SunScreen EFS Release 3.0 Reference Manual

Typical RADIUS Configuration

A typical RADIUS configuration has two Screens, each protecting a site: la-screen and la-radsvr are the Screen and RADIUS server at the la site, and sf-screen and sf-radsvr are the Screen and RADIUS server at the sf site. Each site uses the other site's RADIUS server as a backup.


Note -

Ephemeral IP addresses are shown. Encrypted tunnels, or VPNs, are possible, perhaps likely, in such a configuration, but are not shown for purposes of clarity.


The following is an example of what you type to create address objects, while logged into the primary Screen:


admin% ssadm -r primary edit ConfigName
edit> add address la-radsvr HOST 1.2.3.4 ...
edit> add address sf-radsvr HOST 4.3.2.1 ...
edit> add address radsvrs GROUP { la-radsvr sf-radsvr } { } ...

The following is an example of what you type to create a rule to allow RADIUS-Requestor-to-server access, while logged into the primary Screen:


edit> add rule radius localhost radsvrs ALLOW

The following is an example of what you type to create RADIUS variables, while logged into the primary Screen:


edit> vars add sys=la-screen prg=auth name=RADIUSServers values={ host=la-radsvr host=sf-radsvr } description="RADIUS servers for la site"
edit> vars add sys=sf-screen prg=auth name=RADIUSServers values={ host=sf-radsvr host=la-radsvr } description="RADIUS servers for sf site"

The following is an example of what you type to create RADIUS node secret variables, while logged into the primary Screen:


edit> vars add sys=la-screen prg=auth name=RADIUSNodeSecret value=la--secret
edit> vars add sys=sf-screen prg=auth name=RADIUSNodeSecret value=sf--secret

Save and activate the configuration:


edit> save
edit> quit
admin% ssadm -r primary activate configname

For example, given a valid RADIUS-hosted user gooduser with password goodpass and an invalid user baduser, the following shows the results of test authentications while logged into the Screen la-screen (the password is typed on the line after the command and is echoed):


admin% ssadm -r la-screen lib/user_authenticate -v /radius/gooduser
goodpass
User /radius/gooduser authenticated and mapped to backend user gooduser

admin% ssadm -r la-screen lib/user_authenticate -v /radius/gooduser
anythingelse
User /radius/gooduser failed authentication.

admin% ssadm -r la-screen lib/user_authenticate -v /radius/baduser
anything
User /radius/baduser failed authentication.


Note -

lib/user_authenticate is a low-level program used internally to perform user authentication; its interface is not supported for general use. It echoes the password as it is typed.
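The following Python model is an added illustration, not SunScreen code, of the RADIUS exchange behind the three test authentications above: the Screen hides the User-Password with its RADIUSNodeSecret and a Request Authenticator (RFC 2865 section 5.2), and accepts the server's answer only if the Response Authenticator proves the server holds the same secret. The radius_server function is a constructed stand-in for la-radsvr/sf-radsvr, the user database is constructed, the secrets are the page's sample values, and no packets leave the host.

```python
import hashlib, os, struct

# The page's sample RADIUSNodeSecret values, one per Screen.
NODE_SECRET = {"la-screen": b"la--secret", "sf-screen": b"sf--secret"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def xor_password(data, secret, authenticator, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), the first block with the
    Request Authenticator. decrypt=True reverses it (same secret needed)."""
    data += b"\0" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out, prev = out + result, (block if decrypt else result)
    return out

def access_request(user, password, secret):
    """Packet a Screen sends: code, identifier, length, Request Authenticator,
    then User-Name (type 1) and hidden User-Password (type 2) attributes."""
    req_auth = os.urandom(16)
    attrs = [(1, user), (2, xor_password(password, secret, req_auth))]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + req_auth + body

def radius_server(request, secret, users):
    """Constructed stand-in for la-radsvr/sf-radsvr: unhide the password with
    its copy of the secret, decide, and sign the reply (RFC 2865 section 3)."""
    req_auth, attrs, pos = request[4:20], {}, 20
    while pos < len(request):                      # walk the TLV attributes
        attrs[request[pos]] = request[pos + 2:pos + request[pos + 1]]
        pos += request[pos + 1]
    pw = xor_password(attrs[2], secret, req_auth, decrypt=True).rstrip(b"\0")
    code = ACCESS_ACCEPT if users.get(attrs[1]) == pw else ACCESS_REJECT
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def authenticate(screen, user, password, users, server_secret):
    """Client side, as la-screen would do it: trust a reply only when its
    Response Authenticator matches MD5(header + request auth + our secret)."""
    secret = NODE_SECRET[screen]
    request = access_request(user, password, secret)
    reply = radius_server(request, server_secret, users)
    expected = hashlib.md5(reply[:4] + request[4:20] + secret).digest()
    if reply[4:20] != expected:
        return "unverifiable reply (node secret mismatch?)"
    return "authenticated" if reply[0] == ACCESS_ACCEPT else "failed authentication"
```

Passing a server_secret that differs from the Screen's node secret reproduces the most common RADIUS misconfiguration: the server cannot recover the password, rejects the user, and the Screen cannot verify the reply at all.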