:200px' | Cached User || If you set this, the imRAD saves a username and its password into the imRAD local database. The password is encrypted with a hash function and can't be decrypted to a plaintext.
After that, the imRAD can authenticate a user not from a customer database but from the imRAD local database. This can reduce traffics to a customer database.
The imRAD will delete after a specified number of days after being saved.
|-
| Local User || It will delete local users that are inactive for more than the specified day. Local user is a user that was created by an administrator.
|-
| NAS-ID || It automatically saves [[NAS Identifier | NAS-IDs ]] from the ACCESS-REQUEST and deletes the inactive NAS IDs for more than the specified day.
|-
|}

==== Password Complexity Requirements for Local User-Password ====
For security reasons, a minimum length of 8 characters is recommended, and it's advisable to mix all password combinations.

===== Password Reset =====
Password reset involves resetting the password of users stored in the local database and comes in both PASSWORD and OTP (One-Time Password) methods.

When a password is reset, a temporary password is issued, and the wireless LAN authentication for that user is temporarily denied. Wireless LAN users must connect the 'Password Change' page and sets a new password using the temporary password generated during the reset to regain wireless LAN access. The page that allows wireless LAN users to change their passwords can be configured in the [[Guest Page]] menu.

PASSWORD: After a password reset, the temporary password is set to a designated password (the same for all users).
OTP: After a password reset, the temporary password is randomly generated as a 6-digit number (unique for each user).

Here is the basic flow of the password reset process:

# A wireless LAN user requests a password reset(directly via phone or other methods)
# The administrator informs the user of the temporary password generated after the password reset.
# The wireless LAN user accesses the password change page through the Captive Portal or another method.
# The user enters the temporary password and creates a new password, then saves it.
# The user connects to the wireless LAN using the new password after changing the SSID.

==== Additional attributes for Multi-Factor Authentication ====
Please refer to [[Multi-Factor Authentication]].

==== EAP(Extensible Authentication Protocol) ====
The basic EAP types include TTLS (Tunneled Transport Layer Security) and PEAP (Protected Extensible Authentication Protocol), and you can choose either one.<ref>https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol</ref>

If the phase 2 authentication PAP (Password Authentication Protocol) is not used, authentication may fail on Windows 10 or 11. To allow the use of PAP at the user or group level in such environments, you can use the PAP-Auth-Allow := 1 attribute in the user or group authentication properties. Conversely, if you want to restrict the use of PAP for specific users or groups while allowing phase 2 PAP authentication, you can add the PAP-Auth-Deny := 1 attribute.

* Timer: A list is maintained to correlate EAP-Response packets with EAP-Request packets. After a configurable length of time, entries in the list expire, and are deleted.
* Advanced
** TLS Cipher Suite: Set this option to specify the allowed TLS cipher suites. The format is listed in https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
** TLS version: Set min / max TLS version. Some operating systems still use TLS 1.0

==== RADIUS configuration ====
The thread pool is a long-lived group of threads that take turns (round-robin) handling any incoming requests.
You probably want to have a few spare threads around, so that high-load situations can be handled immediately. If you don't have any spare threads, then the request handling will be delayed while a new thread is created, and added to the pool.
You probably don't want too many spare threads around, otherwise, they'll be sitting there taking up resources, and not doing anything productive.
{{note|We recommend having you use the default thread values.}}

===== Reject delay =====
When sending an Access-Reject, it can be delayed for a few seconds.
This may help slow down a DoS attack. It also helps to slow down people trying to brute-force crack a user's password.
Setting this number to 0 means "send rejects immediately".
You can set the value between 0 and 5.

===== Advanced =====
The port values of 1812 for authentication and 1813 for accounting are RADIUS standard ports defined by the Internet Engineering Task Force (IETF) in RFCs 2865 and 2866.

The wildcard (i.e. *) in the address field indicates "any". The 0 in the port field indicates "default". 
You can only change the port to another.

==== Reject2ban ====
Please refer to [[Reject2ban]].

