
Deploying RADIUS Authentication

Task Summary

The following Task Summary lists the tasks required to deploy RADIUS in your configuration.

Deploying RADIUS External Authentication

  1. Task: Install Configuration Server and deploy RADIUS during the installation.
     Related Procedures and Information: This Configuration Server can be the primary or backup configuration server in a redundant configuration, or the Master Configuration Server in a geographically distributed configuration. Use the procedure Deploying RADIUS external authentication during Configuration Server installation.

  2. Task: Modify the RADIUS configuration files.
     Related Procedures and Information: Modify the RADIUS configuration files servers and radiusclient.conf. Refer to Modifying the RADIUS Configuration Files.

  3. Task: (optional) Install as many Configuration Servers as required, deploying RADIUS during the installation.
     Related Procedures and Information: If you are deploying RADIUS in a geographically distributed configuration, install RADIUS on each Configuration Server Proxy using the procedure Deploying RADIUS external authentication on Configuration Server Proxy.

Use the following procedure to deploy RADIUS authentication during Configuration Server installation.

Deploying RADIUS external authentication during Configuration Server installation

Purpose

To install the RADIUS pluggable module for your environment where Configuration Server is installed and/or running.

Start

  1. Begin the installation of Configuration Server.
  2. On the Configuration Server Run Mode page, select Configuration Server Master Primary.
  3. Continue installing Configuration Server.
  4. On the Configuration Server External Authentication page, select Remote Authentication Dial In User Service (RADIUS).
  5. Finish installing Configuration Server.

End

During the installation of Configuration Server, a configuration options section named authentication is added to the configuration file, and is copied into the database when Configuration Server starts (see Configuring the Master Configuration Server). The authentication section indicates that RADIUS external authentication is to be used.

[authentication] Section

This section must be called authentication.


library

  • Default Value: No default value
  • Valid Values: Depends on type configuration option, as follows:

      gauth_radius                All
      gauth_ldap                  All
      gauth_radius, gauth_ldap    Configuration Server, Configuration Server Proxy
      gauth_ldap, gauth_radius    Configuration Server, Configuration Server Proxy
      internal                    Tenant, Person

  • Changes Take Effect: Upon restart of the object for which this option is set
  • Description: Names the section that contains the external authentication parameters. This option is mandatory, and its value is set automatically during installation.

You can deploy both RADIUS and LDAP on the same Configuration Server or Configuration Server Proxy. If this Configuration Server or Configuration Server Proxy was previously configured for another type of authentication, such as LDAP, you must manually add , gauth_radius to the value of this option.

When set to internal, all users associated with the object in which the option is set to this value are validated internally.

Example

The following is an example of the authentication section in a Configuration Server configuration file:

        [authentication]
        library=gauth_radius

Modifying the RADIUS Configuration Files

Pluggable Module Names for RADIUS lists the pluggable modules used for communication with the third-party authentication server.

Pluggable Module Names for RADIUS

  • Windows: gauth_radius.dll
  • Solaris: libgauth_radius_32.so (32-bit version), libgauth_radius_64.so (64-bit version)
  • AIX: libgauth_radius_32.so (32-bit version), libgauth_radius_64.so (64-bit version)
  • Red Hat Linux: libgauth_radius_32.so (32-bit version), libgauth_radius_64.so (64-bit version)

In addition to the pluggable module file, three RADIUS configuration files are copied to the destination directory when you install Configuration Server:

servers —specifies connection parameters of the RADIUS servers.

radiusclient.conf —specifies the RADIUS client parameters.

dictionary —contains communication protocol data.

You must modify the servers and radiusclient.conf files. Do not modify the dictionary file.

Important
Use the pound sign (#) to comment out a line in a configuration file.

Modifying the Servers File

The RADIUS Configuration Authentication Module uses the configuration file servers to determine to which RADIUS server it must connect. Each line of the file contains the connection parameters for one RADIUS server.

For each RADIUS server, specify:

The name or IP address of each RADIUS server.

A key; that is, a word that matches the shared secret word configured for each RADIUS server.

For example:

        #Server Name or Client/Server pair    Key
        #----------------                     ---------------
        server1                               key1
        server2                               key2
        server3                               Key3

Modifying the radiusclient.conf File

The RADIUS Configuration Authentication Module uses the configuration file radiusclient.conf to read its own configuration. In the file, specify values for the following parameters:

authserver —the names or IP addresses of the RADIUS servers. These must be the same values as configured in the servers file. If necessary, also specify a port for the RADIUS server after a colon.

      For example:
        authserver server1:1812 server2:1820 server3
        where:

server1 is the first RADIUS authorization server that will be used.

server2 is the backup RADIUS authorization server that will be used if server1 does not respond.

server3 is the backup RADIUS authorization server that will be used if server2 does not respond.

      If you specify only one RADIUS server, that server will continue to be used whether it responds or not.

radius_retries—The number of authorization retries that will be generated by Configuration Server if the current external authorization server does not respond. Specify a value for this parameter if you are using multiple RADIUS servers. If Configuration Server does not receive a reply within this number of retries, it sends the request to the next RADIUS authentication server specified in the list.

      For example:
        #resend request 6 times before trying the next server
        radius_retries 6
      If you are using only one RADIUS server, requests will always be sent to that server regardless of the value of radius_retries.

radius_timeout—The time, in seconds, that Configuration Server waits for an authorization reply. If Configuration Server does not receive a reply from the current RADIUS server during that time, it sends the request again, either to the same RADIUS server or, if you are using multiple RADIUS servers, to the next RADIUS server after the number of tries specified in radius_retries.

      For example:
        #wait 20 seconds for a reply from the RADIUS server
        radius_timeout 20

default_realm —the extension to add to a user name if the RADIUS server requires names in this format. If a value is specified, the RADIUS module adds it after the @ sign to all user names received from Configuration Server. For example, if you specify

        default_realm genesys.us
      and log in to a Genesys application with the user name scott, the resulting name that the RADIUS client passes to the RADIUS server is
        scott@genesys.us
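
The following added example (not part of the original page and not Genesys code) cross-checks the two files described above: every authserver entry must have a key in the servers file, and a single-server list has no failover. The function names and sample contents are constructed, and worst_case_wait assumes each server is tried radius_retries times with radius_timeout seconds per try.

```python
# Added example, not Genesys code. Function names and sample contents are constructed.

def _fields(text):
    """Yield the whitespace-split fields of each line; a line starting with '#' is a comment."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line.split()

def parse_servers(text):
    """servers file: one 'name key' pair per line -> {name: key}. A '#' inside a key is kept."""
    return {f[0]: f[1] for f in _fields(text) if len(f) >= 2}

def parse_client(text):
    """radiusclient.conf: 'parameter value ...' per line -> {parameter: [values]}."""
    return {f[0]: f[1:] for f in _fields(text)}

def check(servers_text, client_text):
    """Return a list of findings; an empty list means the two files agree."""
    keys, conf = parse_servers(servers_text), parse_client(client_text)
    # Strip the optional ':port' suffix to get the name used in the servers file.
    hosts = [entry.split(":", 1)[0] for entry in conf.get("authserver", [])]
    findings = [] if hosts else ["ERROR no authserver configured"]
    for host in hosts:
        if host not in keys:
            findings.append(f"ERROR {host} is in authserver but has no key in servers")
    for name in keys:
        if name not in hosts:
            findings.append(f"WARN {name} has a key in servers but is not in authserver")
    if len(hosts) == 1:
        findings.append("WARN single RADIUS server: no failover if it stops responding")
    return findings

def worst_case_wait(client_text):
    """Seconds until every listed server is exhausted. Assumption: each server is
    tried radius_retries times and each try waits radius_timeout seconds."""
    conf = parse_client(client_text)
    n = len(conf.get("authserver", []))
    return n * int(conf["radius_retries"][0]) * int(conf["radius_timeout"][0])

# Constructed sample input, modelled on the examples on this page.
SERVERS = "#Server Name Key\nserver1 key1\nserver2 key2\n"
CLIENT = ("authserver server1:1812 server2:1820 server3\n"
          "radius_retries 6\nradius_timeout 20\n")

if __name__ == "__main__":
    for finding in check(SERVERS, CLIENT):
        print(finding)
    print("worst-case wait:", worst_case_wait(CLIENT), "seconds")
```

With the sample input, server3 is reported because it is listed in authserver but has no shared secret in the servers file.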

Deploying RADIUS on Configuration Server Proxy

In geographically distributed systems prior to release 8.0, RADIUS external authentication was configured only on the Master Configuration Server, and each Configuration Server Proxy passed authentication requests to it.

Starting in release 8.0, RADIUS External Authentication can be configured on the Master Configuration Server and on each Configuration Server Proxy. Therefore, each Configuration Server Proxy can process authentication requests itself, and not pass them on to the Master Configuration Server.

Deploying RADIUS external authentication on Configuration Server Proxy

Prerequisites

RADIUS is installed on the Master Configuration Server.

The servers configuration file contains all of the servers listed in radiusclient.conf.


Start

  1. Do one of the following:
       • If Configuration Server Proxy is not installed, install it now as described in the Framework Deployment Guide, being sure to select the RADIUS external authentication option when prompted.
       • If Configuration Server Proxy has been installed but not configured to use external authentication, copy the following files from the Master Configuration Server installation directory to the Configuration Server Proxy installation directory:
           • dictionary
           • the appropriate pluggable file, as listed in Pluggable Module Names for RADIUS
           • radius.seq
           • radiusclient.conf
           • servers
  2. In the Configuration Server Proxy Application object, configure the following options in the indicated sections, and set them to the specified values:
       • If not set during installation, configure external authentication on Configuration Server Proxy by setting the option library in the authentication section to gauth_radius.
       • To set the log level for monitoring the connection between Configuration Server Proxy and the RADIUS server, use the option verbose in the gauth_radius section of the options of the Configuration Server Proxy Application object, as described in Troubleshooting the External Authentication Connection.
  3. Restart Configuration Server Proxy.

End

This page was last edited on August 1, 2014, at 14:21.