RSA Security RSA RADIUS Server 6.1 Administrator's Manual

Summary of Contents for RSA Security RSA RADIUS Server 6.1

  • Page 1: RSA RADIUS Server 6.1 Administrator’s Guide, Powered by Steel-Belted Radius®...
  • Page 2: Contact Information

    Copyright Copyright © 2005 RSA Security, Inc. All rights reserved. No part of this document may be reproduced, modified, distributed, sold, leased, transferred, or transmitted, in any form or by any means, without the written permission of RSA Security, Inc. Information in this document is subject to change without notice.
  • Page 3 SecurCare, SecurID, SecurWorld, Smart Rules, The Most Trusted Name in e-Security, Transaction Authority, and Virtual Business Units are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. All other goods and/or services mentioned are trademarks of their respective companies.
  • Page 4 Any unauthorized use or reproduction of this software may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by RSA Security. Note on encryption technologies This product may contain encryption technology.
  • Page 5: Table Of Contents

    Centralized Configuration Management ..... 16
    Replacing a Replica RADIUS Server ..... 17
    Designating a New Primary RADIUS Server ..... 17
    Recovering a Replica After a Failed Download ..... 18
    Changing the Name or IP Address of a Server ..... 18
    RSA RADIUS Server 6.1 Administrator’s Guide Contents...
  • Page 6: Chapter 2 Installing the RSA RADIUS Server
    Before You Begin ..... 19
    Required Files ..... 19
    Data Migration/Registration ..... 19
    Installing on Windows ..... 20
    System Requirements ..... 20
    Installing the RSA RADIUS Server ..... 21
    Uninstalling the RSA RADIUS Server Software ..... 22
    Installing on Solaris ..... 23
    System Requirements .....
  • Page 7
    Using the RADIUS System Log ..... 75
    Level of Logging Detail ..... 76
    Controlling Log File Size ..... 76
    Using the Accounting Log ..... 77
    Accounting Log File Format ..... 77
    First Line Headings ..... 78
    Comma Placeholders ..... 78
    Standard RADIUS Accounting Attributes ..... 79
  • Page 8: Appendix A Using the LDAP Configuration Interface
    LDAP Configuration Interface File ..... 81
    About the LDAP Configuration Interface ..... 82
    LDAP Utilities ..... 82
    LDAP Requests ..... 83
    Downloading the LDAP Utilities ..... 83
    LDAP Version Compliance ..... 84
    Configuring the LDAP TCP Port ..... 84
    LDAP Virtual Schema .....
  • Page 9: About This Guide

    About This Guide The RSA RADIUS Server 6.1 Administrator’s Guide describes how to install, configure, and administer the RSA RADIUS Server software on a server running the Solaris operating system, the Linux operating system, or the Windows 2000 or Windows Server 2003 operating systems.
  • Page 10: Syntax Conventions

    This manual uses the following conventions to present file and command line syntax. radiusdir represents the directory into which RSA RADIUS Server has been installed. By default, this is C:\Program Files\RSA Security\RSA RADIUS for Windows systems and /opt/rsa/radius on Linux and Solaris systems.
  • Page 11: Related Documentation

    Related Documentation The following documents supplement the information in this manual. RSA RADIUS Server Documentation The RSA RADIUS Server 6.1 Reference Guide describes configuration options for the RSA RADIUS Server software. Vendor Information You can consult the online Vendor Information file for information about using RSA RADIUS Server with different remote access servers and firewalls.
  • Page 12 RSA Authentication Manager software. Have the following information available when you call: Your RSA Security Customer/License ID. You can find this number on the license distribution medium or by running the Configuration Management application on Windows servers, or by issuing an...
  • Page 13: Chapter 1 About Rsa Radius Server

    Support for a variety of authentication methods, including Tunneled Transport Layer Security (TTLS), Protected Extensible Authentication Protocol (PEAP), Generic Token Card, RSA Security EAP (EAP-15), and Protected One-Time Password (EAP-32). Use of encryption keys eliminates the possibility of spoofing or masquerading as an “imposter agent.”...
  • Page 14: Rsa Radius Server Overview

