test

SunScreen 3.2 Administrator's Overview

Typical RADIUS Configuration

A typical RADIUS configuration scenario has two Screens that each protect a site. la-screen and la-radsvr are a Screen and RADIUS server in the la location, sf-screen and sf-radsvr are a Screen and RADIUS server in the sf location. Each site uses the RADIUS server of the other as a backup.

Note -

Ephemeral IP addresses are shown. Encrypted tunnels, or VPNs, are possible, perhaps likely, in such a configuration, but are not shown for purposes of clarity.

Examples: Typical RADIUS Configurations

The following are examples of typical RADIUS configurations:

To create address objects, while logged into the primary Screen:


admin% ssadm -r primary edit ConfigName
edit> add address la-radsvr HOST 1.2.3.4 ...
edit> add address sf-radsvr HOST 4.3.2.1 ...
edit> add address radsvrs GROUP { la-radsvr sf-radsvr } { } ...

To create a rule to allow RADIUS Requestor-to-server access, while logged into the primary Screen:


edit> add rule radius localhost radsvrs ALLOW

To create RADIUS variables, while logged into the primary Screen:


edit> vars add sys=la-screen prg=auth name=RADIUSServers 
values={ host=la-radsvr host=sf-radsvr } description="RADIUS servers for la site"
edit> vars add sys=sf-screen prg=auth name=RADIUSServers 
values={ host=sf-radsvr host=la-radsvr } description="RADIUS servers for  sf site"

To create RADIUS node secret variables, while logged into the primary Screen:


edit> vars add sys=la-screen prg=auth name=RADIUSNodeSecret value=la-secret
edit> vars add sys=sf-screen prg=auth name=RADIUSNodeSecret value=sf--secret

To save and activate the configuration:


edit> save
edit> quit
admin% ssadm -r primary activate ConfigName

For example, given a valid, RADIUS-hosted user gooduser with password goodpass and an invalid user baduser, while logged into the Screen la-screen:


admin% ssadm -r la-screen lib/user_authenticate -v /radius/gooduser  goodpass 
User /radius/gooduser authenticated and mapped to backend user gooduser 
admin% ssadm -r la-screen lib/user_authenticate -v /radius/gooduser anythingelse
User /radius/gooduser failed authentication. 
admin% ssadm -r la-screen lib/user_authenticate -v /radius/baduser anything
User /radius/baduser failed authentication.