Kiwire™ 2.0

Radius

109 views May 31, 2017 May 10, 2019 admin 0

The Radius integration module lets you authenticate users with an external Radius server. The external Radius server must be accessible to the Kiwire™ platform for the Radius integration to work. Kiwire™ supports authentication with multiple Radius servers, or with a single server and multiple profiles, by using a realm suffix.

* NOTE: Remember to add the Kiwire™ IP address to the Radius server as a NAS device so that Kiwire™ can integrate successfully.

 

Mode of Operation

Kiwire™ supports 2 modes of Radius integration: Radius pass thru mode and override profile mode. Kiwire™ also has a built-in feature that checks whether the attributes returned by the external Radius server match the realm configuration. This is useful when you have multiple profiles, one for each user group: with the profile check, Kiwire™ can verify that the realm suffix requested by the user matches the correct realm.

Mode: Radius Pass Thru

Radius pass thru mode lets you authenticate your users with the external Radius server and carry its restrictions and profiles over to Kiwire™. If the user has 30 minutes of credit left on the external Radius server, the user will have the same 30-minute restriction when authenticating.

  1. The user sends a username and password.
  2. The external Radius server replies with the authentication status and the associated profiles.
  3. Kiwire™ checks whether the user was granted authentication; if so, a temporary profile is created in the Kiwire™ profiles database. Kiwire™ optionally performs a secondary check that the attribute response matches the keyword set when the Radius connection was added. If the attribute does not match, the authentication is rejected.
  4. Kiwire™ sends the attributes it received from the external Radius server to the NAS and lets the user connect to the network with those attributes.
  5. Kiwire™ sends accounting information to the external Radius server in the event the user is disconnected from the network.

Mode: Override Profile

In override profile mode, Kiwire™ uses the external Radius server as the authentication host only. A user who authenticates successfully is assigned a locally created Kiwire™ profile at login. This is useful for a multi-group setup with a single external Radius server, or if you wish to give users a different profile when they connect to the network.

  1. The user sends a username and password.
  2. The external Radius server replies with the authentication status.
  3. Kiwire™ checks whether the user authenticated successfully. The local profile assigned to the realm is attached to the user's authentication.
  4. Kiwire™ optionally performs a secondary check that the attribute response matches the keyword set when the Radius connection was added.
  5. Kiwire™ sends the locally assigned profile to the NAS and lets the user connect to the network.
  6. Kiwire™ sends accounting information to the external Radius server.

Radius Connection

To access the Radius module, click Integration > Radius in the navigation. On the Radius listing screen, you can search for a specific Radius connection by using the search field.

The listed fields and their meanings are:

| Field | Meaning & functions |
|---|---|
| Realm | The realm of the Radius connection. |
| Auth Host | The authentication host for the external Radius server. |
| Acct Host | The accounting host for the external Radius server. |
| NAS ID | The NAS ID that Kiwire™ presents to the external Radius server. |
| Profile | The profile linked to the Radius realm. |
| Status | Whether the entry is enabled or disabled. |
| Action | Module actions: the edit icon, to edit the settings of the entry, and the delete icon, to delete the entry. |

Add New Radius Connection

To add a new Radius connection to the Kiwire™ platform, click the “Add Radius Connection” button and fill in the required fields with the relevant information to complete the process.

The listed fields and their meanings are:

| Field | Function |
|---|---|
| Realm | Defines the realm that users use to trigger authentication with the 3rd party Radius server. E.g. if the realm is domain, then username@domain will authenticate with the selected Radius server as username / password. |
| Authentication Host | The IP address of the external Radius server used for authentication queries. E.g. 192.168.0.5:1812 |
| Accounting Host | The IP address of the external Radius server used as the accounting host. E.g. 192.168.0.5:1813 |
| Secret | The shared password between the NAS and the external Radius server. |
| NAS Identifier | The NAS client identifier that Kiwire™ uses when communicating with the external Radius server. |
| Realm in Username | If enabled, Kiwire™ sends the username together with the realm to the authentication and accounting hosts. E.g. if the realm is domain, the username sent will be username@domain instead of username only. |
| Link Profile | If no profile is selected, Kiwire™ uses pass thru mode for the Radius integration. If a local profile is selected, it uses local profile override mode. |
| Local Profile | Select the local profile. |
| Expiry (Days) | The expiry date assigned to the user when they first log in to the network successfully. |
| Keyword | The keyword Kiwire™ checks for in the attributes received in the external Radius server's reply. Leave blank if you do not need attribute match checking. |
| Data Type | The data type of the attributes. |
| Zone Restriction | The default zone restriction assigned to users who log in through the external Radius server. Leave it as “none” if you do not wish to assign a restriction to users. |
| Enabled | Enable or disable this function. |

Edit / Delete Radius Connection

Click the edit icon on the listing screen to edit the settings of the Radius connection. The edit screen will be displayed, where you can change the settings of the Radius connection. Click the delete icon to delete the Radius connection. A prompt will be displayed asking you to confirm the deletion. Please exercise caution, as this is not a reversible action.