    TTLS/PAP tunnel to facilitate communication between the access client and the RSA RADIUS server. Note that some access clients may be configured to use RSA Security EAP or Protected One-Time Password (POTP) instead of a TTLS/PAP tunnel. In such cases, the sequence of transactions is similar, though the communication mechanics are different.
  • Page 15 (6a). The RSA Authentication Manager may also return the name of the profile associated with this user in the Access-Accept message...
  • Page 16: Radius Packets

    If the user ID is not found or if the passcode is not appropriate for the specified user, the RSA Authentication Manager returns a message indicating the passcode is not accepted (6b). If the RSA RADIUS server receives a message indicating the passcode is accepted, it forwards a RADIUS Access-Accept message to the RAS (7a).
  • Page 17: Radius Configuration

    RSA RADIUS Server, log on to the client device, run its administration program, and enter the following information: The IP address of the RSA RADIUS Server...
  • Page 18: Shared Secrets

    The RADIUS shared secret to be used by the RSA RADIUS Server and the client device. For information on RADIUS shared secrets, see “Shared Secrets” on page The UDP ports on which to send and receive RADIUS authentication and accounting packets. RSA RADIUS Server uses UDP ports 1645 and 1812 for authentication and UDP ports 1646 and 1813 for accounting.
  • Page 19 A node secret is a pseudorandom string known only to the RSA RADIUS Server and RSA Authentication Manager. Before the RSA RADIUS Server sends an authentication request to the RSA Authentication Manager, it encrypts the data using a symmetric node secret key...
  • Page 20: Radius Ports

    The RSA Authentication Manager software views the RSA RADIUS Server service as a host agent. Communication between RSA RADIUS Server and RSA Authentication Manager uses specific UDP ports, which are configured during installation. To prevent “masquerading” by unauthorized hosts, you configure RSA Authentication Manager with the IP addresses of each RSA RADIUS Server host.
  • Page 21: Accounting

    Accounting-Off. conditions. This table describes the most typical conditions. The client ensures that the server receives accounting requests. Most clients retry periodically until the server responds...
  • Page 22: Accounting Sequence

    Table 2. Message Conditions and Attributes (Continued). Columns: Message, Conditions, Purpose of Message, Attributes. Conditions: After receiving an Access-Accept from the server, the RAS completes its access negotiation with the user. The... Purpose of Message: Record connection data such as user ID, RAS identifier, RAS port identifier, port type, and connection start time.
  • Page 23 If the server finds an encapsulated identity attribute, it decapsulates and decrypts the attributes to reconstitute the original inner User-Name and Class attributes. The server substitutes the decrypted attributes for the ones returned from the RAS or AP...
  • Page 24: Attributes

    RSA RADIUS Server service (usually C:\Program Files\RSA Security\RSA RADIUS\Service on Windows computers and /opt/rsa/radius on Solaris and Linux computers). Vendor-Specific Attributes In addition to the standard attributes, many RAS devices use vendor-specific attributes (VSAs) to complete a connection.
  • Page 25: Attribute Lists

    For information on modifying vendor dictionary files, refer to the RSA RADIUS Server 6.1 Reference Guide. Attribute Lists You can use profiles to control authentication at finer levels of detail than simple user ID and password checking allow.
  • Page 26: Attribute Values

    During authentication, RSA RADIUS Server filters the checklist based on the dictionary for the RADIUS client that sent the authentication request. The server ignores any checklist attribute that is not valid for this device. Return List Attributes A return list is a list of attributes that RSA RADIUS Server must return to the RAS after authentication succeeds.
  • Page 27: Default Values

    Another use is to provide a default value for an attribute in conjunction with the echo property in the return list...
  • Page 28: Centralized Configuration Management

    If an attribute appears once in the checklist marked as default, and the same attribute appears in the return list marked as echo, the server echoes the actual value of the attribute in the RADIUS response if the attribute appears in the RADIUS request.
  • Page 29: Replacing A Replica Radius Server

    You can change which server within a realm is designated as the Primary RADIUS Server for that realm. For more information, see “Designating a New Primary RADIUS Server” on page...
  • Page 30: Recovering A Replica After A Failed Download