=== References ===

ImRAD RADIUS

2023-10-17T06:23:49Z

Shin:

__FORCETOC__
=== RADIUS Overview ===
RADIUS(Remote Authentication Dial-In User Service) is a networking protocol, operating on ports 1812 and 1813, that provides centralized Authentication, Authorization, and Accounting (AAA or Triple-A) management for users who connect and use a network service.<ref name='radius-wiki'>https://en.wikipedia.org/wiki/RADIUS</ref>

RADIUS is a client/server protocol that runs in the application layer. Network access servers, which control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS is often the back-end of choice for 802.1X<ref>https://en.wikipedia.org/wiki/IEEE_802.1X</ref> authentication.<ref name='radius-wiki' />

WPA-Enterprise is also referred to as WPA-802.1X mode, and sometimes just WPA (as opposed to WPA-PSK), this is designed for enterprise networks and requires a RADIUS authentication server to have users can use a network service.<ref name='wiki-wpa>https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#WPA2</ref>

The imRAD can be used on WPA, WPA2, and WPA3 Enterprise<ref name='wiki-wpa /> environments and supports EAP-TTLS<ref>https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP_Tunneled_Transport_Layer_Security_(EAP-TTLS)</ref> and EAP-PEAP<ref>https://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol</ref>.
The EAP-TTLS is a default authentication method.

RADIUS authentication consists of supplicant(user device), NAS(Network Access Server), and the RADIUS server.
The user or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials. The NAS sends a RADIUS Access-Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol. The RADIUS server checks that the information is correct.

[[File:Drawing_RADIUS_1812.svg.png|400px|thumb|RADIUS Authentication and Authorization Flow<ref name='radius-wiki' />]]

The imRAD was developed based on the '''[https://wiki.freeradius.org/Home FreeRADIUS]''' and provides the most of RADIUS services.
Our system can authenticate a User-Name in a Local database, remote databases, or LDAP servers, and Proxy servers.
The following is the supporting remote DBMS or LDAP.
* MariaDB
* MySql
* Oracle 11g ~ 19c
* Microsoft SQL Server 2014 ~ 2019
* Tibero 6
* PostgreSQL 12
* SYBASE
* OpenLDAP
* Microsoft Active Directory Domain service(AD DS)
* Microsoft Active Directory Lightweight directory service(AD LDS)

Using an '''[[Authentication DB | external Database]]''' makes it possible to authenticate directly a user through it(e.g, Customer employee database) without importing data from the remote database to the imRAD local database. 
In the environment of user authentication via an '''[[Authentication DB | external Database]]''', it may increase network traffic to the external database and slow down the database. 
To resolve this, the user credentials that were authenticated from an external database are saved into the local database for few days(You can set how many days the cached users are kept in the local database from the [[RADIUS Settings - General | RADIUS general settings]]). And then, authentication requests will not be sent to the external database but be completed in the local database. We called it "cached user". 
To securely save the User-password into the local database, it is saved as hashed data using the strong hash algorithm(e.g, SHA256 with salt). 

[[File:pta.png]]

Supporting TLS(Transport Layer Security) version is between 1.0 and 1.3 and can be changed the minimum and the maximum version from the [[RADIUS Settings - General | RADIUS general settings]].
You must make sure the TLS version because some client operating systems still use TLS 1.0.

RADIUS Proxying is that the server can proxy any request to other RADIUS servers and other RADIUS servers can authenticate the proxying request.<ref>https://wiki.freeradius.org/features/Proxy</ref>
A famous proxying is eduroam(education roaming)<ref>https://www.eduroam.org/what-is-eduroam/</ref> and a user can be authenticated at an eduroam server using the RADIUS Proxying.

An [[Authentication DB | external database]] authentication and a RADIUS Proxying can be restricted by a NAS Identifier(NAS-ID) and you can also set this policy on RADIUS> Settings> [[Authentication DB]] or [[Realm and proxy|Realms/Proxys]] menu.

