Radius Relay - D-Link NetDefendOS User Manual

Network security firewall
8.8. Radius Relay

Overview
The NetDefendOS feature RADIUS Relay is designed for telecom scenarios, such as Mobile Data
Offloading (MDO), where User Equipment (UE), such as a smartphone, switches from an operator's
wireless network to communicating using WiFi via an Access Point (AP). The AP connects the UE
to resources, such as the public Internet, via a NetDefend Firewall with the firewall controlling
this access.
To gain access to the resources behind the NetDefend Firewall, the UE must authenticate itself
via the AP using a RADIUS server. A RADIUS authentication request is sent to NetDefendOS by
the AP which relays it to a RADIUS server. The server's reply is relayed back to the AP and
authenticated users are entered into the NetDefendOS user list so that they can then be granted
access to resources based on NetDefendOS security policies.
Event Sequence During RADIUS Relay Authentication
The following sequence of events occurs with RADIUS relay:
1. The UE requests network access from an AP.
2. The AP sends a RADIUS Access-Request to NetDefendOS. Provided the NetDefendOS RADIUS
relay feature has been set up, this request is forwarded to the configured RADIUS server.
3. The RADIUS server either authenticates or rejects the UE by sending a RADIUS
Access-Accept or Access-Reject message back to NetDefendOS. NetDefendOS examines the
content of these messages as it relays them back to the AP.
4. If the RADIUS server has authenticated it, the UE issues a DHCP request and a DHCP IP lease
from the configured NetDefendOS DHCP server is sent back to the UE. The DHCP server must be
configured so that leases are only distributed to authenticated clients (the LeasesRequireAuth
option is enabled).
5. Successful authentication also means that NetDefendOS includes the UE's username in its list
of logged-in users (visible with the CLI userauth command and through the Web Interface),
and this allows the UE access to resources determined by predefined NetDefendOS security
policies.
Using Group Membership
NetDefendOS security policies can be based on group membership where the UE's membership
in a group determines if access is allowed. If this is the case, the RADIUS server must be specially
configured to send back the group name of the user during authentication. In addition, RADIUS
servers communicating with NetDefendOS must have the Vendor ID set correctly. Doing this is
described further at the end of this section.
It is also important that the IP rule or IP policy that allows access by the UE uses an IP
address object for its Source Network whose Authentication property (the UserAuthGroups
property in the CLI) is set to the same group name sent back by the RADIUS server. Doing this is
described further in Section 8.5, "Policies Requiring Authentication".
If validation with group membership is not required then the No Defined Credentials property of
the IP address object used for the Source Network should be enabled.
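The relay decision described above (an Access-Accept or Access-Reject relayed back from the server, the returned group name compared against the Source Network object's UserAuthGroups, or that check bypassed when No Defined Credentials is enabled), as an added Python example that is not part of this manual or of NetDefendOS. The D-Link Vendor ID and the vendor attribute that carries the group name are hypothetical placeholders, and the reply's Response Authenticator is verified with the shared secret before any Access-Accept is trusted.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, VENDOR_SPECIFIC = 1, 26
# Hypothetical placeholders: this page does not give the D-Link Vendor ID or the
# vendor attribute carrying the group name; take the real values from the manual.
VENDOR_ID_PLACEHOLDER, VSA_GROUP_PLACEHOLDER = 0xFFFFFF, 1

def parse_attributes(data):
    """Walk RFC 2865 TLV attributes: type(1) length(1, includes header) value."""
    attrs, pos = [], 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_packet(code, ident, authenticator, attrs, secret=None):
    """Constructed sample packet. With a secret, computes the Response Authenticator
    MD5(Code+ID+Length+RequestAuth+Attributes+Secret) exactly as a server reply would."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if secret is not None:
        authenticator = hashlib.md5(header + authenticator + body + secret).digest()
    return header + authenticator + body

def relay_decision(request, reply, secret, policy_groups, no_defined_credentials=False):
    """Decide, as the relay would, whether the UE may be added to the logged-in user list.
    Returns (allowed, username, group)."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        raise ValueError("bad RADIUS reply length")
    # Only trust a reply that matches our request ID and was signed with our shared secret.
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if reply[1] != request[1] or not hmac.compare_digest(expected, reply[4:20]) or reply[0] != ACCESS_ACCEPT:
        return False, None, None
    username = next((v.decode() for t, v in parse_attributes(request[20:]) if t == USER_NAME), None)
    group = None
    for atype, value in parse_attributes(reply[20:]):
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor_id == VENDOR_ID_PLACEHOLDER and vtype == VSA_GROUP_PLACEHOLDER:
                group = value[6:4 + vlen].decode()
    # Source Network object: UserAuthGroups must contain the group, unless No Defined Credentials.
    return (no_defined_credentials or group in policy_groups), username, group
```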
A symptom that the group name has not been specified for the Source Network address object is
Chapter 8: User Authentication