    Recovering a Replica After a Failed Download If a Replica RADIUS Server fails during the download of a configuration package, its configuration may be corrupted or it may have a stale secret. For information on how to recover a Replica after a failed download, refer to “Recovering a Replica After a Failed Download”...
  • Page 31: Chapter 2 Installing The Rsa Radius Server

    RADIUS data to the new RSA RADIUS Server. Information transferred during data migration includes RADIUS client names, IP addresses, and shared secrets; profile names, checklist...
  • Page 32: Installing On Windows

    attributes, and return list attributes; and RSA SecurID prompts used to format messages to users. Data migration also registers the RSA RADIUS Server as an agent host with RSA Authentication Manager. Registration information includes the server type (Primary or Replica), fully qualified name, administrative port number, and IP address.
  • Page 33: Installing The Rsa Radius Server

    Primary RSA RADIUS Server. You can specify the name, IP address(es), and replication secret of the Primary RADIUS Server, or you can...
  • Page 34: Uninstalling The Rsa Radius Server Software

    NOTE: After you install the RSA RADIUS Server software, you may need to modify the server configuration files. For more information, refer to the RSA RADIUS Server 6.1 Reference Guide. Uninstalling the RSA RADIUS Server Software To uninstall the RSA RADIUS Server software from a Windows host, run the...
  • Page 35: Installing On Solaris

    Table 5. Command Options for the install_rsa.sh Command (Option: Function). -dir: Specifies the top-level directory for installation of the RSA RADIUS Server files. Default value is /opt...
  • Page 36 Table 5. Command Options for the install_rsa.sh Command (Continued) (Option: Function). -identity: Specifies whether you are installing a Primary or Replica RADIUS Server. Valid values are PRIMARY and REPLICA. Default value is PRIMARY. -migrate: Indicates you want to run the RSA RADIUS Server migration utility (rsainstalltool)...
  • Page 37: Installing The Rsa Radius Server Software

    Step 2. Execute the following command to run the installation script: # ./install_rsa.sh [options] Refer to Table 5 on page 23 for an explanation of the install_rsa.sh command options...
  • Page 38 Specify the directory where you want to install the RSA RADIUS Server files. By default, the installation script puts the files in the /rsa/radius directory under /opt (that is, /opt/rsa/radius). Enter install path [/opt]: If you are installing the RSA RADIUS Server software on a host that is not running the RSA Authentication Manager software (remote installation), specify the location of the , and...
  • Page 39: Stopping And Starting The Radius Daemon

    Stop the RADIUS daemon currently running on your server. Back up your RSA RADIUS Server directory. Log into the Solaris server as root. Type the following command to uninstall the RSA RADIUS Server software: # ./opt/rsa/radius/install/uninstall_rsa.sh...
  • Page 40: Migration Log File

    Type y when you are asked to confirm that you want to uninstall the RSA RADIUS Server software. Confirm removal of sbr-rsa_1.0-1 (y/n) [y]? y Removing /etc/rc2.d/S90radius script. Removing /etc/rc2.d/K90radius script. Removal of <RSARadius> was successful. RSARadius removed. Migration Log File If the RSA RADIUS Server migration utility (rsainstalltool) encounters a...
  • Page 41: Installing On Linux

    Table 7. Command Options for the install_rsa.sh Command (Option: Function). -dir: Specifies the top-level directory for installation of the RSA RADIUS Server files. Default value is /opt...
  • Page 42 Table 7. Command Options for the install_rsa.sh Command (Continued) (Option: Function). -identity: Specifies whether you are installing a Primary or Replica RADIUS Server. Valid values are PRIMARY and REPLICA. Default value is PRIMARY. -migrate: Indicates you want to run the RSA RADIUS Server migration utility (rsainstalltool)...
  • Page 43: Installing The Rsa Radius Server Software

    Step 2. Execute the following command to run the installation script: # ./install_rsa.sh [options] Refer to Table 7 on page 29 for an explanation of the install_rsa.sh command options...
  • Page 44 Specify the directory where you want to install the RSA RADIUS Server files. By default, the installation script puts the files in the /rsa/radius directory under /opt (that is, /opt/rsa/radius). Enter install path [/opt]: If you are installing the RSA RADIUS Server software on a host that is not running the RSA Authentication Manager software (remote installation), specify the location of the , and...
  • Page 45: Stopping And Starting The Radius Daemon

