Dial-in using PPP and RADIUS

When dialing in using PPP (Point-to-Point Protocol), RADIUS can be used to check the client's access authorization. A client can dial in to the network from anywhere. Note that RADIUS does not encrypt the dial-in link itself, and that plain RADIUS over UDP hides only the User-Password attribute with the shared secret while all other attributes travel in clear text; use RADSEC (RADIUS over TLS) if the whole exchange between the device and the RADIUS server needs to be encrypted.

The configuration is carried out in LANconfig under Communication > RADIUS.

RADIUS server
When authenticating using RADIUS, the user administration and authentication tasks are passed on to a RADIUS server.
  • Disabled: The functionality of RADIUS is disabled and no requests are forwarded to the RADIUS server (default).
  • Operating: The functionality of RADIUS is enabled and requests may be forwarded to the configured RADIUS server. Depending on the setting, other sources may be used for the authentication process (e.g. PPP list).
  • Exclusive: RADIUS functionality is enabled and the authentication process is run exclusively by RADIUS.
The appropriate RADIUS server must be configured to use the functionality of RADIUS. All user data, such as user name and password, is entered on the RADIUS server.
Protocols
The available protocols are UDP-based RADIUS and TCP-based RADSEC (RADIUS over TLS). See also RADSEC.
Address
Enter the IP address (IPv4, IPv6) or the hostname of the RADIUS server used for central user management.
Server port
Specify here the port used for communication with your RADIUS server (default: 1812).
Source address
The device automatically determines the correct source IP address for the destination network. To use a fixed source IP address instead, enter it symbolically or directly here.
Attribute values
LCOS lets you configure the RADIUS attributes sent to a RADIUS server (for authentication and accounting). The attributes are specified as a semicolon-separated list of attribute numbers or names, each with a value, in the form <Attribute_1>=<Value_1>;<Attribute_2>=<Value_2>. Because the number of characters is limited, an attribute name can be abbreviated, but the abbreviation must be unique. Examples:
  • NAS-Port=1234 is not allowed, because the attribute is not unique (NAS-Port, NAS-Port-Id or NAS-Port-Type).
  • NAS-Id=ABCD is allowed, because the attribute is unique (NAS-Identifier).
Attribute values can be given as names or as RFC-compliant numbers; for the device, Service-Type=Framed and Service-Type=2 are identical. Enclosing a value in quotation marks ("<Value>") allows special characters such as spaces, semicolons or equals signs in it. A quotation mark inside a value must be preceded by a backslash (\"), as must a backslash itself (\\). The following variables are permitted in values:
  • %n: Device name
  • %e: Serial number of the device
  • %%: Percent sign
  • %{name}: Value of the attribute name as transferred by the RADIUS application. This allows attributes to be set from the original RADIUS attributes; for example, Called-Station-Id=%{NAS-Identifier} sets the attribute Called-Station-Id to the value of the attribute NAS-Identifier.
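As an added worked example (not LANCOM code and not the LCOS parser itself), the following Python reproduces the list syntax described above: semicolon-separated Attribute=Value pairs, unique-prefix abbreviation of attribute names, quoted values with \" and \\ escapes, name-or-number values, and expansion of %n, %e, %% and %{name}. The attribute and value tables are a hand-picked subset of RFC 2865 numbers, and the device name, serial number and request attributes passed in are placeholders; how the real device resolves names may differ in detail.

```python
"""Parser for the RADIUS attribute-value list syntax described above.

Added example for this page, not LANCOM/LCOS code. The attribute table is a
hand-picked subset of RFC 2865 numbers; device name, serial number and the
request attributes used for %{name} are placeholders supplied by the caller.
"""
import re

# Subset of RFC 2865 attribute numbers (assumption: the device resolves the same names).
ATTRIBUTES = {
    "User-Name": 1, "User-Password": 2, "NAS-IP-Address": 4, "NAS-Port": 5,
    "Service-Type": 6, "Framed-Protocol": 7, "Framed-IP-Address": 8,
    "Called-Station-Id": 30, "Calling-Station-Id": 31, "NAS-Identifier": 32,
    "NAS-Port-Type": 61, "NAS-Port-Id": 87,
}
# Named values for enumerated attributes (RFC 2865 sections 5.6 and 5.7).
NAMED_VALUES = {
    "Service-Type": {"Login": 1, "Framed": 2, "Callback-Login": 3, "Callback-Framed": 4,
                     "Outbound": 5, "Administrative": 6, "NAS-Prompt": 7},
    "Framed-Protocol": {"PPP": 1, "SLIP": 2},
}


def resolve_attribute(token):
    """Map a number, a full name or a unique (case-insensitive) name prefix to the canonical name."""
    if token.isdigit():
        for name, number in ATTRIBUTES.items():
            if number == int(token):
                return name
        raise ValueError(f"unknown attribute number {token}")
    matches = [n for n in ATTRIBUTES if n.lower().startswith(token.lower())]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"unknown attribute {token!r}")
    # "NAS-Port" matches NAS-Port, NAS-Port-Id and NAS-Port-Type, so it is rejected.
    raise ValueError(f"ambiguous attribute {token!r}: matches {', '.join(sorted(matches))}")


def _split_items(text):
    """Split at semicolons that are not inside a quoted value (backslash escapes honoured)."""
    items, buf, quoted, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch); escaped = False
        elif ch == "\\" and quoted:
            buf.append(ch); escaped = True
        elif ch == '"':
            buf.append(ch); quoted = not quoted
        elif ch == ";" and not quoted:
            items.append("".join(buf)); buf = []
        else:
            buf.append(ch)
    if quoted:
        raise ValueError("unterminated quoted value")
    items.append("".join(buf))
    return [item for item in items if item.strip()]


def _unquote(value):
    """Strip surrounding quotation marks and resolve the escapes for quote and backslash."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return value
    inner, out, i = value[1:-1], [], 0
    while i < len(inner):
        if inner[i] == "\\" and i + 1 < len(inner) and inner[i + 1] in '"\\':
            out.append(inner[i + 1]); i += 2
        else:
            out.append(inner[i]); i += 1
    return "".join(out)


def expand(value, device_name, serial, request_attrs):
    """Expand %n, %e, %% and %{Attr}; %{Attr} takes the value of that attribute from the request."""
    def repl(match):
        token = match.group(1)
        if token == "n":
            return device_name
        if token == "e":
            return serial
        if token == "%":
            return "%"
        return str(request_attrs.get(resolve_attribute(token[1:-1]), ""))
    return re.sub(r"%(n|e|%|\{[^}]*\})", repl, value)


def parse_attribute_list(text, device_name="lancom-gw", serial="4001234567", request_attrs=None):
    """Return {canonical name: (attribute number, value)} for a list like 'NAS-Id=ABCD;Service-Type=Framed'."""
    request_attrs = request_attrs or {}
    result = {}
    for item in _split_items(text):
        if "=" not in item:
            raise ValueError(f"missing '=' in {item!r}")
        name, raw = item.split("=", 1)
        canonical = resolve_attribute(name.strip())
        value = expand(_unquote(raw.strip()), device_name, serial, request_attrs)
        named = NAMED_VALUES.get(canonical)
        if named is not None:  # "Framed" and "2" denote the same Service-Type
            if value in named:
                value = named[value]
            elif value.isdigit():
                value = int(value)
            else:
                raise ValueError(f"unknown value {value!r} for {canonical}")
        result[canonical] = (ATTRIBUTES[canonical], value)
    return result
```

Feeding the two examples from the text through parse_attribute_list gives the documented outcome: NAS-Id=ABCD resolves to NAS-Identifier, while NAS-Port=1234 is rejected as ambiguous.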
Secret
Shared secret used to authenticate the RADIUS packets and to hide the User-Password attribute. The same secret must be configured on the RADIUS server; choose a long, random value, because with plain RADIUS over UDP it is the only protection the exchange has.
PPP operation
A RADIUS server may be used for the authentication process when dialing-in using PPP.
  • Disabled: PPP clients are not authenticated using RADIUS. They are checked exclusively using the PPP list (default).
  • Operating: RADIUS authentication for PPP clients is enabled. User data supplied by clients is first checked using the PPP list. If no matching entry is found in the PPP list, the client is checked by the RADIUS server. Authentication is successful if the PPP list check or RADIUS server check returns as positive.
  • Exclusive: RADIUS authentication for PPP clients is enabled. User data supplied by clients is checked exclusively by the RADIUS server. In this mode, solely the advanced settings of the PPP list for the user are interpreted (e.g. check for PAP/CHAP – or the allowed protocols IP and/or NetBIOS).
CLIP operation
A RADIUS server may be used for control of a return call when dialing-in using PPP.
  • Disabled: The return call function is not controlled by RADIUS. Only those entries in the name list are used (default).
  • Operating: The RADIUS function for the return call is enabled. Telephone numbers reported by clients are first checked using the name list. If no matching entry is found in the name list, the telephone number is checked by the RADIUS server. If the name list check or RADIUS server check returns as positive, a return call can be established.
    Note: If the telephone number communicated is in the name list but no return call is active for that entry, the RADIUS server is not consulted.
  • Exclusive: The RADIUS function for the return call is enabled. User data reported by clients is checked exclusively by the RADIUS server.
In order to use the return call control from RADIUS, a user must be set up on the RADIUS server for each telephone number to be authenticated. The user name corresponds to the telephone number and the user password is the CLIP password specified here.
CLIP password
Password for return call control.
Note: The generic values for retry and timeout must also be configured. They are found under PPP parameters on the same page.
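The following Python is an added example (not LANCOM code) of what the shared secret protects and of the requests the two modes above send: it builds an Access-Request for a PPP user and one for callback control (user name = calling number, password = CLIP password), hides User-Password as RFC 2865 section 5.2 prescribes, and checks the server's Response Authenticator on the way back. The attribute set of each request, the use of Service-Type Callback-Framed for the CLIP request, and the sample names and secret are assumptions; the real device's packets may carry other attributes.

```python
"""Added example, not LANCOM code: minimal RFC 2865 Access-Request and response handling
to show what the shared secret protects. Attribute choices, names and the secret used
by the caller are assumptions, not documented LCOS behaviour."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 2, 6, 7
CALLING_STATION_ID, NAS_IDENTIFIER = 31, 32
SERVICE_FRAMED, SERVICE_CALLBACK_FRAMED, FRAMED_PPP = 2, 4, 1


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks, xor each with MD5(secret + previous cipher block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(secret, authenticator, hidden):
    """Server-side inverse of hide_password (xor-based hiding, not an authenticated cipher)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def tlv(attr_type, value):
    """Encode one attribute; integers become 4-byte big-endian values."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_packet(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]) after basic length checks."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, packet[4:20], attrs


def build_access_request(secret, identifier, attrs):
    """NAS side: fresh random Request Authenticator; only User-Password is hidden, the rest is clear."""
    authenticator = os.urandom(16)
    body = b"".join(
        tlv(t, hide_password(secret, authenticator, v) if t == USER_PASSWORD else v) for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def build_response(secret, code, request_packet, attrs=()):
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    _, ident, request_auth, _ = parse_packet(request_packet)
    body = b"".join(tlv(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(secret, request_packet, response_packet):
    """NAS side: accept the response only if the ID matches and the Response Authenticator verifies."""
    _, request_id, request_auth, _ = parse_packet(request_packet)
    code, ident, response_auth, _ = parse_packet(response_packet)
    expected = hashlib.md5(response_packet[:4] + request_auth + response_packet[20:] + secret).digest()
    if ident != request_id or not hmac.compare_digest(expected, response_auth):
        return None
    return code


def ppp_request(secret, identifier, user, password, nas_id):
    """Access-Request for a PPP dial-in user ("PPP operation" above)."""
    return build_access_request(secret, identifier, [
        (USER_NAME, user), (USER_PASSWORD, password), (NAS_IDENTIFIER, nas_id),
        (SERVICE_TYPE, SERVICE_FRAMED), (FRAMED_PROTOCOL, FRAMED_PPP)])


def clip_request(secret, identifier, calling_number, clip_password, nas_id):
    """Callback control ("CLIP operation" above): user name is the calling number, password the CLIP
    password. Service-Type Callback-Framed and the Calling-Station-Id copy are assumptions."""
    return build_access_request(secret, identifier, [
        (USER_NAME, calling_number), (USER_PASSWORD, clip_password),
        (CALLING_STATION_ID, calling_number), (NAS_IDENTIFIER, nas_id),
        (SERVICE_TYPE, SERVICE_CALLBACK_FRAMED)])
```

Decoding a request built by ppp_request shows the point made under Secret: the user name, NAS-Identifier and Service-Type are readable by anyone on the path, only the 16-byte User-Password block depends on the secret, and a response whose body is altered in transit fails verify_response because the Response Authenticator no longer matches.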

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de