ApplicGate
(v12.0.8874.35714 started 2024-04-18 18:00:37 on VM2)

RADIUS authentication

Authentication with username and password by a RADIUS server.

To configure RADIUS for logon, manage, status, web, and web destination routing entries see here.

The string "RADIUS-RadiusServer" is stored as "Issuer" and it can be checked via the ISS keyword.
A list of active RADIUS sessions is shown here.
A description of the state values is shown via tool tip (mouse over the "State" values) or can be found here.
For security reasons routing entries using RADIUS should have the UID field specified to be able to link session objects to a specific routing entry.

Keywords for RADIUS:
RADIUS:grouplist ... grouplist is a list of RADIUS groups (names must start with "R_") separated by |
- The RADIUS servers will be contacted from left to right until the access request is successful.
OTPR:otprdir ... otprdir is the root directory for html files etc.
CKGRP:cookiegroup ... optional, to configure cookie handling.
OTPU:EmailAddresses ... Users who may use this routing entry (optional).

To configure additional optional keywords see here.

The RADIUS groups must contain the following keywords and are defined via the menu "Configuration", "New RADIUS Group":
RADIUS_SERVER ... DNS name or IP address of the RADIUS server with optional port (default is 1812), e.g. rserv.mycomp.com:1812
SHARED_SECRET ... Shared secret to encrypt the UDP message
NAS_IDENTIFIER ... NAS-Identifier to identify the NAS originating the Access-Request
AUTHENTICATION_METHOD ... PAP (default) or CHAP
- PAP: The password is encrypted with the shared secret when sent to the RADIUS server.
- CHAP: A password hash is sent to the RADIUS server, but the password must be stored in the user database (Active Directory etc.) using reversible encryption.
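
As an added worked example (not ApplicGate code and not taken from this page), the following Python models the exchange the keywords above configure: an Access-Request carrying User-Name, NAS-Identifier and Service-Type Login, the PAP password hiding and the CHAP digest as specified in RFC 2865, the Response Authenticator check the client must perform on every reply, and the left-to-right walk over the group list until a server answers Access-Accept. The group names R_DOWN and R_NPS, the NAS identifier, the user and the shared secrets are constructed sample values; the server side is a simulated stand-in for an NPS, and the transport is a plain function in place of UDP port 1812.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, SERVICE_TYPE, NAS_IDENTIFIER, CHAP_CHALLENGE = 1, 2, 3, 6, 32, 60
SERVICE_TYPE_LOGIN = 1

def md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()

def hide_password(password, secret, authenticator):
    # PAP (RFC 2865 5.2): zero-pad to 16-byte blocks; each block is XORed with
    # MD5(secret + previous cipher block), seeded with the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], md5(secret, prev)))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    # Inverse of hide_password, as the RADIUS server performs it for PAP.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], md5(secret, prev)))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_password(ident, password, challenge):
    # CHAP (RFC 2865 5.3): ident || MD5(ident || password || challenge). The server can only
    # recompute this if it holds the cleartext password, hence "reversible encryption" in AD.
    return bytes([ident]) + md5(bytes([ident]), password, challenge)

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data) and data[i + 1] >= 2:
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def access_request(username, password, secret, nas_id, method="PAP", ident=0):
    # Client side: Access-Request with a fresh random Request Authenticator; returns (packet, authenticator).
    ra = os.urandom(16)
    attrs = [(USER_NAME, username), (NAS_IDENTIFIER, nas_id), (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))]
    if method == "PAP":
        attrs.append((USER_PASSWORD, hide_password(password, secret, ra)))
    else:
        attrs += [(CHAP_PASSWORD, chap_password(ident, password, ra)), (CHAP_CHALLENGE, ra)]
    return build_packet(ACCESS_REQUEST, ident, ra, attrs), ra

def response_authenticator(code, ident, attr_bytes, request_auth, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    return md5(struct.pack("!BBH", code, ident, 20 + len(attr_bytes)), request_auth, attr_bytes, secret)

def verify_response(packet, request_auth, secret):
    # Client side: return the reply code only if its Response Authenticator matches, else None.
    # A reply failing this check (forged, replayed, or for another request) must not be trusted.
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    expected = response_authenticator(packet[0], packet[1], packet[20:], request_auth, secret)
    return packet[0] if hmac.compare_digest(expected, packet[4:20]) else None

def fake_radius_server(packet, secret, users, expected_nas):
    # Constructed stand-in for the RADIUS server (e.g. Windows NPS): enforces the NAS-Identifier
    # condition, checks the PAP or CHAP credential, answers Access-Accept or Access-Reject.
    ident, ra, attrs = packet[1], packet[4:20], parse_attrs(packet[20:])
    pw = users.get(attrs.get(USER_NAME))
    ok = packet[0] == ACCESS_REQUEST and attrs.get(NAS_IDENTIFIER) == expected_nas and pw is not None
    if ok and USER_PASSWORD in attrs:
        ok = reveal_password(attrs[USER_PASSWORD], secret, ra) == pw
    elif ok and CHAP_PASSWORD in attrs:
        cp = attrs[CHAP_PASSWORD]
        ok = hmac.compare_digest(cp, chap_password(cp[0], pw, attrs.get(CHAP_CHALLENGE, ra)))
    else:
        ok = False
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, b"", ra, secret), [])

def authenticate(username, password, nas_id, groups, transport, method="PAP"):
    # Walk the group list left to right, as RADIUS:grouplist does, until one server returns a
    # verified Access-Accept. transport(group, packet) sends the datagram and returns the reply or None.
    for group, secret in groups:
        packet, ra = access_request(username, password, secret, nas_id, method)
        reply = transport(group, packet)
        if reply is not None and verify_response(reply, ra, secret) == ACCESS_ACCEPT:
            return group
    return None

def demo(method="PAP", password=b"correct horse"):
    # Constructed scenario: R_DOWN never answers (timeout), R_NPS answers and checks the user.
    users, secret = {b"alice@example.com": b"correct horse"}, b"constructed-shared-secret"
    def transport(group, packet):
        return None if group == "R_DOWN" else fake_radius_server(packet, secret, users, b"applicgate-nas")
    return authenticate(b"alice@example.com", password, b"applicgate-nas",
                        [("R_DOWN", b"other-constructed-secret"), ("R_NPS", secret)], transport, method)
```

demo("PAP") and demo("CHAP") both return "R_NPS" after the first group times out; demo("PAP", b"wrong") returns None because the only answering server sends Access-Reject. Two points the code makes visible: the PAP "encryption" is MD5 keyed by the shared secret and the packet's own integrity check is MD5 as well, so the UDP path between ApplicGate and the NPS should be a trusted network segment and the shared secret should be long and random; and a reply is only accepted when its Response Authenticator verifies against the matching Request Authenticator, which is why a client must never act on an Access-Accept it cannot tie to its own request.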

If a RADIUS username is not in email format (it contains no "@"), the string "@radius" must be appended to the username when it is specified with the keywords OTPU and OA2U.

To authenticate with Windows users or Active Directory (AD):
Install Network Policy Server (NPS) on any Windows server and configure it as RADIUS server.

Configuration of Windows NPS as RADIUS Server:
- Register server in Active Directory if AD should be used.
- Configure a RADIUS client:
-- Address: IP address of ApplicGate
-- Shared secret: as defined in the keyword SHARED_SECRET
- Connection Request Policy:
-- default configuration is sufficient
- Network Policy:
-- Conditions:
--- NAS Identifier: as defined in the keyword NAS_IDENTIFIER
-- Settings:
--- Access Permission: Grant Access
--- Authentication Method: PAP or CHAP as defined in the keyword AUTHENTICATION_METHOD
--- Service-Type: Login

reinhold.leitner@applicgate.com (C) April 2024
www.applicgate.com