    /etc/init.d/sbrd stop force Use the following command to start the RADIUS daemon: /etc/init.d/sbrd start...
  • Page 46: Uninstalling The Rsa Radius Server Software

    Uninstalling the RSA RADIUS Server Software To uninstall the RSA RADIUS Server software: Stop the RADIUS daemon currently running on your server. Back up your RSA RADIUS Server directory. Log into the Linux server as root. Type the following command to uninstall the RSA RADIUS Server software: # ./uninstall_rsa.sh Type y when you are asked to confirm that you want to uninstall the...
  • Page 47: Chapter 3 Using Rsa Radius Administrator

    Administrator user with a token or password, refer to the RSA Authentication Manager 6.1 Administrator’s Guide. To run the RSA RADIUS Administrator: Choose Start > All Programs > RSA Security > RSA Authentication Manager Host Mode. When the RSA Authentication Manager 6.1 Administration window opens, choose RADIUS >...
  • Page 48: Navigating In Rsa Radius Administrator

    Navigating in RSA RADIUS Administrator Figure 4 illustrates the RSA RADIUS Administrator user interface. This section describes how to use the RSA RADIUS Administrator menus and toolbar. [Figure 4: RSA RADIUS Administrator User Interface; labeled areas: Menu Bar, Toolbar, Navigation Frame, Content Frame.] RSA RADIUS Administrator Menus The main RSA RADIUS Administrator window has four menus: File, Panel, Web, and Help.
  • Page 49 RSA RADIUS Administrator window. For more information, see Chapter 7, “Administering RADIUS Servers” on page Statistics Displays the Statistics panel in the RSA RADIUS Administrator window. For more information, see Chapter 6, “Displaying Statistics” on page...
  • Page 50: Rsa Radius Administrator Toolbar

    Opens the online help for the RSA RADIUS Administrator application. Manuals Displays the RSA RADIUS Server 6.1 Administrator’s Guide or RSA RADIUS Server 6.1 Reference Guide (in PDF format). About Displays the About RSA RADIUS Administrator window, which lists version information for the RSA RADIUS Administrator.
  • Page 51: Rsa Radius Administrator Windows

    This section summarizes how to use RSA RADIUS Administrator windows and controls. Adding an Entry To add an entry to the RSA RADIUS Server database, open the appropriate panel and click the button on the RSA RADIUS Administrator toolbar. The...
  • Page 52 RSA RADIUS Administrator displays an Add window. A sample Add window appears in Figure 6 (Figure 6: Sample Add Window). Every object of the same type must have a unique name. If the name you assign to an item is already being used by another item of the same type, the RSA RADIUS Administrator displays a warning.
  • Page 53 Name cleared; you must enter a unique name to save the pasted information as a new record. Canceling from a Paste operation does not change the contents of the Clipboard...
  • Page 54: Using Context Menus

    Figure 8 Sample Paste Window Resizing Columns You can resize columns in an RSA RADIUS Administrator table by dragging the column header boundary to the left or right. Changing Column Sequence You can change the sequence of columns in an RSA RADIUS Administrator table by dragging the column headers left or right.
  • Page 55: Accessing Online Help

    (LCI), which is described in Appendix A, “Using the LDAP Configuration Interface.” To add a license key to an RSA RADIUS Server installation: Start the RSA RADIUS Administrator application. Choose File > License...
  • Page 56: Exiting The Rsa Radius Administrator

    When the Add a License for Server window (Figure 10: Add a License for Server Window) opens, enter the license key and click . When the server displays a confirmation message, click . Restart your RSA RADIUS Server. Exiting the RSA RADIUS Administrator To close the RSA RADIUS Administrator, choose File >...
  • Page 57: Chapter 4 Administering Radius Clients

    RADIUS Clients Panel The RADIUS Clients panel (Figure 11) lets you identify the devices that you want to define as clients of the RSA RADIUS Server. Figure 11 RADIUS Clients Panel...
  • Page 58: Adding A Radius Client

