This page contains high-level technical tips for authenticating a RADIUS user between the SBC Edge (SBC) and a FreeRADIUS server.

FreeRADIUS Sample Configuration

In this section, we provide sample FreeRADIUS configuration bits relevant to RADIUS user authentication on SBC.

Users

We configure a RADIUS user called raduser whose User Class is ReadOnlyClass. This class name needs to be configured on the SBC - see Managing RADIUS User Class Access Level Mapping.

raduser User-Password == "Passw0rd"
        Class == "ReadOnlyClass"

radiusd.conf

This is used for the RADIUS server healthcheck:

status_server = yes

clients.conf

This defines the RADIUS client information, matching the RADIUS Server settings configured on the SBC.

client 172.16.250.246/32 {
       secret          = Passw0rd
       shortname       = SBC246
}

RADIUS Server Authentication Message Exchange

When a RADIUS user attempts to authenticate on the SBC system, the SBC behaves as a RADIUS authentication client and sends an Access-Request to the RADIUS server:

rad_recv: Access-Request packet from host 172.16.250.246:38525, id=170, length=65
        Service-Type = Login-User
        User-Name = "raduser"
        User-Password = "Passw0rd"
        NAS-Port = 0
        NAS-IP-Address = 172.16.250.246

If the request is authenticated

The RADIUS server responds with Access-Accept and returns the Class attribute:

Sending Access-Accept of id 170 to 172.16.250.246 port 38525
        Class == 0x41646d696e6973747261746f72436c617373

After SBC receives the Access-Accept, SBC uses the Class attribute returned by RADIUS to map the appropriate access level.

If the request is not authenticated

The RADIUS server responds with Access-Reject:

Sending Access-Reject of id 215 to 172.16.250.246 port 5412
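
The exchange above can be reproduced at the byte level. The following Python sketch is an added example, not part of the original page and not SBC or FreeRADIUS code: it follows RFC 2865 to build the Access-Request shown above, hide User-Password with the shared secret from clients.conf, and verify the Response Authenticator before trusting the returned Class. All function names are hypothetical.

```python
import hashlib, hmac, os, struct

SECRET = b"Passw0rd"  # shared secret from the clients.conf sample on this page

def attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value  # type, length, value

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, user, password, nas_ip, secret, req_auth=None):
    """Client (SBC) side: same attributes, in the same order, as the rad_recv dump."""
    req_auth = os.urandom(16) if req_auth is None else req_auth
    attrs = (attr(6, struct.pack("!I", 1))                    # Service-Type = Login-User
             + attr(1, user)                                  # User-Name
             + attr(2, hide_password(password, secret, req_auth))
             + attr(5, struct.pack("!I", 0))                  # NAS-Port = 0
             + attr(4, bytes(map(int, nas_ip.split(".")))))   # NAS-IP-Address
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code, request, attrs, secret):
    """Server side: Response Authenticator = MD5(code+id+len+RequestAuth+attrs+secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def check_reply(reply, request, secret):
    """Client side: verify the authenticator, then return (code, Class value or None)."""
    length = len(reply)
    if length < 20 or reply[1] != request[1] or reply[2:4] != struct.pack("!H", length):
        raise ValueError("malformed or mismatched reply")
    expect = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expect, reply[4:20]):
        raise ValueError("bad Response Authenticator (shared secret mismatch?)")
    pos, cls = 20, None
    while pos + 2 <= length:
        t, l = reply[pos], reply[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        if t == 25:                                           # Class
            cls = reply[pos + 2:pos + l]
        pos += l
    return reply[0], cls
```

Built with the values on this page, the request is 65 bytes, matching length=65 in the rad_recv line, and the hex Class value in the Access-Accept decodes to the ASCII string AdministratorClass.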