In this section:

Related articles:


This object provides an option for configuring users on a remote RADIUS server and authenticating login attempts with that RADIUS server. The authenticating user should be part of the Administrator group.

Info

For configuration details, refer to Configuring SBC for RADIUS Authentication.


Info

Each SBC user is provided a private home directory for SFTP and files used by the CLI (refer to "Unique Home Directories" section on the page Managing SBC Core Users and Accounts). When using Radius authentication, users are only known to the Radius server and therefore do not have private home directories on the SBC. To create these home directories, you must also create Radius users on the SBC (refer to Local Authentication - CLI).


The CLI syntax to configure RADIUS-based authentication is provided below.

Radius Server

 Use this object to configure each RADIUS server for the specified Management Interface Group.

Command Syntax

% set oam radiusAuthentication radiusServer <serverName> 
    authenticationMethod <pap | peapmschapv2> 
	mgmtInterfaceGroup <string>
	priority <#>
	radiusNasIp <x.x.x.x>
	radiusServerIp <x.x.x.x>
	radiusServerPort <#>
	radiusSharedSecret <6-128>
	state <disabled | enabled>
	vsaVendorType <none | 0-255>

Command Parameters

Radius Server Parameters

ParameterLength/RangeDescription
<name> 1-23 charactersRADIUS server name.

authenticationMethod

 

N/A

The type of authentication to use.

  •  pap – Password Authentication Protocol. The password is sent in the radius request encoded with the shared secret.
  • peapmschapV2 – Protected EAP/ Microsoft Challenge Handshake Authentication Protocol. The password is sent via the Extensible Authentication Protocol over TLS and authenticated via the Microsoft Challenge Handshake Authentication Protocol.
mgmtInterfaceGroupN/AName of the Management Interface Group to connect to this RADIUS server.
priority1-8When configuring multiple RADIUS servers, use this attribute to specify the order to attempt RADIUS authentication. The RADIUS server with the lowest priority is contacted first.
radiusNasIpIPv4 formatIPv4 address of the SBC to send in ACCESS_REQUEST. (default = 0.0.0.0)
radiusServerIpIPv4/IPv6 formatIPv4 or IPv6 address of the RADIUS server. (default = 0.0.0.0)
radiusServerPort1-65535The RADIUS server port to which the SBC sends the request.
radiusSharedSecret6-128 characters

The shared secret used to encrypt the data exchanged between SBC and RADIUS server.

stateN/A 

Operational state of the RADIUS server

    • disabled (default)
    • enabled
vsaVendorTypenone | 0-255

Enter "none" to allow all VSA vendor-types, or a number between 0-255 to only return the group name in a VSA with that vendor-type.

Note

In a SBC HA configuration, four management IP addresses must be listed on the RADIUS server:

  • mgt0 and mgt1 IP addresses of the Active CE
  • mgt0 and mgt1 IP addresses of and Standby CE
Note

The radiusSharedSecret results in the 'show' command are encrypted.

Retry Criteria

Use this parameter to configure the authentication retry criteria before the SBC times out as well as the RADIUS server out-of-service setting.

Command Syntax

% set oam radiusAuthentication retryCriteria
	oosDuration <# minutes>
	retryCount <#>
	retryTimer <# milliseconds>

Command Parameters

Retry Criteria Parameters

ParameterLength/RangeDescription
oosDuration0-300

Time in minutes the RADIUS server remains out of service after a timeout.

retryCount1-3

Number of retries the SBC uses to attempt authentication. (Default = 3)

retryTimer

500-45000

Time in milliseconds before the SBC attempts another authentication request. (Default = 1000)

Command Examples

The following example configures SBC to communicate with the external RADIUS server for user authentication:

Configuration Examples
set oam radiusAuthentication radiusServer s1 priority 1
set oam radiusAuthentication radiusServer s1 mgmtInterfaceGroup mgmt0
set oam radiusAuthentication radiusServer s1 radiusServerIp 10.54.90.107
set oam radiusAuthentication radiusServer s1 radiusServerPort 1812
set oam radiusAuthentication radiusServer s1 radiusSharedSecret sonus123
set oam radiusAuthentication radiusServer s1 state enabled
set oam radiusAuthentication radiusServer s1 vsaVendorType 1
#
set oam radiusAuthentication retryCriteria oosDuration 120
set oam radiusAuthentication retryCriteria retryCount 2
set oam radiusAuthentication retryCriteria retryTimer 2000
#
show oam radiusAuthentication
radiusServer s1 {
    priority           1;
    state              enabled;
    radiusServerIp     10.54.90.107;
    radiusServerPort   1812;
    radiusSharedSecret $3$kAIoEV80OzbOGjefHnQH13BbycnbgbBM;
    mgmtInterfaceGroup mgmt0;
	vsaVendorType      1;
}
retryCriteria {
    retryTimer  2000;
    retryCount  2;
    oosDuration 120;
}
Note

The radiusSharedSecret results in the 'show' command are encrypted.

The following example enables external RADIUS authentication:

% set system admin TXSBC01a externalAuthenticationEnabled true