    Adding a RADIUS Client To add a RADIUS client: Open the RADIUS Clients panel. Click the button. The Add RADIUS Client window (Figure 12) opens. Figure 12 Add RADIUS Client Window Enter the name of the RADIUS client in the field.
  • Page 59 RADIUS secret you want the RADIUS client to use for accounting. Figure 14 Accounting Shared Secret Window For privacy, asterisks are echoed as you type. You can click the Unmask checkbox to display the characters in the shared secret...
  • Page 60: Verifying A Shared Secret

    Click . You must enter the same accounting shared secret when you configure the RADIUS client. Optionally, indicate whether you want to enable keepalive processing and specify how long the server waits for RADIUS packets from the client before assuming connectivity has been lost. If you click the Assume down if no keepalive packets after checkbox, you can...
  • Page 61: Deleting A Radius Client

    Select the RADIUS client entry you want to delete. Click the Delete button on the RSA RADIUS Administrator toolbar. When you are prompted to confirm the deletion request, click...
  • Page 62 Administering RADIUS Clients September 2005...
  • Page 63: Chapter 5 Administering Profiles

    Access-Request for a connection before the connection can be authenticated. A return list attribute is an item of information that the RSA RADIUS Server includes in the RADIUS Access-Accept message when a user is authenticated and a connection request is approved...
  • Page 64: Resolving Profile And User Attributes

    Resolving Profile and User Attributes If user-specific attributes are stored in the RSA Authentication Manager database, RSA RADIUS Server determines the final set of attributes for a user by merging the attributes stored in the user’s profile with user-specific attributes from the RSA Authentication Manager database.
  • Page 65: Setting Up Profiles

    Click the button on the RSA RADIUS Administrator toolbar. The Add Profile window (Figure 16: Add Profile Window) opens. Enter a name for the new profile in the Name field...
  • Page 66 Optionally, enter a description for the profile in the Description field. Add checklist and return list attributes to the profile. Click the Checklist tab or the Return list tab. Click . The Add Checklist Attribute window or the Add Return List Attribute window (Figure 17) opens.
  • Page 67: Removing A Profile

    Select the entry for the profile you want to remove. Click the Delete button on the RSA RADIUS Administrator toolbar (or right-click the profile entry and choose Delete from the context menu). When you are prompted to confirm the deletion, click...
  • Page 69: Chapter 6 Displaying Statistics

    To display authentication statistics for the RSA RADIUS server: Open the Statistics panel. Select the server for which you want to display statistics in the Server list. Click the System tab. Click the View list and choose Authentication...
  • Page 70 Figure 18 Statistics Panel: System Authentication Statistics. Table 13 explains the fields on the Authentication tab and describes possible causes for authentication rejections. Table 13. Authentication Statistics (Authentication Statistic: Meaning). Transactions Accepts: The current, average, and peak number of RADIUS transactions that resulted in an Access-Accept response since the last time authentication statistics were reset.
  • Page 71 Insufficient Resources: The number of rejects due to a server resource problem. Retries Received Transactions Retried: The number of requests for which one or more duplicates was received. Total Retry Packets: The number of duplicate packets received. Challenges: The number of challenges received...
  • Page 72: Displaying Server Accounting Statistics

    Displaying Server Accounting Statistics Accounting statistics provide information such as the number of transaction starts and stops and the reasons for rejecting attempted transactions. The transaction start and stop numbers rarely match, as many transactions can be in progress at any given time. To display accounting statistics for the RSA RADIUS server: Open the Statistics panel.
  • Page 73 Transactions Retried: The number of requests for which one or more duplicates was received. Total Retry Packets: The number of duplicate packets received. Interim Requests: The number of interim accounting packets received...
  • Page 74: Resetting Server Statistics

    Resetting Server Statistics To reset authentication and accounting statistics for an RSA RADIUS server to zero: Open the Statistics panel. Select the server for which you want to reset statistics in the Server list. Click the System tab. Click the View list and choose Accounting...
  • Page 75 NOTE: The RADIUS client statistics are not displayed dynamically. To see the most recent statistics for a RADIUS client, click the Refresh button in the toolbar. Figure 20 Statistics Panel: RADIUS Client Statistics...
  • Page 77: Chapter 7 Administering Radius Servers

