Difference between revisions of "RADIUS Settings - General"

(3 intermediate revisions by the same user not shown)

Line 18 (both revisions):

Unchanged:
  For security reasons, a minimum length of 8 characters is recommended, and it's advisable to mix all password combinations.

Added:
  ===== Password Reset =====
  Password reset involves resetting the password of users stored in the local database and comes in both PASSWORD and OTP (One-Time Password) methods.
  When a password is reset, a temporary password is issued, and the wireless LAN authentication for that user is temporarily denied. Wireless LAN users must connect the 'Password Change' page and sets a new password using the temporary password generated during the reset to regain wireless LAN access. The page that allows wireless LAN users to change their passwords can be configured in the [[Guest Page]] menu.
  PASSWORD: After a password reset, the temporary password is set to a designated password (the same for all users).
  OTP: After a password reset, the temporary password is randomly generated as a 6-digit number (unique for each user).
  Here is the basic flow of the password reset process:
  # A wireless LAN user requests a password reset(directly via phone or other methods)
  # The administrator informs the user of the temporary password generated after the password reset.
  # The wireless LAN user accesses the password change page through the Captive Portal or another method.
  # The user enters the temporary password and creates a new password, then saves it.
  # The user connects to the wireless LAN using the new password after changing the SSID.

Removed:
  ==== Additional attributes for Multi-Factor Authentication ====
  Please refer to [[Multi-Factor Authentication]].

Unchanged:
  ==== EAP(Extensible Authentication Protocol) ====

Removed:
  The imRAD supports two EAP methods. You can select either the TTLS(AP Tunneled Transport Layer Security) or PEAP(Protected Extensible Authentication Protocol).<ref>https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol</ref>
  The recommended phase 2 authentication is the EAP-GTC(Generic Token Card). If a username is authenticated from a customer database by the Pass-Through Authentication, you should not use the MSCHAPv2 as phase 2 authentication.

Added:
  The basic EAP types include TTLS (Tunneled Transport Layer Security) and PEAP (Protected Extensible Authentication Protocol), and you can choose either one.<ref>https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol</ref>
  If the phase 2 authentication PAP (Password Authentication Protocol) is not used, authentication may fail on Windows 10 or 11. To allow the use of PAP at the user or group level in such environments, you can use the PAP-Auth-Allow := 1 attribute in the user or group authentication properties. Conversely, if you want to restrict the use of PAP for specific users or groups while allowing phase 2 PAP authentication, you can add the PAP-Auth-Deny := 1 attribute.

Unchanged:
  * Timer: A list is maintained to correlate EAP-Response packets with EAP-Request packets.  After a configurable length of time, entries in the list expire, and are deleted.
  * Advanced
  ** TLS Cipher Suite: Set this option to specify the allowed TLS cipher suites.  The format is listed in https://www.openssl.org/docs/man1.0.2/man1/ciphers.html

Removed:
  ** TLS version: Set min / max TLS version. Some operating system still use TLS 1.0

Added:
  ** TLS version: Set min / max TLS version. Some operating systems still use TLS 1.0

Unchanged:
  ==== RADIUS configuration  ====

Latest revision as of 16:20, 17 October 2023

RADIUS > Settings > General

Data Maintenance

| Item        | Description |
|-------------|-------------|
| Cached User | If enabled, the imRAD saves a username and its password in the imRAD local database. The password is stored as a hash and cannot be recovered as plaintext. The imRAD can then authenticate the user from its local database instead of the customer database, which reduces traffic to the customer database. A cached entry is deleted a specified number of days after it was saved. |
| Local User  | Deletes local users that have been inactive for more than the specified number of days. A local user is a user created by an administrator. |
| NAS-ID      | Automatically saves NAS-IDs from Access-Request packets and deletes NAS-IDs that have been inactive for more than the specified number of days. |


Password Complexity Requirements for Local User-Password

For security reasons, a minimum length of 8 characters is recommended, and it's advisable to use a mix of character types (letters of both cases, digits and symbols).

Password Reset

Password reset resets the password of a user stored in the local database. Two methods are available: PASSWORD and OTP (One-Time Password).

When a password is reset, a temporary password is issued and wireless LAN authentication for that user is denied until the password is changed. To regain wireless LAN access, the user must open the 'Password Change' page and set a new password using the temporary password generated during the reset. The page on which wireless LAN users change their passwords is configured in the Guest Page menu.

PASSWORD: After a password reset, the temporary password is set to a designated password (the same for all users).
OTP: After a password reset, the temporary password is a randomly generated 6-digit number (unique for each user).

Here is the basic flow of the password reset process:

  1. A wireless LAN user requests a password reset (directly, by phone or by other means).
  2. The administrator resets the password and informs the user of the generated temporary password.
  3. The wireless LAN user opens the password change page through the Captive Portal or by another method.
  4. The user enters the temporary password, creates a new password and saves it.
  5. The user connects to the wireless LAN with the new password after changing the SSID.
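The reset flow above, as an added example that is not imRAD code: a Python model of a local user store in which a reset issues a temporary password (the designated shared password for the PASSWORD method, a random 6-digit value for OTP), wireless LAN authentication is denied while the reset is pending, and the 'Password Change' step verifies the temporary password and enforces the complexity rule before storing the new password as a salted hash. The hash construction (PBKDF2-HMAC-SHA256), the reading of "mix of character types" as all four classes, the designated password value and the user names are assumptions and constructed sample values; the product's own implementation is not documented on this page.

```python
# Added example, not imRAD code: models the password-reset behaviour described
# on this page. Hash construction and sample values are assumptions.
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000  # assumption; the page only says the password is hashed
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password); the plaintext is never stored."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, stored[:SALT_LEN]), stored)


def complexity_ok(password: str) -> bool:
    """The page's rule: at least 8 characters and a mix of character types,
    read here as lowercase, uppercase, digit and symbol all present."""
    return len(password) >= 8 and all((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))


@dataclass
class LocalUser:
    name: str
    password_hash: bytes
    temp_hash: Optional[bytes] = None  # non-None while a reset is pending


class LocalUserStore:
    """Local database of administrator-created users."""

    def __init__(self, designated_temp_password: str) -> None:
        self.designated = designated_temp_password  # PASSWORD method: same for all users
        self.users: Dict[str, LocalUser] = {}

    def add_user(self, name: str, password: str) -> None:
        if not complexity_ok(password):
            raise ValueError("password does not meet the complexity requirements")
        self.users[name] = LocalUser(name, hash_password(password))

    def reset_password(self, name: str, method: str) -> str:
        """Steps 1-2: issue the temporary password and return it for the
        administrator to pass on. The account is denied until it is changed."""
        user = self.users[name]
        if method == "PASSWORD":
            temp = self.designated
        elif method == "OTP":
            temp = f"{secrets.randbelow(10**6):06d}"  # random 6 digits, unique per reset
        else:
            raise ValueError("method must be PASSWORD or OTP")
        user.temp_hash = hash_password(temp)
        return temp

    def radius_authenticate(self, name: str, password: str) -> bool:
        """Decision for a wireless LAN login against the stored password."""
        user = self.users.get(name)
        if user is None or user.temp_hash is not None:
            return False  # unknown user, or reset pending: deny
        return verify_password(password, user.password_hash)

    def change_password(self, name: str, temp: str, new_password: str) -> bool:
        """Steps 3-4 on the 'Password Change' page: the temporary password proves the
        reset was handed to this user, and the new password must pass the rule."""
        user = self.users.get(name)
        if user is None or user.temp_hash is None or not verify_password(temp, user.temp_hash):
            return False
        if not complexity_ok(new_password):
            return False
        user.password_hash = hash_password(new_password)
        user.temp_hash = None  # step 5: normal authentication works again
        return True


def demo() -> dict:
    """Run the documented flow end to end and return each decision."""
    store = LocalUserStore(designated_temp_password="Reset!Me1")  # constructed value
    store.add_user("alice", "Winter!2023")
    r = {"before_reset": store.radius_authenticate("alice", "Winter!2023")}
    otp = store.reset_password("alice", "OTP")
    r["otp_is_6_digits"] = len(otp) == 6 and otp.isdigit()
    r["denied_while_pending"] = store.radius_authenticate("alice", "Winter!2023")
    r["wrong_temp"] = store.change_password("alice", "x" + otp, "Spring#2024")
    r["weak_new"] = store.change_password("alice", otp, "short")
    r["changed"] = store.change_password("alice", otp, "Spring#2024")
    r["old_password"] = store.radius_authenticate("alice", "Winter!2023")
    r["new_password"] = store.radius_authenticate("alice", "Spring#2024")
    return r
```

The model makes one property of the two methods visible: with PASSWORD, every account with a pending reset shares the same temporary password, so its confidentiality is what protects those accounts until each user completes the change; with OTP each reset has its own value. In both cases the store denies RADIUS authentication until the change is completed, which is why the reset should be performed only once the user is ready to act on it.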


EAP (Extensible Authentication Protocol)

The basic EAP types are TTLS (Tunneled Transport Layer Security) and PEAP (Protected Extensible Authentication Protocol); you can choose either one.[1]

If phase 2 PAP (Password Authentication Protocol) authentication is not enabled, authentication may fail on Windows 10 or 11. To allow PAP for specific users or groups in such environments, add the attribute PAP-Auth-Allow := 1 to the user or group authentication properties. Conversely, to deny PAP for specific users or groups while phase 2 PAP authentication is otherwise allowed, add the attribute PAP-Auth-Deny := 1.

  • Timer: A list is maintained to correlate EAP-Response packets with EAP-Request packets. After a configurable length of time, entries in the list expire and are deleted.
  • Advanced
      ◦ TLS Cipher Suite: Specifies the allowed TLS cipher suites, in the OpenSSL cipher-list format described at https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
      ◦ TLS version: Sets the minimum and maximum TLS version. Some operating systems still use TLS 1.0.
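A pre-save check for the two Advanced settings, as an added example that is not imRAD code: Python's ssl module accepts the same OpenSSL cipher-list syntax the page links to, so the cipher suite string can be validated and expanded on a host, and the min/max version pair can be checked for an empty range and for the deprecated TLS 1.0/1.1 (RFC 8996). The version strings "1.0" to "1.3" as UI values are an assumption, and the expanded cipher list reflects the OpenSSL build of the host running the check, not necessarily the imRAD's.

```python
# Added example, not imRAD code: validate a TLS cipher-suite string and a
# min/max TLS version range before saving them in the Advanced settings.
import ssl
from typing import List, Optional

# Assumed UI values mapped onto ssl.TLSVersion (an IntEnum, so it orders).
TLS_VERSIONS = {
    "1.0": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}


def enabled_ciphers(cipher_spec: str) -> Optional[List[dict]]:
    """Return the suites an OpenSSL-format spec selects on this host's OpenSSL
    build, or None when it selects nothing (typo, or every named suite disabled)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_spec)
    except ssl.SSLError:
        return None
    return ctx.get_ciphers()


def version_warnings(min_version: str, max_version: str) -> List[str]:
    """Sanity-check the min/max pair from the UI."""
    if min_version not in TLS_VERSIONS or max_version not in TLS_VERSIONS:
        return ["unknown TLS version string"]
    warnings = []
    if TLS_VERSIONS[min_version] > TLS_VERSIONS[max_version]:
        warnings.append("minimum TLS version is higher than the maximum; no handshake can succeed")
    if TLS_VERSIONS[min_version] < ssl.TLSVersion.TLSv1_2:
        warnings.append(f"TLS {min_version} enabled: TLS 1.0 and 1.1 are deprecated (RFC 8996); "
                        "keep them only while legacy supplicants need them")
    return warnings


def cipher_warnings(ciphers: List[dict]) -> List[str]:
    """Flag suites a defender normally keeps out of the EAP TLS tunnel."""
    warnings = []
    for c in ciphers:
        if not c["aead"]:
            warnings.append(f"{c['name']}: not an AEAD suite")
        if "Kx=RSA" in c["description"]:
            warnings.append(f"{c['name']}: RSA key exchange, no forward secrecy")
    return warnings


def check_tls_settings(cipher_spec: str, min_version: str, max_version: str) -> dict:
    """Combined report for the three Advanced values."""
    ciphers = enabled_ciphers(cipher_spec)
    report = {
        "valid_spec": ciphers is not None,
        "cipher_names": [c["name"] for c in ciphers] if ciphers else [],
        "warnings": version_warnings(min_version, max_version),
    }
    if ciphers:
        report["warnings"] += cipher_warnings(ciphers)
    return report


def build_server_context(cipher_spec: str, min_version: str, max_version: str) -> ssl.SSLContext:
    """Apply the same three settings to a context, as a TLS-terminating EAP
    server would enforce them; raises if the spec selects no suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_spec)
    ctx.minimum_version = TLS_VERSIONS[min_version]
    ctx.maximum_version = TLS_VERSIONS[max_version]
    return ctx
```

Run the check on the RADIUS host itself where possible, since the set of suites a cipher string expands to depends on the OpenSSL build; a string that looks reasonable but selects nothing is the case most worth catching before it reaches a production EAP tunnel.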

RADIUS configuration

The thread pool is a long-lived group of threads that take turns (round-robin) handling any incoming requests. You probably want to have a few spare threads around, so that high-load situations can be handled immediately. If you don't have any spare threads, then the request handling will be delayed while a new thread is created, and added to the pool. You probably don't want too many spare threads around, otherwise, they'll be sitting there taking up resources, and not doing anything productive.

We recommend using the default thread values.

Reject delay

When sending an Access-Reject, it can be delayed for a few seconds. This helps slow down a DoS attack and brute-force attempts against a user's password. Setting this value to 0 means "send rejects immediately". You can set the value between 0 and 5 seconds.

Advanced

The port values 1812 for authentication and 1813 for accounting are the standard RADIUS ports defined by the Internet Engineering Task Force (IETF) in RFC 2865 and RFC 2866.

The wildcard (*) in the address field means "any", and 0 in the port field means "default". Only the port can be changed to another value.


Reject2ban

Please refer to Reject2ban.


References

  1. https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol