Using A Radius Client For Authentication; Advanced Radius Client N Parameters - Digi TransPort WR31 User Manual

Configure security settings
RADIUS parameters
RADIUS parameters are configured on the Configuration > Security > Radius pages.

Using a RADIUS client for authentication

You can use a RADIUS client for authentication purposes at the start of remote command sessions,
SSH sessions, FTP sessions, HTTP sessions and Wi-Fi client connections (PEAP & EAP-TLS).
Depending on how the RADIUS client is configured, the router may authenticate with one or two
RADIUS servers, or may authenticate a user locally using the existing table configured on the router.
There are 2 RADIUS client configurations: RADIUS Client 0 and RADIUS Client 1. Both have specific
functions and the correct instance (0, 1, or both) should be configured depending on the
requirements.
To use RADUIUS for authenticating router administration access, configure RADIUS Client 0. To use
RADIUS for authenticating Wi-Fi clients, configure RADIUS Client 1.
When the router has obtained the remote user username and password, the RADIUS client passes
this information (from the Username and Password attributes) to the specified RADIUS server for
authorization. The server should reply with an ACCEPT or REJECT message.
You can configure the RADIUS client with up to two Network Access Servers (NAS). Depending on
system requirements, you can turn on or off local authentication.
During user authentication, the configured RADIUS servers are contacted first. If a valid ACCEPT or
REJECT message is received from the server, the user is allowed or denied access respectively. If no
response is received from the first server, the second server is tried (if configured). If that server fails
to respond, the router uses local authentication unless disabled. If both servers are unreachable
and local authentication is disabled, all authentication attempts fail.
If a RADIUS server replies with a REPLY-MESSAGE attribute (18), the message is displayed after the
login attempt and after any configured "post-banner" message. The router will then display a
Continue Y/N? prompt to the user. If N is selected, the remote session is terminated. This applies to
remote command sessions and SSH sessions only.
If the login attempt is successful and the server sends an IDLE-TIMEOUT attribute (28), the idle time
specified will be assigned to the remote session. If no IDLE-TIMEOUT attribute is sent, the router
applies the default idle timeout values to the session.
The access level is determined by the value of the SERVICE-TYPE attribute returned by the RADIUS
server. Administrative access is determined by the value 6 being returned by the server. Any other
value or no value returned will result in the access level low being assigned.
When the session starts and ends, the router will send the RADIUS accounting START/STOP
messages to the configured server. Again, if no response is received from the primary accounting
server, the secondary server will be tried. No further action is taken if the secondary accounting
server is unreachable.
Because the router has separate configurations for authorization and accounting servers, you can
configure the router to perform authorization functions only, accounting only, or both. An example
of how to use this is to perform local authorizations, but send accounting start/stop records to an
accounting server.
Digi TransPort WR Routers User Guide
RADIUS parameters
715