| Line 4: | Line 4: | ||
! Items !! Description | ! Items !! Description | ||
|- | |- | ||
| − | | style='width:200px' | | + | | style='width:200px' | Cached User || If you set this, the imRAD saves a username and its password into the imRAD local database. The password is encrypted with a hash function and can't be decrypted to a plaintext. |
After that, the imRAD can authenticate a user not from a customer database but from the imRAD local database. This can reduce traffics to a customer database. | After that, the imRAD can authenticate a user not from a customer database but from the imRAD local database. This can reduce traffics to a customer database. | ||
The imRAD will delete after a specified number of days after being saved. | The imRAD will delete after a specified number of days after being saved. | ||
|- | |- | ||
| − | | Local User || It will delete local users that are inactive for more than the specified day. | + | | Local User || It will delete local users that are inactive for more than the specified day. Local user is a user that was created by an administrator. |
|- | |- | ||
| NAS-ID || It automatically saves [[NAS Identifier | NAS-IDs ]] from the ACCESS-REQUEST and deletes the inactive NAS IDs for more than the specified day. | | NAS-ID || It automatically saves [[NAS Identifier | NAS-IDs ]] from the ACCESS-REQUEST and deletes the inactive NAS IDs for more than the specified day. | ||
| Line 14: | Line 14: | ||
|} | |} | ||
| − | ==== Password | + | |
| − | + | ==== Password Complexity Requirements for Local User-Password ==== | |
| + | For security reasons, a minimum length of 8 characters is recommended, and it's advisable to mix all password combinations. | ||
| + | |||
| + | |||
| + | ==== Additional attributes for Multi-Factor Authentication ==== | ||
| + | Please refer to [[Multi-Factor Authentication]]. | ||
| + | |||
==== EAP(Extensible Authentication Protocol) ==== | ==== EAP(Extensible Authentication Protocol) ==== | ||
| Line 25: | Line 31: | ||
** TLS version: Set min / max TLS version. Some operating system still use TLS 1.0 | ** TLS version: Set min / max TLS version. Some operating system still use TLS 1.0 | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
==== RADIUS configuration ==== | ==== RADIUS configuration ==== | ||
| Line 48: | Line 49: | ||
The wildcard (i.e. *) in the address field indicates "any". The 0 in the port field indicates "default".<br> | The wildcard (i.e. *) in the address field indicates "any". The 0 in the port field indicates "default".<br> | ||
You can only change the port to another. | You can only change the port to another. | ||
| + | |||
| + | |||
| + | ==== Reject2ban ==== | ||
| + | Please refer to [[Reject2ban]]. | ||
| + | |||
| + | |||
=== References === | === References === | ||
Revision as of 15:21, 9 August 2023
RADIUS > Settings > General
Data Maintenance
| Items | Description |
|---|---|
| Cached User | If you set this, the imRAD saves a username and its password into the imRAD local database. The password is encrypted with a hash function and can't be decrypted to a plaintext.
After that, the imRAD can authenticate a user not from a customer database but from the imRAD local database. This can reduce traffics to a customer database. The imRAD will delete after a specified number of days after being saved. |
| Local User | It will delete local users that are inactive for more than the specified day. Local user is a user that was created by an administrator. |
| NAS-ID | It automatically saves NAS-IDs from the ACCESS-REQUEST and deletes the inactive NAS IDs for more than the specified day. |
Password Complexity Requirements for Local User-Password
For security reasons, a minimum length of 8 characters is recommended, and it's advisable to mix all password combinations.
Additional attributes for Multi-Factor Authentication
Please refer to Multi-Factor Authentication.
EAP(Extensible Authentication Protocol)
The imRAD supports two EAP methods. You can select either the TTLS(AP Tunneled Transport Layer Security) or PEAP(Protected Extensible Authentication Protocol).[1] The recommended phase 2 authentication is the EAP-GTC(Generic Token Card). If a username is authenticated from a customer database by the Pass-Through Authentication, you should not use the MSCHAPv2 as phase 2 authentication.
- Timer: A list is maintained to correlate EAP-Response packets with EAP-Request packets. After a configurable length of time, entries in the list expire, and are deleted.
- Advanced
- TLS Cipher Suite: Set this option to specify the allowed TLS cipher suites. The format is listed in https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
- TLS version: Set min / max TLS version. Some operating system still use TLS 1.0
RADIUS configuration
The thread pool is a long-lived group of threads that take turns (round-robin) handling any incoming requests. You probably want to have a few spare threads around, so that high-load situations can be handled immediately. If you don't have any spare threads, then the request handling will be delayed while a new thread is created, and added to the pool. You probably don't want too many spare threads around, otherwise, they'll be sitting there taking up resources, and not doing anything productive.
We recommend having you use the default thread values.
Reject delay
When sending an Access-Reject, it can be delayed for a few seconds. This may help slow down a DoS attack. It also helps to slow down people trying to brute-force crack a user's password. Setting this number to 0 means "send rejects immediately". You can set the value between 0 and 5.
Advanced
The port values of 1812 for authentication and 1813 for accounting are RADIUS standard ports defined by the Internet Engineering Task Force (IETF) in RFCs 2865 and 2866.
The wildcard (i.e. *) in the address field indicates "any". The 0 in the port field indicates "default".
You can only change the port to another.
Reject2ban
Please refer to Reject2ban.