Kiwire™ 2.0

Radius

102 views May 31, 2017 November 8, 2018 admin 0

The Radius integration module lets you authenticate users with an external Radius server. The external Radius servers must be accessible to the Kiwire™ platform for Radius integration to work.

Kiwire™ supports authentication with multiple Radius servers, or with a single server and multiple profiles, by using a realm suffix.

Note: Remember to add the Kiwire™ IP address to the Radius server as a NAS device so that Kiwire™ can integrate successfully.

 

Mode of Operation

Kiwire™ supports 2 modes of Radius integration: Radius pass thru and override profile. Kiwire™ also has a built-in feature that checks whether the attributes returned by the external Radius server match the configured realm. This is useful when you have multiple profiles for each user group: with the profile check, Kiwire™ can verify that the realm suffix requested by the user matches the correct realm.

Mode : Radius Pass Thru

The Radius pass thru mode lets you authenticate your users with the external Radius server and carry its restrictions and profiles over to Kiwire™. If the user has 30 minutes of credit left on the external Radius server, the user will have the same 30-minute restriction when authenticating.

  1. The user sends a username and password.
  2. The external Radius server replies with the authentication status and the associated profiles.
  3. Kiwire™ checks whether the user was granted authentication. If so, a temporary profile is created in the Kiwire™ Profiles database. Kiwire™ will optionally perform a secondary check of whether the attribute response matches the keyword set when the Radius connection was added. If the attribute does not match, the authentication is rejected.
  4. Kiwire™ sends the attributes it received from the external Radius server to the NAS and lets the user connect to the network with those attributes.
  5. Kiwire™ sends accounting information to the external Radius server in the event the user is disconnected from the network.

Override Profile

In the Override profile mode, Kiwire™ uses the external Radius server as the authentication host only. A user who authenticates successfully is assigned a locally created Kiwire™ profile at login. This is useful for a multi-group setup with a single external Radius server, or if you wish to provide a different profile for users when they connect to the network.

  1. The user sends a username and password.
  2. The external Radius server replies with the authentication status.
  3. Kiwire™ checks whether the user authenticated successfully. The local profile assigned to the realm is attached to the user's authentication.
  4. Kiwire™ will optionally perform a secondary check of whether the attribute response matches the keyword set when the Radius connection was added.
  5. Kiwire™ sends the locally assigned profile to the NAS and lets the user connect to the network.
  6. Kiwire™ sends accounting information to the external Radius server.
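
The two modes and the optional keyword check can be sketched as follows. This is an added example, not Kiwire™ code: the class, the function names and the sample replies are hypothetical, and it assumes the keyword matches when it occurs in any reply attribute value.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class RealmConfig:
    """Hypothetical model of one radius connection entry (names are assumptions)."""
    realm: str
    realm_in_username: bool = False
    local_profile: Optional[str] = None  # None: pass thru; set: override profile
    keyword: str = ""                    # blank: attribute check is skipped

def outbound_username(login: str, cfg: RealmConfig) -> str:
    """Username sent to the external server, per the 'Realm in Username' setting."""
    user, sep, realm = login.rpartition("@")
    if not sep or not user or realm != cfg.realm:
        raise ValueError("login does not carry this realm suffix")
    return login if cfg.realm_in_username else user

def decide(cfg: RealmConfig, accepted: bool, reply_attrs: dict) -> dict:
    """Apply the listed steps to the external server's reply."""
    if not accepted:
        return {"allow": False, "reason": "rejected by external radius"}
    # Assumption: the keyword matches when it occurs in any reply attribute value.
    if cfg.keyword and not any(cfg.keyword in str(v) for v in reply_attrs.values()):
        return {"allow": False, "reason": "keyword mismatch"}
    if cfg.local_profile is None:
        # Pass thru: the external server's attributes are forwarded to the NAS.
        return {"allow": True, "mode": "pass thru", "to_nas": dict(reply_attrs)}
    # Override: only the locally assigned profile reaches the NAS.
    return {"allow": True, "mode": "override", "to_nas": {"profile": cfg.local_profile}}

# Constructed sample data: two realms served by one external server.
STAFF = RealmConfig("staff", keyword="staff-group")
GUEST = RealmConfig("guest", realm_in_username=True, local_profile="guest-1h")
STAFF_REPLY = {"Class": "staff-group", "Session-Timeout": 28800}
STUDENT_REPLY = {"Class": "student-group", "Session-Timeout": 1800}

if __name__ == "__main__":
    print(outbound_username("alice@staff", STAFF))  # realm stripped before sending
    print(decide(STAFF, True, STAFF_REPLY))         # pass thru, attributes forwarded
    print(decide(STAFF, True, STUDENT_REPLY))       # valid login, wrong realm suffix
    print(decide(GUEST, True, STUDENT_REPLY))       # override with the local profile
```

The third call is the case the keyword check exists for: the credentials are valid on the shared external server, but the reply attributes do not belong to the realm the user asked for, so the login is refused.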

Radius Listing Screen

To access the Radius module, click on Integrations > Radius.

The listed fields and their meanings are:

Field | Meaning & functions
Realm | The realm of radius
Authentication Host | The accounting host for the external radius server
Accounting Host | The accounting host for the external radius server
NAS ID | The assumed NAS ID of Kiwire™ to the external radius server
Profile | The profile that is linked with the radius realm
Status | Enabled or disabled entry
Action | Edit or delete the entry

Add/Edit Radius

To add or edit a Radius entry, click on the "Add Radius Connection" button. The add or edit Radius profile screen will be displayed; fill in the fields with the relevant information.

Field | Function
Realm | Define a realm that users will use to trigger authentication with the 3rd party Radius server. E.g. domain: username@domain will then authenticate with the selected Radius server as username / password.
Authentication host | The IP address of the external Radius server to use for authentication queries, e.g. 192.168.0.5:1812
Accounting Host | The IP address of the external Radius server to use as accounting host, e.g. 192.168.0.5:1813
Secret | The shared password between the NAS and the external Radius server.
Nas Identifier | The NAS client identifier that Kiwire™ will use for communication with the external Radius server.
Realm in Username | If enabled, Kiwire™ will send the username together with the realm to the authentication and accounting host. For example, if the realm is domain, the username sent will be username@domain instead of username only.
Link Profile | If no profile is selected, Kiwire™ will use pass thru mode for the Radius integration. If a local profile is selected, it will use local profile override mode.
Local Profile | Select the local profile.
Expiry (Days) | The expiry date assigned to the user when they first log in to the network successfully.
Keyword | Keyword that Kiwire™ checks against the attributes received in the external Radius reply. Leave blank if you do not need the attribute match checking function.
Data Type | The data type of the attributes.
Zone Restriction | Default zone restriction assigned to users who log in through the external Radius server. Leave it as "none" if you do not wish to assign a restriction to users.
Enabled | Enable or disable this function

Build 9 Updates*

The below article is copied from Build 9 Change Log, a summarized version is on the way.

Integration: Radius SSO

The Radius SSO module lets you send accounting data to an external Radius server for Single Sign-On. To access the Radius SSO module, click on Integrations > Radius SSO. The configuration screen will be displayed. Fill in the relevant fields, then save.

Field | Function
Enable | Enable or disable this function.
SSO Server | IP address or the domain of the Radius SSO server.
SSO Port | Radius SSO server listening port.
SSO Secret | Radius SSO secret / shared key.
Simultaneous Request | Number of records to be sent to the server simultaneously.
Request Timeout (Seconds) | Timeout for each request in seconds.
Retry | Number of retries if a request fails.
Acct-Session-Id | Include this attribute in the Radius SSO request.
User-Name | Include this attribute in the Radius SSO request.
NAS-IP-Address | Include this attribute in the Radius SSO request.
NAS-Port-Id | Include this attribute in the Radius SSO request.
NAS-Port-Type | Include this attribute in the Radius SSO request.
Acct-Session-Time | Include this attribute in the Radius SSO request.
Acct-Input-Octets | Include this attribute in the Radius SSO request.
Acct-Output-Octets | Include this attribute in the Radius SSO request.
Called-Station-ID | Include this attribute in the Radius SSO request.
Calling-Station-ID | Include this attribute in the Radius SSO request.
Acct-Terminate-Cause | Include this attribute in the Radius SSO request.
Framed-IP-Address | Include this attribute in the Radius SSO request.
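
How the SSO secret protects such a request can be seen by building one by hand. This is an added example, not Kiwire™ code: it assumes the Radius SSO request is a standard RFC 2866 Accounting-Request, and the function names, secret and session values are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4
# RFC 2865/2866/2869 type codes for the attributes in the table above.
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "Framed-IP-Address": 8,
        "Called-Station-Id": 30, "Calling-Station-Id": 31,
        "Acct-Status-Type": 40, "Acct-Input-Octets": 42,
        "Acct-Output-Octets": 43, "Acct-Session-Id": 44,
        "Acct-Session-Time": 46, "Acct-Terminate-Cause": 49,
        "NAS-Port-Type": 61, "NAS-Port-Id": 87}

def encode_attr(name, value) -> bytes:
    """Type-length-value encoding; ints are 32-bit, *-IP-Address is 4 octets."""
    if isinstance(value, int):
        data = struct.pack("!I", value)
    elif name.endswith("IP-Address"):
        data = socket.inet_aton(value)
    else:
        data = value.encode()
    return struct.pack("!BB", ATTR[name], len(data) + 2) + data

def build_accounting_request(ident: int, attrs: dict, secret: bytes) -> bytes:
    body = b"".join(encode_attr(n, v) for n, v in attrs.items())
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    # Request Authenticator = MD5(code+id+length + 16 zero octets + attrs + secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: drop packets whose authenticator does not match."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample: a Stop record (Acct-Status-Type 2) for one session.
SAMPLE = {"Acct-Status-Type": 2, "Acct-Session-Id": "5f3a0001",
          "User-Name": "alice@staff", "NAS-IP-Address": "192.0.2.10",
          "Framed-IP-Address": "10.0.0.25", "Acct-Session-Time": 1800,
          "Acct-Terminate-Cause": 1}
```

The authenticator is the only integrity protection on the record and the attributes themselves travel unencrypted, so the SSO secret should be long and random and the path to the SSO server should be a trusted network segment.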
