The
Since 3.1 release,
Since the RADIUS protocol does not provide a means to assign users to a group, the implementation currently hard codes every RADIUS authenticated user to the Administrator group.
The
To configure RADIUS authentication for
When a user is authenticated via RADIUS, the user is assigned to a group provided by the RADIUS server as part of the ACCESS_ACCEPT packet.
If EMS is used for RADIUS authentication, the group information is passed in a VSA message as plain text after the vendor ID. The string start with "Sonus-Groups". No Vendor-specific formatting is used by EMS.
For SBC RADIUS authentication, RADIUS server is configured to return the group name using a VSA in ACCESS_ACCEPT packet. The VSA should be in the following format.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Vendor-Id +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Vendor-Id (cont) | Vendor type | Vendor length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Attribute-Specific... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
The Vendor-Id is a SMI Network Management Private Enterprise Code of the vendor Sonus as specified in RFC 2865.
If the RADIUS server does not provide a group or provides a group name which is not present in the SBC in the ACCESS_ACCEPT response, the user is denied access, and a log is written to the SECURITY event log stipulating that SBC received an invalid group name from the RADIUS server.
The SBC is enhanced in this release to configure up to three RADIUS servers per SBC with the addition of radiusServer
and retryCriteria
parameters to radiusAuthentication
configuration object.
When more than one RADIUS server is configured and RADIUS authentication is attempted, the server configured with the least priority value is tried first. If fallback is configured, the inverse priority order is followed to pick the next server for authentication. SBC allows a configurable number of retries and time-outs before retry.
Once the SBC sends an ACCESS_REQUEST, it waits until a configured amount of time (retryTimer
) before resending the ACCESS_REQUEST. After a configurable number of failed attempts (retryCount
), the RADIUS server is marked as unavailable, or out of service (OOS) for a configured amount of time (oosDuration
), and the SBC moves to the next configured RADIUS server based on the configured priority. Once all RADIUS servers are attempted and deemed unreachable (or no responses are received), the SBC falls back to Local Authentication (if Local Authentication is enabled).
An administrator can manually return an OOS RADIUS server back into service by setting radiusServer state
flag first to disabled
, and then back to enabled
setting.
SBC includes statistics to check the status of a RADIUS server, as well as the time when an unavailable server automatically becomes available again. See "radiusAuthentication" statistic details at show table oam or show status oam pages.
RADIUS authentication not supported for REST interface.
To enable remote authentication:
Change to the Configuration mode:
> configure private
Execute the following command:
% set system admin <system name> localAuthenticationEnabled false externalAuthenticationEnabled true
To configure the remote RADIUS Server:
Log on to SBC CLI.
Change to the Configuration mode:
> configure private
Execute the following command:
% set oam radiusAuthentication radiusServer <server name> mgmtInterfaceGroup <string> priority <#> radiusNasIp <x.x.x.x> radiusServerIp <x.x.x.x> radiusServerPort <#> radiusSharedSecret <8-128> state <disabled | enabled> retryCriteria oosDuration <# minutes> retryCount <#> retryTimer <# milliseconds>