Radius clients doc

Buypass Code identifies users using the Radius protocol, which communicates with the organization's Remote Access Server (RAS). Every service that is to use Buypass Code must be defined so that Buypass knows which organization and which RAS each identification inquiry comes from.

Configuration

IP address: The IP address of the RAS (Radius client) that is permitted to send identification inquiries. The address must be given in dotted-decimal "AAA.BBB.CCC.DDD" format.

For example: 213.123.121.23

Shared secret: The shared secret, also known as a PSK (pre-shared key), is used to authenticate a Radius client to a Radius server/Service Connector. The shared secret set here must also be configured in the Radius client.

For example: verysecretpsk

LDAP: Which LDAP directories are queried can be determined by the Radius client the user comes through. By default all active LDAP directories are used. An LDAP directory can be excluded from the query by moving its configuration to "Available LDAPs" using the arrow buttons.

Offline: Ticking this box means that this Radius configuration permits users to log on with OTPs generated while the mobile phone is offline. Users cannot, however, log on to Code Manager with offline-generated OTPs.


Radius attribute: When several inquiries to the Service Connector (SC) come from the same IP address, additional information must be sent in the inquiry so that the SC can distinguish the clients. The main rule is that the combination of IP address, NAS identifier and NAS IP address must be unique. Where the Radius client cannot specify a NAS identifier and/or NAS IP address, Buypass additionally requires a Vendor Specific Attribute (VSA), Tunnel-Group-Name.

The NAS identifier has Radius attribute ID 32 and the name "NAS-Identifier". It cannot be longer than 40 characters.

For example: this-is-my-nas-identifier


The NAS IP address is usually set to the client's internal IP address when the IP address field above holds the client's external address. The NAS IP address has Radius attribute ID 4 and the name "NAS-IP-Address".

For example: 192.168.3.1

Tunnel-Group-Name is a VSA required by Cisco and has VSA ID 3076/146 (vendor ID 3076, vendor attribute 146). Tunnel-Group-Name cannot be longer than 40 characters.

For example: this-is-my-tunnel-group
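The attribute encodings and the shared-secret check described above, as an added example in Python that is not Buypass's own code. The attribute numbers (NAS-IP-Address 4, NAS-Identifier 32, VSA 3076/146), the 40-character limits and the sample values are taken from the page; the Message-Authenticator construction follows RFC 2869, and the helper names and the client list for the uniqueness rule are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import os
import struct
from typing import Dict, Iterator, List, Optional, Tuple

# RADIUS code and attribute numbers (RFC 2865/2869); 3076/146 is the VSA the page names.
ACCESS_REQUEST = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80
CISCO_VPN3000_VENDOR_ID = 3076
CISCO_TUNNEL_GROUP_NAME = 146
MAX_NAME_LENGTH = 40  # limit the page states for NAS-Identifier and Tunnel-Group-Name


def _tlv(type_code: int, value: bytes) -> bytes:
    """Encode one attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", type_code, len(value) + 2) + value


def _bounded_name(name: str, what: str) -> bytes:
    data = name.encode("utf-8")
    if len(data) > MAX_NAME_LENGTH:
        raise ValueError(f"{what} cannot be longer than {MAX_NAME_LENGTH} characters")
    return data


def nas_identifier(name: str) -> bytes:
    return _tlv(ATTR_NAS_IDENTIFIER, _bounded_name(name, "NAS-Identifier"))


def nas_ip_address(ip: str) -> bytes:
    return _tlv(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(ip).packed)


def tunnel_group_name(name: str) -> bytes:
    """Vendor-Specific(26) = Vendor-Id (4 bytes) + vendor type, vendor length, value."""
    data = _bounded_name(name, "Tunnel-Group-Name")
    inner = struct.pack("!BB", CISCO_TUNNEL_GROUP_NAME, len(data) + 2) + data
    return _tlv(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VPN3000_VENDOR_ID) + inner)


def build_access_request(secret: bytes, identifier: int, attributes: List[bytes],
                         authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request whose Message-Authenticator is HMAC-MD5 keyed with the shared secret
    over the whole packet with the attribute's 16 value bytes zeroed (RFC 2869)."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    body = b"".join(attributes)
    placeholder = _tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body) + len(placeholder))
    unsigned = header + authenticator + body + placeholder
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + mac  # replace the zeroed value with the real HMAC


def _iter_attributes(packet: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    offset = 20
    while offset < len(packet):
        if offset + 2 > len(packet):
            raise ValueError("truncated attribute header")
        type_code, length = struct.unpack_from("!BB", packet, offset)
        if length < 2 or offset + length > len(packet):
            raise ValueError("malformed attribute length")
        yield offset, type_code, packet[offset + 2:offset + length]
        offset += length


def decode_attributes(packet: bytes) -> Dict[str, str]:
    """Decode the attributes the page discusses into a name -> value dict."""
    decoded: Dict[str, str] = {}
    for _, type_code, value in _iter_attributes(packet):
        if type_code == ATTR_NAS_IDENTIFIER:
            decoded["NAS-Identifier"] = value.decode("utf-8")
        elif type_code == ATTR_NAS_IP_ADDRESS and len(value) == 4:
            decoded["NAS-IP-Address"] = str(ipaddress.IPv4Address(value))
        elif type_code == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, vtype, vlen = struct.unpack_from("!IBB", value)
            if vendor_id == CISCO_VPN3000_VENDOR_ID and vtype == CISCO_TUNNEL_GROUP_NAME:
                decoded["Tunnel-Group-Name"] = value[6:4 + vlen].decode("utf-8")
    return decoded


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side use of the shared secret: recompute the HMAC with the value zeroed."""
    for offset, type_code, value in _iter_attributes(packet):
        if type_code == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False  # no Message-Authenticator present: nothing ties the request to the secret


def duplicate_client_keys(clients: List[dict]) -> List[tuple]:
    """The page's rule: (IP address, NAS-Identifier, NAS-IP-Address) must be unique per client.
    Tunnel-Group-Name is included as the stand-in the page names for clients that cannot
    set the NAS fields (assumption). Returns the combinations that collide."""
    seen: Dict[tuple, int] = {}
    for c in clients:
        key = (c["ip"], c.get("nas_identifier"), c.get("nas_ip_address"), c.get("tunnel_group_name"))
        seen[key] = seen.get(key, 0) + 1
    return [key for key, count in seen.items() if count > 1]


if __name__ == "__main__":
    secret = b"verysecretpsk"  # the page's example shared secret
    pkt = build_access_request(secret, 1, [nas_identifier("this-is-my-nas-identifier"),
                                           nas_ip_address("192.168.3.1"),
                                           tunnel_group_name("this-is-my-tunnel-group")])
    print(decode_attributes(pkt), verify_message_authenticator(pkt, secret),
          verify_message_authenticator(pkt, b"wrong-secret"))
```

Running the block with the page's example values decodes all three attributes from the packet, accepts the Message-Authenticator only under the configured secret, and rejects it under any other, which is the behaviour the shared secret field exists to provide. The duplicate check is the kind of pre-flight a practitioner runs over the client list before adding a second RAS behind the same public IP.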

External Radius: Which external Radius configurations are used can be determined by the Radius client the user comes through. By default no external Radius is used. Proxying is activated by moving external Radius configurations from "Available external Radius" to "Selected external Radius" using the arrow buttons. Inquiries that are unknown to Buypass Code are forwarded to the selected external Radius configurations. The selected configurations can be prioritised with the up and down buttons beside the "Selected external Radius" box; the lowest number is tried first. Note that the shared secret must be identical for all selected external Radius configurations.

Monitoring: Monitoring is one way for an organization to test that all systems are up and running. If monitoring is activated, a user with a fixed passcode is permitted to authenticate using Buypass Code. Note that if monitoring is activated, the organization is responsible for ensuring that this functionality is not used for any purpose other than monitoring. Ticking the "Used only for monitoring" box means that only the monitoring user is permitted to authenticate for this Radius configuration. It is recommended that separate Radius configurations are defined for monitoring, to avoid the risk that a user authenticates using the monitoring user. The user name and password for the monitoring user are specified in Code Manager and therefore do not need to exist in an LDAP directory.
