Version 5.1 |
||||||||||||||||||||||||||||||
|
|
By default the CommuniGate Pro RADIUS module is not activated.
CG/PL applications can communicate with remote RADIUS servers: they can send RADIUS requests and receive RADIUS responses. To enable this RADIUS client functionality, the RADIUS module has to be activated.
Use the WebAdmin Interface to configure the RADIUS module. Open the Services pages in the Settings realm, and open the RADIUS page:The RADIUS module accepts properly formatted "Access-Request" requests from RADIUS clients, retrieves the User-Name and User-Password attributes and tries to find the specified CommuniGate Pro Account and verify its password. If the password can be verified and the Account and its Domain both have the RADIUS Service enabled, a positive response is sent to the RADIUS client, otherwise a negative response with the error code text is sent.
If the CommuniGate Password option is enabled for the specified Account, the RADIUS module checks if the Account has the RADIUSPassword setting. If it exists, it is used instead of the standard Password setting. This feature allows an Administrator to assign a different password to an Account, and this password will be used for the RADIUS authentication only.
Note: clients authenticating via RADIUS do not use any network address on the Server, and Secondary Domain users should specify their full Account name (account@domain), or should specify a name that is routed to their Account using the Router. Because the Router is used to process the User-Name attribute, account aliases can be used for authentication, too. See the Access section for more details.
The CommuniGate Pro Server can use an external Helper program to implement a RADIUS authentication policy. That program should be created by your own technical staff.
The program name and its optional parameters should be specified using the WebAdmin Helpers page. Open the General page in the Settings realm, and click the Helpers link:See the Helper Programs section to learn about these options. The External RADIUS module System Log records are marked with the EXTRADIUS tag.
If the External RADIUS program is not enabled, then the positive authentication response is sent as soon as the user password is verified. The response does not contain any additional attributes.
To learn how to create your own External RADIUS programs, see the Helpers section.
Sample External RADIUS programs and scripts can be found at the RADIUS Helper programs site.
If the Record option is enabled, all RADIUS accounting operations are recorded in a text-based Accounting Log file. The Accounting Log files are stored inside the RADIUSLog file subdirectory.
A single-server system creates the RADIUSLog directory inside the Settings subdirectory of the base directory.
A Dynamic Cluster system creates the RADIUSLog directory
inside the Settings subdirectory of the SharedDomains directory.
Each RADIUS Accounting Log file has a yyyy-mm-dd file name (where yyyy is the current year, mm is the current month, and dd is the current month day), with the log file name extension. At local midnight, a new Accounting Log file is created.
Each RADIUS Accounting Log record is a text line containing a time-stamp, the operation type
or command (started, ended, updated, inited, stopped),
and optionally an account name.
The rest of the line contains accounting request attributes.
Each attribute is stored using the numeric attribute type, the equal (=) symbol, and the attribute value.
Attribute values are encoded in the same way as in they are encoded in dictionaries used in External RADIUS Helper Interface.