A typical RADIUS configuration scenario has two Screens that each protect a site. la-screen and la-radsvr are a Screen and RADIUS server in the la location, sf-screen and sf-radsvr are a Screen and RADIUS server in the sf location. Each site uses the RADIUS server of the other as a backup.
The IP addresses shown are placeholders. Because each Screen sends RADIUS traffic to the other site's server across the network, and RADIUS itself only obfuscates the User-Password attribute with the shared secret (the user name and other attributes travel in the clear), encrypted tunnels, or VPNs, between the sites are likely in such a configuration; they are not shown, for purposes of clarity.
The following are examples of typical RADIUS configurations:
To create address objects, while logged into the primary Screen:
    admin% ssadm -r primary edit ConfigName
    edit> add address la-radsvr HOST 1.2.3.4
    ...
    edit> add address sf-radsvr HOST 4.3.2.1
    ...
    edit> add address radsvrs GROUP { la-radsvr sf-radsvr } { }
    ...
To create a rule that allows RADIUS requestor-to-server access, while logged into the primary Screen (the rule permits the radius service only from the Screen itself, localhost, to the radsvrs group; no other host is allowed to reach the RADIUS servers through this rule):

    edit> add rule radius localhost radsvrs ALLOW
To create RADIUS variables, while logged into the primary Screen:
    edit> vars add sys=la-screen prg=auth name=RADIUSServers values={ host=la-radsvr host=sf-radsvr } description="RADIUS servers for la site"
    edit> vars add sys=sf-screen prg=auth name=RADIUSServers values={ host=sf-radsvr host=la-radsvr } description="RADIUS servers for sf site"
To create RADIUS node secret variables, while logged into the primary Screen:

    edit> vars add sys=la-screen prg=auth name=RADIUSNodeSecret value=la-secret
    edit> vars add sys=sf-screen prg=auth name=RADIUSNodeSecret value=sf-secret

The node secret is the RADIUS shared secret for that Screen; the same value must be configured on each RADIUS server (both la-radsvr and sf-radsvr, since each is a backup for the other) as the secret for that Screen's IP address. The values la-secret and sf-secret are placeholders: use a long, random secret, distinct per Screen, because the secret is all that keys the hiding of user passwords in RADIUS requests.
To save and activate the configuration:
    edit> save
    edit> quit
    admin% ssadm -r primary activate ConfigName
For example, given a valid, RADIUS-hosted user gooduser with password goodpass and an invalid user baduser, while logged into the Screen la-screen:

    admin% ssadm -r la-screen lib/user_authenticate -v /radius/gooduser goodpass
    User /radius/gooduser authenticated and mapped to backend user gooduser
    admin% ssadm -r la-screen lib/user_authenticate -v /radius/gooduser anythingelse
    User /radius/gooduser failed authentication.
    admin% ssadm -r la-screen lib/user_authenticate -v /radius/baduser anything
    User /radius/baduser failed authentication.
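Each of the user_authenticate runs above causes la-screen to send a RADIUS Access-Request to the first reachable host in its RADIUSServers list, with the password hidden under the RADIUSNodeSecret. The following Python is an added model of that exchange, not code from the SunScreen product or its documentation: it implements the RFC 2865 User-Password hiding and Response Authenticator (assuming a plain PAP exchange; the Screen's exact attribute set is not shown on this page) and walks the primary/backup server list, so you can see what the node secret protects and why a secret that does not match the server's shows up as a failed authentication rather than an explicit error. The server functions, user table, secrets and the TimeoutError responder are constructed stand-ins.

```python
"""Added example (not SunScreen code): RFC 2865 PAP exchange behind
lib/user_authenticate, with primary/backup server selection.
Server names, user database and secrets below are constructed fixtures."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed by the
    16-byte Request Authenticator. Only the node secret keys this, which is
    why a guessable secret such as la-secret is unacceptable in production."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password (trailing NUL padding stripped)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth):
    """Code(1) + Identifier + Length + Request Authenticator + TLV attributes."""
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in (
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_respond(request, secret, users):
    """What la-radsvr/sf-radsvr do: reveal the password with the secret they
    hold for this client, check it, and sign the reply with a Response
    Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs, i = request[4:20], {}, 20
    while i < length:
        t, l = request[i], request[i + 1]
        attrs[t] = request[i + 2:i + l]
        i += l
    stored = users.get(attrs.get(ATTR_USER_NAME))
    given = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = stored is not None and hmac.compare_digest(given, stored)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def check_response(response, request_auth, secret):
    """Client side: a reply whose authenticator does not verify under our
    secret is silently discarded (RFC 2865 3), so a secret mismatch looks like
    an unreachable server, not like an Access-Reject. Returns the code or None."""
    _code, _ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return response[0] if hmac.compare_digest(expected, response[4:20]) else None


def authenticate(username, password, secret, servers):
    """Try each (name, responder) in order, like the RADIUSServers host= list;
    fall through to the backup when a server times out or its reply does not
    verify. Returns (name of the server that answered, accepted?)."""
    for ident, (name, responder) in enumerate(servers):
        request_auth = os.urandom(16)
        try:
            reply = responder(build_access_request(ident & 0xFF, username, password, secret, request_auth))
        except TimeoutError:  # hypothetical way to model a server that is down
            continue
        code = check_response(reply, request_auth, secret)
        if code is not None:
            return name, code == ACCESS_ACCEPT
    return None, False


# Constructed fixtures standing in for the page's la-radsvr / sf-radsvr.
NODE_SECRET = b"la-secret"          # the page's placeholder; use a long random value in practice
USERS = {b"gooduser": b"goodpass"}  # constructed user table

def la_radsvr(req): return server_respond(req, NODE_SECRET, USERS)
def sf_radsvr(req): return server_respond(req, NODE_SECRET, USERS)
def unreachable(_req): raise TimeoutError

if __name__ == "__main__":
    both = [("la-radsvr", la_radsvr), ("sf-radsvr", sf_radsvr)]
    for user, pw in ((b"gooduser", b"goodpass"), (b"gooduser", b"anythingelse"), (b"baduser", b"anything")):
        print(user.decode(), authenticate(user, pw, NODE_SECRET, both))
```

Running the script reproduces the three outcomes shown for la-screen: gooduser/goodpass is accepted by la-radsvr, and the two other attempts are rejected. Swapping la_radsvr for unreachable in the list shows the fall-through to sf-radsvr, and passing a secret other than NODE_SECRET shows that no reply verifies at all, which is the symptom to look for when a freshly configured Screen fails every authentication.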