RADIUS provides authentication, accounting, and authorization functions. The NIOS appliance supports authentication using the following RADIUS servers: FreeRADIUS, Microsoft, Cisco, and Funk.
When NIOS authenticates administrators against RADIUS servers, NIOS acts similarly to a network access server (NAS), which is a RADIUS client that sends authentication and accounting requests to a RADIUS server. Figure 4.5 illustrates the RADIUS authentication process.
Figure 4.5 RADIUS authentication process (diagram; participants: Administrator, NIOS Appliance, RADIUS Server)
1. A user makes an HTTPS connection to the NIOS appliance and sends a user name and password.
2. The appliance checks the remote admin policy, which lists the RADIUS server group.
3. The appliance sends an Access-Request packet to the first RADIUS server in the group.
4a. If the RADIUS server authenticates the user, it sends back an Access-Accept packet. The appliance lets the user log in and applies the authorization profile.
4b. If the RADIUS server rejects the authentication request, it sends back an Access-Reject packet. The appliance does not allow the user to log in.
When you configure the NIOS appliance to authenticate admins against a RADIUS server group, you must specify the authentication protocol of each RADIUS server, which can be either PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol).
PAP establishes the identity of a user with a simple two-way handshake. The client sends the user name and password to the NIOS appliance over the HTTPS session shown in Figure 4.5. The appliance hides the password using the shared secret and sends it to the RADIUS server in the User-Password attribute of an Access-Request packet. This hiding is the MD5-based XOR scheme defined in RFC 2865, keyed by the shared secret and the per-request authenticator; it is obfuscation rather than strong encryption, so the shared secret must be long and random, and the path between the appliance and the RADIUS server should be a trusted network. The RADIUS server uses the shared secret to recover the password. If the recovered password matches the password stored for that user, the user is successfully authenticated and allowed to log in. Because the server receives the actual password, PAP works with servers that store passwords only as one-way hashes.
With CHAP, the client again sends its user name and password to the NIOS appliance. The appliance generates a random challenge and computes an MD5 hash over the CHAP identifier, the password, and that challenge. It then sends the user name, the challenge (CHAP-Challenge attribute), and the identifier together with the hash (CHAP-Password attribute) to the RADIUS server in an Access-Request packet; the password itself never crosses the link between the appliance and the server. The RADIUS server looks up the password for that user name in its database and computes its own MD5 hash over the same identifier, password, and challenge. If the hash that the RADIUS server generates matches the hash that it received from the appliance, the user is successfully authenticated and allowed to log in. Note that this requires the RADIUS server to have the clear-text (or reversibly stored) password available; it cannot verify CHAP against a store that holds only one-way password hashes.
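The following is an added example, not Infoblox or NIOS code, showing what the two descriptions above look like on the wire: the PAP User-Password hiding of RFC 2865 section 5.2, the CHAP-Password/CHAP-Challenge computation of section 5.3, and a minimal Access-Request encoder and parser so that both sides of each exchange can be run offline. The shared secret, user name, and password values are made up for the demonstration; a real deployment would also send a Message-Authenticator attribute and use a fresh random Request Authenticator per request, as the round-trip helpers do.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1          # RADIUS Code (RFC 2865 section 3)
ATTR_USER_NAME = 1          # attribute types (RFC 2865 section 5)
ATTR_USER_PASSWORD = 2
ATTR_CHAP_PASSWORD = 3
ATTR_CHAP_CHALLENGE = 60


def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side of PAP: pad to a 16-byte multiple, XOR block i with
    MD5(secret + c[i-1]) where c[-1] is the 16-byte Request Authenticator.
    Keystream obfuscation, not authenticated encryption: whoever knows (or
    offline-guesses) the shared secret recovers the password."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block                      # chaining uses the hidden block
    return bytes(out)


def reveal_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side of PAP: regenerate the keystream, strip NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-zero multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response = MD5(ID || password || challenge) (RFC 1994 / RFC 2865 s5.3).
    The server can only recompute this if it holds the clear-text password."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def verify_chap(chap_password_attr: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server side: CHAP-Password is 1 byte of CHAP ID then the 16-byte response."""
    if len(chap_password_attr) != 17:
        return False
    chap_id, response = chap_password_attr[0], chap_password_attr[1:]
    return hmac.compare_digest(chap_response(chap_id, stored_password, challenge), response)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, authenticator: bytes, attrs) -> bytes:
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_attrs(packet: bytes) -> dict:
    """Walk the attribute list, refusing lengths that would run off the packet."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def pap_round_trip(username: bytes, password: bytes, secret: bytes) -> bool:
    """Appliance hides the password; server recovers it and compares."""
    authenticator = os.urandom(16)        # fresh Request Authenticator per request
    pkt = build_access_request(1, authenticator, [
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_pap_password(password, secret, authenticator)),
    ])
    attrs = parse_attrs(pkt)
    return reveal_pap_password(attrs[ATTR_USER_PASSWORD], secret, pkt[4:20]) == password


def chap_round_trip(username: bytes, password: bytes, stored_password: bytes) -> bool:
    """Appliance computes the CHAP response itself (it holds the password from
    the HTTPS login); only the hash and the challenge reach the server."""
    challenge, chap_id = os.urandom(16), os.urandom(1)[0]
    pkt = build_access_request(2, os.urandom(16), [
        (ATTR_USER_NAME, username),
        (ATTR_CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, password, challenge)),
        (ATTR_CHAP_CHALLENGE, challenge),
    ])
    attrs = parse_attrs(pkt)
    return verify_chap(attrs[ATTR_CHAP_PASSWORD], attrs[ATTR_CHAP_CHALLENGE], stored_password)
```

The two round-trip helpers make the practical difference visible: `pap_round_trip` only succeeds when the server knows the shared secret, because that is what unlocks the password, while `chap_round_trip` only succeeds when the server knows the user's clear-text password, because that is what it must hash. Neither exchange is protected by anything stronger than MD5 and the secrecy of those two values, which is why the secret and the network path to the RADIUS server matter as much as the choice between PAP and CHAP.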
You can configure one of the following modes to send the authentication request to the RADIUS server:
...
- Configure at least one RADIUS authentication server group. For more information, see Configuring a RADIUS Authentication Server Group.
- Define admin groups for the admins that are authenticated by the RADIUS servers and specify their privileges and settings. The group names in NIOS must match the admin group names on the RADIUS server. See About Admin Groups for information about defining admin groups.
- In the authentication policy, add the RADIUS server groups and the admin groups that match those on the RADIUS server. You can also designate an admin group as the default group for remote admins. NIOS assigns admins to this group when it does not find a matching group for a remote admin. See Defining the Authentication Policy for more information about configuring the policy.
...
Note that the following fields in the wizard do not apply to this feature: Enable NAC Filter, Cache Time to Live, and Recovery Interval. They are used with the NAC Integration feature described in Chapter 32, Authenticated DHCP.