    RSA RADIUS Server configuration file, you must copy the file manually to each server (Primary and Replica) in a realm to keep them synchronized. Refer to the RSA RADIUS Server 6.1 Reference Guide for information on the configuration files...
  • Page 78: Replication Panel

    Replication Panel The Replication panel (Figure 21) lists your Primary and Replica RADIUS Servers and indicates whether the configuration of each server is current. Figure 21 Replication Panel Adding a RADIUS Server Manually Under most circumstances, Replica RADIUS Servers register themselves automatically after you install the RSA RADIUS Server software and configuration package file ( ) and restart the server.
  • Page 79 Address click Figure 23 Add IP Address Window Repeat Step 5b until you have finished adding IP addresses for the server. Click Close Click...
  • Page 80: Enabling A Radius Server

    Enabling a RADIUS Server To enable a RADIUS server: Open the Replication panel. Select the RADIUS server you want to enable and click the Edit button (or double-click the RADIUS server entry). The Edit Server window (Figure 24: Edit Server Window) opens. Click the checkbox.
  • Page 81: Publishing Server Configuration Information

    The Replica RADIUS Server downloads and installs its configuration package from the Primary RADIUS Server. After the package is installed, the Replica RADIUS Server is resynchronized with the Primary RADIUS Server...
  • Page 82: Designating A New Primary Radius Server

    Designating a New Primary RADIUS Server You can change which server within a realm is designated as the Primary RADIUS Server for that realm. To designate a new Primary RADIUS Server: Stop the RADIUS service/daemon on the Replica RADIUS Server. Log into the Replica RADIUS Server as root (Solaris/Linux) or...
  • Page 83: Changing The Name Or Ip Address Of A Server

    Stop the RSA RADIUS service/daemon on the RADIUS server you want to change. Log into the RADIUS server as root (Solaris/Linux) or administrator (Windows). Navigate to the ..RSA Radius\Service (Windows) or /opt/rsa/radius (Solaris/Linux) directory...
  • Page 84: Regenerating A Node Secret

    Run the rsainstalltool (Windows) or rsaconfiguretool (Solaris/Linux) utility with the -identity option. To rename a Primary RADIUS Server, enter the following command: # ./rsaconfiguretool -identity PRIMARY To rename a Replica RADIUS Server, enter the following command: # ./rsaconfiguretool -identity REPLICA Restart the updated server so that it can load its new configuration.
  • Page 85: Resetting The Radius Database

    mkded (btrieve) daemon. /etc/init.d/sbrd stop force After the mkded (btrieve) daemon is stopped, you can start the RADIUS service and the database by executing the following command: /etc/init.d/sbrd start...
  • Page 87: Chapter 8 Logging

    Each line of the system log file identifies the date and time of the RADIUS event, followed by event details. You can open the current RADIUS system log file while RSA RADIUS Server is running...
  • Page 88: Level Of Logging Detail

    Level of Logging Detail You can control the level of detail recorded in the system log files with the LogLevel, LogAccept, and LogReject settings. The LogLevel setting determines the level of detail given in the RADIUS system log file. The LogLevel can be 0, 1, or 2, where 0 is the least amount of information, 1 is intermediate, and 2 is the most verbose.
  • Page 89: Using The Accounting Log

    “Standard RADIUS Accounting Attributes” on page You can include vendor-specific attributes if the device sending the accounting packet supports them. For more information on using vendor-specific attributes, refer to the RSA RADIUS Server 6.1 Reference Guide...
  • Page 90: First Line Headings

    RADIUS or vendor-specific attributes that are logged. For more information on the account.ini file, refer to the RSA RADIUS Server 6.1 Reference Guide. First Line Headings The first line of the accounting log file is a file header that lists the attributes that have been enabled for logging in the order in which they are logged.
  • Page 91: Standard Radius Accounting Attributes

