RSA Security 6.1 manual

A good user manual

The rules should oblige the seller to give the purchaser an operating instruction for RSA Security 6.1 along with the item. The lack of an instruction, or false information given to the customer, constitutes grounds for a complaint on the basis of nonconformity of the goods with the contract. In accordance with the law, a customer can receive the instruction in non-paper form; lately, graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instruction be unmistakable and legible.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction for RSA Security 6.1 one can find a process description. An instruction's purpose is to teach, and to ease the start-up and use of an item or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a guide.

Unfortunately, only a few customers devote their time to reading the instruction for RSA Security 6.1. A good user manual introduces us to a number of additional functions of the purchased item, and also helps us avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual for RSA Security 6.1 should contain:
- information concerning the technical data of RSA Security 6.1
- the name of the manufacturer and the year of construction of the RSA Security 6.1 item
- rules of operation, control and maintenance of the RSA Security 6.1 item
- safety signs and mark certificates which confirm compliance with the appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and of certainty about the functions of purchased items. Unfortunately, networking and start-up of RSA Security 6.1 alone are not enough. An instruction contains a number of hints concerning the respective functions, safety rules, maintenance methods (which means should be used), possible defects of RSA Security 6.1, and methods of problem resolution. Eventually, when one still can't find the answer to a problem, one will be directed to the RSA Security service. Lately, animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will familiarize himself with the whole material, and won't skip the complicated, technical information about RSA Security 6.1.

Why should one read the manuals?

It is mostly in the manuals that we find the details concerning the construction and capabilities of the RSA Security 6.1 item, its use with the respective accessories, and information concerning all its functions and facilities.

After a successful purchase of an item one should find a moment to get to know every part of the instruction. Currently the manuals are carefully prepared and translated, so they can be fully understood by their users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    RSA RADIUS Server 6.1 Administrator’s Guide Powered by Steel-Belted Radius®[...]

  • Page 2

    Contact Information See our web site for regional Customer Support telephone and fax numbers. RSA Security Inc. RSA Security Ireland Limited www.rsasecurity.com www.rsasecurity.ie Copyright Copyright © 2005 RSA Security, Inc. All rights reserved. No part of this document may be reproduced, modified, distributed, sold, leased, transferre[...]

  • Page 3

    • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. • The name of Cambridge Broadband Ltd. may not be used to endorse or promote products derived from this software without specific prior w[...]

  • Page 4

    Sun Microsystems, Solaris, and all Sun-based trademarks and logos, Java, HotJava, JavaScript, the Java Coffee Cup Logo, and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Raima, Raima Database Manager and Raima Object Manager are trademarks of Bi[...]

  • Page 5

    RSA RADIUS Server 6.1 Administrator’s Guide Contents v Contents About This Guide Audience ........ ix What’s In This Manual ........ ix [...]

  • Page 6

    vi Contents September 2005 Chapter 2 Installing the RSA RADIUS Server Before You Begin ........ 19 Required Files ........ 19 Data Migration/Registrat[...]

  • Page 7

    RSA RADIUS Server 6.1 Administrator’s Guide Contents vii Chapter 5 Administering Profiles About Profiles ........ 51 Adding a Checklist or Return List Attribute for a Profile ........ 51 Resolving Profile and User Att[...]

  • Page 8

    viii Contents September 2005 Appendix A Using the LDAP Configuration Interface LDAP Configuration Interface File ........ 81 About the LDAP Configuration Interface ........ 82 LDAP Utilities ........[...]

  • Page 9

    RSA RADIUS Server 6.1 Administrator’s Guide About This Guide ix About This Guide The RSA RADIUS Server 6.1 Administrator’s Guide describes how to install, configure, and administer the RSA RADIUS Server software on a server running the Solaris operating system, the Linux operating system, or the Windows 2000 or Windows Server 2003 opera[...]

  • Page 10

    x About This Guide September 2005 • Chapter 4, “Administering RADIUS Clients,” describes how to set up remote access server (RAS) devices as RSA RADIUS Server clients. • Chapter 5, “Administering Profiles,” describes how to set up user profiles to simplify user administration. • Chapter 7, “Administering RADIUS Servers,”[...]

  • Page 11

    RSA RADIUS Server 6.1 Administrator’s Guide About This Guide xi • Angle brackets < > enclose a list from which you must choose an item in format and syntax descriptions. • A vertical bar ( | ) separates items in a list of choices. In the following example, you must specify add or replace (but not both): [AttributeName] <add |[...]

  • Page 12

    xii About This Guide September 2005 • Internet-Draft, “The Protected One-Time Password Protocol (EAP-POTP)”, M. Nystrom, June 2005. ftp://ftp.rsasecurity.com/pub/otps/eap/draft-nystrom-eap-potp-02.html Third-Party Products For more information about configuring your access servers and firewalls, consult the manufacturer’s documen[...]

  • Page 13

    RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 1 Chapter 1 About RSA RADIUS Server RSA RADIUS Server is a complete implementation of the industry-standard RADIUS (Remote Authentication Dial-In User Service) protocols. RSA RADIUS Server is designed to meet the access control and policy management requirements o[...]

  • Page 14

    2 About RSA RADIUS Server September 2005 • Centralized configuration management (CCM) provides simplified configuration management and automatic data distribution for multi-server environments. • Authentication logs provide a complete audit trail of user authentication activity and administrative transactions. • Encryption of communication b[...]

  • Page 15

    RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 3 Figure 1 RSA RADIUS Authentication 1 A RADIUS access client, who could be a dial-in user, a mobile user with wireless network access, or someone working at a remote office, sends an authentication request to a remote access server (RAS), which might be a wireless[...]

  • Page 16

    4 About RSA RADIUS Server September 2005 If the user ID is not found or if the passcode is not appropriate for the specified user, the RSA Authentication Manager returns a message indicating the passcode is not accepted (6b). 7 If the RSA RADIUS server receives a message indicating the passcode is accepted, it forwards a RADIUS Access-A[...]

  • Page 17

    RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 5 Each RADIUS packet supports a specific purpose: authentication or accounting. A packet can contain values called attributes. The attributes found in each packet depend upon the type of packet (authentication or accounting) and the device that sent it (for example[...]

  • Page 18

    6 About RSA RADIUS Server September 2005 • The RADIUS shared secret to be used by the RSA RADIUS Server and the client device. For information on RADIUS shared secrets, see “Shared Secrets” on page 6. • The UDP ports on which to send and receive RADIUS authentication and accounting packets. RSA RADIUS Server uses UDP ports 1645 and[...]

  • Page 19

    RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 7 RADIUS Secret A RADIUS shared secret is a case-sensitive password used to validate communications between a RADIUS server, such as RSA RADIUS Server, and a RADIUS client, such as an Access Point (AP) or Remote Access Server (RAS). RSA RADIUS Server supports share[...]

  • Page 20

    8 About RSA RADIUS Server September 2005 The RSA Authentication Manager software views the RSA RADIUS Server service as a host agent. Communication between RSA RADIUS Server and RSA Authentication Manager uses specific UDP ports, which are configured during installation. To prevent “masquerading” by unauthorized hosts, you configure RS[...]

  • Page 21

    RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 9 Accounting To understand the RSA RADIUS Server accounting sequence, you need an overview of RADIUS accounting messages. Table 2 describes the conditions under which each type of message is issued, and the purpose of any RADIUS attributes that a message contains.[...]

  • Page 22

    10 About RSA RADIUS Server September 2005 Accounting Sequence A RAS can issue an Accounting-Request whenever it chooses, for example upon establishing a successful connection. Each time an Accounting-Request message arrives at the RSA RADIUS Server, an accounting transaction begins. During this transaction, the server handles the messa[...]

  • Page 23

    RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 11 Tunneled Accounting During authentication, a user is typically identified by attributes such as User-Name (in the authentication request) and Class (in the authentication accept response). Standard RADIUS accounting requests typically include these attributes in me[...]

  • Page 24

    12 About RSA RADIUS Server September 2005 6 The server processes the accounting request locally. To implement tunneled accounting, you must configure the classmap.ini file to specify how attributes should be presented, and you must configure the spi.ini file to specify the keys that are used to encrypt and decrypt users’ identity informat[...]

  • Page 25

    RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 13 nonstandard attributes that it encounters in the packet. Standard RADIUS attributes are always defined by the radius.dct file. If you do not know the make/model for a RADIUS client, choose the default option: - Standard Radius -. For the most part, the selections curr[...]

  • Page 26

    14 About RSA RADIUS Server September 2005 During authentication, RSA RADIUS Server filters the checklist based on the dictionary for the RADIUS client that sent the authentication request. The server ignores any checklist attribute that is not valid for this device. Return List Attributes A return list is a list of attributes that RS[...]

  • Page 27

    RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 15 Framed-Compression attribute to appear twice in the return list: once with the value VJ-TCP-IP-header-compression and once with the value IPX-header-compression. Orderable Attributes Certain multi-valued return list attributes are also orderable; that is, the attrib[...]

  • Page 28

    16 About RSA RADIUS Server September 2005 If an attribute appears once in the checklist marked as default, and the same attribute appears in the return list marked as echo, the server echoes the actual value of the attribute in the RADIUS response if the attribute appears in the RADIUS request. If the attribute does not appear in the RA[...]

  • Page 29

    RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 17 The Primary RADIUS Server maintains a list of the Replica RADIUS Servers that have registered with it. The Primary RADIUS Server uses this list to track which servers to notify after it publishes an updated configuration package to resynchronize the configuration[...]

  • Page 30

    18 About RSA RADIUS Server September 2005 Recovering a Replica After a Failed Download If a Replica RADIUS Server fails during the download of a configuration package, its configuration may be corrupted or it may have a stale secret. For information on how to recover a Replica after a failed download, refer to “Recovering a Replica A[...]

  • Page 31

    RSA RADIUS Server 6.1 Administrator’s Guide Installing the RSA RADIUS Server 19 Chapter 2 Installing the RSA RADIUS Server The RSA RADIUS Server software package includes the server software and various dictionary and configuration files to support authentication and accounting. This chapter describes how to install the RSA RADIUS Serv[...]

  • Page 32

    20 Installing the RSA RADIUS Server September 2005 attributes, and return list attributes; and RSA SecurID prompts used to format messages to users. Data migration also registers the RSA RADIUS Server as an agent host with RSA Authentication Manager. Registration information includes the server type (Primary or Replica), fully qualifie[...]

  • Page 33

    RSA RADIUS Server 6.1 Administrator’s Guide Installing the RSA RADIUS Server 21 Installing the RSA RADIUS Server To install the RSA RADIUS Server software on a Windows host: 1 Log on to the Windows server. 2 Run the RSA RADIUS Server software installation from a CD or from a network server. • Using the CD-ROM installer – If you want[...]

  • Page 34

    22 Installing the RSA RADIUS Server September 2005 click the Browse button to locate the directory containing the sdconf.rec, radius.cer, server.cer, and radius.key files on your network. 9 When the Primary RSA RADIUS Server window opens, specify the replication secret used to authenticate communications between the Primary RADIUS Serve[...]

  • Page 35

    RSA RADIUS Server 6.1 Administrator’s Guide Installing the RSA RADIUS Server 23 Installing on Solaris This section describes how to install and uninstall the RSA RADIUS Server on a Solaris server. System Requirements The RSA RADIUS Server software package includes the server daemon and various dictionary and database files to support u[...]

  • Page 36

    24 Installing the RSA RADIUS Server September 2005 -identity Specifies whether you are installing a Primary or Replica RADIUS Server. Valid values are PRIMARY and REPLICA. Default value is PRIMARY. -migrate Indicates you want to run the RSA RADIUS Server migration utility (rsainstalltool), which transfers RADIUS settings from an older vers[...]

  • Page 37

    RSA RADIUS Server 6.1 Administrator’s Guide Installing the RSA RADIUS Server 25 Installing the RSA RADIUS Server Software The following procedure describes how to install the RSA RADIUS Server software on a Solaris server. Some of the steps in the procedure are omitted if you specify the -silent option for the install_rsa.sh command. 1 Lo[...]

  • Page 38

    26 Installing the RSA RADIUS Server September 2005 5 Specify the directory where you want to install the RSA RADIUS Server files. By default, the installation script puts the /rsa/radius directory files in the /opt directory (that is, /opt/rsa/radius). Enter install path [/opt]: 6 If you are installing the RSA RADIUS Server software on a[...]

  • Page 39

    RSA RADIUS Server 6.1 Administrator’s Guide Installing the RSA RADIUS Server 27 Enter primary host secret: 13 If you are installing a Primary RADIUS Server on a host running an earlier version of the RSA Authentication Manager software, specify whether you want to migrate data to the current installation. Do you want to migrate data from[...]

  • Page 40

    28 Installing the RSA RADIUS Server September 2005 5 Type y when you are asked to confirm that you want to uninstall the RSA RADIUS Server software. Confirm removal of sbr-rsa_1.0-1 (y/n) [y]? y Removing /etc/rc2.d/S90radius script. Removing /etc/rc2.d/K90radius script. Removal of <RSARadius> was successful. RSARadius removed. Migrat[...]

  • Page 41

    RSA RADIUS Server 6.1 Administrator’s Guide Installing the RSA RADIUS Server 29 Installing on Linux This section describes how to install and uninstall the RSA RADIUS Server software on a Linux server. System Requirements The RSA RADIUS Server software package includes the server daemon and various dictionary and database files to su[...]

  • Page 42

    30 Installing the RSA RADIUS Server September 2005 -identity Specifies whether you are installing a Primary or Replica RADIUS Server. Valid values are PRIMARY and REPLICA. Default value is PRIMARY. -migrate Indicates you want to run the RSA RADIUS Server migration utility (rsainstalltool), which transfers RADIUS settings from an older vers[...]

  • Page 43

    RSA RADIUS Server 6.1 Administrator’s Guide Installing the RSA RADIUS Server 31 Installing the RSA RADIUS Server Software The following procedure describes how to install the RSA RADIUS Server software on a Linux server. Some of the steps in the procedure are omitted if you specify the -silent option for the install_rsa.sh command. 1 Log[...]

  • Page 44

    32 Installing the RSA RADIUS Server September 2005 5 Specify the directory where you want to install the RSA RADIUS Server files. By default, the installation script puts the /rsa/radius directory files in the /opt directory (that is, /opt/rsa/radius). Enter install path [/opt]: 6 If you are installing the RSA RADIUS Server software on a[...]

  • Page 45

    RSA RADIUS Server 6.1 Administrator’s Guide Installing the RSA RADIUS Server 33 12 Specify the host secret used to authenticate communication between the Primary RADIUS Server and Replica RADIUS Servers. Enter primary host secret: 13 If you are installing a Primary RADIUS Server on a host running an earlier version of the RSA Authentic[...]

  • Page 46

    34 Installing the RSA RADIUS Server September 2005 Uninstalling the RSA RADIUS Server Software To uninstall the RSA RADIUS Server software: 1 Stop the RADIUS daemon currently running on your server. 2 Back up your RSA RADIUS Server directory. 3 Log into the Linux server as root. 4 Type the following command to uninstall the[...]

  • Page 47

    RSA RADIUS Server 6.1 Administrator’s Guide Using RSA RADIUS Administrator 35 Chapter 3 Using RSA RADIUS Administrator The RSA RADIUS Administrator is a Java-based application that enables you to configure settings for the RSA RADIUS Server. This chapter presents an overview of how to use the RSA RADIUS Administrator. Running RSA RADIUS[...]

  • Page 48

    36 Using RSA RADIUS Administrator September 2005 Navigating in RSA RADIUS Administrator Figure 4 illustrates the RSA RADIUS Administrator user interface. This section describes how to use the RSA RADIUS Administrator menus and toolbar. Figure 4 RSA RADIUS Administrator User Interface RSA RADIUS Administrator Menus The main RSA RADIUS Administr[...]

  • Page 49

    RSA RADIUS Server 6.1 Administrator’s Guide Using RSA RADIUS Administrator 37 Panel Menu Table 9 describes the functions of each entry in the Panel menu in the RSA RADIUS Administrator. Print Prints the information in the active window. When you print the information in a panel, RSA RADIUS Administrator preserves the column spacing used on[...]

  • Page 50

    38 Using RSA RADIUS Administrator September 2005 Web Menu Table 10 describes the functions of each entry in the Web menu in the RSA RADIUS Administrator. Help Menu Table 11 describes the functions of each entry in the Help menu in the RSA RADIUS Administrator. RSA RADIUS Administrator Toolbar After you log on to the RSA RADIUS Server[...]

  • Page 51

    RSA RADIUS Server 6.1 Administrator’s Guide Using RSA RADIUS Administrator 39 Figure 5 RSA RADIUS Administrator Toolbar RSA RADIUS Administrator Windows This section summarizes how to use RSA RADIUS Administrator windows and controls. Adding an Entry To add an entry to the RSA RADIUS Server database, open the appropriate panel and click t[...]

  • Page 52

    40 Using RSA RADIUS Administrator September 2005 RSA RADIUS Administrator displays an Add window. A sample Add window appears in Figure 6. Figure 6 Sample Add Window Every object of the same type must have a unique name. If the name you assign to an item is already being used by another item of the same type, the RSA RADIUS Administrator disp[...]

  • Page 53

    RSA RADIUS Server 6.1 Administrator’s Guide Using RSA RADIUS Administrator 41 Figure 7 Sample Edit Window Cutting/Copying/Pasting Records Panels displaying tables of items have Cut, Copy, and Paste buttons in the toolbar. You can choose an item from the display and cut or copy it to the Clipboard, and then add a new record to the display b[...]

  • Page 54

    42 Using RSA RADIUS Administrator September 2005 Figure 8 Sample Paste Window Resizing Columns You can resize columns in an RSA RADIUS Administrator table by dragging the column header boundary to the left or right. Changing Column Sequence You can change the sequence of columns in an RSA RADIUS Administrator table by dragging the colum[...]

  • Page 55

    RSA RADIUS Server 6.1 Administrator’s Guide Using RSA RADIUS Administrator 43 If you right-click a blank area in an RSA RADIUS Administrator window, the context menu displays a different set of options. For example, if you right-click a blank space in the RADIUS Client panel, the context menu provides options for refreshing the display and[...]

  • Page 56

    44 Using RSA RADIUS Administrator September 2005 3 When the Add a License for Server window (Figure 10) opens, enter the license key and click OK. When the server displays a confirmation message, click OK. Figure 10 Add a License for Server Window 4 Restart your RSA RADIUS Server. Exiting the RSA RADIUS Administrator To close the RS[...]

  • Page 57

    RSA RADIUS Server 6.1 Administrator’s Guide Administering RADIUS Clients 45 Chapter 4 Administering RADIUS Clients A RADIUS client is a network device or software application that interfaces with the RSA RADIUS Server when it needs to authenticate a user or to record accounting information about a network connection. This chapter describ[...]

  • Page 58

    46 Administering RADIUS Clients September 2005 Adding a RADIUS Client To add a RADIUS client: 1 Open the RADIUS Clients panel. 2 Click the Add button. The Add RADIUS Client window (Figure 12) opens. Figure 12 Add RADIUS Client Window 3 Enter the name of the RADIUS client in the Name field. Although you can assign any name to a RADIUS client[...]

  • Page 59

    RSA RADIUS Server 6.1 Administrator’s Guide Administering RADIUS Clients 47 4 Enter the IP address or DNS name of the RADIUS client in the IP Address field. If you enter a DNS name, the RSA RADIUS Administrator resolves the name you enter to its corresponding IP address and displays the result in the IP Address field. See “Shared Secrets”[...]

  • Page 60

    48 Administering RADIUS Clients September 2005 d Click OK. You must enter the same accounting shared secret when you configure the RADIUS client. 8 Optionally, indicate whether you want to enable keepalive processing and specify how long the server waits for RADIUS packets from the client before assuming connectivity has been lost. If you clic[...]

  • Page 61

    RSA RADIUS Server 6.1 Administrator’s Guide Administering RADIUS Clients 49 2 Select the RADIUS client entry you want to delete. 3 Click the Delete button on the RSA RADIUS Administrator toolbar. 4 When you are prompted to confirm the deletion request, click Yes.[...]

  • Page 62

    50 Administering RADIUS Clients September 2005[...]

  • Page 63

    RSA RADIUS Server 6.1 Administrator’s Guide Administering Profiles 51 Chapter 5 Administering Profiles This chapter describes how to set up and administer user profiles. About Profiles RSA RADIUS Server lets you define default templates of checklist and return list attributes called profiles. A profile provides specific attributes for one[...]

  • Page 64

    52 Administering Profiles September 2005 Resolving Profile and User Attributes If user-specific attributes are stored in the RSA Authentication Manager database, RSA RADIUS Server determines the final set of attributes for a user by merging the attributes stored in the user’s profile with user-specific attributes from the RSA Authentication[...]

  • Page 65

    RSA RADIUS Server 6.1 Administrator’s Guide Administering Profiles 53 Setting Up Profiles The Profiles panel (Figure 15) lets you define standard sets of checklist and return list attributes. You can then associate these profiles with users in the RSA Authentication Manager to simplify user administration. Figure 15 Profiles Panel Adding a[...]

  • Page 66

    54 Administering Profiles September 2005 4 Optionally, enter a description for the profile in the Description field. 5 Add checklist and return list attributes to the profile. a Click the Checklist tab or the Return list tab. b Click Add. The Add Checklist Attribute window or the Add Return List Attribute window (Figure 17) opens. Figure[...]

  • Page 67

    RSA RADIUS Server 6.1 Administrator’s Guide Administering Profiles 55 f When you are finished adding attribute/value pairs, click Close to return to the Add Profile window. 6 Click OK to save the profile. Removing a Profile To remove a profile: 1 Open the Profiles panel. 2 Select the entry for the profile you want to remove. 3 Click th[...]

  • Page 68

    56 Administering Profiles September 2005[...]

  • Page 69

    RSA RADIUS Server 6.1 Administrator’s Guide Displaying Statistics 57 Chapter 6 Displaying Statistics The Statistics panel lets you display statistics for authentication and accounting transactions by a RADIUS server or RADIUS client. You can also use the Statistics panel to see how long RSA RADIUS Server has been running. Displaying Ser[...]

  • Page 70

    58 Displaying Statistics September 2005 Figure 18 Statistics Panel: System Authentication Statistics Table 13 explains the fields on the Authentication tab and describes possible causes for authentication rejections. Table 13. Authentication Statistics Authentication Statistic Meaning Transactions Accepts The current, average[...]

  • Page 71

    RSA RADIUS Server 6.1 Administrator’s Guide Displaying Statistics 59 Silent Discards The number of requests in which the client could not be identified since the last time authentication statistics were reset. This might occur if a RADIUS client entry cannot be found for a device with the name and/or IP address of a device requesting authenti[...]

  • Page 72

    60 Displaying Statistics September 2005 Displaying Server Accounting Statistics Accounting statistics provide information such as the number of transaction starts and stops and the reasons for rejecting attempted transactions. The transaction start and stop numbers rarely match, as many transactions can be in progress at any given time.[...]

  • Page 73

    RSA RADIUS Server 6.1 Administrator’s Guide Displaying Statistics 61 Table 14 describes the accounting statistics and suggested actions in italics (if appropriate). Table 14. Accounting Statistics Accounting Statistic Meaning Transactions Starts The current, average, and peak number of transactions in which a connection was started[...]

  • Page 74

    62 Displaying Statistics September 2005 Resetting Server Statistics To reset authentication and accounting statistics for an RSA RADIUS server to zero: 1 Open the Statistics panel. 2 Select the server for which you want to reset statistics in the Server list. 3 Click the System tab. 4 Click the View list and choose Accounting or Authenti[...]

  • Page 75

    RSA RADIUS Server 6.1 Administrator’s Guide Displaying Statistics 63 5 Optionally, sort the messages by clicking a column header. NOTE: The RADIUS client statistics are not displayed dynamically. To see the most recent statistics for a RADIUS client, click the Refresh button in the toolbar. Figure 20 Statistics Panel: RADIUS Client Stat[...]

  • Page 76

    64 Displaying Statistics September 2005[...]

  • Page 77

    RSA RADIUS Server 6.1 Administrato r’s Guide Administering RADIUS Servers 65 Chapter 7 Administering RADIUS Ser v er s RSA RADIUS Ser ver supports the re plication of RADIUS configuration data from a Primar y RADIUS Server to a maximum of 10 Replica RADIUS Ser vers within a realm on a customer net w ork. All the ser vers within a realm reflect t [...]

  • Page 78

    66 Administering RADIUS Servers September 2005 R eplica tion P anel The Replicat ion panel ( Figure 21 ) lists you r Primar y and R eplica RADIUS Ser vers and indicates whether the c onfiguration of each ser ver is current. Figure 21 Replication Panel Adding a RADIUS Ser v er Manually Under most circumstances , R eplica RADIUS Ser vers register the[...]

  • Page 79

    RSA RADIUS Server 6.1 Administrato r’s Guide Administering RADIUS Servers 67 Figure 22 Add Server W indow 3 Enter the name of the RADIUS ser ver in the Name field. Although you can assign any name to a RADIUS ser ver , you should use the device's hostname to a void conf usion. 4 Enter the replication secret for the RADIUS ser ver in the Secr[...]

  • Page 80

    68 Administering RADIUS Servers September 2005 Enabling a RADIUS Ser v er T o enable a RADIUS ser ver: 1 Open the Replication pa nel. 2 Select the RADIUS ser ver you want to enable and click the Edit button (or double-click the RADIUS ser ver entry). The Ed it S erv er w in do w ( Figure 24 ) opens . Figure 24 Edit Server Window 3 Click the Enabled[...]

  • Page 81

    RSA RADIUS Server 6.1 Administrato r’s Guide Administering RADIUS Servers 69 Publishing Ser ver Configura tion Infor mation If you chan g e the c on fi gur at io n o f yo ur Pr im ar y R AD IU S S er ver, you mus t publish the modified configuration so that your R eplica RADIUS Ser vers can download the modified settings . T o publish ser ver con[...]

  • Page 82

    70 Administering RADIUS Servers Designating a New Primary RADIUS Server You can change which server within a realm is designated as the Primary RADIUS Server for that realm. To designate a new Primary RADIUS Server: 1 Stop the RADIUS service/daemon on the Replica RADIUS Server. 2 Log into the Replica RADIUS Server as[...]

  • Page 83

    Administering RADIUS Servers 71 2 Log into the Replica RADIUS Server as root (Solaris/Linux) or administrator (Windows). 3 Navigate to the ..RSA RadiusService (Windows) or /opt/rsa/radius (Solaris/Linux) directory. 4 Run the rsainstalltool (Windows) or rsaconfiguretool (Solaris/Linux) utility wit[...]

  • Page 84

    72 Administering RADIUS Servers 4 Run the rsainstalltool (Windows) or rsaconfiguretool (Solaris/Linux) utility with the identity option. To rename a Primary RADIUS Server, enter the following command: # ./rsaconfiguretool -identity PRIMARY To rename a Replica RADIUS Server, enter the following command: # ./rsaconfiguretool[...]

  • Page 85

    Administering RADIUS Servers 73 To regenerate the node secret for a Replica RADIUS Server, enter the following command: # ./rsaconfiguretool -identity REPLICA 5 Restart the RSA RADIUS service. Resetting the RADIUS Database If the RSA RADIUS Server fails, the RADIUS database may remain runn[...]

  • Page 86

    74 Administering RADIUS Servers[...]

  • Page 87

    Logging 75 Chapter 8 Logging This chapter describes how to set up and use logging functions in RSA RADIUS Server. Logging Files The following files establish settings for logging and reporting. Using the RADIUS System Log The RADIUS system log records RADIUS events, such as server startup or[...]

  • Page 88

    76 Logging Level of Logging Detail You can control the level of detail recorded in the system log files with LogLevel, LogAccept, and LogReject settings. • The LogLevel setting determines the level of detail given in the RADIUS system log file. The LogLevel can be 0, 1, or 2, where 0 is the least amount of information, 1 is [...]

  • Page 89

    Logging 77 By default, RADIUS system log files are located in the RADIUS database directory. You can specify an alternate destination directory in the [Configuration] section of the radius.ini file. Using the Accounting Log RADIUS accounting events are recorded in the accounting log file. Accou[...]

  • Page 90

    78 Logging You can edit the account.ini initialization file to add, remove or reorder the standard RADIUS or vendor-specific attributes that are logged. For more information on the account.ini file, refer to the RSA RADIUS Server 6.1 Reference Guide. First Line Headings The first line of the accounting log file is a file h[...]

  • Page 91

    Logging 79 aligned with their headings. For example, based on the “first line” of headings described above, the following is a valid accounting log entry, in which the value of the Acct-Status-Type attribute is 7: "12/23/1997","12:11:55","RRAS","Account[...]

  • Page 92

    80 Logging Acct-Input-Packets Number of packets received by the port over the connection; present only in STOP records. Acct-Output-Packets Number of packets sent by the port over the connection; present only in STOP records. Acct-Termination-Cause Number that indicates how the session was terminated; present only in STOP records[...]
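    An added example (not code from the RSA RADIUS Server documentation) that reads an accounting log in the header-plus-rows layout described on the preceding pages, maps Acct-Status-Type codes to their RFC 2866 names, and flags STOP-only attributes that appear in other record types. Only the first three values of the first data row come from the guide; the column names, the other rows and the field order are constructed for this example, since the real heading set is determined by account.ini.

```python
"""Parse an accounting log whose first line is a header of attribute names
and whose quoted, comma-separated data rows align with that header."""
import csv
import io

# Acct-Status-Type codes as defined in RFC 2866.
ACCT_STATUS_TYPE = {
    1: "Start", 2: "Stop", 3: "Interim-Update",
    7: "Accounting-On", 8: "Accounting-Off",
}

# Attributes the guide documents as present only in STOP records.
STOP_ONLY = ("Acct-Input-Packets", "Acct-Output-Packets", "Acct-Termination-Cause")

# Constructed sample log: column names and rows are assumptions for this example.
SAMPLE_LOG = (
    '"Date","Time","RAS-Client","Acct-Status-Type","User-Name","Acct-Session-Id",'
    '"Acct-Input-Packets","Acct-Output-Packets","Acct-Termination-Cause"\n'
    '"12/23/1997","12:11:55","RRAS","7","","","","",""\n'
    '"12/23/1997","12:12:03","RRAS","1","alice","0001","","",""\n'
    '"12/23/1997","12:20:17","RRAS","2","alice","0001","1540","2210","1"\n'
    '"12/23/1997","12:21:00","RRAS","1","bob","0002","77","",""\n'
)


def parse_accounting_log(text):
    """Return one dict per data row, keyed by the first-line headings.
    A row whose field count differs from the header is a malformed line."""
    reader = csv.reader(io.StringIO(text))
    headings = next(reader)
    records = []
    for lineno, row in enumerate(reader, start=2):
        if len(row) != len(headings):
            raise ValueError(f"line {lineno}: {len(row)} fields, header has {len(headings)}")
        records.append(dict(zip(headings, row)))
    return records


def status_name(record):
    """Translate the numeric Acct-Status-Type into its RFC 2866 name."""
    code = record.get("Acct-Status-Type", "")
    if not code:
        return "Missing"
    return ACCT_STATUS_TYPE.get(int(code), f"Unknown({code})")


def find_anomalies(records):
    """List (line number, message) for STOP-only attributes found in non-STOP records."""
    problems = []
    for lineno, rec in enumerate(records, start=2):
        name = status_name(rec)
        if name != "Stop":
            problems.extend((lineno, f"{attr} set in {name} record")
                            for attr in STOP_ONLY if rec.get(attr))
    return problems
```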

  • Page 93

    Using the LDAP Configuration Interface 81 Appendix A Using the LDAP Configuration Interface The LDAP Configuration Interface (LCI) is an optional add-on to RSA RADIUS Server. You must enter a separate license number and restart RSA RADIUS Server to activate LCI functions. After the license[...]

  • Page 94

    82 Using the LDAP Configuration Interface About the LDAP Configuration Interface The LDAP Configuration Interface (LCI) consists of an LDAP interface in the RSA RADIUS Server and an LDAP virtual schema. The LDAP virtual schema enables the LDAP interface to translate LDAP requests into a format that can be understood by[...]

  • Page 95

    Using the LDAP Configuration Interface 83 in a specified file. Because ldapmodify uses LDIF update statements, ldapmodify can do everything ldapdelete can do. • ldapdelete – The ldapdelete utility deletes entries from an existing LDAP directory. ldapdelete opens a connection to the specifie[...]

  • Page 96

    84 Using the LDAP Configuration Interface • nsldapssl32v30.dll (if you are on a Windows host) • libldap30.so (if you are on a Solaris host) To run the LDAP utilities, execute them from this directory. If you set the path environment variable to point to this directory, you can run them from any location on the system. NOT[...]

  • Page 97

    Using the LDAP Configuration Interface 85 199.198.197.196 196.197.198.199 If the [LDAP Addresses] section is omitted or empty, RSA RADIUS Server listens for LCI requests on all bound IP interfaces. 3 Specify the same port number using the -p option on the LDAP command line. For example: ldapsearc[...]

  • Page 98

    86 Using the LDAP Configuration Interface Figure 27 LDAP Schema (Slide 2 of 4) cn=admin radiusstatus=sessions_by_calling_station calling-station-id=<dialing number> called-station-id=<dialed number> radiusstatus=sessions_by_called_station username=<user name> radiusstatus=sessions_by_user radiusstatus=sess[...]

  • Page 99

    Using the LDAP Configuration Interface 87 Figure 28 LDAP Schema (Slide 3 of 4) Available Attributes: accept <number> reject <number> silent-discard <number> total-transactions <number> invalid-request <number> failed-authentication <number> failed-on-check-list <[...]

  • Page 100

    88 Using the LDAP Configuration Interface Figure 29 LDAP Schema (Slide 4 of 4) While the LDAP virtual schema diagram shows as much of the detail of the LDAP virtual schema as possible, the following rules and limitations should be considered. • Bind request – All attempts to perform operations on the virtual schema must be[...]

  • Page 101

    Using the LDAP Configuration Interface 89 • Substrings – There are several places where a list of strings is the value of an attribute. The rule for specifying the data portion for these lists is that semicolons must delimit the substrings. For example, a DNIS list for a tunnel entry might be[...]

  • Page 102

    90 Using the LDAP Configuration Interface LDAP Command Examples This section explains how to use the LDAP commands ldapdelete, ldapmodify, and ldapsearch to configure the server. Each example describes the LDAP command line options in detail. Note that a space must appear between each LDAP command option (for example, -[...]

  • Page 103

    Using the LDAP Configuration Interface 91 Modifying Records You can use the ldapmodify command to modify the RSA RADIUS Server configuration. ldapmodify -c -V2 -h hostname -p 354 -D "cn=oper,o=radius" -w radadmin -f filename -s sub Recursion is to be used starting at the base. -T To make t[...]

  • Page 104

    92 Using the LDAP Configuration Interface NOTE: You can also use the -h option with ldapmodify to specify the name of a remote host on which the LDAP interface is available. Run the LDAP utilities remotely only if you are convinced that unauthorized snooping on the network between the LDAP client and server is not an issue. Th[...]

  • Page 105

    Using the LDAP Configuration Interface 93 The following syntax is valid if the same keyword applies throughout the transaction: dn: distinguished-name-of-entry changetype: keyword subkeyword: attribute attribute: value subkeyword: attribute attribute: value subkeyword: attribute attribute: value . . [...]

  • Page 106

    94 Using the LDAP Configuration Interface changetype: add. Once your editing is complete, run an ldapmodify -f command that references the new LDIF file. When the ldapmodify command finishes processing, your new database is populated with the records you extracted from the old database. Deleting Records You can use the ldapdel[...]

  • Page 107

    Using the LDAP Configuration Interface 95 This file can be passed to the ldapmodify command as follows: ldapmodify -V2 -h hostname -p 667 -D "cn=admi,o=radius" -w password -f deletemodify.ldf Warning: Use caution when deleting items. An error could delete an entire container in some direc[...]

  • Page 108

    96 Using the LDAP Configuration Interface high-auth-threads: 2 high-acct-threads: 0 high-total-threads: 2 stattype: authentication dn: stattype=authentication,radiusstatus=statistics,o=radius objectclass: top objectclass: radiusstatus radiusstatus: statistics stattype: authentication accept: 1 reject: 0 silent-discard: 0 total-tr[...]

  • Page 109

    Using the LDAP Configuration Interface 97 Rate Statistics Rate statistics are derived from other statistics by taking time into consideration. Three types of rate values are calculated for each of these counter statistics: • Current rate statistics identify the rate measured over the most rec[...]

  • Page 110

    98 Using the LDAP Configuration Interface[...]

  • Page 111

    Glossary 99 Glossary 802.1X The IEEE 802.1X standard defines a mechanism that allows a supplicant (client) to connect to a wireless access point or wired switch (authenticator) so that the supplicant can provide authentication credentials that can be verified by an authentication server. AAA Aut[...]

  • Page 112

    100 Glossary CA Certificate authority. A trusted entity that registers the digital identity of a site or individual and issues a digital certificate that guarantees the binding between the identity and the data items in a certificate. CCM Centralized configuration management. The process by which information is shared [...]

  • Page 113

    Glossary 101 IETF Internet Engineering Task Force. Technical subdivision of the Internet Architecture Board that coordinates the development of Internet standards. MIB Management Information Base. NAS Network Access Server. Network device that accepts connection requests from remote users[...]

  • Page 114

    102 Glossary information about users and administering multiple security systems across complex networks. RAS Remote Access Server. Network device that accepts connection requests from remote users, authenticates users through RADIUS, and routes users onto the network. Identical in meaning to NAS. realm A logical groupin[...]

  • Page 115

    Glossary 103 tokencode The pseudorandom number that is displayed on the LCD of a hardware token or generated by a software token during logon. TLS Transport Layer Security. TTLS Tunneled Transport Layer Security. UTC Universal Time Coordinated. Also known as Greenwich Mean Time (GMT) or[...]

  • Page 116

    104 Glossary[...]

  • Page 117

    Index 105 Index Numerics 802.1X 1 A access client 3 accounting 2 Acct-Authentic 79 Acct-Delay-Time 79 Acct-Status-Type 79 Acct-Termination-Cause 80 angle brackets, in syntax xi attributes 5 authentication 2 authorization 2 B brackets, in syntax x C centralized configuration management, see CCM[...]

  • Page 118

    106 Index Protected Extensible Authentication Protocol (PEAP) 1 Protected One-Time Password (POTP) 1 Protected One-Time Password, see POTP R RADIUS daemon, starting and stopping 27, 33 radius.dct 12 radiusdir x RAS 3 remote access server, see RAS Replication panel 66 return list attributes 14 RSA Authentication Manager 2, 3,[...]