The radius integration module lets you authenticate users with an external Radius server. The external Radius servers must be accessible to the Kiwire™ platform for radius integration to work.
Kiwire™ supports authentication with multiple radius servers, or with a single server with multiple profiles, by using a realm suffix.
Mode of Operation
Kiwire™ supports 2 modes of radius integration: radius pass thru and override profile. Kiwire™ also has a built-in feature that checks whether the attribute replied by the external radius server matches the configured realm configuration. This is useful when you have multiple profiles, one for each user group: using profile checks, Kiwire™ can check that the realm suffix requested by the user matches the correct realm.
Mode : Radius Pass Thru
The radius pass thru mode lets you authenticate your users with the external radius and carry the restrictions & profiles over to Kiwire™. If the user has 30 minutes of credit left on the external radius, the user will have the same 30 minute restriction when authenticating.
- User sends username and password.
- External Radius replies with the authentication status and the associated profiles from the external radius.
- Kiwire™ will check whether the user was granted authentication; a temporary profile will be created in the Kiwire™ Profiles database. Kiwire™ will optionally perform a secondary check that the attribute response matches the keyword set during the add radius connection setup. If the attribute does not match, the authentication is rejected.
- Kiwire™ will send the attributes it received from the external radius to the NAS and let the user connect to the network with those attributes.
- Kiwire™ will send accounting information to the external radius server in the event the user disconnects from the network.
In the Override profile mode, Kiwire™ uses the external radius as the authentication host only. A user who authenticates successfully is assigned a locally created Kiwire™ profile at login. This is useful for a multi group, single external radius server setup, or if you wish to provide a different profile for users when they connect to the network.
- User sends username and password.
- External Radius replies with the authentication status.
- Kiwire™ will check whether the user authenticated successfully. The local profile assigned to the realm will be attached to the user's authentication.
- Kiwire™ will optionally perform a secondary check that the attribute response matches the keyword set during add radius connection.
- Kiwire™ will send the locally assigned profile to the NAS and let the user connect to the network.
- Kiwire™ will send accounting information to the external radius server.
Radius Listing Screen
To access the radius module click on Integrations > Radius.
The listed fields and their meanings are:
|Field||Meaning & functions|
|Realm||The realm of radius|
|Authentication Host||The authentication host for the external radius server|
|Accounting Host||The accounting host for the external radius server|
|NAS ID||The assumed NAS ID of Kiwire™ to the external radius server|
|Profile||The profile that is linked with the radius realm|
|Status||Enabled or disabled entry|
|Action||Edit or delete the entry.|
To add or edit a radius entry, click on the “Add Radius Connection” button. The add or edit radius profile screen will be displayed; fill in the fields with the relevant information.
|Realm||Define the realm that users will use to trigger authentication with the 3rd party radius, e.g. domain: username@domain will then authenticate with the selected radius server as username / password.|
|Authentication host||The IP Address of the external Radius Server for use with authentication queries, e.g. 192.168.0.5:1812|
|Accounting Host||The IP Address of the external Radius Server used as accounting host, e.g. 192.168.0.5:1813|
|Secret||The shared password between NAS and the external Radius Server.|
|Nas Identifier||The NAS client identifier that Kiwire™ will use for communication with the external radius|
|Realm in Username||If enabled, Kiwire™ will send the username together with the realm to the authentication and accounting host. Example: if the realm is domain, the username sent will be username@domain instead of username only.|
|Link Profile||If no profile is selected, Kiwire™ will use Pass thru mode for the radius integration. If a local profile is selected, it will use local profile override mode.|
|Local Profile||Select the local profile.|
|Expiry (Days)||The expiry date assigned to the user when they first log in to the network successfully.|
|Keyword||Keyword that Kiwire™ checks against the attributes received in the external radius reply. Leave blank if you do not need the attribute match check.|
|Data Type||The data type of the attributes.|
|Zone Restriction||Default zone restriction assigned to users who log in thru the external radius. Leave it as “none” if you do not wish to assign a restriction to users.|
|Enabled||Enable or disable this function|
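The two modes and the realm fields above can be read as one decision procedure. The following is an added example, not Kiwire™ code: the names `RealmConfig`, `route` and `decide` are hypothetical, the realm entries are constructed, and the keyword check is assumed to be a substring match against the reply attribute values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class RealmConfig:                       # mirrors the Add Radius Connection fields
    auth_host: str
    realm_in_username: bool = False
    local_profile: Optional[str] = None  # None -> pass thru mode
    keyword: str = ""                    # blank -> no attribute check
    enabled: bool = True

REALMS = {  # constructed sample configuration
    "staff": RealmConfig("192.168.0.5:1812", keyword="staff-group"),
    "guest": RealmConfig("192.168.0.5:1812", realm_in_username=True,
                         local_profile="Guest-1h"),
}

def route(login: str):
    """Split username@realm; return (realm config, username sent upstream)."""
    user, sep, realm = login.rpartition("@")
    cfg = REALMS.get(realm.lower()) if sep and user else None
    if cfg is None or not cfg.enabled:
        return None, None                # no realm, unknown realm or disabled
    return cfg, (login if cfg.realm_in_username else user)

def decide(login: str, accepted: bool, reply_attrs: dict):
    """Return (allowed, mode, attributes handed to the NAS)."""
    cfg, _ = route(login)
    if cfg is None or not accepted:
        return False, None, {}
    # Optional secondary check (assumed semantics): the keyword must appear
    # in one of the reply attribute values, otherwise reject.
    if cfg.keyword and not any(cfg.keyword in str(v)
                               for v in reply_attrs.values()):
        return False, None, {}
    if cfg.local_profile is None:        # no linked profile: carry attributes over
        return True, "pass-thru", dict(reply_attrs)
    return True, "override", {"profile": cfg.local_profile}
```

With a keyword set, a user who authenticates against the shared server under the wrong realm suffix is rejected even though the external radius accepted the password.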
Build 9 Updates*
The article below is copied from the Build 9 Change Log; a summarized version is on the way.
Integration: Radius SSO
The Radius SSO module lets you send accounting data to an external Radius Server for Single Sign-On. To access the Radius SSO module, click on Integrations > Radius SSO. The configuration screen will be displayed. Fill in the relevant fields, then save.
|Enable||Enable or disable this function.|
|SSO Server||IP address or the domain of Radius SSO server.|
|SSO Port||Radius SSO server listening port.|
|SSO Secret||Radius SSO secret / shared key.|
|Simultaneous Request||Number of records to be sent to the server simultaneously.|
|Request Timeout (Seconds)||Timeout for each request in seconds.|
|Retry||Number of retries if a request fails.|
|Acct-Session-Id||Include this attribute in the Radius SSO request.|
|User-Name||Include this attribute in the Radius SSO request.|
|NAS-IP-Address||Include this attribute in the Radius SSO request.|
|NAS-Port-Id||Include this attribute in the Radius SSO request.|
|NAS-Port-Type||Include this attribute in the Radius SSO request.|
|Acct-Session-Time||Include this attribute in the Radius SSO request.|
|Acct-Input-Octets||Include this attribute in the Radius SSO request.|
|Acct-Output-Octets||Include this attribute in the Radius SSO request.|
|Called-Station-ID||Include this attribute in the Radius SSO request.|
|Calling-Station-ID||Include this attribute in the Radius SSO request.|
|Acct-Terminate-Cause||Include this attribute in the Radius SSO request.|
|Framed-IP-Address||Include this attribute in the Radius SSO request.|
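The SSO Secret is what authenticates each accounting record to the receiving server. The following added example (not Kiwire™ code) builds a RADIUS Accounting-Request per RFC 2866 from a few of the attributes listed above and verifies its Request Authenticator; the secret and attribute values are constructed, and Acct-Status-Type is included because the RFC requires it.

```python
import hashlib, hmac, socket, struct

ACCOUNTING_REQUEST = 4                   # RADIUS packet code (RFC 2866)
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "Framed-IP-Address": 8,
        "Acct-Status-Type": 40, "Acct-Session-Id": 44,
        "Acct-Session-Time": 46}         # attribute type numbers

SAMPLE = {  # constructed values
    "User-Name": "alice@staff", "Acct-Status-Type": 2,   # 2 = Stop
    "Acct-Session-Id": "0000A1", "Acct-Session-Time": 1800,
    "NAS-IP-Address": "192.0.2.10", "Framed-IP-Address": "10.0.0.25",
}

def encode_attr(name, value):
    """Encode one attribute as Type, Length, Value."""
    if isinstance(value, int):
        data = struct.pack("!I", value)
    elif name.endswith("IP-Address"):
        data = socket.inet_aton(value)
    else:
        data = value.encode()
    return struct.pack("!BB", ATTR[name], len(data) + 2) + data

def build_accounting_request(ident, attrs, secret):
    body = b"".join(encode_attr(k, v) for k, v in attrs.items())
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    # Authenticator = MD5(Code+ID+Length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_accounting_request(packet, secret):
    """Receiver side: recompute the authenticator with the shared secret."""
    if len(packet) < 20:
        return False
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

The authenticator only covers integrity under the shared secret; the attributes themselves, including User-Name and Framed-IP-Address, travel in clear text, so the secret should be long and random and the path to the SSO server restricted.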