    Acct-Authentic: RADIUS, the RAS itself, or another remote authentication protocol: 1 - RADIUS; 2 - Local; 3 - Remote. Acct-Session-Time: Elapsed time of connection in seconds; present only in STOP records...
  • Page 92 Table 16. Standard RADIUS Accounting Attributes (Continued). Acct-Input-Packets: Number of packets received by the port over the connection; present only in STOP records. Acct-Output-Packets: Number of packets sent by the port over the connection; present only in STOP records. Acct-Termination-Cause: Number that indicates how the session was terminated;...
  • Page 93: Appendix A Using The Ldap Configuration Interface

    radius.ini (among other things) the interfaces on which RSA RADIUS Server listens for LCI requests. If a specification is not present, RSA RADIUS Server listens for LCI requests on all bound IP ports...
  • Page 94: About The Ldap Configuration Interface

    About the LDAP Configuration Interface The LDAP Configuration Interface (LCI) consists of an LDAP interface in the RSA RADIUS Server and an LDAP virtual schema. The LDAP virtual schema enables the LDAP interface to translate LDAP requests into a format that can be understood by the RSA RADIUS Server database.
  • Page 95: Ldap Requests

    Versions of the SDK are available for Solaris, Linux, and Windows. When the download is completed, extract the following files from the compressed image to a directory on your computer: ldapsearch.exe, ldapmodify.exe, ldapdelete.exe...
  • Page 96: Ldap Version Compliance

    nsldapssl32v30.dll (if you are on a Windows host) or libldap30.so (if you are on a Solaris host). To run the LDAP utilities, execute them from this directory. If you set the path environment variable to point to this directory, you can run them from any location on the system.
  • Page 97: Ldap Virtual Schema

    Figure 26 LDAP Schema (Slide 1 of 4): remaining attributes Auth-Methods <meth1>; <meth2>; ... and Log-Max-Days <number>. Available Reply Attributes: all reply list attributes from dictionaries. Available Check Attributes: all check list attributes from dictionaries.
  • Page 98

    LDAP Schema figure (continued): Root o=radius; cn=admin; radiusstatus=sessions; radiusstatus=sessions_by_user (username=<user name>); radiusstatus=sessions_by_calling_station (calling-station-id=<dialing number>); radiusstatus=sessions_by_called_station (called-station-id=<dialed number>); radiusstatus=sessions_by_ipaddress (framed-ip-address=<aaa.bbb.ccc.ddd>); client=NASCLIENT; acct-session-id=<sessionid>. Available Attributes: client <string>, acct-session-id <number>, nas-ip-address <string>, nas-port <string>, nas-port-type <string>, acct-multi-session-id <number>...
  • Page 99

    Figure 28 LDAP Schema (Slide 3 of 4): Available Attributes: accept <number>, reject <number>, silent-discard <number>, total-transactions <number>, invalid-request <number>, failed-authentication <number>, failed-on-check-list <number>, insufficient-resources <number>, transactions-retried <number>, total-retry-packets <number>.
  • Page 100

    LDAP Schema figure (continued): radiusstatus=acct_stats_by_nas (nasname=<nas-name>); radiusstatus=acct_stats_by_nasipaddr (nasipaddr=<nas-ip-addr>); cn=<monitor>. Available Attributes (monitor): dn <string>, version <string>, threads <number>, connection <string>, currentconnections <number>, totalconnections <number>, dtablesize <number>, writewaiters <number>, readwaiters <number>, opsinitiated <number>, opscompleted <number>, entriessent <number>, bytessent <number>... Available Attributes (per-NAS accounting statistics): nasname <name>, nasipaddr <name>...
  • Page 101 RADIUS client entry, send some accounting traffic to it, and then delete the entry, the output of queries continues to list the deleted ldapsearch RADIUS client so that the per-RAS statistics add up to the total RAS statistics. RSA RADIUS Server 6.1 Administrator’s Guide Using the LDAP Configuration Interface...
  • Page 102: Ldap Command Examples

    LDAP Command Examples: This section explains how to use the LDAP commands ldapsearch, ldapmodify, and ldapdelete to configure the server. Each example describes the LDAP command line options in detail. Note that a space must appear between each LDAP command option (for example, ) and its value (for example, ).
  • Page 103: Modifying Records

    The command is authenticated using an administrative account called oper. NOTE: Any administrative account name may be used in place of oper in the preceding example. o=radius may not be changed.
  • Page 104