=== Configuring RADIUS ===
===== Getting started =====
Basically, to authenticate a user's device basically that is in the 802.1x environment, Follow the below instruction.

# Register the IP address of an imRAD and the shared secret at a [[NAS]].
# Register the IP address of a [[NAS]] and the same shared secret at the [[NAS setting | RADIUS > settings > NAS]] .

After doing the above, the imRAD RADIUS can process the requests from the [[NAS]] that was registered.
If you want to test a device(e.g, smartphone, tablet, laptop computer, and so on), please refer to the [[RADIUS Authentication testing]].

===== [[RADIUS Users|Users]]=====
It manages 802.1x Users.

===== [[Reject2ban]] =====
It is designed to reduce the load on the databases from random requests of a malicious client.

===== [[RADIUS Groups|Groups]]=====
It is the RADIUS User groups.

=====[[Attributes]]=====
It provides a manager can search the attributes used in RADIUS.

===== Log =====
* [[RADIUS Log | Accounting]]: It displays all Accounting.
* [[RADIUS Log | Post-Authentication]]: It displays all log after attempting authentication.
* [[Reject2ban]]: It displays the Reject2ban log.

=====Settings=====
All settings for the RADIUS can be configured on this menu. After configuring something, the radiusd service will automatically apply the changed values in few seconds without an administrator manually restart the radiusd service.
If you want to radiusd service can forcibly apply the changed value, click the "Apply" button at the bottom of this menu.

======  [[RADIUS Settings - General | General]]======
You can configure Data Maintenance, Password complexity for RADIUS User-Password, EAP, RADIUS general configuration, and Reject2ban.

======  [[NAS setting | NAS]]======
As a feature for managing the Network Access Server, you can add or remove wireless LAN controllers or Access Points (APs).

======  [[Realm and proxy|Realm/Proxy]]======
It manages Proxy servers and Realm for the Proxy Authentication.

======  [[Authentication DB]]======
Configure local or external database connection attributes for user authentication.

======  [[LDAP]]======
Configure LDAP(Lightweight Directory Access Protocol) or AD(Active Directory) server connection attributes for user authentication.
======  [[NAS Identifier|NAS-ID]]======
It manages automatically collected NAS-ID (SSID).

======  [[Guest Page]]======

======  [[RADIUS Authentication testing]]======
It shows several EAP methods for operating system-specific authentication tests.

=== References ===

Captive portal

2023-10-17T06:22:47Z

Shin: Created page with "Our system provides users who want to use the wireless LAN can register their UserName (ID) and password. The interface for designing this page is accessible through RADIUS >..."

Attributes

2023-10-17T06:20:16Z

Shin:

__FORCETOC__
=== RADIUS > Attributes ===
Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which are stored on the RADIUS program.

RADIUS Internet Engineering Task Force (IETF) attributes are the original set of 255 standard attributes that are used to communicate AAA information between a client and a server. The IETF attributes are standard and the attribute data is predefined. All clients and servers that exchange AAA information using IETF attributes must agree on attribute data such as the exact meaning of the attributes and the general bounds of the values for each attribute.<ref>https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radatt/configuration/xe-16/sec-usr-radatt-xe-16-book/sec-rad-ov-ietf-attr.html</ref>

You can search for one or more attributes in this menu.

==== Useful User and Group Authentication Attributes ====
{| class="wikitable"
! width="200" | attribute !! Operator !! width="100" | Value !! Description
|-
| PAP-Auth-Allow || := || 1 || When not using [[RADIUS Settings - General|Phase 2 Authentication Using PAP]], use this attribute to allow 2-Step PAP authentication for specific users or groups.
|-
| PAP-Auth-Deny || := || 1 || When using [[RADIUS Settings - General|Phase 2 Authentication Using PAP]], use this attribute to deny 2-Step PAP authentication for specific users or groups.
|-
| Login-Time || := || text || The Login-Time attribute defines the time span during which a user may login to the system and can deny the authentication on specified days/times. It also allows for automatic termination of wireless LAN connections if they are already established after the specified end time. However, adding this attribute later to a device already connected to the wireless LAN may not result in automatic disconnection.
{{note| Automatic disconnection requires support for Session-Timeout by wireless LAN equipment.}}
Multiple time strings can be defined using the "dayhh:mm-hh:mm" format. Days can be Mo, Tu, We, Th, Fr, Sa, or Su, with "Wk" for weekdays and "Any" for all days. <ref>https://networkradius.com/doc/current/raddb/mods-available/logintime.html</ref>

