Line 5: | Line 5: | ||
RADIUS is a client/server protocol that runs in the application layer. Network access servers, which control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS is often the back-end of choice for 802.1X authentication.<ref name='radius-wiki' /> | RADIUS is a client/server protocol that runs in the application layer. Network access servers, which control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS is often the back-end of choice for 802.1X authentication.<ref name='radius-wiki' /> | ||
− | WPA-Enterprise is also referred to as WPA-802.1X mode, and sometimes just WPA (as opposed to WPA-PSK), this is designed for enterprise networks and requires a RADIUS authentication server to have users can use a network service.<ref>https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#WPA2</ref> | + | WPA-Enterprise is also referred to as WPA-802.1X mode, and sometimes just WPA (as opposed to WPA-PSK), this is designed for enterprise networks and requires a RADIUS authentication server to have users can use a network service.<ref name='wiki-wpa>https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#WPA2</ref> |
+ | |||
+ | The imRAD can be used on WPA, WPA2, and WPA3 Enterprise<ref name='wiki-wpa /> environments and supports EAP-TTLS<ref>https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP_Tunneled_Transport_Layer_Security_(EAP-TTLS)</ref> and EAP-PEAP<ref>https://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol</ref>. | ||
+ | The EAP-TTLS is a default authentication method. | ||
RADIUS authentication consists of supplicant(user device), NAS(Network Access Server), and the RADIUS server. | RADIUS authentication consists of supplicant(user device), NAS(Network Access Server), and the RADIUS server. | ||
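Review bot: the ref name introduced in this hunk is missing its closing quote on both occurrences, `<ref name='wiki-wpa>` on the WPA line and `<ref name='wiki-wpa />` in the new imRAD paragraph; they should read `<ref name='wiki-wpa'>` and `<ref name='wiki-wpa' />` so the two citations resolve to the same footnote. The unchanged WPA sentence also reads better as "requires a RADIUS authentication server before users can use a network service", and the added "The EAP-TTLS is a default authentication method" should say "EAP-TTLS is the default authentication method" if that is what is meant.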
Line 26: | Line 29: | ||
* Microsoft Active Directory Lightweight directory service(AD LDS) | * Microsoft Active Directory Lightweight directory service(AD LDS) | ||
− | |||
− | |||
When you set the '''[[Pass-Through Authentication]]''' to authenticate a user from a remote database(e.g, Customer employee database), many traffic can be sent to the remote database whenever a user connects to a network, and it may slow down the database. | When you set the '''[[Pass-Through Authentication]]''' to authenticate a user from a remote database(e.g, Customer employee database), many traffic can be sent to the remote database whenever a user connects to a network, and it may slow down the database. |
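Review bot: this hunk deletes both blank lines between the `* ... (AD LDS)` list item and the Pass-Through paragraph; keep at least one so the paragraph stays visibly separate from the list in the wikitext. While here, the context line's "many traffic can be sent" should read "a lot of traffic can be sent", and "(e.g, Customer employee database)" needs the period and article: "(e.g., a customer employee database)".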
Revision as of 11:28, 20 May 2021
Overview
RADIUS (Remote Authentication Dial-In User Service) is a networking protocol, operating on ports 1812 and 1813, that provides centralized Authentication, Authorization, and Accounting (AAA, or Triple A) management for users who connect to and use a network service.[1]
RADIUS is a client/server protocol that runs in the application layer. Network access servers, which control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS is often the back-end of choice for 802.1X authentication.[1]
WPA-Enterprise is also referred to as WPA-802.1X mode, and sometimes just WPA (as opposed to WPA-PSK). It is designed for enterprise networks and requires a RADIUS authentication server before users can use a network service.[2]
The imRAD can be used in WPA, WPA2, and WPA3 Enterprise[2] environments and supports EAP-TTLS[3] and EAP-PEAP[4]. EAP-TTLS is the default authentication method.
RADIUS authentication involves three parties: the supplicant (the user device), the NAS (Network Access Server), and the RADIUS server. The user or machine sends a request to the NAS to gain access to a particular network resource using access credentials. The NAS sends a RADIUS Access-Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol. The RADIUS server checks that the information is correct.
The imRAD was developed on top of FreeRADIUS and provides most RADIUS services. It can authenticate a User-Name against the local database, remote databases, LDAP servers, or proxy servers. The following DBMSs and LDAP servers are supported:
- MariaDB
- MySQL
- Oracle 11g ~ 19c
- Microsoft SQL Server 2014 ~ 2019
- Tibero 6
- PostgreSQL 12
- SYBASE
- OpenLDAP
- Microsoft Active Directory Domain Services (AD DS)
- Microsoft Active Directory Lightweight Directory Services (AD LDS)
When you set Pass-Through Authentication to authenticate users against a remote database (e.g., a customer employee database), a lot of traffic can be sent to the remote database every time a user connects to the network, which may slow the database down.
So the credentials that were successfully authenticated against the remote database can be saved in the local database for a few days.
To conceal the User-Name password from imRAD administrators, the password in the cached credentials is stored as a salted hash produced by a strong hash algorithm (e.g., SHA-256 with a salt). We call such an entry a "cached user".
You can set how many days cached users are kept in the local database in the RADIUS general settings.
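The cached-user mechanism described above, as an added illustration rather than imRAD's own code: a first successful Pass-Through authentication stores only a random salt and a salted SHA-256 digest, later logins within the retention window are answered locally, and an expired entry is dropped and re-authenticated remotely. The in-memory `REMOTE_DB` dictionary, the `CachedUserStore` class and the fall-through on a hash mismatch are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed stand-in for the remote (customer) database: User-Name -> password.
# In imRAD this would be a Pass-Through lookup against one of the DBMS/LDAP back ends.
REMOTE_DB = {"alice": "correct horse battery staple"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted SHA-256, the scheme the page names for cached users."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


class CachedUserStore:
    """Local cache of credentials that were already authenticated remotely.

    Only a random salt and the salted hash are kept, never the clear-text
    password, so an administrator reading the local database cannot recover it.
    """

    def __init__(self, keep_days: int):
        self.keep_seconds = keep_days * 86400
        self._rows = {}  # user -> (salt, digest, cached_at)

    def authenticate(self, user: str, password: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        row = self._rows.get(user)
        if row is not None:
            salt, digest, cached_at = row
            if now - cached_at > self.keep_seconds:
                del self._rows[user]  # retention period elapsed: forget the cached user
            elif hmac.compare_digest(hash_password(password, salt), digest):
                return "accept-cached"  # answered locally, no traffic to the remote DB
            # Hash mismatch: fall through (assumption: the remote password may have changed)
        if REMOTE_DB.get(user) != password:
            return "reject"
        salt = os.urandom(16)  # fresh salt per cached entry
        self._rows[user] = (salt, hash_password(password, salt), now)
        return "accept-remote"

    def cached_users(self) -> list:
        return sorted(self._rows)
```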
Supported TLS (Transport Layer Security) versions range from 1.0 to 1.3; the minimum and maximum versions can be changed in the RADIUS general settings. Check which TLS versions your clients support before changing them, because some client operating systems still use TLS 1.0.
RADIUS proxying means the server can forward any request to other RADIUS servers, which then authenticate the proxied request.[5] A well-known use of proxying is eduroam (education roaming)[6]: a user can be authenticated at their eduroam server through RADIUS proxying.
Pass-Through Authentication and RADIUS proxying can be restricted by NAS Identifier; you can also set this policy.
Configuring RADIUS
Getting started
To authenticate a user's device in an 802.1X environment, follow the instructions below.
- Register the IP address of the imRAD and the shared secret at the NAS.
- Register the IP address of the NAS and the same shared secret at RADIUS > Settings > NAS.
After that, the imRAD RADIUS server can process requests from the registered NAS. If you want to test a device (e.g., a smartphone, tablet, or laptop computer), refer to RADIUS Authentication testing.
RADIUS Users
RADIUS Groups
Attributes
Log - Accounting, Postauth
Settings
General
NAS
Realm/Proxy
Pass-Through Authentication
LDAP
NAS-ID
RADIUS Authentication testing
References
- [1] https://en.wikipedia.org/wiki/RADIUS
- [2] https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#WPA2
- [3] https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP_Tunneled_Transport_Layer_Security_(EAP-TTLS)
- [4] https://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol
- [5] https://wiki.freeradius.org/features/Proxy
- [6] https://www.eduroam.org/what-is-eduroam/