    Table 18. Modifying Records Using the ldapmodify Command (Continued)
    ldapmodify Option: Meaning
    -w radadmin: The command is providing the authentication password radadmin. NOTE: The -w parameter value (in this case, radadmin) must match the password of the account named by the -D parameter.
    -f filename: This is the input LDIF file to process.
  • Page 105: Adding Records

    Request only the attributes you want for the new database. When ldapsearch completes processing, edit the output LDIF file. After each line that begins with , add a single line containing the text changetype: add.
  • Page 106: Deleting Records

    Once your editing is complete, run an ldapmodify -f command that references the new LDIF file. When the ldapmodify command finishes processing, your new database is populated with the records you extracted from the old database. Deleting Records: You can use the ldapdelete command to remove records from the LDAP...
  • Page 107: Statistics Variables

    2002/05/08 13:29:08 up-time: 26188 ip-address: 192.168.21.142 version: v 2.20.33 authentication-threads: 0 accounting-threads: 0 total-threads: 0 max-auth-threads: 100 max-acct-threads: 100 max-total-threads: 200
  • Page 108 high-auth-threads: 2 high-acct-threads: 0 high-total-threads: 2 stattype: authentication stattype=authentication,radiusstatus=statistics,o=radius objectclass: top objectclass: radiusstatus radiusstatus: statistics stattype: authentication accept: 1 reject: 0 silent-discard: 0 total-transactions: 8 invalid-request: 0 failed-authentication: 0 failed-on-check-list: 0 insufficient-resources: 0 transactions-retried: 0 total-retry-packets: 0 stattype: accounting dn: stattype=accounting,radiusstatus=statistics,o=radius objectclass: top objectclass: radiusstatus radiusstatus: statistics...
  • Page 109: Rate Statistics

    0 auth-request-average-rate: 0 auth-request-peak-rate: 7 auth-accept-current-rate: 0 auth-accept-average-rate: 0 auth-accept-peak-rate: 1 auth-reject-current-rate: 0 auth-reject-average-rate: 0 auth-reject-peak-rate: 0 acct-start-current-rate: 0 acct-start-average-rate: 0 acct-start-peak-rate: 0 acct-stop-current-rate: 0 acct-stop-average-rate: 0 acct-stop-peak-rate: 0
  • Page 110 Using the LDAP Configuration Interface September 2005...
  • Page 111: Glossary

    The process of controlling the network access, such as privileges or time limits, that the user can exercise on the protected network. Attribute-value pair. An attribute and its corresponding value; for example, User-Name = admin
  • Page 112: Glossary

    Certificate authority. A trusted entity that registers the digital identity of a site or individual and issues a digital certificate that guarantees the binding between the identity and the data items in a certificate. Centralized configuration management. The process by which information is shared between a Primary RADIUS server and one or more Replica RADIUS servers in a multi-server environment.
  • Page 113: Glossary

    RADIUS. Remote Authentication Dial-In User Service. A security administration standard that functions as an information clearinghouse, storing authentication...
  • Page 114: Glossary

    Return list attributes provide additional parameters, such as VLAN assignment or IP address assignment, that the RAS needs to connect the user. RSA Authentication Manager. A host running RSA Security proprietary RSA SecurID software, which identifies and authenticates users by validating their RSA SecurID passcodes.
  • Page 115

    Zulu time. RSA SecurID tokens are synchronized to UTC to provide a standard time basis for tokencode calculation. Vendor Specific Attribute. VSAs allow vendors to support proprietary RADIUS attributes that are not defined in RFCs 2865 and 2866. WLAN. Wireless Local Area Network.
  • Page 117: Index

    59, 61; network access server (NAS), see RAS; EAP-15, see RSA Security EAP; orderable attributes; EAP-32, see Protected One-Time Password (POTP); echo property; passcode; personal identification number; POTP; Failed Authentication; profiles; Failed on Checklist
  • Page 118

    RAS; Replication panel; return list attributes; RSA Authentication Manager 2, 3, 4, 21, 22, 35, 53; RSA Security EAP 1, 2; rsaconfiguretool 18, 70, 71, 72; rsainstalltool 18, 28, 30, 70, 71, 72; shared secret...