{{note|Multiple time strings may be a list of simple time strings separated by <nowiki>"|"</nowiki>}}
For examples)
* Wk0900-1800 // Authentication is possible from Monday to Friday, between 9:00 AM and 6:00 PM.
* Wk0900-1800, Sa0900-1200 // Authentication is possible from Monday to Friday between 9:00 AM and 6:00 PM and on Saturday only between 9:00 AM and 12:00 PM.
* Any0900-1800 // Authentication is possible everyday between 9:00 AM and 6:00 PM
* Any0900-1800, We2000-2100 //Authentication is possible everyday between 9:00 AM and 6:00 PM, and on Wednesday only between 8:00 PM and 9:00 PM.
* Any // Always(Default)
|-
| User-Login-Time || := || text || It is similar to the Login-Time attribute. however, it is an exclusive attribute that does not affect users if they are part of a specific group with its own Login-Time attribute. '''This attribute applies only to users.'''
|-
| Group-Login-Time || := || text || It is also similar to the Login-Time attribute but acts as an exclusive attribute that takes precedence over Login-Time attributes for users who are part of a group, even if they have their own Login-Time attribute. However, if a user has a User-Login-Time attribute, Group-Login-Time will not be applied (User-Login-Time takes the highest priority). '''This attribute applies only to groups.'''
|-
| Calling-Station-Id || =~ || mac address1 <nowiki>|</nowiki> mac address2 ... || It is used to include the user's device MAC address for user identification during authentication. If this attribute is included, user authentication requires a match in Username, User-Password, and MAC address. You can use the <nowiki>"|"</nowiki> symbol to define multiple MAC addresses. When entering MAC addresses, use lowercase letters without separators.
For examples)
* 0000aaaa2222
* 0000aaaa2222 <nowiki>|</nowiki> 0000aaaa3333 // 2 MAC addresses
* ^bbbb22 // MAC address begins with "bbbb22" 
* 0000bbbb2222 <nowiki>|</nowiki> 0000bbbb3333 <nowiki>|</nowiki> ^bbbb22 <nowiki>|</nowiki> 0000bbbb3333 // Multiple MAC addresses

{{note|MAC addresses are in hexadecimal, and you should enter them in lowercase without any separators. When including multiple MAC addresses, be sure to separate them using <nowiki>"|"</nowiki> within a single Calling-Station-Id attribute. If multiple MAC addresses are defined, authentication will succeed if any one of them matches.}}
|-
| Nas-Identifier || =~ || ssid || You can specify the SSID when authenticating individual users and users included in a group. In other words, authentication will only proceed if the user connects through a specific SSID. To define multiple SSIDs, use <nowiki>"|"</nowiki>. 
For examples)
* my-ssid-A
* my-ssid-A <nowiki>|</nowiki> myssid-B
|-
|}

==== Useful User and Group Reply Attributes ====
{| class="wikitable"
! width="200" | attribute !! Operator !! width="100" | Value !! Description
|-
| Session-Timeout || := || 3600~86400(second) || It refers to the Session-Timeout of a user connected to the wireless LAN, and when this time elapses, a new wireless LAN encryption key is generated to maintain a secure wireless LAN connection. In a typical WPA-Enterprise environment through a wireless LAN authentication server, keys are generated securely to maintain an encrypted channel. However, to ensure an even more secure encrypted channel, you can use this attribute.
|-
|}

=== References ===